UK telemarketing rules

November 2023

How to avoid falling foul of the rules for marketing calls

Hardly a month goes by without the UK’s Information Commissioner’s Office (ICO) fining another company for breaking the telemarketing rules under the Privacy and Electronic Communications Regulations (PECR).

I’m sure all of us have been on the receiving end of a dodgy call. The favourite, ‘have you recently been involved in an accident?’, springs to mind.

Tackling nuisance calls is clearly a key priority for the Regulator, so how do bona fide businesses avoid being tarred with the same brush as the rogue operators?

6-point telemarketing guide

1. Service vs marketing calls

The definition of direct marketing covers any advertising or promotional material directed at particular individuals. Routine customer service calls don’t count as direct marketing.

But if you’re treating a call as a service call (and not applying the marketing rules under PECR) you need to be careful the script / call guide and what your call handlers say in practice doesn’t stray into the realms of trying to get customers to buy extra products, services or to upgrade or renew contracts.

A Trade Union was fined in 2021 for not screening numbers against the TPS. The Union didn’t believe its calls were direct marketing, but the ICO judged they were. Just because you believe you’re acting in good faith doesn’t mean you are. (See: Marketing messages and service messages.)

2. Consent or Legitimate Interests?

Telephone numbers which can directly or indirectly identify an individual are personal data and fall under the scope of UK GDPR. For example, when using someone’s personal or work mobile, direct line business number or home landline you’ll need to comply with both UK GDPR and PECR.

You’ll need to decide whether to rely on consent or legitimate interests as your lawful basis under UK GDPR to make telemarketing calls to people. In brief:

  • Consent: make sure this meets the requirement to be a specific, informed, unambiguous indication of someone’s wishes made with a positive action (e.g. an opt-in). Keep records of consent (including, if relevant, the script used) and make sure withdrawing consent is as easy as giving it. (See: Consent – getting it right.)
  • Legitimate Interests: conduct a Legitimate Interests Assessment (LIA), keep a record of this assessment and be sure to provide people with a way to opt out of future calls. (See: Legitimate interests – is it legit?)

3. Live marketing calls to individuals

Below are the key rules to follow:

  • Don’t make marketing calls to anyone who’s told you they don’t want to hear from you. Keep a suppression file of all objections to telemarketing, and screen your campaigns against this internal ‘do not call list’.
  • Don’t make marketing calls to anyone registered with the Telephone Preference Service, unless you’ve collected consent to call them.
  • Say who’s calling – i.e. clearly state the name of your organisation.
  • Always display your number (or an alternative contact number).
  • Provide an address or freephone contact number if asked.
  • Make it easy to opt-out of further calls.

4. Remember sector specific rules

Stricter rules apply if you’re making calls about claims management or pension schemes. For claims management services you must have consent. For calls about pension schemes, you must have consent unless:

  • You are a trustee/manager of a pension scheme; or
  • A firm authorised by the Financial Conduct Authority; or
  • Your relationship with the individual meets strict criteria.

5. Automated calls

When using automated dialling systems which play a recorded message, the rules are very strict:

  • You must have specific consent from individuals indicating they’re okay to receive automated calls; and
  • calls must include your organisation’s name and a contact address or freephone number; and
  • you must display your number (or an alternative contact number).

In practice, these consent rules make genuine compliant automated calls very difficult.

6. Marketing/sales calls to business numbers

The rules under the UK’s PECR are the same for calling businesses as they are for individuals.

  • You can call any business that has specifically consented to your calls. Or, and most commonly…
  • You can make live calls to any business number which is not registered with the TPS or the Corporate Telephone Preference Service (CTPS). But only if they haven’t objected to your calls and you’re not calling about claims management services.

The reason screening against both TPS and CTPS is necessary (if you don’t have consent), is sole traders and some partnerships may have registered with the TPS.
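Sections 3 and 6 both come down to the same mechanical check: normalise every number in the campaign file, then test it against your own objection list, the TPS, the CTPS and your consent records, in the right order of precedence. The following is an added example of that screening logic, not code from the article or from any real dialler or TPS subscription service. It assumes the TPS/CTPS files and your CRM objections have already been loaded into sets of normalised numbers; the sample lists and campaign rows are constructed using Ofcom’s reserved drama number ranges (07700 900xxx and 020 7946 0xxx), so none of them belong to a real subscriber.

```python
# Added example: screening a call list against the suppression sources
# described above (internal objections, TPS, CTPS, consent). Not code from
# the article or from any real dialler; the list contents are constructed.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def normalise_uk_number(raw: str) -> Optional[str]:
    """Normalise a UK number to E.164 (+44...) so that "07700 900001",
    "+44 (0)7700 900001" and "0044 7700 900001" all hit the same list entry.
    Returns None for anything that does not look like a UK number."""
    digits = re.sub(r"[^\d+]", "", raw)
    if digits.startswith("+44"):
        national = digits[3:]
    elif digits.startswith("0044"):
        national = digits[4:]
    elif digits.startswith("0"):
        national = digits[1:]
    else:
        return None
    national = national.lstrip("0")  # drops a "(0)" trunk prefix after +44
    if not national.isdigit() or not 9 <= len(national) <= 10:
        return None
    return "+44" + national


@dataclass
class SuppressionLists:
    """Each set holds normalised numbers. Assumed to have been loaded from
    the TPS/CTPS subscription files and your own CRM before the campaign."""
    internal_dnc: Set[str] = field(default_factory=set)  # objections you hold
    tps: Set[str] = field(default_factory=set)
    ctps: Set[str] = field(default_factory=set)
    consent: Set[str] = field(default_factory=set)       # specific consent to call


def screen_number(raw: str, lists: SuppressionLists,
                  claims_management: bool = False) -> Tuple[bool, str]:
    """Decide whether one number may be called and why. The order matters:
    an objection beats everything, claims-management calls need consent
    regardless of TPS status, and consent overrides TPS/CTPS registration."""
    number = normalise_uk_number(raw)
    if number is None:
        return False, "unparseable number"
    if number in lists.internal_dnc:
        return False, "objected (internal do-not-call list)"
    has_consent = number in lists.consent
    if claims_management and not has_consent:
        return False, "claims management: consent required"
    if has_consent:
        return True, "consent on record"
    if number in lists.tps:
        return False, "TPS registered, no consent"
    if number in lists.ctps:
        return False, "CTPS registered, no consent"
    return True, "not registered, no objection"


def screen_campaign(numbers: List[str], lists: SuppressionLists,
                    claims_management: bool = False) -> Dict[str, list]:
    """Split a campaign file into numbers to dial and a suppression log that
    can be kept as evidence of the screening if the ICO ever asks."""
    result: Dict[str, list] = {"dial": [], "suppressed": []}
    for raw in numbers:
        ok, reason = screen_number(raw, lists, claims_management)
        if ok:
            result["dial"].append(normalise_uk_number(raw))
        else:
            result["suppressed"].append((raw, reason))
    return result


# Constructed sample data using Ofcom's reserved drama ranges (07700 900xxx,
# 020 7946 0xxx), so none of these are real subscribers.
SAMPLE_LISTS = SuppressionLists(
    internal_dnc={"+447700900001"},
    tps={"+447700900002"},
    ctps={"+442079460003"},
    consent={"+447700900002", "+447700900004"},
)
SAMPLE_CAMPAIGN = [
    "07700 900001",        # objected: never call, whatever else is true
    "+44 (0)7700 900002",  # on TPS but consented: may call
    "020 7946 0003",       # limited company on CTPS, no consent: suppress
    "07700900004",         # consented, not registered: may call
    "0044 7700 900005",    # not on any list: may call (live calls only)
    "12345",               # junk row in the file
]

if __name__ == "__main__":
    outcome = screen_campaign(SAMPLE_CAMPAIGN, SAMPLE_LISTS)
    for n in outcome["dial"]:
        print("DIAL", n)
    for raw, why in outcome["suppressed"]:
        print("SUPPRESS", raw, "-", why)
```

Run the screening on the normalised number, never on the raw string: a number written as ‘+44 (0)7700 900002’ in your CRM and ‘07700 900002’ in the TPS file is the same subscriber, and a dialler that compares the strings as typed will quietly call people who are registered. Keeping the suppression log alongside the dial list also gives you the record the ICO expects if a complaint lands.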

Applicable laws for telemarketing

PECR gives us the rules for telemarketing calls in the UK and the ICO has published telemarketing guidance. As well as complying with PECR you should comply with UK GDPR for your handling of personal data.

The rules differ in other countries, so check local laws if your telemarketing extends to calling people in other territories. Many countries have a ‘do not call’ register similar to the Telephone Preference Service.

There are also specific rules under PECR for email marketing messages, see UK email marketing rules.

Marketing messages and service messages

September 2023

How to avoid falling foul of the PECR rules

Many businesses need to send important or essential messages to their customers by email or SMS, or may telephone them. But if the content of these messages strays into becoming promotional in nature, the marketing rules under the UK’s Privacy and Electronic Communications Regulations (PECR) will apply.

The Information Commissioner’s Office has issued a number of fines over the years where marketing messages have been ‘disguised’ as service messages. I’ve included a few examples below.

The risk for businesses is it can take just one, or a handful of complaints to cause a problem.

What’s a service message?

Essentially, a service message is a communication sent to individuals purely for administrative or customer service reasons. Such messages must be neutral in tone, providing just important and necessary information.

The ICO tells us these must not include any advertising or promotional materials and that the key is in the ‘phrasing, tone and context’.

Pure service messages can be sent to everyone provided they only contain essential factual information for your customer. Some examples would include:

  • confirming an order/purchase
  • confirming a delivery date/time
  • providing necessary event information when someone has purchased a ticket (free or paid for)
  • notifying people you require certain information to comply with the law, for example, an airline requesting passport information before an overseas flight
  • informing service users about essential changes, for example, telling leisure centre members the swimming pool has been unexpectedly closed
  • communicating changes to the terms and conditions of a contract or agreement the individual has with you, or material changes to privacy information

What’s a marketing message?

If a message is actively promoting or encouraging an individual to make use of a particular service, a special offer, or upgrade for example, then it is likely to be direct marketing. This would include where part but not all of the message, or phone call, is of a promotional nature.

The Data Protection Act 2018 defines direct marketing as: the communication (by whatever means) of advertising or marketing material which is directed to particular individuals. A definition which applies under PECR.

It’s a broad definition and covers any advertising, marketing or promotion of products and services directed at a specific individual or individuals. It also includes promoting aims and ideals, so covers fundraising and campaigning.

Regulatory communications

Some businesses, for example in the financial sector, will be required by a statutory regulator such as the Financial Conduct Authority to make people aware of specific information.

The ICO has published direct marketing and regulatory communications guidance. Again it depends on the context and tone of the message, but some examples are provided of messages which are unlikely to count as direct marketing.

  • give advance warning of changes to terms, conditions or tariffs
  • explain about statutory complaint or compensation schemes
  • warn about fraud and how to report it
  • remind people of how to get in touch if they are struggling with payments
  • provide offers of support for those customers most at risk of harm.

Where businesses have got it wrong

Navigating the line between service messages and marketing messages can be tricky, as the following companies discovered.

We all have feet of clay; I’m sure many other organisations are shimmying along this regulatory tightrope. Some consciously pushing the boundaries, others inadvertently breaking the rules.

American Express

In 2021 AMEX was fined £90,000 for sending 4 million emails, which were judged to fall under the definition of direct marketing, to customers who’d not given their consent or who’d opted out of marketing.

The nature of these emails ranged from encouraging people to download the AMEX app, to how to make the most of an AMEX card, rewards and offers, how to earn more rewards by referring friends, getting an improved rate on cashback, and so on.

The key here is AMEX’s decision to internally classify these emails as ‘service’ messages, which is why customers who’d opted out / objected to marketing still received them. The ICO disagreed and determined these were direct marketing, and marketing opt-outs should have been applied.

And just to be clear, in this case the ICO found AMEX hadn’t deliberately flouted the rules but did find them to be negligent.

In its defence AMEX said the emails were an integral part of the service they provide to AMEX customers. Their argument was that a crucial aspect of being an AMEX customer was taking advantage of member benefits. They said this was cited by customers as one of the primary reasons for having an AMEX card. AMEX therefore determined these messages were necessary and “required to be sent based on legal and contractual requirements”.

The ICO however assessed the content of the emails and found the following:

  • The emails encouraged customers to use their AMEX credit cards to make purchases or, in specific cases, download an app
  • The emails were clearly of an advertising and promotional nature
  • None were “neutrally worded and purely administrative”

Whatever their stated purpose internally, the ICO found the email content fell under the definition of direct marketing. The emails were aimed at encouraging customer actions from which AMEX would financially gain.

The penalty notice reveals AMEX received twenty-two complaints about ‘service’ emails during the period investigated. Five people complained directly to the ICO, some after initially raising their concerns with AMEX (but not all). It’s also worth noting some people complained because AMEX refused to let them opt-out because they viewed the messages as service ones not requiring an opt-out capability.

What struck me was the tiny percentage of complainants, especially when you consider AMEX sent out four million emails. (Admittedly this figure is likely to include repeated emails to the same individuals).

It starkly illustrates how only a few complaints can cause a world of pain. (There have been cases in the past based on a single complaint).

Halfords

In 2022 the ICO fined Halfords £30,000 for sending half a million emails without consent. This case shows how just one complaint directly to the ICO triggered unwelcome scrutiny.

Halfords sent an email campaign to customers letting them know about a Government ‘Fix your Bike’ scheme during the Covid pandemic, whereby cyclists could take advantage of a voucher towards repairs. A voucher which could be used with any of a list of approved repairers or mechanics.

This was sent to customers who had opted out of marketing in the past and the email contained a disclaimer stating: ‘This is a service message and does not affect your marketing opt-in status.’ The email didn’t include an unsubscribe link.

In exchanges with the ICO, Halfords claimed they were acting in the public interest to support a Government scheme in a one-off campaign during the pandemic. Halfords also pointed to the fact that 3,700 people took up the opportunity to claim the voucher, and only received seven complaints themselves from almost half a million ‘service’ messages.

However the ICO said the content of the email promoted Halfords, and was therefore a marketing message.

  • It was found to imply a connection between Halfords and the scheme, emphasising the service provided by Halfords.
  • People were told to “Visit halfords.com to find out more now”. The regulator said this not only signposted individuals to the company’s website but included ‘a sense of urgency in the messaging, which is a typical marketing strategy.’

The enforcement notice reveals how much information companies need to provide when they end up on the ICO’s radar.

  • There was an initial lack of clarity about the numbers of emails delivered/received
  • No policies and procedures existed to guide staff in respect of PECR

It goes to show it’s all very well to have a Data Protection Policy, but having specific marketing guidelines shouldn’t be overlooked.

What lessons can we learn?

It pays to carefully scrutinise any service messages which may be in danger of crossing the line. Give your staff clear policies/guides on the marketing rules and your internal approach.

These cases and others before it, show the ICO takes a strict interpretation and a handful of complaints can put you firmly in their sights.

ICO issues fine for invalid marketing consent

April 2023

How do we make sure the consent we collect is compliant?

The ICO has issued a £130,000 fine to a company which operated five recruitment websites. Join the Triboo (JTT) was found to have failed to collect valid consent for email marketing communications and in the words of the regulator, ‘bombarded people with spam emails’.

What did JTT get wrong?

It was ruled there was a failure to meet the requirements for consent to be a ‘freely given, specific, informed and unambiguous’ indication of someone’s wishes. Statements used to collect ‘consent’ were judged to neither be informed, nor specific.

One ‘consent’ statement used stated ‘I agree to marketing activity’. Perhaps unsurprisingly, this was judged as not clearly telling people what types of communications subscribers could expect to receive, by what means, or from whom. The privacy policy stated marketing might be carried out on behalf of ‘third parties’ who operate in ‘any business sector’.

Another statement referred to emails on behalf of ‘selected companies’ and contained broad categories including ‘general’.

Again, the ICO ruled this could not be considered specific or informed, and jobseekers using JTT-operated websites weren’t given enough information to understand what they were consenting to.

Do we have to name third parties which rely on the consent we collect for them?

Interestingly, the enforcement notice in this case does not specifically spell out that third parties relying on consent must be named. It states:

Consent is required to be “specific” as to the type of marketing communication to be received, and the organisation, or specific type of organisation, that will be sending it.

It’s not clear if the use of the term ‘specific type of organisation’ marks a shift in the Regulator’s stance to date, that named consent is always required. The ICO’s consent guidance states; ‘Name any third party controllers who will rely on the consent’.

What does valid consent look like?

The ICO’s guidance on consent sets out its expectations of what constitutes valid consent. To summarise:

  • A consent request must be prominent and separate from terms & conditions
  • People must take a positive action to opt in
  • Pre-ticked boxes must not be used
  • Clear and plain language must be used
  • It should be clear what we will use the data collected for
  • Any other organisation relying on consent must be named
  • People should be told, when they give their consent, they can withdraw it at any time
  • Consent shouldn’t be a precondition of a service

Here at the DPN we use the following statement to collect consent for our email newsletter. We’re pretty confident we’ve followed the ICO’s checklist.

SIGN UP FOR OUR NEWSLETTER
DPN updates direct to your inbox. Get insight, free resources, events & services from DPN Associates (publishers of DPN). All our emails have an opt-out. For more information see our Privacy Statement.

A box is provided to enter an email address and a positive action is taken when clicking the ‘Subscribe’ button.

Is consent always needed for email marketing?

The short answer is no. There’s an exemption to consent for business-to-consumer email marketing known as the soft opt-in, which can be legally used if specific conditions are met. This exemption was not applicable in the JTT case.

Email marketing by a business to its business contacts is also permitted without consent (provided the requirements for a legitimate interest are met).

When not relying on consent, the lawful basis for processing data for marketing purposes under UK GDPR will be legitimate interests.

The rules for direct marketing by electronic means are governed by the Privacy and Electronic Communications Regulations (PECR). When PECR tells us we need consent, this consent must meet the UK GDPR standard. The ICO has recently updated its direct marketing guidance.

Quick takeaways

  • Be clear about what you’re asking people to consent to – what type of marketing can they expect to receive?
  • Tell people which media communications channel you will use. If you’re going to send people marketing by email, make this clear.

For more detail see the ICO enforcement notice.

ICO direct marketing guidance for email and other electronic mail

October 2022

The rules and regulatory expectations spelt out

The ICO has published guidance specifically outlining the rules for direct marketing using electronic mail. The guidance clarifies the position the regulator takes on consent, the soft opt-in, refer-a-friend campaigns, hosted emails, using bought-in lists and more.

The guidance specifically focuses on direct marketing by electronic mail to individuals (‘individual subscribers’). The term ‘electronic mail’ covers email, text, picture, video, voicemail, and in-app messages, as well as sending people direct private messages via social media.

The rules for sending direct marketing by electronic mail are covered by the UK’s Privacy and Electronic Communications Regulations (PECR). We’re also reminded to comply with UK GDPR if we’re handling personal data.

This summary covers the core rules under PECR, as set out in the guidance, picks up on specific areas where the ICO has clarified its position and includes an occasional soupçon from me.

Where italics are used, this is text lifted from the guidance itself – so the regulator’s words not mine.

A. Core direct marketing rules and definitions

Options for electronic direct marketing messages

PECR says you can only send direct marketing by electronic mail if:

  • You have consent; or
  • you can meet all of the requirements of the ‘soft opt-in’.

I’d just stress, this means the consent of the individuals the message is targeted at.

Importantly it’s made clear these rules only apply to what are termed ‘individual subscribers’. It says, you can send electronic mail marketing to a corporate subscriber without needing to comply with the above requirements.

The following definitions are given:

  • Corporate subscribers are corporate bodies with separate legal status (eg companies, limited liability partnerships, Scottish partnerships).
  • Individual subscribers are people but also include some types of businesses (eg sole traders and some types of partnerships).

Another way to put this is individual subscribers are people who’ve signed up to the email service provider themselves.

I’d also just add, where you don’t have consent for business-to-business marketing – marketing to corporate subscribers – you’d be relying on Legitimate Interests under UK GDPR. Legitimate Interests is subject to a balancing test, so it’s wise to conduct a written assessment (Legitimate Interests Assessment).

What constitutes direct marketing?

The Data Protection Act 2018 defines direct marketing as: “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. A definition which applies under PECR too.

It’s a broad definition and covers any advertising, marketing or promotion of products and services. It also includes promoting aims and ideals, so covers fundraising and campaigning.

This latest guidance says: “The definition doesn’t cover online advertising (eg advertisements placed on websites). It also doesn’t cover some types of direct marketing using social media (eg advertising messages shown on news feeds). This is even when organisations target these advertisements to a particular user of the site or platform.”

We’d point out targeted online advertising would still fall under PECR rules where you’re using cookies and similar technologies.

For more information see: What is direct marketing?

Service messages

Messages sent for purely administrative or necessary customer service purposes are not considered direct marketing. However, if such messages include any promotional content, they’ll be considered direct marketing.

The ICO regularly issues fines where organisations have intentionally, or unintentionally, disguised marketing messages as service ones. An area I’ve written about before; Another ICO fine for a ‘service’ email deemed to be marketing.

Organisations have even been fined for sending messages asking people (who haven’t given permission or who’ve opted out) to confirm their marketing preferences. This in itself is judged to be direct marketing.

Solicited messages

If a customer specifically asks for information about your products and services, responding with the information requested will be considered a solicited message and won’t fall under the definition of direct marketing.

B. What constitutes valid consent?

There are specific requirements which the ICO says must be met for consent to be valid.

  • you must give people a free choice to consent so that they can refuse without detriment and you must keep the consent separate from other things, such as terms and conditions (‘freely given’);
  • you must make it clear that the consent covers your electronic mail marketing messages and you must give your name in the consent request (‘specific and informed’);
  • you must have no doubt that they are consenting to your electronic mail marketing messages (unambiguous indication); and
  • they must take a positive action to consent, so you must not use pre-ticked opt-in boxes, silence or inactivity as an indicator of consent (clear affirmative action).

You should keep a record of the consent (e.g. who, when, how) so that you can demonstrate that it is valid. People can also withdraw consent and you must make it easy for people to do this.

For more information see: How do we use consent?

At DPN we’d recommend any permission statement also includes a clear link to your privacy notice. This is so you can be confident you meet UK GDPR requirements to provide privacy information when personal data is collected.

C. Using the soft opt-in

The guidance reiterates all of the following conditions must be met to compliantly rely on this exemption to consent.

  • You want to send marketing by electronic mail to individual subscribers (includes sole traders and some types of partnerships).
  • You collected their contact details directly from them.
  • You collected their details during a sale, or negotiations for a sale, of your products and services.
  • You want to use their details to send them marketing about your similar products and services.
  • You gave them a clear, simple way to opt out, or say no to your marketing, when you collected their details.
  • You give them a clear, simple way to opt out, or change their mind about your marketing, in each message you send.

Just to be very clear on the fifth point, you must tell people you want to send them marketing, and give them the ability to say no.

What constitutes a ‘sale’?

Currently, the soft opt-in under PECR specifically uses the word “sale” and refers to “products and services”. The ICO says this means the soft opt-in doesn’t apply to details collected where there’s no sale (or such a negotiation), or where there are no products or services involved.

For “negotiations for a sale” to be triggered the ICO says the customer must actively express an interest in buying your products or services. Examples given include:

  • A request for a quote
  • Specifically asking for more details about what you offer
  • Signing up for a free trial

The ICO says: The communication from the person must involve buying products or services. It’s not enough for someone to send any type of query.

What about other companies in the same group?

The ICO considers use of the soft opt-in to be only available to the same entity or single organisation that originally collected the contact details. It says this means it won’t apply to other companies within the same group as the collecting organisation.

Charities and the soft opt-in

The way it’s worded in PECR means the soft opt-in only currently applies to commercial marketing of products and services. The ICO says this does not apply to the promotion of aims and ideals, for example campaigning or fundraising.

However, it could potentially apply to any commercial services or products offered. For example, if a charity has an online shop, they could use the soft opt-in to send direct marketing emails about the shop’s products, assuming all other conditions are met. In other words, the marketing could only be about products, not fundraising.

Under UK Government plans to reform data protection law and PECR it’s been proposed the soft opt-in should be extended to cover charities and political campaigning. (At time of writing, with the current political turmoil, the future direction of the Data Protection and Digital Information Bill is not known).

For more information see: How do we use soft opt-in?

An important point to highlight here, if you’re using the soft opt-in, you’ll be relying on Legitimate Interests as your lawful basis to process personal data for this activity under UK GDPR. This would therefore be subject to a balancing test – a Legitimate Interests Assessment. This is covered in the guidance under: What else do we need to consider?

D. Hosted email campaigns

The guidance doesn’t use the term ‘hosted’ email campaigns, but mentions how both the sender and the instigator of direct marketing by electronic mail will be responsible for complying with PECR.

It says you’re likely to be instigating if you; encourage, incite, incentivise or ask someone else to send electronic mail containing your direct marketing message.

We can take from this that if you ask another company to send your marketing messages to their customers, or you send a third-party’s marketing to your customers, the rules under PECR will apply.

The ICO doesn’t spell it out, but it’s clear it would not be possible to meet the conditions of the soft opt-in, and therefore consent would be required.

For more information see: Who is responsible?

It’s not unusual for companies to include an element of third-party marketing within their email campaigns, where this is perhaps not the main purpose. For example a travel company might include details of hire car companies within its own marketing messages.

The ICO has previously issued a fine to the Brexit Leave Campaign for including a promotion for an insurance company. In this case the promotion was totally unrelated to the content people might have expected to receive.

Where third-party content is incidental and relevant to the product or service, people are less likely to complain. Some companies may choose to take a risk-based approach here, balancing their commercial imperatives with the arguably lower likelihood of regulator enforcement action. A stand-alone message about a third party’s products and services would carry greater risks.

We’d stress here we do not know what stance the ICO would take should a complaint arise about a campaign which included some relevant and useful content promoting a third party.

E. Using bought-in lists

The message is clear – in order to use bought-in lists for electronic mail marketing to individual subscribers, the ICO says people must have given their consent to receive such marketing from your organisation. The ICO’s separate consent guidance states; Name any third party controllers who will rely on the consent.

For more information see: Can we use bought-in lists?

F. Viral marketing and refer-a-friend

The ICO says you must comply with the PECR rules if you engage in viral marketing, ‘refer a friend’ or ‘tell a friend’ campaigns. It’s stated: This applies even if you don’t send the messages yourself, but instead instigate the sending or forwarding of these messages.

For the Regulator to consider you the ‘instigator’, just encouraging someone to send or forward the message is enough.

Essentially the ICO says encouraging customers to forward your emails or texts is a non-starter. You don’t have consent from the recipients, and you can’t rely on the soft opt-in.

However, the ICO says you can take steps to avoid being an instigator, such as:

  • Don’t create pre-populated emails for marketing which customers can send their friends and family
  • Avoid actively encouraging customers to forward on an email or text. (If they do it without being encouraged to, the PECR rules wouldn’t apply).

An example is given of a customer logging into their account which includes information about a rewards scheme for friends and family. This explains, if friends or family input the customer’s unique code when signing up to the company’s services, the customer will get a discount on their bill. The ICO says this approach would be okay.

The guidance doesn’t cover viral marketing via social media. We’re presuming the rules would only apply if you sent this as a private message encouraging people to forward it, as opposed to posting something let’s say on a forum.

For more information see: Can we ask people to send our electronic mail marketing?

G. Using publicly available contact details

The ICO says it’s unlikely you can use contact details sourced indirectly from social media accounts, websites or other online or offline sources for electronic marketing. The reason being you can’t comply with PECR as you won’t have their consent and can’t rely on the soft opt-in.

The guidance makes it clear, an exception would be where this is business contact details, where the requirement for consent or soft opt-in doesn’t apply. (We take this to mean ‘corporate subscribers’).

For more information see: Can we use publicly available contact details to send marketing by electronic mail?

The above is a summary of the guidance and we’d encourage you to read the full guidance, or at least any areas specifically relevant to your organisation. In saying this, I’d recommend not taking aspects of the guidance in isolation. If you’re relying on consent, read the ICO’s consent guidance. If you are relying on soft opt-in read guidance on legitimate interests.

I’d also highly recommend making sure you have tailored marketing guidance (or a policy) for employees (and/or your marketing agency). Training for specific teams is also likely to improve awareness and knowledge. A great way to prevent unnecessary mistakes.

Relevant teams should understand the rules and your internal approach. Recent PECR fines make clear the ICO sometimes finds staff have been given insufficient guidance.

Alongside this guidance on electronic mail marketing, the ICO has also published guidance on live telemarketing.

I think we can take from these specific pieces of guidance that the Direct Marketing Code of Practice has been pushed further into the long grass. The draft consultation published back in 2020 is clearly on the backburner, perhaps until there’s a clearer picture of what is, or isn’t, happening with UK data reform.

Is your marketing profiling lawful, fair and transparent?

October 2022

ICO fines catalogue retailer £1.35 million for ‘invisible processing’

Many companies want to know their customers better. This is not a bad thing. Information gathered about people is regularly used for a variety of activities including improving products and services, personalisation or making sure marketing campaigns are better targeted.

However, the significant fine dished out to catalogue retailer Easylife highlights why companies need to be transparent about what they do, have a robust lawful basis, be careful about making assumptions about people and take special care with special category data.

It also shows that profiling is not limited to the realms of online tracking and the adtech ecosystem; it can be a much simpler activity.

What did the catalogue retailer do?

Easylife had what were termed ‘trigger products’ in its Health Club catalogue. If a customer purchased a certain product, it triggered a marketing call to the individual to try and sell other related products. This was done using a third-party call centre.

Using previous transactions to tailor future marketing is not an unusual marketing tactic, often referred to as ‘NBA – Next Best Action’. The key in this case is Easylife inferred customers were likely to have certain health conditions based on their purchase of trigger products.

For example, if a customer bought a product which could be associated with arthritis, this triggered a telemarketing call to try and sell other products popular with arthritis sufferers – such as glucosamine and bio-magnetic joint patches.

Data relating to medical conditions, whether provided by the individual or inferred from other data, is classified as special category data under data protection law and handling this type of data requires special conditions to be met.

The ICO’s ruling

To summarise the ICO’s enforcement notice, Easylife was found to have failed to:

  • have a valid lawful basis for processing
  • meet the need to have an additional condition for processing special category data
  • be transparent about its profiling of customers

It was found to have conducted ‘invisible processing’ of 145,000 customers.

There were no complaints raised about this activity; it only came to light due to a separate ICO investigation into contraventions of the telemarketing rules. The ICO says it wasn’t surprised no one had complained, as people just wouldn’t have been aware this profiling was happening, due to the lack of transparency.

It just goes to show ICO fines don’t always arise as a result of individuals raising complaints.

Key findings

Easylife argued it was just processing transactional data. The ICO ruled when this transactional data was used to influence its telemarketing decisions, it constituted profiling.

The ICO said while data on customer purchases constituted personal data, when this was used to make inferences about health conditions, this became the processing of special category data. The ICO said this was regardless of the statistical confidence Easylife had in the profiling it had conducted.

Easylife claimed it was relying on the lawful basis of Legitimate Interests. However, the Legitimate Interests Assessment (LIA) the company provided to the ICO during its investigation actually related to a previous activity, in which health related data wasn’t used.

When processing special category data organisations need to make sure they not only have a lawful basis, but also comply with Article 9 of UK GDPR.

The ICO advised the appropriate basis for handling this special category data was with the explicit consent of customers. In other words legitimate interests was not an appropriate basis to use.

Easylife was found to have no lawful basis, nor a condition under Article 9.

It was ruled there was a lack of transparency; customers hadn’t been informed profiling was taking place. Easylife’s privacy notice was found to have a ‘small section’ which stated how personal data would be used. This included the following:

  • Keep you informed about the status of your orders and provide updates or information about associated products or additional products, services, or promotions that might be of interest to you.
  • Improve and develop the products or services we offer by analysing your information.

This was ruled inadequate and Easylife was found to have failed to give enough information about the purposes for processing and the lawful bases for processing.

The ICO’s enforcement notice points out it would have expected a Data Protection Impact Assessment (DPIA) to have been conducted for the profiling of special category data. This had not been done.

The Data Processing Agreement between Easylife and its processor, the third-party call centre, was also scrutinised. While it covered key requirements such as confidentiality, security, sub-contracting and termination, it failed to indicate the types of personal data being handled.

Commenting on the fine, John Edwards, UK Information Commissioner, said:

“Easylife was making assumptions about people’s medical condition based on their purchase history without their knowledge, and then peddled them a health product – that is not allowed.

The invisible use of people’s data meant that people could not understand how their data was being used and, ultimately, were not able to exercise their privacy and data protection rights. The lack of transparency, combined with the intrusive nature of the profiling, has resulted in a serious breach of people’s information rights.”

Alongside the £1.35 million fine, Easylife was fined a further £130,000 under PECR for making intrusive telemarketing calls to individuals registered on the Telephone Preference Service. Currently the maximum fine for contravening the marketing rules under PECR is £500,000, much lower than the potential fines under DPA 2018/UK GDPR.

Update March 2023: The ICO announces reduction in GDPR fine from £1.35 million to £250,000.

6 key takeaways

1. If you are profiling your customers, try to make sure this is based on facts. Making the type of assumptions Easylife was making will always carry risks.

2. Be sure to be transparent about your activities. This doesn’t mean you have to use the precise term ‘profiling’ in your privacy notice, but the ways in which you use personal information should be clear.

3. Make sure you clearly state the lawful bases you rely upon in your privacy notice. It can be helpful and clear to link lawful bases to specific business activities.

4. If you’re processing special category data, collected directly or inferred from other data, make sure you can meet a condition under Article 9. For marketing activities the only option is explicit consent.

5. If you’re conducting profiling using special category data, carry out a DPIA.

6. Always remember the marketing rules under PECR for whatever marketing channel you’re using. For telemarketing, if you don’t have the consent of individuals, be sure to screen lists against the TPS.

Consumers increasingly comfortable sharing data

March 2022

Trust and transparency remain fundamental drivers

In the modern data-driven economy, businesses need people to share their data. Marketers need to understand what makes their audience tick and be willing to share.

But how important is trust in the data exchange? How do attitudes to data sharing differ across international borders and between age groups?

New research shows people increasingly understand the benefits of sharing their data; a clear value exchange has never been more important. Younger people are shown to have fewer privacy concerns than older generations.

These are just some of the findings of the ‘Global Data Privacy: What the Consumer Really Thinks 2022’ research report. The report represents 28 marketing associations whose reach stretches to more than half the world’s population, including the UK Data & Marketing Association (DMA). The latest findings build on previous studies, giving us useful trends over the past decade.

Here are some key points from the global and UK-specific reports.

Rise of the ‘unconcerned’

The research categorises people into three groups:

  • Data unconcerned – people who have little or no concerns about their data privacy. The UK report shows a notable rise in this group, almost doubling over the past decade from 16% in 2012 to 31% in the latest study. So nearly a third of consumers are not unduly concerned about their privacy.
  • Data pragmatists – people who are happy to share data with businesses as long as there’s a “clear benefit in doing so”. This group still makes up the largest group of consumers, but has declined in the past decade from 53% to 46%.
  • Data fundamentalists – people who are unwilling to share their personal information, or highly cautious about doing so. This group is in decline, reducing in the past decade from 31% to 23%.

The chart in the original article (captioned ‘Data unconcerned’) illustrates these UK trends over the last 10 years.

Younger people are most comfortable sharing their data

Growing numbers of consumers claim to feel more comfortable with the idea of exchanging personal information with companies, although there’s a significant variation across age groups.

Younger people (18-44) are most likely to feel comfortable sharing data. However those aged 55+ have actually become less comfortable sharing data.

Trust and transparency remain fundamental

Trust in an organisation remains the most important factor driving consumer willingness to share personal information. This comes significantly above factors such as product/service benefits, price and value perceptions.

The chart in the original article (captioned ‘Trust remains vital’) shows UK trends for the factors driving consumers to share their data.

Consumers continue to seek transparency. Today, 77% of global consumers claim that transparency around how their data is collected and used is important to them.

Industry is still seen to benefit more than consumers from the data economy

The majority of consumers globally see data exchange as essential for the running of society. Over half (53%) of consumers across all markets agreed ‘the exchange of personal information is essential for the smooth running of modern society’.

However, consumers globally continue to believe that industry benefits more than they do from data sharing, despite a small shift towards greater value being perceived by consumers. On average (across the 10 trended markets) 71% of consumers believe that ‘industry benefits more from data sharing’. In general, younger people tend to be more likely to understand and recognise the benefits from sharing their data.

This suggests we still have a long way to go to truly enable consumers to fully realise the benefits from sharing their data, or they could see this as an unfair trade.

Importance of the data exchange

The findings once again illustrate the importance of the data exchange – the moment when businesses request or otherwise collect personal data from individuals. Whilst increasingly many consumers understand the intrinsic value of their data, they want easy access to clear information about how their data will be used and need to understand what product, service or value benefits they’ll get from sharing it.

The age profile of your customers is crucial here. It’s clear businesses need to work hard to win trust and provide clear information for older age groups.

Alex Hazell, Head of Privacy and Legal at Acxiom (the DMA’s UK research partner), said:

‘We must drive home the value exchange between brands and people – in other words, strive harder to help people understand what they receive in return for sharing their data. For marketers, we must continue to make that value clear, whether it’s in more straightforward scenarios like relevant discounts and offers, or in more complex processing such as cross domain personalised experiences that surprise and delight.’

Concerns about online privacy remain, although reduced

As the digital economy has expanded and matured, more and more consumers are engaging with online data exchange. The proportion of UK consumers who claim to have ‘high levels of concerns’ about online privacy has fallen to 69%.

Younger consumers want to support smaller businesses

The role data sharing can play in driving more competitive economies is a compelling reason for many UK consumers to share personal information. 52% of UK consumers stated they would be more likely to exchange personal data to provide a competitive advantage to smaller companies. This sentiment was most pronounced for the under 45s.

DMA Chief Executive Chris Combemale gave a summary of the UK findings:

“Overall, concern with data privacy is in decline, while the levels of happiness with the amount of data shared and comfort with the notion of data exchange are on the rise. In addition, public awareness and understanding of the role that data exchange plays in the modern digital economy has increased dramatically since 2012.

As the UK’s digital economy, alongside digital markets around the world, continue to advance and mature, there has been an increase in public ease and engagement with data sharing and the digital world. Younger people are digital natives – this is reflected in both their willingness to share data and acceptance of its importance to modern society.”

The times they are a changin’

The research highlights some interesting trends. You can read more detail in the Global report or UK report.

While consumers may be increasingly comfortable with sharing their data, it’s clear they’re most likely to do this with brands they trust, who’ve been upfront and honest about how they handle personal information and clearly demonstrate the benefits of the data exchange.

ICO Opinion on Ad Tech – Old wine in a new bottle?

December 2021

Does the ICO Opinion piece tell us anything new?

The ICO has published an “Opinion” which can be read as a shot across the bows for any Ad Tech company planning to launch new targeting solutions for the post-third-party-cookie world.

If these companies thought new targeting solutions would get waved through because they don’t involve third-party cookies, it’s clear that Google’s difficulties with their Sandbox solution say otherwise. 

Google is currently knee-deep in discussions with both the Competition and Markets Authority (CMA) and the ICO to come up with a targeting solution that is fair to consumers whilst also avoiding the accusation of being anti-competitive.

In the ICO’s opinion piece they set out the clear parameters for developing these solutions in a privacy-friendly manner. You won’t be too surprised to hear all the usual concerns being re-heated in this discussion. To quote the ICO:

  1. Engineer data protection requirements by default into the design of the initiative
  2. Offer users the choice of receiving adverts without tracking, profiling, or targeting based on personal data. 
  3. Be transparent about how and why personal data is processed across the ecosystem and who is responsible for that processing
  4. Articulate the specific purposes for processing personal data and demonstrate how this is fair, lawful, and transparent
  5. Address existing privacy risks and mitigate any new privacy risks that the proposals introduce

This opinion piece is the latest publication from the ICO in a relatively long-running piece of work on the use of cookies and similar technologies for the processing of personal data in online advertising. In their original report in 2019, the ICO reported a wide range of concerns with the following which needed to be rectified:

  • Legal requirements on cookie use;
  • Lawfulness, fairness, and transparency;
  • Security;
  • Controllership arrangements;
  • Data retention;
  • Risk assessments; and
  • Application of data protection by design principles. 

You can read the back story here

The state of play in 2021

Since the ICO started its investigation in 2019, the market has continued to develop new ways of targeting advertising that do not rely on third-party cookies. The net result is a move towards less intrusive ways of tracking, which the ICO has welcomed in principle, while reserving judgement on the detail (see below). Some examples include:

  • With Google Chrome’s announcement re: cookies, there is an expectation that third-party cookies will be phased out by end of 2022. 
  • There have been increases in the transparency of online tracking – notably Apple’s “App Tracking Transparency” ATT
  • There are new mechanisms being developed to help individuals indicate their privacy preferences simply and effectively
  • Browser developers are introducing tracking prevention in their software.  A notable example is the Google Privacy Sandbox which will enable targeting with alternative technologies.

How should we interpret this opinion piece?

A lot of what has been included is information from the 2019 reports. In effect, it’s a summary of previous activities plus additional material to bring you up to date. Although it is a rather long piece, there is some clear guidance for the way forward for developers of new solutions. 

Furthermore, it is bluntly warning technology firms that they are in the ICO’s sights: 

“In general, the Commissioner’s view is that these developments are not yet sufficiently mature to assess in detail. They have not shown how they demonstrate participants’ compliance with the law, or how they result in better data protection outcomes compared to the existing ecosystem” Source: ICO

Data protection by design is paramount – no excuses for non-compliance this time

The ICO opinion clearly flags to developers that they will accept no excuses for developing non-compliant solutions. In the past, there have been difficulties because the Ad Tech solutions have been in place for some time with the data protection guidance being retrofitted to an existing ecosystem. 

With the demise of third-party cookies and the advent of a variety of new solutions, there can be no excuse for failing to engineer privacy into the design of those solutions from the outset.

It explicitly highlights the need to respect the interests, rights, and freedoms of individuals. Developers need to evidence that these considerations have been taken into account.  

Users must be given a real choice

In the first instance, users must be given the ability to receive adverts without tracking, profiling, or targeting based on personal data. There must be meaningful control and developers must demonstrate that there is user choice through the data lifecycle. 

Accountability – show your homework

There is an expectation that there will be transparency around how and why personal data is processed and who is responsible for that processing. In the current ecosystem, this is largely impossible to achieve and there is no transparency across the supply chain. 

Articulate the purpose of processing data

Each new solution should describe the purpose of processing personal data and demonstrate how this is fair, lawful, and transparent. Can suppliers assess the necessity and proportionality of this processing? The 2019 report highlighted that the processing appeared excessive relative to the outcomes achieved. How will processors change their ways? 

Addressing risk and reducing harm

As a start, it’s important to articulate the privacy risks, likely through a DPIA, but also explain how those risks will be mitigated. The previous ICO reports indicated their disappointment with the low volume of DPIAs produced by Ad Tech providers. This needed to change. 

To conclude with a useful developer checklist

The ICO provides a checklist of how to apply these principles in practice. You can probably jump to this section if you really want to know what is expected: 

  1. Demonstrate and explain the design choices.
  2. Be fair and transparent about the benefits.
  3. Minimise data collection and further processing.
  4. Protect users and give them meaningful control.
  5. Embed the principle of necessity and proportionality.
  6. Maintain lawfulness, risk assessments, and information rights.
  7. Consider the use of special category data.

The ICO is very clear that the industry must change. There is no appetite to approve solutions that fundamentally adopt the same flawed ways of working. There is also a clear acknowledgment that some solutions are potentially anti-competitive so a partnership with the CMA will continue. You have been warned!

How did a trade union fall foul of the marketing rules?

November 2021

Unite the Union has been fined £45K over its telemarketing practices

The Information Commissioner’s Office (‘ICO’) has issued a fine to Unite the Union for what it describes as a ‘serious contravention’ of the Privacy and Electronic Communications Regulations 2003 (commonly known as ‘PECR’).

This action follows 27 complaints from individuals who had registered with the Telephone Preference Service (TPS) but received calls from Unite regarding life insurance – services provided to Unite members by a third-party insurer.

Unite believed these calls did not fall within the scope of the direct marketing rules.

What is the Telephone Preference Service?

The Telephone Preference Service (TPS) is the UK’s official ‘Do Not Call’ register for landlines and mobile telephone numbers. It allows individuals and businesses to opt out of receiving unsolicited live sales and marketing calls.

There is also a register for business telephone numbers, called the Corporate Telephone Preference Service (CTPS).

What does PECR require?

Regulation 21 of PECR requires a business to have gained prior consent before making unsolicited telemarketing calls promoting a product or service to phone numbers registered with the Telephone Preference Service Ltd (TPS).

Therefore any telemarketing calls to TPS registered numbers without valid consent will contravene PECR requirements.

The ICO’s findings

The ICO asked Unite to provide evidence of consent for these marketing calls. But Unite argued these were not marketing calls and were made to let members know about services and benefits they were entitled to.

In their view the calls were made in accordance with their internal ‘Rule Book’. This required Unite to “notify members of the services and benefits that fall within their union membership and any changes to those terms.”

The ICO rejected this and found Unite had contravened PECR on the basis that Unite’s own rules cannot override the statutory protection provided under PECR.

In conclusion, the ICO found that in the 12 months to 11th March 2020, Unite had used a public telecommunications service to make 57,665 unsolicited telemarketing calls to people whose telephone number was registered on TPS.

Whilst individuals were told how to opt-out, they were not provided with the option to give opt-in consent to specific means of communication (such as telemarketing calls) relating to specific types of services or benefits. The ICO also noted the insurance services promoted in the calls were provided by a third-party insurer.

The ICO found that the consent Unite relied on was insufficient, as it provided broad information to data subjects rather than the specific detail required under Regulation 21 of PECR. It highlighted multiple violations of Regulation 21 over the 12-month period, which resulted in 27 complaints.

Not deliberate

The ICO took the view Unite had not deliberately set out to contravene PECR. However the ICO’s enforcement notice states Unite was ‘negligent’ and failed to take reasonable steps to prevent the contravention.

The ICO also concluded Unite had access to sufficient financial resources to pay the fine without causing undue financial hardship, and that its findings were not affected by the COVID-19 pandemic.

What can we learn from this?

Controllers who conduct telemarketing either in-house or via a third party service provider (like Unite did) should remember that consent is required for any calls made to numbers registered on the TPS.

I would add that consent may not necessarily be required for telemarketing calls to individuals who have NOT registered for TPS or CTPS. Legitimate Interests may be used as an alternative lawful basis, provided the relevant conditions can be met. DPN would advise controllers who wish to consider this lawful basis to conduct a Legitimate Interest Assessment (LIA).
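The screening rule set out in the takeaways of the Easylife piece above and restated in this section (a TPS or CTPS registered number may only be called with specific, prior opt-in consent; an unregistered number may be called without consent, but still needs a UK GDPR lawful basis) is easy to state and easy to get wrong in a dialling list, usually because numbers are written in several formats or consent was recorded for a different channel. The following is an added example, not code from DPN, the ICO or TPS Ltd. It assumes hypothetical in-memory sets standing in for the licensed TPS and CTPS files, a hypothetical `Consent` record with a channel and a withdrawal date, and constructed sample numbers; it does not model the separate PECR rule that a person who has told you directly they don’t want calls must also be suppressed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

CHANNEL = "telemarketing"   # consent must name the channel, not just "marketing"


def normalise_uk_number(raw: str) -> str | None:
    """Convert a UK number written in any common style to E.164 (+44...).

    Screening is only as good as the matching: '07700 900123',
    '+44 (0)7700 900123' and '00447700900123' must all hit the same
    TPS entry. Returns None for anything that is not a plausible UK number.
    (Hypothetical helper written for this example.)
    """
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("0044"):                          # 0044 7700 ...
        digits = "44" + digits[4:]
    elif digits.startswith("440") and len(digits) == 13:   # +44 (0)7700 ...
        digits = "44" + digits[3:]
    elif digits.startswith("0") and len(digits) == 11:     # national 07700 ...
        digits = "44" + digits[1:]
    if not digits.startswith("44") or len(digits) != 12:
        return None
    return "+" + digits


@dataclass(frozen=True)
class Consent:
    """Assumed shape of a consent record: one row per number and channel."""
    number: str                  # already normalised to E.164
    channel: str                 # e.g. "telemarketing", "email"
    given_on: date
    withdrawn_on: date | None = None

    def valid_on(self, day: date, channel: str) -> bool:
        return (self.channel == channel and self.given_on <= day
                and (self.withdrawn_on is None or self.withdrawn_on > day))


def screen_call_list(raw_numbers, tps, ctps, consents, today):
    """Split a dialling list into (allowed, blocked).

    Rule applied: a number on TPS or CTPS may only be called with prior,
    channel-specific consent that is still in force; a number on neither
    register may be called without consent, but the caller still needs a
    UK GDPR lawful basis (consent or a documented legitimate interest).
    Each result entry is (original_input, normalised_number, reason).
    """
    allowed, blocked, seen = [], [], set()
    for raw in raw_numbers:
        number = normalise_uk_number(raw)
        if number is None:
            blocked.append((raw, None, "not a valid UK number"))
            continue
        if number in seen:                         # same number, different format
            blocked.append((raw, number, "duplicate of an earlier entry"))
            continue
        seen.add(number)
        has_consent = any(c.number == number and c.valid_on(today, CHANNEL)
                          for c in consents)
        if number in tps or number in ctps:
            register = "TPS" if number in tps else "CTPS"
            if has_consent:
                allowed.append((raw, number, f"{register}-registered, specific opt-in consent on file"))
            else:
                blocked.append((raw, number, f"{register}-registered, no specific opt-in consent"))
        else:
            basis = ("consent on file" if has_consent
                     else "no consent; needs a documented legitimate interests assessment")
            allowed.append((raw, number, f"not on TPS/CTPS; {basis}"))
    return allowed, blocked


def run_example():
    """Constructed sample data; none of these numbers or records are real."""
    today = date(2023, 11, 1)
    tps = {"+447700900001", "+442079460001"}      # stand-in for the TPS file
    ctps = {"+442079460002"}                      # stand-in for the CTPS file
    consents = [
        Consent("+447700900001", CHANNEL, date(2023, 6, 1)),                                # valid
        Consent("+442079460001", "email", date(2023, 6, 1)),                                # wrong channel
        Consent("+447700900003", CHANNEL, date(2022, 1, 1), withdrawn_on=date(2023, 3, 1)), # withdrawn
    ]
    call_list = [
        "07700 900001",         # on TPS, telemarketing consent -> allowed
        "+44 (0)20 7946 0001",  # on TPS, only email consent -> blocked
        "00442079460002",       # on CTPS, no consent -> blocked
        "07700 900003",         # unregistered, consent withdrawn -> allowed, LIA needed
        "447700900001",         # duplicate of the first entry in another format
        "0123",                 # garbage
    ]
    return screen_call_list(call_list, tps, ctps, consents, today)


if __name__ == "__main__":
    for label, rows in zip(("ALLOWED", "BLOCKED"), run_example()):
        print(label)
        for raw, number, reason in rows:
            print(f"  {raw!r:24} {number or '-':16} {reason}")
```

The two things worth copying from this are the normalisation step (a TPS match on raw strings silently misses numbers written with spaces or the +44 (0) prefix) and the fact that consent is checked per channel and per date, which is the gap the ICO identified in the Unite case: a broad “we may contact you about benefits” notice is not an opt-in to telemarketing calls.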

Membership organisations should recognise that they cannot override the requirements of PECR (or any other data protection law, for that matter) by adopting membership rules which conflict with the protections the law provides to individuals.

Like any marketing activity involving personal data, care is required to make sure the relevant legal obligations and requirements are satisfied.
