UK telemarketing rules

How to avoid falling foul of the rules for marketing calls

Hardly a month goes by without the UK’s Information Commissioner’s Office (ICO) fining another company for breaking the telemarketing rules under the Privacy and Electronic Communications Regulations (PECR). I’m sure all of us have been on the receiving end of a dodgy call. The favoured ‘have you recently been involved in an accident?’ springs to mind. Tackling nuisance calls is clearly a key priority for the Regulator, so how do bona fide businesses avoid being tarred with the same brush as the rogue operators?

6-point telemarketing guide

1. Service vs marketing calls

The definition of direct marketing covers any advertising or promotional material directed at particular individuals. Routine customer service calls don’t count as direct marketing. But if you’re treating a call as a service call (and not applying the marketing rules under PECR) you need to be careful the script / call guide and what your call handlers say in practice don’t stray into the realms of trying to get customers to buy extra products or services, or to upgrade or renew contracts.

A Trade Union was fined in 2021 for not screening numbers against the TPS. The Union didn’t believe its calls were direct marketing, but the ICO judged they were. Just because you believe you’re acting in good faith doesn’t mean you are.

See also: Marketing messages and service messages

2. Consent or Legitimate Interests?

Telephone numbers which can directly or indirectly identify an individual are personal data and fall under the scope of UK GDPR. For example, when using someone’s personal or work mobile, direct line business number or home landline you’ll need to comply with both UK GDPR and PECR. You’ll need to decide whether to rely on consent or legitimate interests as your lawful basis under UK GDPR to make telemarketing calls to people.
In brief:

- Consent: make sure this meets the requirement to be a specific, informed, unambiguous indication of someone’s wishes made with a positive action (e.g. an opt-in). Keep records of consent (including, if relevant, the script used) and make sure withdrawing consent is as easy as it is to give it. See also: Consent – getting it right
- Legitimate Interests: conduct a Legitimate Interests Assessment (LIA), keep a record of this assessment and be sure to provide people with a way to opt-out of future calls. See also: Legitimate interests – is it legit?

3. Live marketing calls to individuals

Below are the key rules to follow:

- Don’t make marketing calls to anyone who’s told you they don’t want to hear from you. Keep a suppression file of all objections to telemarketing, and screen your campaigns against this internal ‘do not call list’.
- Don’t make marketing calls to anyone registered with the Telephone Preference Service, unless you’ve collected consent to call them.
- Say who’s calling – i.e. clearly state the name of your organisation.
- Always display your number (or an alternative contact number).
- Provide an address or freephone contact number if asked.
- Make it easy to opt-out of further calls.

4. Remember sector specific rules

Stricter rules apply if you’re making calls about claims management or pension schemes. For claims management services you must have consent. For calls about pension schemes, you must have consent unless:

- You are a trustee/manager of a pension scheme; or
- A firm authorised by the Financial Conduct Authority; or
- Your relationship with the individual meets strict criteria.

5. Automated calls

When using automated dialling systems which play a recorded message the rules are very strict. You must have:

- Specific consent from individuals indicating they’re okay to receive automated calls; and
- Calls must include your organisation’s name and contact address or freephone number; and
- You must display your number (or alternative contact number).
In practice, these consent rules make genuinely compliant automated calls very difficult.

6. Marketing/sales calls to business numbers

The rules under the UK’s PECR are the same for calling businesses as they are for individuals. You can call any business that has specifically consented to your calls. Or, and most commonly… You can make live calls to any business number which is not registered with the TPS or the Corporate Telephone Preference Service (CTPS). But only if they haven’t objected to your calls and you’re not calling about claims management services.

The reason screening against both TPS and CTPS is necessary (if you don’t have consent) is that sole traders and some partnerships may have registered with the TPS.

Applicable laws for telemarketing

PECR gives us the rules for telemarketing calls in the UK and the ICO has published telemarketing guidance. As well as complying with PECR you should comply with UK GDPR for your handling of personal data. The rules differ in other countries, so check local laws if your telemarketing extends to calling people in other territories. Many countries have a ‘do not call’ register similar to the Telephone Preference Service.

