Gearing up for the GDPR: Marketing
In this next bulletin of our series on the General Data Protection Regulation ("GDPR"), we discuss issues around marketing and what impact the GDPR will have on how your organisation markets its products and services.
The GDPR is set to come into force on 25 May 2018 and will result in changes in obligations when collecting personal data that will impact on your marketing practices. These changes include enhanced information requirements, the clear obtaining and recording of consent and enhanced privacy policies. Further, if you are marketing your goods and services using "electronic methods" there are specific rules on marketing calls, emails, texts and faxes pursuant to the Privacy & Electronic Communications (EC Directive) Regulations 2003 (PECR) and these will not be affected by the implementation of GDPR.
Whilst a new updated ePrivacy regulation was scheduled to replace PECR and come into force at the same time as the GDPR, the text has not yet been finalised. Therefore, whilst the future of marketing will depend on a revised ePrivacy regulation (along with any guidance that the ICO issues) this bulletin sets out how the GDPR and PECR will work together in the interim.
Marketing under the GDPR
As with all processing of personal data, in order to market your goods and services, the GDPR requires that your organisation has a lawful basis for such processing. Whilst you can of course satisfy this by obtaining explicit consent, this will become more onerous under the GDPR. Consent must be unambiguous and given either through a statement or clear affirmative action. It cannot be inferred from silence, pre-ticked boxes or inactivity.
More helpfully the GDPR makes it clear that an organisation could instead rely on the processing condition of legitimate interest (therefore without the need to obtain consent) for marketing activities. Recital 47 states that “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” However, it is important to be aware that if you are relying on this condition you will always need to offer the individual an opt-out and if an individual objects to this marketing you must stop processing that individual's data as soon as this objection has been received.
The GDPR requires organisations to be transparent with individuals about what they are using their data for, how it might be shared, the legal basis for processing their data, and how long it will be kept. For more details on the enhanced privacy notices under the GDPR please see our February 2017 bulletin.
If your organisation is sending unsolicited direct marketing by electronic means then you must comply with PECR (as well as the GDPR).
As set out above, electronic means include telephone calls (both live and automated), faxes, emails, text messages and other forms of electronic message. In addition to the sale of products and services, "direct marketing" also covers the promotion of aims and ideals. Accordingly, PECR applies to not-for-profit organisations such as charities and political parties as well as to commercial businesses. Different rules apply to different types of communication, and also depend on whether your organisation is marketing to an individual or to a business.
Business to individual customers marketing
If you are marketing by live telephone call, and the individual is not listed on the Telephone Preference Service (TPS), you can call without consent as long as that person hasn't objected to your calls in the past. By contrast, for automated calls you must first obtain specific consent before undertaking any marketing using this method.
Texts and emails
PECR makes it clear that organisations must not send marketing texts or emails to individuals without their specific prior consent. However, there is a limited (but useful) exception for previous customers which is known as the "soft opt-in". The soft opt-in applies where an individual bought something from your organisation recently and, during that process, gave you their details and did not opt out of marketing messages. In that case it can reasonably be assumed that they are happy to receive marketing from your organisation about similar products or services even if they haven't specifically consented. However, it is important to give them a clear chance to opt out (both when you first collected their details, and in every message you send).
Accordingly, whilst the soft opt-in rule means you may be able to email or text your own customers it does not apply to new customers or contacts. Further, it is important to note that it does not apply to non-commercial matters. Therefore, you cannot rely on the soft opt-in for charity fundraising or political campaigning.
In the event that your business wants to market via fax then the consumer must have given specific consent.
Business to business marketing
It is important to remember that when marketing to sole traders or partnerships, the rules governing Business to individual customers apply (as set out above).
As with individuals, organisations can market using live calls as long as the target is not a member of the Corporate Telephone Preference Service. In relation to recorded calls, the individual within the business must have given their specific consent.
Emails or texts
Whilst PECR allows you to market to an organisation by email or text it is good practice to provide an opt out option. Further, individual employees can explicitly opt out.
Organisations can send marketing faxes to companies (or other corporate bodies) without consent, unless the fax number is listed on the Fax Preference Service (FPS).
What is next?
Whilst this bulletin focuses on the relationship between PECR and GDPR, as set out above a new ePrivacy regulation is on the cards. As currently drafted, the new regulation will tighten the rules on marketing, with the default position being that all marketing to individuals by phone, text or email must be opt-in (therefore removing the soft opt-in exception), and will broaden the definition of electronic communications so that the rules also apply to internet-based services such as Facebook Messenger, WhatsApp and Skype.