ICO direct marketing guidance for email and other electronic mail
The rules and regulatory expectations spelt out
The ICO has published guidance specifically outlining the rules for direct marketing using electronic mail. The guidance clarifies the position the regulator takes on consent, the soft opt-in, refer-a-friend campaigns, hosted emails, using bought-in lists and more.
The guidance specifically focuses on direct marketing by electronic mail to individuals (‘individual subscribers’). The term ‘electronic mail’ covers email, text, picture, video, voicemail, and in-app messages, as well as sending people direct private messages via social media.
The rules for sending direct marketing by electronic mail are covered by the UK’s Privacy and Electronic Communications Regulations (PECR). We’re also reminded to comply with UK GDPR if we’re handling personal data.
This summary covers the core rules under PECR, as set out in the guidance, picks up on specific areas where the ICO has clarified its position and includes an occasional soupçon from me.
Where italics are used, this is text lifted from the guidance itself – so the regulator’s words not mine.
A. Core direct marketing rules and definitions
Options for electronic direct marketing messages
PECR says you can only send direct marketing by electronic mail if:
- You have consent; or
- you can meet all of the requirements of the ‘soft opt-in’.
I’d just stress, this means the consent of the individuals the message is targeted at.
Importantly it’s made clear these rules only apply to what are termed ‘individual subscribers’. It says, you can send electronic mail marketing to a corporate subscriber without needing to comply with the above requirements.
The following definitions are given:
- Corporate subscribers are corporate bodies with separate legal status (eg companies, limited liability partnerships, Scottish partnerships).
- Individual subscribers are people but also include some types of businesses (eg sole traders and some types of partnerships).
Another way to put this is individual subscribers are people who’ve signed up to the email service provider themselves.
I’d also just add, where you don’t have consent for business-to-business marketing – marketing to corporate subscribers – you’d be relying on Legitimate Interests under UK GDPR. Legitimate Interests is subject to a balancing test, so it’s wise to conduct a written assessment (Legitimate Interests Assessment).
What constitutes direct marketing?
The Data Protection Act 2018 defines direct marketing as: “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. A definition which applies under PECR too.
It’s a broad definition and covers any advertising, marketing or promotion of products and services. It also includes promoting aims and ideals, so covers fundraising and campaigning.
This latest guidance says: “The definition doesn’t cover online advertising (eg advertisements placed on websites). It also doesn’t cover some types of direct marketing using social media (eg advertising messages shown on news feeds). This is even when organisations target these advertisements to a particular user of the site or platform.”
We’d point out targeted online advertising would fall under PECR rules where you’re using cookies and similar technologies.
For more information see: What is direct marketing?
Service messages
Messages sent for purely administrative or necessary customer service purposes are not considered direct marketing. However, if such messages include any promotional content, they’ll be considered direct marketing.
The ICO regularly issues fines where organisations have intentionally, or unintentionally, disguised marketing messages as service ones. An area I’ve written about before: Another ICO fine for a ‘service’ email deemed to be marketing.
Organisations have even been fined for sending messages asking people (who haven’t given permission or who’ve opted out) to confirm their marketing preferences. This in itself is judged to be direct marketing.
Solicited messages
If a customer specifically asks for information about your products and services, responding with the information requested will be considered a solicited message and won’t fall under the definition of direct marketing.
B. What constitutes valid consent?
There are specific requirements which the ICO says must be met for consent to be valid.
- you must give people a free choice to consent so that they can refuse without detriment and you must keep the consent separate from other things, such as terms and conditions (‘freely given’);
- you must make it clear that the consent covers your electronic mail marketing messages and you must give your name in the consent request (‘specific and informed’);
- you must have no doubt that they are consenting to your electronic mail marketing messages (unambiguous indication); and
- they must take a positive action to consent, so you must not use pre-ticked opt-in boxes, silence or inactivity as an indicator of consent (clear affirmative action).
You should keep a record of the consent (e.g. who, when, how) so that you can demonstrate that it is valid. People can also withdraw consent and you must make it easy for people to do this.
For more information see: How do we use consent?
At DPN we’d recommend any permission statement also includes a clear link to your privacy notice. This is so you can be confident you meet UK GDPR requirements to provide privacy information when personal data is collected.
C. Using the soft opt-in
The guidance reiterates all of the following conditions must be met to compliantly rely on this exemption to consent.
- You want to send marketing by electronic mail to individual subscribers (includes sole traders and some types of partnerships).
- You collected their contact details directly from them
- You collected their details during a sale, or negotiations for a sale, of your products and services
- You want to use their details to send them marketing about your similar products and services
- You gave them a clear, simple way to opt-out, or say no to your marketing, when you collected their details
- You give them a clear, simple way to opt-out, or change their mind about your marketing, in each message you send.
Just to be very clear on the fifth point, you must tell people you want to send them marketing, and give them the ability to say no.
What constitutes a ‘sale’?
Currently, the soft opt-in under PECR specifically uses the word “sale” and refers to “products and services”. The ICO says this means the soft opt-in doesn’t apply to details collected where there’s no sale (or such a negotiation), or where there are no products or services involved.
For “negotiations for a sale” to be triggered the ICO says the customer must actively express an interest in buying your products or services. Examples given include:
- A request for a quote
- Specifically asking for more details about what you offer
- Signing up for a free trial
The ICO says: The communication from the person must involve buying products or services. It’s not enough for someone to send any type of query.
What about other companies in the same group?