There are also specific rules under PECR for email marketing messages, see UK email marketing rules.
Marketing messages and service messages

How to avoid falling foul of the PECR rules

Many businesses need to send important or essential messages to their customers by email or SMS, or may telephone them. But if the content of these messages strays into becoming promotional in nature, the marketing rules under the UK’s Privacy and Electronic Communications Regulations (PECR) will apply.

The Information Commissioner’s Office has issued a number of fines over the years where marketing messages have been ‘disguised’ as service messages. I’ve included a few examples below. The risk for businesses is it can take just one, or a handful of complaints to cause a problem.

What’s a service message?

Essentially, a service message is a communication sent to individuals purely for administrative or customer service reasons. Such messages must be neutral in tone, providing just important and necessary information. The ICO tells us these must not include any advertising or promotional materials and that the key is in the ‘phrasing, tone and context’.

Pure service messages can be sent to everyone provided they only contain essential factual information for your customer. Some examples would include:

- confirming an order/purchase
- confirming a delivery date/time
- providing necessary event information when someone has purchased a ticket (free or paid for)
- notifying people you require certain information to comply with the law, for example, an airline requesting passport information before an overseas flight
- informing service users about essential changes, for example, telling leisure centre members the swimming pool has been unexpectedly closed
- communicating changes to the terms and conditions of a contract or agreement the individual has with you, or material changes to privacy information

What’s a marketing message?
If a message is actively promoting or encouraging an individual to make use of a particular service, a special offer, or upgrade for example, then it is likely to be direct marketing. This would include where part but not all of the message, or phone call, is of a promotional nature.

The Data Protection Act 2018 defines direct marketing as: “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. A definition which applies under PECR. It’s a broad definition and covers any advertising, marketing or promotion of products and services directed at a specific individual or individuals. It also includes promoting aims and ideals, so covers fundraising and campaigning.

Regulatory communications

Some businesses, for example in the financial sector, will be required by a statutory regulator such as the Financial Conduct Authority to make people aware of specific information. The ICO has published direct marketing and regulatory communications guidance. Again it depends on the context and tone of the message, but some examples are provided of messages which are unlikely to count as direct marketing:

- give advance warning of changes to terms, conditions or tariffs
- explain about statutory complaint or compensation schemes
- warn about fraud and how to report it
- remind people of how to get in touch if they are struggling with payments
- provide offers of support for those customers most at risk of harm.

Where businesses have got it wrong

Navigating the line between service messages and marketing messages can be tricky, as the following companies discovered. We all have feet of clay; I’m sure many other organisations are shimmying along this regulatory tightrope. Some consciously pushing the boundaries, others inadvertently breaking the rules.
American Express

In 2021 AMEX was fined £90,000 for sending 4 million emails, which were judged to fall under the definition of direct marketing, to customers who’d not given their consent or who’d opted out of marketing. The nature of these emails ranged from encouraging people to download the AMEX app, to how to make the most of an AMEX card, rewards and offers, how to earn more rewards by referring friends, getting an improved rate on cashback, and so on.

The key here is AMEX’s decision to internally classify these emails as ‘service’ messages, which is why customers who’d opted out / objected to marketing still received them. The ICO disagreed and determined these were direct marketing, and marketing opt-outs should have been applied. And just to be clear, in this case the ICO found AMEX hadn’t deliberately flouted the rules but did find them to be negligent.

In its defence AMEX said the emails were an integral part of the service they provide to AMEX customers. Their argument was that a crucial aspect of being an AMEX customer was taking advantage of member benefits. They said this was cited by customers as one of the primary reasons for having an AMEX card. AMEX therefore determined these messages were necessary and “required to be sent based on legal and contractual requirements”.

The ICO however assessed the content of the emails and found the following:

- The emails encouraged customers to use their AMEX credit cards to make purchases or, in specific cases, download an app
- The emails were clearly of an advertising and promotional nature
- None were “neutrally worded and purely administrative”

Whatever their stated purpose internally, the ICO found the email content fell under the definition of direct marketing. The emails were aimed at encouraging customer actions from which AMEX would financially gain.

The penalty notice reveals AMEX received twenty-two complaints about ‘service’ emails during the period investigated.
Five people complained directly to the ICO, some after initially raising their concerns with AMEX (but not all). It’s also worth noting some people complained because AMEX refused to let them opt-out because they viewed the messages as service ones not requiring an opt-out capability.

What struck me was the tiny percentage of complainants, especially when you consider AMEX sent out four million emails. (Admittedly this figure is likely to include repeated emails to the same individuals). It starkly illustrates how only a few complaints can cause a world of pain. (There have been cases in the past based on a single complaint).

Halfords

In 2022 the ICO fined Halfords £30,000 for sending half a million emails without consent. This case shows how just one complaint directly to the ICO triggered unwelcome scrutiny.

Halfords sent an email campaign to customers letting them know about a Government ‘Fix your Bike’ scheme during the Covid pandemic, whereby cyclists could take advantage of a voucher towards repairs. A voucher which could be used with any of a list of approved repairers or mechanics. This was sent to customers who had opted out of marketing in the past and the email contained a disclaimer stating: ‘This is a service message and does not affect your marketing opt-in status.’ The email didn’t include an unsubscribe link.

In exchanges with the ICO, Halfords claimed they were acting in the public interest to support a Government scheme in a one-off campaign during the pandemic. Halfords also pointed to the fact that 3,700 people took up the opportunity to claim the voucher, and only received seven complaints themselves from almost half a million ‘service’ messages.

However the ICO said the content of the email promoted Halfords, and was therefore a marketing message. It was found to imply a connection between Halfords and the scheme, emphasising the service provided by Halfords. People were told to “Visit halfords.com to find out more now”.
The regulator said this not only signposted individuals to the company’s website but included ‘a sense of urgency in the messaging, which is a typical marketing strategy.’

The enforcement notice reveals how much information companies need to provide when they end up on the ICO’s radar.

- A lack of clarity was initially provided surrounding the numbers of emails delivered/received
- No policies and procedures existed to guide staff in respect of PECR

It goes to show it’s all very well to have a Data Protection Policy, but having specific marketing guidelines shouldn’t be overlooked.

What lessons can we learn?

It pays to carefully scrutinise any service messages which may be in danger of crossing the line. Give your staff clear policies/guides on the marketing rules and your internal approach. These cases, and others before them, show the ICO takes a strict interpretation and a handful of complaints can put you firmly in their sights.
ICO issues fine for invalid marketing consent

How do we make sure the consent we collect is compliant?

The ICO has issued a £130,000 fine to a company which operated five recruitment websites. Join the Triboo (JTT) was found to have failed to collect valid consent for email marketing communications and in the words of the regulator, ‘bombarded people with spam emails’.

What did JTT get wrong?

It was ruled there was a failure to meet the requirements for consent to be a ‘freely given, specific, informed and unambiguous’ indication of someone’s wishes. Statements used to collect ‘consent’ were judged to be neither informed nor specific.

One ‘consent’ statement used stated ‘I agree to marketing activity’. Perhaps unsurprisingly, this was judged as not clearly telling people what types of communications subscribers could expect to receive, by what means, or from whom. The privacy policy stated marketing might be carried out on behalf of ‘third parties’ who operate in ‘any business sector’.

Another statement referred to emails on behalf of ‘selected companies’ and contained broad categories including ‘general’. Again, the ICO ruled this could not be considered specific or informed and jobseekers using JTT operated websites weren’t given enough information to understand what they were consenting to.

Do we have to name third parties which rely on the consent we collect for them?

