Do you send direct marketing emails or texts to your customers or web/app users? Then Don’t miss these simple tips to make sure you’ve obtained the necessary consent first.
One of most common questions mobile app and website owners ask relates to the use of personal data for marketing purposes. There’s a whole raft of regulations dealing with consents, including opt ins, soft opt ins and opt outs and how these differ across text, e-mails, mail and phone. We can’t sum up everything in the space of a page or so, but these simple DOs and DON’Ts are based on the ICO’s own guidance put together earlier this month. That guidance can be found here, and a useful checklist, here.
DO – take it seriously
Direct marketing covers any advertising or marketing material which is directed at particular individuals. The Information Commissioner’s Office regulates such activity in the UK and has the authority to impose penalties of up to £500,000 for serious breaches of the regulations.
DO – ensure consent is properly given
Adequate consent must be “freely given”, “specific” and “informed”. The strictness with which this is enforced depends on the type of marketing method. For example, consent to receive electronic marketing calls or messages (e.g. text, e-mail), consents must be “extremely clear and specific”. In practice, this means that any wording next to a tick box should specifically name the organisation and the marketing method that can be used.
In practice, the ICO recommends that the safest way of obtaining consent is through a “opt in” tick box, on the basis that it presents “a positive choice by the individual to give clear and express consent.”
DO – make checks on marketing lists
If you are buying a marketing list, you are expected to undertake rigorous checks to ensure that the seller of the list has obtained the personal data lawfully. This is especially the case if you intend on sending those individuals e-mails or texts, because of how specific consent has to be to allow marketing using these channels. The due diligence and enquiries you make need to be reasonable and should include checks on:
DON’T – rely on indirect consent
Indirect or “third party” consent is when an individual tells an organisation that they are happy for their details to be passed to third parties. This will usually be in the form marketing list, as described above. Although some forms of marketing to individuals who have given such consent is permissible, it’s unlikely to be sufficient for marketing by e-mail or text, where the rules are much stricter. In order to validly market through these channels, consent would have to be extremely clear and specific, as described above.
DON’T – assume consent is forever
The actual duration of consent will depend on the circumstances. The ICO give the example of consent to receive materials in respect of a particular marketing campaign. Once that campaign is complete, consent can’t be taken to extend to further campaigns.
DO – give the option to “opt out”
If an individual has said they no longer want to receive marketing materials, you must stop sending them. In addition, you mustn’t make it difficult or overly complicated to opt out of receiving materials. Details of the individual should go onto a suppression list, as opposed to simply deleted. Suppression involves retaining enough details on an individual to ensure they are not marketed to again, and ensuring they stay off any lists or databases compiling individuals to be marketed to.
DO – remember the “existing customers” exception
The requirement for specific consent does not apply to the sending of electronic messages if:
The individual is given an option to opt out when the details were collected and such an option is given in every message sent thereafter (e.g. a notice at the foot of any e-mail correspondence or an option to “STOP” at the end of a text).
Although most users of your website will not read your terms, this is an important part of your business. Having to argue in court is expensive, so a little investment to avert the risk is a pragmatic approach. This article highlights some of the most common points which your terms should cover so that the risks explained below do not crystallise.
If your business involves sending personal data outside the UK and EEA, you may be aware of the need for a transfer risk assessment (TRA) to demonstrate that you have properly considered and mitigated any associated risks.
When it comes to commercial negotiations, they often don’t turn out the way you had hoped and then there is no going back. Instead of struggling on your own, losing a lot of management time and still not being sure you have got the best deal, let us negotiate for you.
Get it in writing – Commercial Contracts