January 2017: The Information Commissioner’s Office (ICO) has fined a company £100,000 for sending unsolicited spam texts attempting to solicit leads for financial services institutions. The ICO found that between May to December 2015, the company sent 1,132,149 unsolicited texts to individual subscribers for the purposes of direct marketing.
The government has recently transferred the function of maintaining, and of keeping the Telephone Preference Service and Fax Preference Service (the registers) up to date, from Ofcom to the ICO. This transfer will allow the ICO direct control over how the registers are maintained and direct access to the information they contain. As a result, it is hoped that complaints arising from nuisance calls and faxes will be dealt with more efficiently.
July 2016: In 2015/16, a clampdown on nuisance callers led to the Information Commissioner’s Office (ICO) imposing penalties of almost £2 million for unsolicited marketing call offences, with the largest fine being £350,000 for automated calls without individuals’ prior consent. The ICO also imposed a penalty of £130,000 for a breach of the first data protection principle, the first penalty of its kind, for the sale of customer details (without their informed consent) to third parties.
The ICO has maintained its focus on nuisance marketing practices and in particular nuisance callers, as they are considered to be the most distressing form of direct marketing,. Changes in the rules on nuisance marketing have given the ICO greater scope to levy fines. It recently imposed a monetary penalty notice of £180,000 on a company for jointly instigating automated marketing calls without prior consent, failing to both identify the sender or instigator of the calls and failing to provide the address of a person or a telephone number on which they could be reached free of charge.
March 2016: In December last year, the Information Commissioner’s Office (ICO) warned companies making nuisance calls to expect more fines in 2016. The ICO has stuck to its promise and recently issued two monetary penalty notices, totalling £150,000, on two separate companies for making direct marketing telephone calls in breach of the Privacy Regulations 2003.
It fined the first £80,000 for making unsolicited telephone calls to sell solar panels and other green energy saving equipment to people registered with the Telephone Preference Service. The second was fined £70,000 for making close to 40,000 automated calls without consent in one day, many in the middle of the night and during the early hours of the morning, inviting individuals to purchase a security system.
December 2015: Businesses that use text marketing should take note of the Information Commissioner’s recent enforcement action. The Information Commissioner’s Office (ICO) has fined a lead generation company £200,000, under its new enforcement powers, for sending thousands of unsolicited marketing texts. The company ran a marketing campaign in April 2015 that prompted 6,758 complaints in one month alone.
The ICO considered that the breach was serious due to the scale of the contravention over a short period of time and the volume of complaints. The breach was deliberate because the company was also in breach of an earlier ICO enforcement notice and it was still using unregistered SIM cards and dongles to avoid detection by mobile networks’ spam detectors. Further, as breach of an enforcement notice is a criminal offence, the ICO is considering further action.
November 2015: Businesses that use and rely on third party marketing lists should take note of a First-tier Tribunal (Information Rights) decision relating to breach of the Privacy and Electronic Communications Regulations 2003. The tribunal upheld the Information Commissioner’s Office (ICO) enforcement notice requiring a company to stop sending unsolicited marketing texts to individuals whose details were obtained under data supplier agreements. The company used personal data provided by several suppliers to send text messages to individuals, without their prior consent, marketing its laser eye surgery. The ICO received 7506 complaints from individuals about this.
This decision serves as a reminder that third party marketing lists must be treated with great caution and the business buying or renting the list must make rigorous checks before relying on them. It also reinforces the need for businesses to inform individuals who their personal data will be shared with and for what purposes, and to obtain prior consent in relation to email and text marketing.
The ICO has also recently issued a record monetary penalty notice of £200,000 to a company for making automated marketing calls without the recipients’ prior consent. The company made or instigated over six million calls as part of a massive automated call marketing campaign offering “free” solar panels. In just over two months (from October to December 2014) the ICO received 242 complaints from recipients. When assessing the level of the penalty, the ICO also took into account that the company did not identify themselves, nor provide an address or freephone contact number.
March 2015: Nuisance Calls and Texts: From 6 April 2015, the DPA 1998 will be amended to remove the need to prove “substantial damage or substantial distress” before the ICO can take action in respect of unsolicited direct marketing communications, including calls (automated or live), faxes, texts and emails. The amendment will make it easier for the ICO to issue monetary penalty notices to organisations that flout the rules on unsolicited electronic direct marketing.
It will now become increasingly important for organisations to comply with the rules on direct marketing and keep their records of consent and suppression lists up-to-date as evidence, in case of a complaint or an ICO investigation.
This business briefing highlights the key data protection issues a business should consider when carrying out direct marketing. It explains how the business should collect information about its customers (including individual customers, named individuals within a business and businesses themselves) and how to communicate information about the business’ products and services to existing and potential customers.
What are the penalties for failing to comply?
