Handling personal data for the purpose of marketing used to be easy. In most cases, it meant little more than making sure that the appropriate data protection notice was provided on web site registration forms and other data collection points.
But recent changes to the law relating to electronic marketing mean that has all changed.
The use of personal data in the UK for direct marketing is governed by the Data Protection Act 1998 and related legislation. But the 2003 Privacy and Electronic Communications Regulations add new rules affecting the way businesses carry out direct marketing.
The laws, in force from 11 December 2003, include provisions concerning email, mobile text messaging and the use of the Internet. The new rules will also regulate the provision of value added services using traffic and location data, and provide controls over the use of ‘cookies’ on web sites.
Spam ban
The new default requirement is that all email and mobile text message marketing must only be sent to a recipient who has previously given their consent to the sender by explicitly ‘opting-in’. Furthermore, certain information about the sender (whose identity must be clear) must be provided to the recipient at the same time.
There are, however, some exceptions to the ‘opt-in’ requirement. These include circumstances where:
These rules do not apply to communications sent to someone at their work email address or work mobile number, as long as these are provided by the employer and the employer is a limited company. But they will still apply to marketing communications sent to the work email addresses or mobiles of sole traders or those working in a partnership.
Confusing? In practice it is easier to assume that the rules apply to all email and text messages rather than struggle with the burden of monitoring all customer and prospect marketing lists to make sure that a communication does not inadvertently fall foul of the regulations.
Cookie cutters
Similarly, the use of cookies has been tightened up. Cookies are small text files downloaded to Internet users’ PCs from web sites they visit that can help the operators of those web sites uniquely identify them.
If cookies or other similar tracking devices are used to store or access any information on a user’s computer then clear and comprehensive information must be provided about the cookies and how they are used. In addition, web site operators must provide users with the means to refuse the storage of, or access to, the relevant information.
An exception applies to the technical storage of information where this is only to enable the transmission of a communication or where this is strictly necessary to provide the service requested by the user. This is intended to apply only in limited cases, for example where the delivery of a service would be impossible without the cookie.
In a similar vein, the new rules aim to bring a level of regulation to the previously grey area of ‘location-based marketing and services’.
They allow for the provision of services based on location or traffic data in conjunction with network operators, but only provided that the subscriber has consented to this use of their information and can withdraw or suspend their consent at any time.
Criminal offence
The regulations are not without teeth. Failure to conform could result in an organisation being the subject of an enforcement action from the Information Commissioner – and breach of an enforcement notice is a criminal offence.
Businesses could also face a court order to pay compensation to any person who suffers damage as a result of any contravention of the regulations, as well as having to deal with the commercial implications of a public loss of business reputation and credibility.
Organisations of all sizes therefore need to examine their marketing practices closely to ensure that they comply with the new regulations, if they haven’t already done so.
That ought to include considering whether the marketing database is constructed so that different levels of consent can be flagged depending upon the type of marketing channel used, and taking steps to obtain explicit consent for future email and text message marketing campaigns.
Without the required level of consent a business runs the risk of being ordered to delete its electronic marketing records – clearly, something that would severely restrict its ability to communicate with customers and prospects in the future.