Question of the month – What does the new ICO guidance on marketing by electronic mail tell us?
In October last year, the ICO produced some new guidance on direct marketing by electronic means. The guidance covers a lot of familiar ground, but nonetheless has some interesting commentary.
Consent and the soft opt-in
The new guidance restates the (fairly well understood) position under the Privacy and Electronic Communications Regulations 2003 (PECR) that you will need to have consent to send electronic mail marketing to an individual subscriber, unless you can comply with all elements of the soft opt-in exception.
As well as a run through of the elements of consent required (UK GDPR standard consent) the new guidance adds value by giving examples of obtaining consent verbally and stating that you must obtain consent for the method of communication you will be using (e.g. text, email etc.) as well as providing useful clarifications such as that obtaining consent for marketing by telephone is not the same as having consent to receive marketing by SMS.
There are useful reminders, like the fact that consent is not transferrable and so just because an individual is happy for you to send marketing material to a particular email address, does not give you the right to use other email addresses for the same person.
On a helpful note, the guidance puts to bed the question of whether free trials constitute “negotiations” for the purposes of relying on the soft opt-in exception. The guidance confirms that if you have offered a free trial to an individual and they have not opted-out, you can send direct marketing to them by electronic mail (so long as you comply with all the elements of the soft opt-in).
“Tell a friend”
The new guidance contains a section on viral marketing (so called “tell a friend” or “refer a friend” campaigns), which are frequently used on social media and through “ambassador” or “influencer” campaigns. The ICO makes it clear that, despite the seeming informality of these types of engagements and the fact the original party is not “sending the messages”, the entity whose brand is being promoted or who is offering incentives is instigating the sending or forwarding of electronic mail marketing if they ask people to send direct marketing on to others. It does not matter if they provide a reward/benefit to an individual to encourage them to send the messages, it is enough that they encourage them to do so.
The ICO further states that this method of marketing cannot be achieved compliantly by relying on soft opt-in and therefore consent must be sought from the individuals who are the recipient of the “refer a friend” communication. In reality, obtaining consent for this is unlikely to be possible and therefore organisations should take steps to avoid encouraging the sending on of promotions by electronic mail unless they are compliant.
Bought in marketing lists
The ICO confirms that individuals on bought in marketing lists must have given their consent to receive marketing from the organisation using the bought in list and sets out questions that an organisation intending to use a bought-in list should ask. We would recommend that the responses to such questions are documented fully as part of a data protection impact assessment or as part of any pre-contractual and ongoing due diligence undertaken. The ICO recommends that you always ask:
- What were people told?
- What did they consent to?
- Was your organisation named on the consent request?
- When and how did they consent?
- Did they have a choice to consent?
- Is there a record of the consent?