Interestingly, the enforcement notice in this case does not specifically spell out that third parties relying on consent must be named. It states: ‘Consent is required to be “specific” as to the type of marketing communication to be received, and the organisation, or specific type of organisation, that will be sending it.’

It’s not clear if the use of the term ‘specific type of organisation’ marks a shift in the Regulator’s stance to date, that named consent is always required. The ICO’s consent guidance states: ‘Name any third party controllers who will rely on the consent’.
What does valid consent look like?

The ICO’s guidance on consent sets out its expectations of what constitutes valid consent. To summarise:

- A consent request must be prominent and separate from terms & conditions
- People must take a positive action to opt in
- Pre-ticked boxes must not be used
- Clear and plain language must be used
- It should be clear what we will use the data collected for
- Any other organisation relying on consent must be named
- People should be told, when they give their consent, they can withdraw it at any time
- Consent shouldn’t be a precondition of a service

Here at the DPN we use the following statement to collect consent for our email newsletter. We’re pretty confident we’ve followed the ICO’s checklist.

SIGN UP FOR OUR NEWSLETTER
DPN updates direct to your inbox. Get insight, free resources, events & services from DPN Associates (publishers of DPN). All our emails have an opt-out. For more information see our Privacy Statement.

A box is provided to enter an email address and a positive action is taken when clicking the ‘Subscribe’ button.

Is consent always needed for email marketing?

The short answer is no. There’s an exemption to consent for business-to-consumer email marketing known as the soft opt-in, which can be legally used if specific conditions are met. This exemption was not applicable in the JTT case. Email marketing by a business to its business contacts is also permitted without consent (provided the requirements for a legitimate interest are met).

When not relying on consent, the lawful basis for processing data for marketing purposes under UK GDPR will be legitimate interests. The rules for direct marketing by electronic means are governed by the Privacy and Electronic Communications Regulations (PECR). When PECR tells us we need consent, this consent must meet the UK GDPR standard. The ICO has recently updated its direct marketing guidance.
Quick takeaways

Be clear about what you’re asking people to consent to – what type of marketing can they expect to receive? Tell people which media communications channel you will use. If you’re going to send people marketing by email, make this clear.

For more detail see the ICO enforcement notice.
How did a trade union fall foul of the marketing rules?

Unite the Union has been fined £45K over its telemarketing practices

The Information Commissioner’s Office (‘ICO’) has issued a fine to Unite the Union for what it describes as a ‘serious contravention’ of the Privacy and Electronic Communications Regulations 2003 (commonly known as ‘PECR’).

This action follows 27 complaints from individuals who had registered with the Telephone Preference Service (TPS) but received calls from Unite regarding life insurance – services provided to Unite members by a third-party insurer. Unite believed these calls did not fall within the scope of the direct marketing rules.

What is the Telephone Preference Service?

The Telephone Preference Service (TPS) is the UK’s official ‘Do Not Call’ register for landlines and mobile telephone numbers. It allows individuals and businesses to opt out of receiving unsolicited live sales and marketing calls. There is also a register for business telephone numbers, called the Corporate Telephone Preference Service (CTPS).

What does PECR require?

Regulation 21 of PECR requires a business to have gained prior consent before making unsolicited telemarketing calls promoting a product or service to phone numbers registered with the Telephone Preference Service Ltd (TPS). Therefore any telemarketing calls to TPS registered numbers without valid consent will contravene PECR requirements.

The ICO’s findings

The ICO asked Unite to provide evidence of consent for these marketing calls. But Unite argued these were not marketing calls and were to let members know about services and benefits they were entitled to. In their view the calls were made in accordance with their internal ‘Rule Book’.
This required Unite to “notify members of the services and benefits that fall within their union membership and any changes to those terms.” The ICO rejected this and found Unite had contravened PECR on the basis that Unite’s own rules cannot override the statutory protection provided under PECR.

In conclusion, the ICO found that in the 12 months to 11th March 2020, Unite had used a public telecommunications service to make 57,665 unsolicited telemarketing calls to people whose telephone number was registered on TPS.

