Direct marketing requires specific consent says new ICO guidance

Businesses need to gain clear and specific consent from individuals to send direct marketing via email, SMS and automated recorded messages according to new guidelines from the Information Commissioner's Office (ICO). The new guidelines clarify the ICO’s view of the dos and don'ts for direct marketing under the Data Protection Act 1988 (DPA) and Privacy and Electronic Communications Regulations 2003 (PECR). The ICO’s interpretation places additional consent requirements across the various direct marketing channels. It should be noted that the new guidance does not amend the existing legislation. It is the first of a series of guidance notes to help businesses fully understand their obligations and to promote good practice, says the ICO.

Here's a summary of what the new ICO guidance says:

Third-party consent
The ICO is tightening up its view of what constitutes third-party consent, particularly in the case of email, SMS and automated recorded calls. This is because the law states that the recipient of an unsolicited email or SMS marketing message must have given their consent to the sender. If that sender is a third party (somebody renting the list), they cannot rely on the consent the individual may have given to the first party (the list owner), unless the exceptions below apply.

The only exceptions are where the first party names the third party or the third party falls into a category of organisations for which the first party gained consent from the individual to pass their email address or SMS contact details on to. For example, a travel company may gain consent to pass on the individual's email or SMS contact details to other travel companies. The ICO expects organisations to carry out rigorous checks to ensure that email and SMS contact details and are not passed on or resold to organisations without the specific consent of individuals.

Consent time limits
Although the guidance doesn't set an expiration date for consent, it will not be valid forever. It will become harder to rely on consent given some time ago as a genuine indication of a person's wishes. Furthermore, consent under PECR (which deals with email, SMS, telephone and fax marketing) is expressly stated in the Regulations to be "for the time being". The ICO interprets this as any significant change in circumstances, such as a change of ownership, is likely to bring the consumer's consent to an end, unless the consent is re-validated at the same time as the change in circumstances.

Another issue is the context in which the individual gave their consent to receive unsolicited marketing and the nature of the relationship between the consumer and the marketer. For example, if a consumer gives their consent when signing up to a service that they subsequently cancel, then that consent should expire on the cancellation of the service, unless the consent is re-validated during the cancellation process.

Time limits for third-party consent
The ICO believes that consumer consent to third-party marketing should last for a maximum of six months from the date the consent was given to the first party collecting the customer contact details. The only exception is for seasonal products such as Christmas cards or an annually renewable insurance service. The time limit is not in the legislation and the DMA will ask the ICO as to where the six-month time limit came from.

Proof of consent
The ICO warns that if it receives a complaint from a consumer about receiving unsolicited direct marketing, it is up to the organisation in question to ensure it has obtained the appropriate consent (and prove it) or risk facing enforcement action.

Records should include:

1. Date of consent.

2. Whether consent was obtained by unsubscribe/subscribe methods.

3. Which organisation obtained the consent.

Organisations should not rely on a bought-in list from a third party unless the organisation that collected the contact details or the list broker can provide these details.

This reflects the existing legislation and the DMA’s DM Code of Practice. Members should already have policies and procedures in place to comply with this. The ICO does not expect users of list of email addresses and mobile phone numbers to have sight of all opt-ins. What the ICO would expect is for the organisation renting the email or mobile list to make appropriate enquiries of the list provider to check that the correct opt-in permissions have been obtained.

This should extend to getting generic example copies of the data collection statements or the telephone scripts used and the records above. It has always been the ICO’s view that a list renter cannot rely on a list owner’s undertakings as to the validity, legality and compliance of the data being rented. Since email marketing is based on an opt-in/subscribe/positive consent model the general rule is that individual preferences must be respected.

The DMA’s viewpoint
There are some areas of concern in the ICO guidance such as consent time limits. For instance, wording along the lines of “We would like to send you information about our products and services in the future” followed by subscribe/unsubscribe wording (depending on the marketing channel) is clear indication of consent to receive unsolicited marketing about all products and services now and in the future. The DMA is seeking clarification and will update members when the ICO has replied.

James Milligan, Solicitor, DMA