Marketing and the ‘soft opt-in’ – are you getting it right?

June 2021

The ICO has recently issued a £10,000 fine to a pizza company for sending ‘nuisance marketing messages’ to its customers.

Papa Johns claimed it was relying on the exemption to consent, known as the ‘soft opt-in’, but it was found to have not abided by the rules of this exemption.

So, what is the ‘soft opt-in’ and how can you use it, within its limitations, and not fall foul of the rules? What did Papa John’s get wrong?

What is the soft-opt-in?

The laws governing electronic marketing are covered in the UK’s Privacy and Electronic Communications Regulations (PECR) and these govern email, SMS and telemarketing.

Under PECR you need to have consent to send electronic marketing messages (e.g. email or SMS) to what are termed ‘individual subscribers’. These are people who personally subscribe to their email/SMS service provider (this is often referred to as B2C marketing).

But you don’t always legally need consent…

There’s an exemption under PECR for electronic marketing to existing customers. This is commonly known as the ‘soft opt-in’. An annoyingly ambiguous term as it permits the use of an ‘opt-out’ mechanism!

When relying on the ‘soft opt-in’ you need to be careful to make sure you follow the rules about when this exemption applies, which can be summarised as:

  • The contact details are collected during the course of a sale, or negotiations for a sale, of a product or service;
  • An opportunity to refuse or opt-out of the marketing is given at the point of collection, and in every subsequent communication;
  • You only send marketing about your own similar products and services; AND
  • You provide the ability to opt-out in every communication

For more information see PECR Regulation 22 and the ICO’s Guide to PECR.

It’s worth noting the rules on consent and the soft opt-in under PECR do not apply to ‘corporate subscribers’. A corporate subscriber is where the organisation (as opposed to the individual) has subscribed to the email/SMS service. (Commonly referred to as B2B marketing).

To quote the ICO on this, here’s an extract the draft Direct Marketing Code of Practice:

“The PECR rules on marketing by electronic mail (e.g. email and text messages) do not apply to corporate subscribers. This means you can send B2B direct marketing emails or texts to any corporate body. However, you must still say who you are and give a valid address for the recipients to unsubscribe from your emails.”

You do however need to be mindful sole traders and some partnerships fall under the definition of ‘individual subscribers’, so would fall under the consent / soft opt-in rules for B2C marketing.

What did Papa John’s get wrong?

The ICO says it received 15 complaints from Papa John’s customers about the unwanted marketing they were receiving by text and email. The Regulator points out, ‘the complaints noted the distress and annoyance the messages were causing’.

Subsequent ICO investigations found the pizza company sent more than 168,000 messages to its customers without valid consent.

Papa John’s claimed it was relying on the ‘soft opt in’ exemption in order to send these marketing messages. But the ICO ruled they were unable to rely on this exemption for customers who’d placed orders over the telephone, as people had not been given the opportunity to opt-out at this point. The ICO also makes the point that customers were not provided with a privacy notice.

Andy Curry, ICO Head of Investigations said:

“The law is clear and simple. When relying on the ‘soft opt in’ exemption companies must give customers a clear chance to opt-out of their marketing when they collect the customers details. Papa John’s telephone customers were not given the opportunity to refuse marketing at the point of contact, which has led to this fine.

“We will continue to take action against companies who may be gaining unfair advantage over those companies that adhere to the law and comply with electronic marketing law”.

The message is clear, you need to tell people you’d like to send them marketing and give them an opportunity to object when you collect customers’ details in order to rely on the ‘soft opt-in’. You can read more from the ICO about this case here.

This latest fine comes hot on the heels of action against another company for falling foul of PECR. A case which focused on the often fine line between a service message and a marketing one. I wrote about this here; Are your service message actually direct marketing?

Both these fines act as warnings to organisations, and provide a good opportunity to review practices and check you aren’t taken any unnecessary risks.

Social media targeting: consent or legitimate interests?

April 2021

Social media marketing is well established and mainstream – lots of organisations carry out targeted advertising via various social media platforms.

But are we being open and upfront about it? Do our customers, or supporters, know enough about how you use their data on social media platforms?

From retargeting your own customers by uploading pseudonymised data to a social media platform, through to targeting ‘lookalikes’, there are a variety of options available.

Are there any compliance risks when we conduct these activities? Do people have enough control over the use of their data and the advertising they see? And to what degree are people even bothered by it?

What does the ICO think?

We began to get an insight into the ICO’s expectations when they published their draft Direct Marketing Code, back in January 2020.

Firstly, yes they are in scope:

Online behavioural advertising and some types of social media marketing are not classed as electronic mail under PECR but these are still direct marketing communications.