Whilst individuals were told how to opt-out, they were not provided with the option to give opt-in consent to specific means of communication (such as telemarketing calls) relating to specific types of services or benefits. The ICO also noted the insurance services promoted in the calls were provided by a third-party insurer.

The ICO found that the consent Unite relied on was insufficient, as it provided broad information to data subjects, rather than the specific detail required under Regulation 21 of PECR. They highlighted multiple violations of Regulation 21 over the 12-month period, which resulted in 27 complaints.

Not deliberate

The ICO took the view Unite had not deliberately set out to contravene PECR. However the ICO’s enforcement notice states Unite was ‘negligent’ and failed to take reasonable steps to prevent the contravention. The ICO also concluded Unite had access to sufficient financial resources to pay the fine without causing undue financial hardship and that its findings were not affected by the current COVID-19 pandemic.

What can we learn from this?

Controllers who conduct telemarketing either in-house or via a third party service provider (like Unite did) should remember that consent is required for any calls made to numbers registered on the TPS. I would add that consent may not necessarily be required for telemarketing calls to individuals who have NOT registered for TPS or CTPS.
Legitimate Interests may be used as an alternative lawful basis, provided the relevant conditions can be met. DPN would advise controllers who wish to consider this lawful basis to conduct a Legitimate Interest Assessment (LIA).

Membership organisations should recognise that they cannot override the requirements under PECR (or any other data protection law, for that matter) by adopting membership rules which are in conflict with the protections the law provides to individuals.

Like any marketing activity involving personal data, care is required to make sure the relevant legal obligations and requirements are satisfied. If you would like help to ensure your marketing is compliant, please Contact Us.
Direct marketing: household names fined for breaking the rules

What did We Buy Any Car, Saga and Sports Direct get wrong?

The ICO has announced a series of fines for companies which have contravened the direct marketing rules under the Privacy and Electronic Communications Regulations (PECR). Fines amounting to £495,000 have been issued to Sports Direct, We Buy Any Car, Saga Personal Finance and Saga Services.

Contraventions include not being able to evidence valid consent, not abiding by the conditions of the ‘soft opt-in’ exemption, and emails sent via affiliates without valid consent.

In the ICO blog announcing the fines, their Head of Investigations commented: “These companies should have known better. Today’s fines show the ICO will tackle unsolicited marketing, irrespective of whether the messages have been orchestrated by a small business or organisation, or a leading household name. The law remains the same and we hope today’s action sends out a deterrent message that members of the public must have their choices and privacy respected.”

It’s worth noting the Government’s data regime reform consultation proposes increasing the maximum fines under PECR to be in line with GDPR. So in future we could see much higher sums being levied for breaking the rules.

We Buy Any Car

Key finding: failure to meet all ‘soft opt-in’ conditions

We Buy Any Car (WBAC) has been fined £200,000 for sending 191.4 million marketing messages and 3.6 million SMS messages in contravention of the PECR rules.

WBAC came to the attention of the ICO due to complaints received directly to their online reporting tool. Between October 2019 and January 2020, the Regulator received 10 complaints from individuals, and a further two complaints from the same individual.

Much of the investigation focuses on email communications which were sent after people had requested a valuation. People can use the WBAC website to input details about their vehicles to get a valuation.
WBAC claimed it relied on the ‘soft opt-in’ exemption for such messages and said people would anticipate further email communications as part of what was described as ‘journey emails’.

The ICO found while people were informed about these communications, they were not given an opportunity to opt-out at the point their details were collected. This is one of the key conditions businesses have to meet when relying on the soft opt-in exemption.

A clear message to other businesses to assess whether they are taking any risks when relying on the ‘soft opt-in’. Are you meeting these core conditions?

- The contact details are collected during the course of a sale, or negotiations for a sale, of a product or service
- An opportunity to refuse or opt-out of the marketing is given at the point of collection, and in every subsequent communication
- You only send marketing about your own similar products and services

Saga

Key finding: inadequate consent obtained for marketing by affiliates/partners

Saga Services Limited (SSL) has been fined £150,000 for sending more than 128 million emails in contravention of the PECR rules. Saga Personal Finance (SPF) has been fined £75,000 for sending 28 million emails.

