On September 10, 2013, the UK Information Commissioner’s Office (“ICO”) published new guidance on direct marketing (the “Guidance”). The Guidance explains the application of the two principal legislative instruments that affect direct marketing in the UK: (1) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), which relates specifically to direct marketing; and (2) the Data Protection Act 1998 (the “DPA”), which governs data protection issues generally. The Guidance is not legally binding, but it reflects the ICO’s interpretation of the requirements and indicates how the ICO is likely to enforce them.
Consent is a key focus of the Guidance because organizations will often need to obtain consent in order to send direct marketing communications. The Guidance confirms that consent to receive direct marketing must be given knowingly, clearly and specifically, and should be recorded for future reference. When tick-boxes are used to obtain consent, they should seek opt-in, rather than opt-out, consent. Otherwise, the Guidance reiterates many of the ICO’s previous views on direct marketing.
Frequently, organizations that send direct marketing communications utilize marketing lists obtained from third parties. The ICO’s Guidance confirms that these lists can be used but notes that organizations using such lists must first carry out rigorous checks to ensure that consent has been validly obtained from the listed individuals. The legal requirements that govern marketing via telephone, text and email are stricter than those that apply to physical mail marketing, so consent must be specific for these forms of direct marketing. The ICO has produced a two-page direct marketing checklist that gives organizations an “at-a-glance” guide to the different rules on marketing calls, faxes, emails and texts.
The ICO’s Guidance explains that “marketing” should be interpreted broadly, and includes the promotion of an organization’s aims and ideals. Accordingly, the Guidance is relevant not only to companies, but also to charities, religious groups and political organizations that engage in direct marketing activities. The Guidance also discusses the ICO’s power to issue fines of up to £500,000 for serious breaches of the PECR. The ICO would likely issue a fine of this magnitude only if an organization repeatedly breaches its legal obligations.