- Serious financial, commercial and reputational issues for the business, including possible criminal penalties
- A negative impact on the ability of the business to use databases for marketing purposes
- Reputational loss and the potential to be barred from trade bodies
What customer data needs to be protected and secured? Any information about a customer that is held on computer or in an organised filing system that could identify them (for example, names, addresses or e-mail addresses)
Collecting customer data for marketing purposes
- Generally, a business can only collect information if it has a good reason for doing so (for example, the business wants to market new products to the customer contact)
- A business must make sure that people are aware when the business collects their data that it will be used for marketing and other purposes. The most effective way is by issuing a privacy notice (also known as a fair processing notice (FPN)). A privacy notice is a notice given to an individual to explain who will be using their personal data and what the business will use their personal data for (for example, the notice may say that the business will pass the personal data to third parties (and preferably, name the organisation or the type of organisation) for marketing purposes)
- If a business has a website and intends to collect data using it, the website should include a prominent privacy notice
- Always take legal advice if the business is planning to collect bank or credit card details, as there are security implications
Storing customer data for marketing purposes
- Businesses should keep records of their compliance to enable them to provide evidence in the event of a complaint or an investigation by the Information Commissioner’s Office. For example:
- note the individual’s preferences to receive marketing by fax, telephone, automated calls or post
- record when and how they obtained consent and whether this was opt-in or opt-out
- record whether the customer is an individual or a business, as different rules apply
- have separate databases to distinguish between those individuals to whom the business can and cannot send marketing emails (for example, maintain a suppression list of individuals and businesses that have opted out)
- check databases against the relevant preference service regularly and comply with the preference
- Businesses must ensure that personal information is kept secure at all times (for example, data stored on mobile devices should be kept to a minimum)
- Regularly review databases to ensure that data is accurate and up-to-date
- A business must make sure customer data is only stored for the purpose it is collected and only for as long as it is required (for example, do not keep an event delegate list for marketing purposes unless delegates were aware that their details could be used for marketing purposes and were given the opportunity to opt out)
Opting in and opting out
- A business must ensure that people are always given the opportunity to opt in or out of receiving marketing from the business. The business should make this as simple as possible (for example, clicking an unsubscribe link in an e-mail or “Text STOP to 12345”).
- Retain details of any opt-out requests the business receives, so that the individuals who have opted out in the past are not contacted in the future (this is known as “suppressing” the details). If a business simply deletes their details, the business may obtain their data later from another source and will not know that they have opted out of marketing contact
- Avoid contacting someone who has opted out, unless they are being contacted for another purpose (for example, sending a bill). In this instance, it would be acceptable to include a message from time to time stating that the business would like to send them marketing material and invite them to opt back in
- It is not generally acceptable to include pre-ticked opt-in boxes or to rely on silence as an indication to opt in. Positive action is required from a customer (for example, returning a form)
Sending solicited marketing
- If an individual or company has contacted a business requesting marketing material, the business can send it out even if they are included in an opt-out list or have registered with a preference service. A preference service holds the details of people who do not wish to receive direct marketing material
- Individuals and businesses can register with preference services to indicate that they do not wish to receive direct marketing by a particular means (for example, by fax (the Fax Preference Service (FPS), mail (Mail Preference Service (MPS)) or telephone (Telephone Preference Service (TPS)).
Sending unsolicited marketing by post or telephone
- A business can contact individuals and companies on its databases by post or telephone, unless they have stated that they do not wish to receive direct marketin
- Before sending out marketing, the business must check whether an individual or company has opted out or signed up to the TPS (it is a legal requirement to do so). It is good practice to also check the MPS.
Sending unsolicited marketing by automated calling system, SMS, fax or e-mail
- A business will generally need specific prior consent from individuals (including named individuals at a company), but not businesses, to send unsolicited marketing by SMS, fax or e-mail
- Before sending out marketing to individuals (including named individuals at a company) the business should check that the individuals have given their specific prior consent to a particular type of marketing and that they have not opted out or signed up to a relevant preference service
- Before sending out marketing to a company, the business must check that they have not opted out or signed up to the FPS (it is a legal requirement to do so). It is also good practice to check the MPS
- If a business has collected a customer’s SMS or e-mail details when selling something to them or negotiating to sell something to them, the business can use those details in future to market the same or similar products to them without prior express consent. This is known as the “soft opt in”
- Businesses are required by law to check databases against the relevant preference service regularly and comply with the preference
Using external databases
- A business should always take legal advice if it is considering purchasing an external database to make sure that it gets the rights the business needs to use it effectively
- Before a business can use the data, the business must introduce itself to the new customer and explain how it intends to use their data (for example, by issuing a privacy notice). In cases where the business requires specific prior consent for marketing purposes (automated calling systems, SMS, email and fax marketing to individuals) the customer must give consent. · The purchaser must make careful checks to ensure that the seller has properly informed the individuals and that the consent given to the seller covers such disclosure and use.
- Always check whether any of the customers on the database that the business purchased have signed up to any preference services
- The business should also check the details on the new database against existing databases to see whether anybody has opted out
- Although the business may agree with the supplier that it will not supply the bought-in data to any other party, there is generally no way to prevent others from collecting the same data themselves or from sourcing them from somewhere else
- Bought-in data may not be appropriate for use in targeted marketing campaigns or when data mining
Selling databases to a third party
- A business may be able to sell or transfer a database if it has all the customers’ consent or it is in the business’ legitimate interest (for example, if it is part of a merger)
- Always take legal advice before selling a database. A business will need to put a formal agreement in place as the business will still be responsible for protecting the data
Allowing third party access to data held by the business
- A business may want to allow a third party to manage data it holds (for example, using a fulfilment house or a call centre)
- Always take legal advice before allowing a third party access to the data. The business will need a formal agreement in place to deal with confidentiality and security of the data. This applies even if the third party is a group company
The content of this Business Briefing is for information only and does not constitute legal advice. It states the law as at January 2017. We recommend that specific professional advice is obtained on any particular matter. We do not accept responsibility for any loss arising as a result of the use of the information contained in this briefing.