The ICO points out the need for transparency:

Individuals may not understand how non-traditional direct marketing technologies work. Therefore it is particularly important that you are clear and transparent about what you intend to do with their personal data.

Individuals are unlikely to understand how you target them with marketing on social media so you must be upfront about targeting individuals in this way.

You must be transparent and clearly inform individuals about this processing so that they fully understand you will use their personal data in this way. For example, that you will use their email addresses to match them on social media for the purposes of showing them direct marketing.

When using “list-based” tools (e.g. Facebook Custom Audiences or LinkedIn contact targeting), where you upload personal data you already have to the platform (e.g. list of email addresses) you must be transparent and clearly inform people about this processing.

The draft DM Code says:

You must be upfront about this processing. Individuals are unlikely to expect that this processing takes place, therefore you should not bury information about any list-based tools you use on social media within your privacy information.

It is likely that consent is the appropriate lawful basis for this processing as it is difficult to see how it would meet the three-part test of the legitimate interests basis. However you will still need to ensure you also meet transparency requirements.

If an individual has objected to you using their personal data for direct marketing purposes, you cannot use their data to target them on social media, including by using list-based tools.

So, the ICO says we need consent.

But actually many disagree with this rather draconian interpretation of the law. Remember this is still draft guidance and we don’t know if it will change or when the Code will be published.

(When finalised, as a Code of Practice it will replace and carry more weight than the existing Direct Marketing Guidance, which doesn’t really touch on social media marketing).

So, is Legitimate Interests out of the question?

Many organisations may be currently relying on Legitimate Interests, especially when using “list based tools”. It’s not been made clear why the ICO believes these tools would not meet the three-part test for Legitimate Interests.

In contrast, the European Data Protection Board (EDBP) suggest in their August 2020 social media guidelines that Legitimate Interests might be suitable for social media targeting:

Generally speaking, there are two legal bases which could theoretically justify the processing that supports the targeting of social media users: data subject’s consent (Article 6(1)(a) GDPR) or legitimate interests (Article 6(1)(f) GDPR). A controller must always consider what the appropriate legal basis is under the given circumstances.

The EDPB goes on to explain the 3 conditions for a Legitimate Interests must be met:

(i) the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed
[i.e. the processing must be for a legitimate purpose]

(ii) the need to process personal data for the purposes of the legitimate interests pursued, and
[i.e. the processing must be necessary]

(iii) the condition that the fundamental rights and freedoms of the data subject whose data require protection do not take precedence.

The EDPB reminds us that, in cases where a controller envisages to rely on legitimate interest, the duties of transparency and the right to object require careful consideration in relation to (iii) above.

Therefore it is important to make sure your privacy notice is clear about the use of personal data for social media targeting.

The EDPB also reminds us that CJEU have previously specified that, in a situation of joint controllership (as there might be with a controller and a social media platform):

It is necessary that each of those controllers should pursue a legitimate interest […] through those processing operations in order for those operations to be justified in respect of each of them.

Why would you want to be a trail blazer and limit the scale of your marketing activity by adopting a consent-based approach, when others don’t do it too?

John Mitchison is Director of Policy and Compliance at the Data and Marketing Association (DMA);

“The current compliance landscape can be very confusing for marketers, not least in the area of online advertising and social media.  We have a ‘draft’ version of the ICO’s Direct Marketing Code of Practice and guidance from the EU, of which the UK is no longer a part.

If a person has a first party relationship with a brand and a first party relationship with a social media platform it seems entirely reasonable for that person to see ads about the brand on the social site, and for this processing to be done under Legitimate Interest. 

Transparency and control are essential if you want to retain the trust with your customers; clearly explain what is going on in your privacy policy and allow people to opt out if they really want to.”

Consumer expectations

It can be argued people nowadays expect to see relevant advertising when they browse social media and that ads which are relevant to their interests have got to be better then untargeted ads.

So is there really any harm in this type of targeted advertising?

It’s important to acknowledge there could be harm if data is used in intrusive, appropriate or unlawful ways, especially were individuals may be minors or vulnerable people.

When data is used without the proper controls to protect people, such as offering dieting tablets to anorexics, targeting alcohol offers to alcoholics, or offering gambling services to problem gamblers – it is highly likely to be harmful.

This type of advertising is also regulated under the CAP code, so we’re not entirely reliant on data protection rules here.

But outside of these concerning situations, where targeted advertising is used for non-sensitive products and services, is this type of targeting likely to cause harm?

What user-controls are available within social media platforms?