These cases focus on the potential risks when using partners or affiliates to send marketing on your behalf. Both SSL and SPF paid partners and affiliates to send promotional emails on their behalf for lead generation purposes.

The companies were relying on ‘indirect consent’. In other words they hadn’t collected people’s details directly from them, and were using other parties’ lists to promote their services.

The enforcement notice points to the ICO’s direct marketing guidance which states: “organisations need to be aware that indirect consent will not be enough for texts, emails or automated calls.
This is because the rules on electronic marketing are stricter, to reflect the more intrusive nature of electronic messages.”

The guidance goes on to say ‘indirect consent’ may be valid, but only if it is clear and specific enough. Providing an individual with a long, seemingly exhaustive list of categories of organisations that may send marketing communications to them is not likely to be sufficient.

In summary, it was found that SSL and SPF were the instigators of these email communications, and the ‘consent’ collected by affiliates and partners was not sufficient.

A lesson here for all organisations using marketing affiliates and partners, to conduct due diligence. You can’t just simply accept claims by those sending emails on your behalf that they have a ‘fully consented list’.

Sports Direct

Key finding: inability to produce evidence of marketing permissions

Sports Direct has been fined £70,000 for sending 2.5 million email messages without valid consent. The company came to the ICO’s attention after the regulator received 12 complaints via its online reporting tool.

This case focuses on a ‘re-engagement’ campaign whereby Sports Direct had identified an ‘aged dataset’ to send communications to. These were described as records which had not unsubscribed – “a category of data that showed as being opted in to receive email marketing but had not received any marketing emails”.

Sports Direct informed the ICO it was either relying on the ‘soft opt-in’ or ‘consent’ to contact this ‘aged dataset’. However, during the ICO investigations Sports Direct could not provide sufficient evidence it had valid permission to contact people.

In one case Sports Direct couldn’t identify a lawful basis, because the customer in question had asked for their details to be erased, so they had no record at all.
This ruling acts as a reminder to all organisations to keep adequate records and specifically highlights the risks of emailing customers who you haven’t been in contact with for some time. It also confirms that, even if someone submits an erasure request, you should keep minimised but detailed enough records for a suitable period of time so you can adequately respond to any subsequent complaints.

Full details of the above enforcement action can be found on the ICO website.
ICO says most public sector messages are not direct marketing

One of the unwelcome side effects of the pandemic has been the proliferation of bogus emails and texts trying to illegally elicit personal data from us. I speak with my elderly mother almost daily, repeating the same lines; ‘don’t click on the link’, ‘don’t respond if someone is asking you to enter your details’, ‘hang up’, ‘delete it’, ‘you haven’t ordered a package, please ignore it’.

However, we’ve also all received other communications which I feel have been largely helpful. Messages such as pandemic update emails from our local councils, notifications about vaccines from our GPs, and text messages about the NHS app.

But would some of these be regarded as direct marketing messages? Did some contravene the rules under PECR (the Privacy and Electronic Communications Regulations)? Possibly, perhaps in some cases definitely (under existing guidance).

But does it matter? Surely, there’s an argument to say some communications may not be strictly necessary but are informative and useful, and don’t unduly impact on our privacy.

This is clearly an area the ICO felt needed addressing. The Regulator has issued new guidance, which appears to alter the long-standing interpretation of direct marketing.

What does the new guidance say?

The ICO says public sector organisations can send ‘promotional’ messages which would not be classed as direct marketing, if they are necessary for a public task or function.

This is significant. ‘Promotional’ messages have always been considered as ‘direct marketing’ before, regardless of whether they are sent by commercial companies, not-for-profits or the public sector.

