Published on Wednesday, May 8, 2019 - 16:23 by Camilla Winlo
The ICO has issued another fine to an organisation that did not do enough to ensure that its marketing activities were lawful. In fact, it has issued over £2 Million of fines to organisations for marketing failures since the beginning of 2018. If your organisation is carrying out direct marketing activities, and in particular if those activities include direct marketing on behalf of third parties, it would be worth checking that your approach ensures the rewards outweigh the risks.
In our experience, it is not uncommon for marketers to lack confidence in their knowledge of the laws relating to marketing and to rely on other teams such as compliance to ensure that their activities are lawful. Those other teams may not appreciate the extent to which the marketing team believes they have transferred the risk and responsibility. In smaller organisations, the knowledge gap may not be filled at all.
The three most common reasons for fines are:
Privacy and Electronic Communications Regulation
PECR non-compliance fines are commonly issued to organisations that send direct marketing to individuals without being able to demonstrate that they have a lawful basis to do so.
Most commonly, the most appropriate lawful basis will be either Consent or Legitimate Interest, although other bases may be available in some circumstances.
If the organisation relies on Consent, it will need to demonstrate that the individual was fully informed about how their data would be used, was able to freely give or refuse their consent and could withdraw it as easily as they gave it, and expressed their consent in an active way such as by checking a box.
Where the Consent is provided indirectly, in other words where it is collected by a third party such as a list broker, the organisation that sends or instigates the sending of the communication will need to demonstrate that the individual was aware that they would receive communications from the organisation. This means that they should have specifically chosen to receive communications about the organisation by name.
If the organisation relies on Legitimate Interest, it will need to demonstrate that it has an existing relationship with the individual and complete a Legitimate Interest Assessment, also known as a Balancing Test, to show that the benefit to the organisation outweighs any disbenefit to the individual. There is an inherent conflict of interest in such assessments and the organisation will need to ensure that it manages this conflict appropriately when making its decisions.
Data sharing failures
Organisations that share information with third parties must ensure that they have a lawful basis for such sharing. This means that they must be able to demonstrate an appropriate lawful basis, have appropriate safeguards in place to protect the data that is shared, and ensure that individuals are fully informed about what data is shared and how it will be processed.
The lawful basis for data sharing for marketing purposes will usually be Consent, which is discussed above.
Safeguards vary, but if the data may be processed outside the EEA, the organisation will need to be able to demonstrate that the data is as safe as it would have been if it had stayed in the EEA and been covered by GDPR. This usually means contract terms and/or an adequacy agreement, but there are other options available.
There will also need to be a contract underpinned by effective processes to ensure that individuals are aware of how, when and why their data will be shared and processed and that their rights are not affected by such sharing. Data flow and process maps can be very helpful to ensure that nothing is missed.
Telephone Preference Service
There are a number of Preference Services and in our experience awareness of the different services varies. If an individual is signed up to one of the services, any organisation wishing to market to them needs to be able to demonstrate that they have an appropriate and valid consent in place that overrides the service registration – for example, proof that the individual has opted in to telephone marketing from the organisation after the date on which they registered with the Telephone Preference Service.
The Telephone Preference Service is run by the government and allows private individuals to opt out of telephone marketing. It is a legal requirement that organisations to screen their marketing lists against the Telephone Preference Service and individuals do not need to take any further action to stay registered. Individuals are advised that calls should stop within 28 days – so you need to screen your lists at least monthly to ensure you comply.
The Corporate Telephone Preference Service is run by the government and allows companies to opt out of telephone marketing. It is a legal requirement that organisations screen their B2B marketing lists against the Corporate Telephone Preference Service. Companies must renew their subscription to the Corporate Telephone Preference Service every year or they will be removed from the list. Companies are advised that calls should stop within 28 days – so you need to screen your lists at least monthly to ensure you comply.
The Fax Preference Service is run by the government and allows individuals and companies to opt out of fax marketing. It is a legal requirement that organisations screen their fax marketing lists against the Fax Telephone Preference Service.
The Mailing Preference Service is run by the Direct Marketing Association and allows individuals to register their preference not to receive direct marketing by post. It is not compulsory, however individuals have the right to object to marketing and it is considered best practice to screen against the list. Individuals are advised that mailings should stop within four months – so you need to screen your lists at least three times a year to ensure you comply.
The Baby Mailing Preference Service is run by the Direct Marketing Association and allows individuals to register their preference not to receive baby-related marketing by post. It is not compulsory, however individuals have the right to object to marketing and it is considered best practice to screen against the list. Individuals are advised of a specific time after which marketing should stop, however organisations should be aware that it is particularly aimed at parents who have lost their child in the weeks after birth. It is therefore considered best practice to screen against the list before every campaign is sent out.
Organisations must also maintain their own databases to ensure that they do not market to individuals without a lawful basis. They should also respect any preferences that their customers express. Increasingly, such preferences are expected to be granular and cover marketing channels and the types of communications that are sent.
Action you should take
You should ensure that your marketing team: