Banks have been warned that they must not hide behind data protection rules to avoid alerting savers to better deals. The warning was immediately followed by a joint letter from the Financial Conduct Authority (FCA) and the Information Commissioner’s Office (ICO) to the UK Finance and Building Societies Association, clarifying that savings providers can inform customers of the best rates available, even where the customer has previously opted out of (or has not consented to) receiving direct marketing. See also the FT’s report of this.
These recent discussions around data protection and direct marketing restrictions present a timely reminder of the UK’s laws on sending marketing communications. We have summarised the position below and provided some answers to Frequently Asked Questions.
Direct marketing regulation in the UK is recognised as a complex and challenging area of law. Navigating the intricate legal requirements and ensuring compliance with the applicable law poses significant challenges for businesses engaging in direct marketing activities. The Data Protection Act 2018 (DPA 2018), the Privacy and Electronic Communications Regulations 2003 (PECR) and the UK’s implementation of the General Data Protection Regulation (UK GDPR) all need to be taken into consideration.
The Privacy and Electronic Communications Regulations 2003 (PECR)
- PECR prohibits the sending of unsolicited communications for the purposes of direct marketing by means of electronic mail to individual subscribers.
- When businesses intend to send unsolicited communications for the purposes of direct marketing by means of electronic mail to individual subscribers, they are obligated to adhere to PECR’s stipulations, which may involve obtaining the recipient’s prior consent and cross-checking statutory preference services and internal “Do not send” lists.
- PECR only applies to messages sent to “individual subscribers”. These will generally be individuals, sole traders, and partnerships. It does not apply to “corporate subscribers” (generally companies and LLPs).
- PECR only applies to electronic communications (e.g., email, fax or SMS message). Postal marketing therefore falls outside the scope of PECR.
- The material must be directed to particular individuals. Indiscriminate blanket marketing – for example, leaflets delivered to every house in an area, magazine inserts, or adverts shown to every person who views a website – will not therefore fall within this definition of direct marketing.
- Under Regulation 22 of PECR, consent must be obtained prior to sending unsolicited electronic marketing communications (for example emails) unless specific criteria are fulfilled.
- PECR remains applicable regardless of whether personal data is being processed.
- The maximum fine for non-compliance with PECR is currently £500,000, but there are plans to bring this into line with the UK GDPR which would mean that ceiling is raised to £17.5 million.
UK GDPR and DPA 2018
- Both the UK GDPR and DPA 2018 come into effect when personal data, such as a data subject’s name, address, email, and contact details, is processed (including when that personal data is collected).
- Within the DPA 2018, the term “direct marketing” is defined as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals” (section 122(5), Part 5, DPA 2018). Direct marketing would therefore involve the processing of personal data.
- Under the UK GDPR, consent must include a clear affirmative action. This higher standard for consent is adopted by PECR and applies to consent required for direct marketing.
- The ICO explains “Clear affirmative action means someone must take deliberate and specific action to opt in or agree to the processing, even if this is not expressed as an opt-in box. For example, other affirmative opt-in methods might include signing a consent statement, oral confirmation, a binary choice presented with equal prominence, or switching technical settings away from the default.”
- Article 21(2) of the UK GDPR grants data subjects an unconditional right to object to all electronic marketing and postal communications. The data subject is not required to provide any justification for their objection, and the controller must comply without any exemptions or exceptions. Consequently, if direct marketing is based on legitimate interests, the data subject’s right to object takes precedence, mandating the controller to cease processing the data for direct marketing purposes.
Frequently Asked Questions
- Do I always need consent to send email marketing?
In the UK, consent is a crucial requirement for email marketing. In most cases you must not send marketing emails or texts to individuals without their specific consent.
Regulation 22(2) of PECR states the following:
Except in the circumstances [set out below], a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.
A restricted exception exists for your existing customers (in Regulation 22(3) of PECR), commonly referred to as the ‘soft opt-in’.
The concept of the ‘soft opt-in’ is often used to refer to the provision concerning existing customers. If an individual has recently made a purchase from you, shared their details, and has not expressed a desire to opt out of marketing messages, it is assumed they may be open to receiving marketing communications about similar products or services, even without explicit consent. However, it is essential that you have offered them a clear opportunity to opt out at the time you collected their information and in every subsequent communication.
While the soft opt-in rule allows for emailing or texting your existing customers, it does not extend to prospective customers or new contacts, such as those from purchased lists. Furthermore, it does not apply to non-commercial promotions, such as charity fundraising or political campaigning.
Sending marketing emails or texts to companies is permissible, but it is advisable to maintain a ‘do not email or text’ list comprising companies that express objections to receiving such communications.
- What about postal marketing?
When sending direct marketing via post, PECR does not apply and consent is not required.
However, as you will be processing the personal data of the person that is receiving that marketing communication you must still comply with the requirements of the UK GDPR and the DPA 2018. This includes ensuring that your processing of the personal data is fair, lawful and transparent.
It is therefore essential to establish a lawful basis for using a recipient’s personal data if you intend to include their name on a letter or flyer. This requirement also applies when you possess information that can identify the individual being targeted in your marketing communication.
The lawful basis for postal marketing will frequently be legitimate interests. Deciding whether an organisation has legitimate interests involves balancing the interests of the business in sending out the marketing with the rights and freedoms of the individual. This balance will be tipped in favour of the individual where the individual has objected to marketing communications or where a particularly large quantity or high frequency of marketing is going to be sent.
- What constitutes consent for direct marketing purposes?
PECR uses the definition of consent under the UK GDPR. Under the UK GDPR, consent must be freely given, specific, informed and unambiguous.
If you’re relying on consent, you cannot use people’s personal data for any purpose other than the one they originally consented to. For example, if someone gives you consent for their details to be used to send them details of your products or promotions you cannot send them details about a third party’s products or services. The consent they’ve given for their details to be used can’t be carried over for anything else and they don’t expect to hear from you about anything else.
A person is able to withdraw consent at any time, and databases need to be able to effectively record this. The key thing, however, is to be able to demonstrate that consent has been given.
- What does the term “marketing email” refer to?
The DPA 2018 defines “direct marketing” as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. This includes the sending of any promotional and marketing materials.
Communications which are made for administration or organisational purposes such as a letter or email notifying customers of a change to Terms of Business or a change of address will not be marketing communications.
However, if the communication contains any element of marketing (perhaps for example a banner or footnote giving details of a product promotion) then the communication will be a marketing communication.
The distinction can be particularly important in regulated sectors and the ICO has published some advice on this.
- Can I email people to get consent?
In 2017, the ICO issued Flybe and Honda with fines of £83,000 for emails sent to customers to obtain consent to future marketing messages. The ICO found that both Flybe and Honda violated PECR, and it was concluded that organisations cannot send an email to an individual seeking consent for future marketing messages, as that very email is considered a marketing communication, necessitating prior consent. The Head of Enforcement of the ICO at the time said “Sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law.”
You can read more about the case in our blog, here.
- When is a marketing message unsolicited?
Most of the rules in PECR only apply to unsolicited marketing messages. They do not restrict solicited marketing.
Put simply, a solicited message is one that is actively requested. So, if someone specifically asks you to send them some information, you can do so without worrying about PECR.
An unsolicited message is any message that has not been specifically requested. So even if the customer has ‘opted in’ to receiving marketing from you, it still counts as unsolicited marketing. An opt-in means the customer agrees to future messages (and is likely to mean that the marketing complies with PECR). But this is not the same as someone specifically contacting you to ask for particular information.
This update was co-authored by Trainee Solicitor (Seconded) Eghosa Okoro.
Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.