It also means, in the eyes of the Regulator, such public sector ‘promotional’ emails, SMS messages and telephone calls do not fall within the scope of the UK’s Privacy and Electronic Communications Regulations (PECR).
In a blog announcing the new guidance the ICO states: “Any sector or type of organisation is capable of engaging in direct marketing. However the majority of messages that public authorities send to individuals are unlikely to constitute direct marketing.”

Anthony Luhman, ICO Director, goes on to say: “Our new guidance will help you understand how to send promotional messages in compliance with the law. Done properly the public should have trust and confidence in promotional messaging from the public sector.”

As said, until now any ‘promotional’ message was considered direct marketing. So this new guidance raises some questions:

- Has the long-standing interpretation of the definition of direct marketing been changed?
- Is this a sensible new interpretation?
- Will this open the floodgates to us being spammed by public authorities?

What is the definition of ‘direct marketing’?

The definition is broad. Under section 122(5) of the DPA 2018 the term ‘direct marketing’ means “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. A definition which also applies for PECR.

What exactly is meant by ‘advertising or marketing material’ is not clarified in the DPA 2018 or PECR, but the long-standing interpretation of this has been that it is not limited to commercial marketing and includes any material which promotes ‘aims and ideals’.

This interpretation is clear in the ICO’s Direct Marketing Guidance and more recently in the draft Direct Marketing Code, published in January 2020, which says of direct marketing: “It is interpreted widely and covers any advertising or marketing material, not just commercial marketing. For example it includes the promotion of aims and ideals as well as advertising goods or services.
This wide interpretation acknowledges that unwanted, and in some cases nuisance, direct marketing is not always limited to commercial marketing.”

When is a promotional public sector message not direct marketing?

In a nutshell, the new guidance states: If you’re a public authority and your promotional messages are necessary for your public task or function, these messages are not direct marketing. If your messages by telephone, text or SMS are not direct marketing, you don’t need to comply with PECR. (But you still need to comply with UK GDPR).

The ICO is now drawing a distinction between promotional messages necessary to fulfil a public task or function, as opposed to messages from public authorities promoting services which a user pays for (such as leisure facilities) or fundraising activities. The latter would still be considered direct marketing.

The new guidance provides the following interpretation: “In many cases public sector promotions to individuals are unlikely to count as direct marketing. This is because promotional messages that are necessary for your task or functions do not constitute direct marketing. We do not consider public functions specified by law to count as an organisation’s aims or ideals.”

This is in marked contrast to the wording of the draft Direct Marketing Code which says: “If, as a public body, you use marketing or advertising methods to promote your interests, you must comply with the direct marketing rules.”

What types of messages are direct marketing and which aren’t?
The following examples are given of the types of promotional content a public authority might communicate which would NOT constitute direct marketing: new public services; online portals; helplines; guidance resources.

The ICO says promotional messages likely to be classed as direct marketing include: fundraising; or advertising services offered on a quasi-commercial basis or for which there is a charge (unless these are service messages as part of the service to the individual).

How do you decide if messages are necessary for public task or function?

The ICO says it accepts all public authorities will have what it describes as ‘incidental powers’ to promote their services and engage with the public. It therefore says it is not necessary for a public authority to identify an ‘explicit statutory function’ to engage with promotional activity which is deemed ‘necessary’ for a task or function.

However, the ICO does stipulate you can’t just say a direct marketing message is no longer direct marketing because the lawful basis has been stated as public task. Nor can you just decree a promotional message is ‘in the public interest’; this won’t automatically mean it isn’t direct marketing.

What the Regulator expects is for public authorities to identify a relevant task or function for the communication they wish to send.

There’s a risk here the ICO has not been clear enough. This could cause confusion and I suspect plenty of deliberation over which messages are or are not direct marketing.

Transparency

It’s made clear that even if you determine certain promotional messages are not direct marketing, this doesn’t mean you can ignore other basic data protection principles. You still need to make sure people know what you are doing with their personal data, and this must be within their reasonable expectations.