Most social media platforms which carry advertising provide user controls on the advertising you are exposed to. For example, Facebook Ad Preferences enable users to:

  • see which advertisers are targeting you directly and hide ads if you wish
  • manage advertising topics and ‘see fewer’ if you wish
  • view data about your activity from ad partners
  • decide if you wish to share certain profile information (employer, job title, education & relationship status) for advertising purposes
  • edit you’re your interests and other categories used by advertisers to reach you
  • find out whose targeting you via audience-based advertising and hide those ads if you want

What are the risks to advertisers?

At this point in time, it seems the likelihood of enforcement action by the ICO regarding social media targeting (for non-sensitive products & services) appears rather low. But of course this could change.

It’s certainly wise to keep a close eye out for customer / supporter complaints which might arise from social media targeting, as if these are not handled properly, people could escalate their concerns to the ICO.

At the end of the day the key is making sure you are open and upfront about how you use people’s personal information.  Take a risk-based judgement call on the right lawful basis for your business and try to avoid any unwelcome surprises!

 

If you’d like any advice or support regarding social media marketing, or any other use of data, please get in touch – Contact Us 

Minimise your data with maximum permissions

March 2021

Deliver successful marketing campaigns without hoarding data

This might seem like a contradiction in terms. How can you minimise the volumes of data you keep whilst also maintaining good levels of marketing permissions?

The answer, of course, is to only keep the data you need. Less is more. I’ll say that again – less is more. However, the challenge for many marketers is to understand which data to discard and which data to keep.

Figuring out which data is needed takes time and effort and draws on some old-fashioned skills we learnt in the pre-internet era to maintain data accuracy and assess what variables/values actually drives a sale.

Before the ubiquitous email, which appears to cost nothing, we used to make some very difficult decisions about who to contact because each contact cost a fortune. Now is the time to re-discover some of those skills and cut down on those emails and digital ads, whilst rebuilding trust with prospects and customers.

1. Data accuracy

Arguably the most boring job for any marketer is to keep their customer and prospect data up to date and accurate.

Questions to consider:

  • How many records hold inaccurate data?
  • Are they worth keeping?
  • How recently did that prospect engage with you?
  • Will they ever engage again?
  • Are the marketing permissions up to date and valid?

Like de-cluttering your house, it’s difficult to throw away data but keeping data for too long can attract large fines and a bad reputation.

2. Effective retention policies

If you understand the patterns of purchase and sale you’ll have a good idea of when people who are customers are no longer engaged and either need to be refreshed or removed.

Asking if people want to be removed from a database after a long period of inactivity is a good idea. Why keep people on a list who don’t want to hear from you?

Questions to ask:

  • Have you reviewed your retention policy and refreshed permissions?
  • Do you have a regular routine in place to identify and update permissions once they reach their retention policy limit?
  • Do you regularly review the responses you generate from the older data sets?
  • Based on your findings, should you adjust the retention policy periods?

3. Reduce the collection of data points

If I provide a phone number when I place an order, what happens to that data?

Unless it’s for a carrier I’ll always provide an inaccurate number. It makes more sense to explain exactly why you need every single data point and provide a “what’s in it for me” reason why this data should be collected. The completion rate will be greater with more accurate information.

Questions to ask:

  • Do have a clear plan for how every single data point is used?
  • Have you communicated that intention clearly?
  • Have you explained clearly the “what’s in it for me”?
  • Which data can be discarded?

4. Special category data

Special category data can be explicitly collected or inferred from the combination of other data sets. This is a particular challenge in Adtech where the quantity of data collected through third party cookies is, frankly, mind blowing.

If you’re able to establish  sexuality from which websites someone uses this, potentially, becomes special category data. Keeping any special category data presents an additional risk and should be carefully considered, whilst consent for marketing needs to be sought under any circumstance. If in doubt get rid of it.

Questions to consider:

  • Do you really need to know anything sensitive about your prospects and customers?
  • What difference will knowing the information make to your ability to sell your products and services?

5. Preference centres

The notion you should give your customers and prospects the choice to manage their preferences in an open and transparent way is at the heart of data protection legislation.

There are technology solutions from a wide variety of providers to create preference centres for cookies, as well as managing marketing preferences for emails, direct mail and so on.

Presenting this information in an easy-to-understand format can feel like a formidable challenge and there’s sometimes the temptation to hide it or just not bother to explain clearly enough.

Not explaining or hiding information is never a great idea, as there is a direct link between openness and transparency and trust.

“Doing the right thing” and building trust is a No 1 priority for many brands and they see it reaps dividends in greater loyalty and repeat purchase.

