Document history and version control - Home | ICO

1 Privacy and Electronic Communications Regulations direct marketing ICO. Information Commissioner's Office direct marketing Data Protection Act Privacy and Electronic Communications Regulations Contents Legal framework ..6 Data Protection Act ..7 Privacy and Electronic Communications Regulations ..8 Other regulation ..10 ICO direct marketing ..13 The definition of direct marketing ..13 Market research and sugging ..14 Charities, political parties and other not-for-profit organisations 15 Solicited and unsolicited Consent ..19 The definition of consent ..20 Implied Methods of obtaining Opt-in and opt-out Indirect (third party) consent ..29 Time Proof of consent ..34 marketing General rule: screen live calls against the Fairness.

2 37 The right to opt Automated Business-to-business calls ..39 marketing texts and General rule: only with consent ..39 Existing customers: the soft opt-in ..40 The right to opt Business-to-business texts and emails ..44 direct marketing 20180306 version : Other types of direct marketing marketing marketing mail ..46 Lead generation and marketing lists ..47 Generating leads .. 47 Selling a marketing Buying a marketing In-house marketing Other More direct marketing 20180306 version : 2 Introduction This guidance has been updated to include GDPR update boxes.

3 These updates signpost key differences in the new data protection regime that will affect those wanting to conduct direct marketing from 25 May 2018 onwards, and link to new sources of relevant GDPR guidance. This guidance was produced under the Data Protection Act 1998. We have since consulted on a draft marketing code of more information on the GDPR, see our Guide to the GDPR. Data Protection Act 1998 (the DPA) is based around eightprinciples of good information handling. These give peoplespecific rights in relation to their personal information andplace certain obligations on those organisations that areresponsible for processing Privacy and Electronic Communications (EC Directive)Regulations 2003 (PECR) provide rules about sendingmarketing and advertising by electronic means, such as bytelephone, fax, email, text and picture or video message, or byusing an automated calling system.

4 PECR also include otherrules relating to cookies, telephone directories, traffic data,location data and security overview of the main provisions of the DPA and PECR canbe found in The Guide to Data Protection and The Guide to thePrivacy and Electronic Communications is part of a series of guidance, which goes into more detailthan the Guides, to help organisations to fully understand theirobligations and to promote good guidance explains the DPA and PECR rules on directmarketing with a focus on calls and texts to individuals andhow this affects lead generation and the use of marketing will help responsible organisations to keep within the law andmaintain a good reputation with customers, and sets out whatenforcement action the ICO can take against those who ignorethe marketing 20180306 version : 3 6.

5 This guidance can be read end-to-end for a full discussion of the issues, but it does not have to be used in that way. It has been designed so that organisations can dip in and out as necessary, using the links in the contents page to go directly to particular issues of concern. The text of each section will provide further links to other relevant parts of the guidance. 7. The guidance starts with a broad overview of the law, then contains separate sections on what counts as direct marketing , what counts as consent, the specific rules on calls and texts, and the use of marketing lists. We have also published a separate direct marketing checklist (pdf) to help organisations comply with the law and good practice. direct marketing 20180306 version : 4 Overview GDPR Update A definition of direct marketing is contained within the DP Bill and is likely to be similar to the definition in the Data Protection Act 1998 (the 1998 Act).

6 The GDPR definition of consent is similar to the 1998 Act, but is clearer that consent must be unambiguous and involve an affirmative action. There is also more detail on the level of detail and control individuals must have. An unambiguous affirmative action requires a positive opt-in. Don t use pre-ticked boxes or any other method of consent by default. Any third party controllers who will rely on the consent must be named listing categories of organisation will not give valid third party consent. The GDPR contains substantial fines for failing to comply with its requirements including fines of up to 20 million, or 4% of your total worldwide annual turnover, whichever is higher. direct marketing covers the promotion of aims and ideals as well as the sale of products and services.

7 This means that the rules will cover not only commercial organisations but also not-for-profit organisations (eg charities, political parties etc). In many cases organisations will need consent to send people marketing , or to pass their details on. Organisations will need to be able to demonstrate that consent was knowingly and freely given, clear and specific, and should keep clear records of consent. The ICO recommends that opt-in boxes are used. The rules on calls, texts and emails are stricter than those on mail marketing , and consent must be more specific. Organisations should not take a one-size-fits-all approach. Organisations can make live marketing calls to numbers not registered with the TPS, if it is fair to do so. But they must not call any number on the TPS list without specific prior consent.

8 direct marketing 20180306 version : 5 Organisations must not make any automated pre-recorded marketing calls without specific prior consent. Organisations making marketing calls must allow their number (or an alternative contact number) to be displayed to the person receiving the call. Organisations must not send marketing texts or emails to individuals without their specific prior consent. There is a limited exception for previous customers, known as the soft opt-in. Organisations must stop sending marketing messages to any person who objects or opts out of receiving them.

9 Organisations must carry out rigorous checks before relying on indirect consent (ie consent originally given to a third party). Indirect consent is highly unlikely to be valid for calls, texts or emails. Neither the DPA nor PECR ban the use of marketing lists, but organisations must take steps to ensure a list was compiled fairly and accurately reflects peoples wishes. Bought-in call lists should be screened against the TPS. It will be very difficult to use bought-in lists for text, email, or automated call campaigns as these require very specific consent (either where the specific organisation is named or it is within a precisely defined category of organisation). The ICO will consider using its enforcement powers, including the power to issue a fine of up to 500,000, where an organisation persistently ignores individuals objections to marketing or otherwise fails to comply with the law.

10 Our direct marketing checklist can help organisations to comply. Legal framework 8. The DPA and PECR both restrict the way organisations can carry out unsolicited direct marketing (that is, direct marketing that has not specifically been asked for). 9. This guidance focuses primarily on these DPA and PECR rules on direct marketing . However, direct marketing can engage a wide range of other regulatory and conduct issues. direct marketing 20180306 version : 6 Organisations should ensure they are also familiar with other relevant laws and industry codes of practice. See the section below on other regulation for more information.