In other words public authorities must make it clear to people they intend to send promotional messages which are necessary for a public task or function.
Which may mean updating their privacy notices.

Right to object

People have an absolute right to object to direct marketing, but they also have a general right under data protection law to object to processing, which includes when organisations are relying on the lawful basis of public task. A right people should be made aware of.

The guidance makes it clear – if someone objects to a promotional message from a public authority, it will only be possible to continue sending messages if ‘compelling legitimate grounds’ to do so can be demonstrated. The ICO makes the point it would be difficult to justify continuing to send unwanted promotional messages if this goes against someone’s wishes.

My advice would be to include a clear ability to opt-out on any promotional message; any message which isn’t an essential service message. (Albeit, this could cause some configuration issues for public authorities who don’t have sophisticated systems which can distinguish between different types of messages and opt-outs).

Lawful basis for promotional non-marketing messages

The ICO points to two lawful bases under UK GDPR for sending promotional messages necessary for a public task or function, either public task or consent.

The guidance suggests just because you can rely on public task, doesn’t mean you shouldn’t consider consent, which may be considered appropriate for public trust reasons. The ICO accepts that Public Authorities may be reluctant to rely on consent, due to a potential imbalance of power, but says it may be considered appropriate if the individual has a genuine free choice to give or refuse to consent to promotional messages.

A change in interpretation

This new guidance certainly seems to represent a marked change in the ICO’s previous interpretation of direct marketing. It’s interesting to note the following pertinent examples which are present in the draft Direct Marketing Code (which I suspect may be altered in the final version).
Example

Scenario A

A GP sends the following text message to a patient: ‘Our records show you are due for x screening, please call the surgery on 12345678 to make an appointment.’ As this is neutrally worded and relates to the patient’s care it is not a direct marketing message but rather a service message.

Scenario B

A GP sends the following text message to a patient: ‘Our flu clinic is now open. If you would like a flu vaccination please call the surgery on 12345678 to make an appointment.’ This is more likely to be considered to be direct marketing because it does not relate to the patient’s specific care but rather to a general service that is available.

It seems to me Scenario B, under the new guidance, could be classed as a promotional message, but NOT direct marketing. (Personally, I would never have complained about Scenario B; it’s a helpful, informative message and hardly in the realms of the untargeted nuisance spam).

The draft Code goes on to confirm the following would be direct marketing: a GP sending text messages to patients inviting them to a healthy eating event; a regulator sending out emails promoting its annual report launch; a local authority sending out an e-newsletter update on the work they are doing; and a government body sending personally addressed post promoting a health and safety campaign they are running.

The specific examples from the draft Code were used by people to question whether some of the messages they received during the pandemic contravened PECR.

Would these types of communications now no longer be direct marketing? It would certainly seem like they aren’t if you go by the clear message from the ICO that ‘the majority of messages that public authorities send to individuals are unlikely to constitute direct marketing.’ Will the above examples disappear from the final Direct Marketing Code?
In summary

This new guidance is likely to be welcomed by some who have been frustrated, or indeed bewildered, that their communications could be considered direct marketing. However, it could also muddy the waters. It leaves the public sector needing to clearly define different types of communications and make sure relevant teams are adequately briefed to understand the difference.

As I see it, there are three types of communication:

a) Service messages – essential messages relating to the provision of a service
b) Promotional messages for public task or function (which are highly likely to need an opt-out)
c) Direct marketing messages (must have an opt-out to honour the individual’s absolute right to object).

I just wonder whether the term ‘promotional messages’ could have been avoided in this guidance. I am not sure I have a satisfactory alternative, but perhaps something like ‘information messages’ – i.e. messages that are not essential service messages but provide helpful information.

I also wonder whether there could have been a carve out for important health-related messages, rather than applying this new interpretation to any ‘promotional’ message from any public authority.

Let’s hope the public sector now pays due care and attention to transparency, provides an opt-out to all but essential messages, and doesn’t abuse this new-found power to engage with us beyond what is actually necessary.