Not only that but the afore-mentioned technology solutions have relatively inexpensive options for smaller or medium sized businesses. Cost should not be an impediment.

Questions to consider:

  • Are all your marketing and cookie preferences managed centrally?
  • Do you know what all the cookies on your website do?
  • Do you know what happens to the data that is captured by third party Adtech providers?
  • Have you completed a DPIA for Ad Tech activity?
  • Do you have a compliant cookie notice and preference centre with the permissions options applied correctly?

6. Understanding the ROI of your campaigns

Being able to analyse the customer/prospect journey from first point of data capture through to a final sale is the holy grail. An apparently cost-efficient lead at the front end may not translate into high margin sales in the end.

Equally, being able to understand what influences a purchasing decision and what environment is most successful will allow you to filter your marketing effort against fewer key variables.

As the ICO clearly stated in their review of RTB, the sheer volume of data in use by Adtech providers feels disproportionate to the outcome.

Questions to ask:

  • Can you calculate an end-to-end ROI on customer transactions?
  • Do you know which variables will influence purchase more than anything else?
  • Have you done some modelling of your own customer data to create anonymised look alike segments to be used with contextual advertising?

7. How do you move on from third-party cookies?

As we know, Google will stop supporting third party cookies in 2022. This places an immediate pressure on advertisers to focus on their own first party data.

Immediate questions to ask:

  • Do we have any first party data?
  • How else do we add to what we already know?
  • Can we ask our customers to share more data? What interests them, what content do they consume, how do they shop?

If we’re able to create segments from our own data, the opportunity to use that information to create anonymised look-alikes will improve targeting efficiency. We are seeing a proliferation of providers who are using different variables to target customers which does not even involve large quantities of cookie data and this trend is set to grow.

If you understand your data well and create meaningful segments for targeting from first party data, which has been volunteered by customers, marketing teams will be in a strong position to deliver more with less.

 

Data protection team over-stretched? Find out how we can help with our flexible no-nonsense Privacy Manager Service.

Marketers: Will You Need to do a DPIA for that?

February 2020

Why Marketers need to understand Data Protection Impact Assessments

The ICO published its draft Direct Marketing Code of Practice on 8 January 2020.

One of the key topics which emerged from DPN’s analysis of the draft Code is the ICO’s clarification of the types of marketing / profiling activities where organisations should be carrying out a Data Protection Impact Assessment (DPIA).

In simple terms, a DPIA is a process that helps companies to identify, assess and mitigate privacy risks right from the start of a project.

An organisation must be able to demonstrate accountability and privacy by design principles by showing they have taken the appropriate measures to safeguard the ‘rights and freedoms’ of individuals.

When should a DPIA be conducted?

The ICO states, in their draft Code, that any ‘direct marketing’ activity which involves the processing of personal data that is likely to result in ‘high risk’ to the individual requires a DPIA before you start processing.

The following examples are given:

  • when conducting ‘large scale’ profiling of individuals for marketing purposes
  • matching datasets for marketing purposes
  • processing may be ‘invisible’ to the data subject, e.g. list brokering, online tracking by third parties, re-use of publicly available data
  • using geo-location data for marketing purposes
  • tracking the behaviour of individuals including online advertising, web and cross device tracking, tracing services (tele-matching & tele-appending), wealth profiling and loyalty schemes.
  • targeting children or other vulnerable individuals for marketing purposes

That certainly sounds like a lot of situations, doesn’t it?

We anticipate a lot of marketers who have never conducted DPIA before will have to learn fast.

The ICO suggests it’s likely that ALL marketers will need to carry out a DPIA at some point. The Regulator says this will bring financial and reputation benefits – and crucially, will help to build trust with individuals.

The draft code includes a ‘good practice recommendation’:

“Even if there is no specific indication of likely high risk in your direct marketing activity, it is good practice to do a DPIA for any major new project involving the use of personal data.”

So what do you need to do?

When carrying out a DPIA for marketing, organisations must be able to:

  • describe the nature, scope, context and purposes of what you are planning to do
  • assess its necessity, proportionality and any compliance measures in place
  • identify and assess risks to individuals
  • identify any additional measures which may be appropriate to mitigate any risks

As with any ‘new’ process, it will take time, patience and practice to embed into the culture and develop expertise within your teams. Over time, marketing teams will get more and more adept at carrying out DPIAs.

Smart marketers see the DPIA process as a way to demonstrate they’ve truly focused on their customer or prospect – from the planning phase all the way through to implementation.

It helps to recognise and tackle any privacy issues early on and helps to prevent any undesirable consequences.