The ICO considers use of the soft opt-in to be only available to the same entity or single organisation that originally collected the contact details. It says this means it won’t apply to other companies within the same group as the collecting organisation.
Charities and the soft opt-in
The way it’s worded in PECR means the soft opt-in only currently applies to commercial marketing of products and services. The ICO says this does not apply to the promotion of aims and ideals, for example campaigning or fundraising.
However, it could potentially apply to any commercial services or products offered. For example, if a charity has an online shop, they could use the soft opt-in to send direct marketing emails about the shop’s products, assuming all other conditions are met. In other words, the marketing could only be about products, not fundraising.
Under UK Government plans to reform data protection law and PECR it’s been proposed the soft opt-in should be extended to cover charities and political campaigning. (At time of writing, with the current political turmoil, the future direction of the Data Protection and Digital Information Bill is not known).
For more information see: How do we use soft opt-in?
An important point to highlight here, if you’re using the soft opt-in, you’ll be relying on Legitimate Interests as your lawful basis to process personal data for this activity under UK GDPR. This would therefore be subject to a balancing test – a Legitimate Interests Assessment. This is covered in the guidance under: What else do we need to consider?
D. Hosted email campaigns
The guidance doesn’t use the term ‘hosted’ email campaigns, but mentions how both the sender and the instigator of direct marketing by electronic mail will be responsible for complying with PECR.
It says you’re likely to be instigating if you encourage, incite, incentivise or ask someone else to send electronic mail containing your direct marketing message.
We can take from this that if you ask another company to send your marketing messages to their customers, or you send a third-party’s marketing to your customers, the rules under PECR will apply.
The ICO doesn’t spell it out, but it’s clear it would not be possible to meet the conditions of the soft opt-in, and therefore consent would be required.
For more information see: Who is responsible?
It’s not unusual for companies to include an element of third-party marketing within their email campaigns, where this is perhaps not the main purpose. For example a travel company might include details of hire car companies within its own marketing messages.
The ICO has previously issued a fine to the Brexit Leave Campaign for including a promotion for an insurance company. In this case the promotion was totally unrelated to the content people might have expected to receive.
Where third-party content is incidental and relevant to the product or service, people are less likely to complain. Some companies may choose to take a risk-based approach here, balancing their commercial imperatives with the arguably lower likelihood of regulator enforcement action. A stand-alone message about a third party’s products and services would carry greater risks.
We’d stress here we do not know what stance the ICO would take should a complaint arise about a campaign which included some relevant and useful content promoting a third party.
E. Using bought-in lists
The message is clear – in order to use bought-in lists for electronic mail marketing to individual subscribers, the ICO says people must have given their consent to receive such marketing from your organisation. The ICO’s separate consent guidance states: Name any third party controllers who will rely on the consent.
For more information see: Can we use bought-in lists?
F. Viral marketing and refer-a-friend
The ICO says you must comply with the PECR rules if you engage in viral marketing, ‘refer a friend’ or ‘tell a friend’ campaigns. It’s stated: This applies even if you don’t send the messages yourself, but instead instigate the sending or forwarding of these messages.
For the Regulator to consider you the ‘instigator’, just encouraging someone to send or forward the message is enough.
Essentially the ICO says encouraging customers to forward your emails or texts is a non-starter. You don’t have consent from the recipients, and you can’t rely on the soft opt-in.
However, the ICO says you can take steps to avoid being an instigator, such as:
- Don’t create pre-populated emails for marketing which customers can send their friends and family
- Avoid actively encouraging customers to forward on an email or text. (If they do it without being encouraged to, the PECR rules wouldn’t apply).
An example is given of a customer logging into their account which includes information about a rewards scheme for friends and family. This explains, if friends or family input the customer’s unique code when signing up to the company’s services, the customer will get a discount on their bill. The ICO says this approach would be okay.
The guidance doesn’t cover viral marketing via social media. We’re presuming the rules would only apply if you sent this as a private message encouraging people to forward it, as opposed to posting something let’s say on a forum.
For more information see: Can we ask people to send our electronic mail marketing?
G. Using publicly available contact details
The ICO says it’s unlikely you can use contact details sourced indirectly from social media accounts, websites or other online or offline sources for electronic marketing. The reason being you can’t comply with PECR as you won’t have their consent and can’t rely on the soft opt-in.
The guidance makes it clear an exception would be where these are business contact details, where the requirement for consent or soft opt-in doesn’t apply. (We take this to mean ‘corporate subscribers’).
For more information see: Can we use publicly available contact details to send marketing by electronic mail?
The above is a summary of the guidance and we’d encourage you to read the full guidance, or at least any areas specifically relevant to your organisation. In saying this, I’d recommend not taking aspects of the guidance in isolation. If you’re relying on consent, read the ICO’s consent guidance. If you are relying on soft opt-in read guidance on legitimate interests.
I’d also highly recommend making sure you have tailored marketing guidance (or a policy) for employees (and/or your marketing agency). Training for specific teams is also likely to improve awareness and knowledge. A great way to prevent unnecessary mistakes.
Relevant teams should understand the rules and your internal approach. It’s clear in recent PECR fines the ICO sometimes discovers there is insufficient guidance given to staff.
Alongside this guidance on electronic marketing mail, the ICO has also published guidance on live telemarketing.
I think we can take from these specific pieces of guidance the Direct Marketing Code of Practice has been pushed further into the long grass. The draft consultation published back in 2020 is clearly on the backburner, perhaps until there’s a clearer picture of what is, or isn’t happening, with UK data reform?