The Information Commissioner's Office (ICO) recently published a post on LinkedIn reminding businesses of the importance of respecting individuals’ preferences about direct marketing.
With the potential for challenging times for business in 2023, the temptation to bombard people with emails and texts in the hope of attracting extra business is huge. The potential for reputational damage from spamming them is just as big.
On the ICO webpage linked from the LinkedIn post, the ICO makes several key points about how businesses should conduct themselves:
People can object to you using their personal information for direct marketing – High Street retailer Halfords was fined for sending nearly half a million emails to consumers, without their consent, in 2020. In its ruling the ICO confirmed this was a breach of the Privacy and Electronic Communications Regulations 2003 (PECR). Andy Curry, ICO head of investigations, said: “Halfords are a household name, and we expect companies like them to know and act better. This incident does not reflect well on the internal advice or processes and therefore a fine was warranted in this case.” While the breach was considered negligent rather than deliberate, the reputational damage from appearing in several national newspapers could be long-lasting and cloud customer perceptions of their trustworthiness as a brand.
People can also change their mind and can withdraw their consent or choose to opt-out of your direct marketing – While an individual may have wanted to see emails for a specific reason, they can then withdraw their consent at any time. The ICO go on to say: “You must make people aware that they can object to your direct marketing. You must clearly bring this to their attention, presenting it separately from other matters, using plain language.” Burying an unsubscribe link at the bottom of an email in font size five is not acceptable to the ICO. Their repeated use of the word ‘must’ should leave businesses in no doubt about their responsibilities.
If someone no longer wants you to use their personal information for direct marketing purposes, you must put their personal details onto a ‘restriction of processing’ list, instead of deleting them – When this statement was made on LinkedIn, a commenter found fault with retaining details for ‘restriction of processing’ purposes. It should be self-evident that to prevent repeatedly adding people back to direct marketing email lists, you must delete their personal data. The ICO comment: “You may be relying on the PECR soft opt-in to send direct marketing emails. If your customer uses the ‘unsubscribe’ link within your email to opt-out, you must not send them any further marketing emails”. Deletion is always a good policy, unless you need to retain their personal details for another purpose, such as the facilitation of a contract for goods or services.
Direct marketing emails can be a very effective form of marketing, but only to those who have given consent and are receptive to receiving them. In the Halfords case, mentioned above, the company relied on ‘legitimate interest’ as its lawful basis for sending the emails. It needed to have used the lawful basis of ‘consent’. This was a prime example of an organisation that had not undertaken the relevant data protection training and so had not met its minimum UK GDPR data controller responsibilities. This lack of accountability led to an unintended personal data breach of both the PECR and UK GDPR.
CSRB bring clarity to data protection. We provide clear advice, privacy policies and training to help your organisation market themselves in a compliant, fair and transparent manner.
By stripping the jargon away, we help you navigate the minefield of terminology that surrounds data protection and direct marketing. Please get in touch with us here or call 0117 325 0830 to learn more about how our certified data protection practitioners can support your organisation.