2014 Legal Update on Sales and E-marketing Practices


Every organisation needs to address data protection, confidentiality, data security, data breaches and freedom of information as part of their compliance and risk management policies and procedures. UK-based companies face a major shake-up in how they conduct consumer sales and marketing activities over the next 12-months in the wake of a raft of new laws and regulations emanating from the UK and the European Union (EU).

With a close focus being taken by UK and European legislators on the individual’s right to privacy, marketers face one of the toughest marketing regulatory regimes in the world.

Keeping up-to-date with a torrent of guidance from the Information Commissioner’s Office (ICO) and ever more prescriptive drafts of the forthcoming EU General Data Protection Regulation is now essential in order to stay one step ahead of the competition.

This note has been compiled with the kind expertise and assistance of Jenny Moseley, director, Opt-4 and Robert Bond, partner, Speechly Bircham.



There are two key statutes that UK marketers must be aware of in their on-line and off-line direct marketing activities:

The Deputy Information Commissioner, David Smith[3] has provided this guidance to the marketing profession:

“The best way to prepare for the new European General Data Protection Regulation is to make sure you are compliant now.”

A core document that all marketers will find invaluable in this area is the ICO’s own Guidance Note ‘Direct Marketing’ that was published in September 2013[4]. This was widely recognised as being a ‘game changer’ for all electronic direct marketing activities as it updated all previous guidance that had been issued and strengthened the Information Commissioner’s Office (ICO) view on PECR.

Despite being labelled as “guidance”, this has the full effect on marketers as if it was Regulation[5].

A key issue for marketers is obtaining the permission of customers, clients, supporters or donors to receive direct marketing. Rather confusingly, neither DPA 1998 nor PECR states that consent for marketing must be explicit, although it’s clear that the ICO would prefer opt-in consent.

Opt-out for post and phone is still acceptable and soft opt-in consent for electronic channels is also acceptable but subject to the following conditions:

  1. marketers have obtained the contact details in the course of a sale (or negotiations for a sale) of a product/service to that person;
  2. marketers are only marketing their own similar products/services; and
  3. marketers give the person a simple opportunity to refuse consent or opt out of the marketing at the time of collecting their details and in every message sent to that individual thereafter.

New research[6] by Opt-4/fast.MAP surveyed the views of a representative sample of 1,175 consumers in the UK about their attitudes to sharing data.

In summary, the research found:

  • 49% of respondents would tick to opt-out of receiving communications when asked for their permission[7]
  • 29% of respondents would tick to opt-in to receive communications when asked for their permission.[8]

This research shows that there’s an opportunity for brand owners to engage with desired customer and client segments in a way that achieves a higher level of acceptance than experienced by less capable competitors. In other words, marketers need to get better at marketing!

However, in order to achieve a strong performance from direct marketing, there are some ground rules provided by the ICO Guidance that all marketers must observe:

Ground rules provided by the ICO

#1: Consent to receive marketing needs to be freely given

The ICO Guidance Note provides:

“Organisations should not coerce or unduly incentivise people to consent, or penalise anyone who refuses.”

In practical terms, this means that marketers can’t offer EXTREME PRIZES such as ‘Give us your contact details and we’ll enter you into a competition to win a MONTH’S stay at this fantastic resort – failure to complete your details means that we can’t enter you into the competition.’

A further restraint on the use of such promotions even where the prizes are appropriate is that marketers can’t hide the intention of using data collected for marketing purposes.

The ICO Guidance Note provides:

“Organisations must not conceal or misrepresent their purpose (eg. as a survey or competition entry) if they also intend to use the details for marketing purposes.”

In practice, consent mustn’t be obtained by surreptitious means and in fact the ICO has provided guidance on the quality of that consent:

“…Individuals must take a positive action by which the individual clearly and knowingly indicates their agreement.”

This can be satisfied by asking the individual to:

  • tick a box
  • click an icon
  • subscribe to a service
  • provide oral confirmation of acceptance.

#2: Consent to receive marketing should not be conditional

The ICO Guidance Note provides:

“Consent cannot be a condition of subscribing to a service or completion of a transaction.”

In practical terms, marketers can’t indulge in ‘take it or leave it’ coercion in order to get consent for future marketing activities, such as: ‘I understand that XYZ Bank may use and disclose details it has about me to inform me by letter, telephone, email or otherwise about any products and services offered by the group or selected third parties. If I do not wish to receive this information I may write to XYZ Bank at any time. All the information provided by me is true and correct.’

#3: Consent is for the time being

The days of having obtained consent to receive marketing being ‘forever’ unless it’s revoked by the consumer have long gone! There’s no exact time limit set by the ICO Guidance but it’s highly unlikely that marketers can rely on consent to receive marketing lasting indefinitely.

Where marketers are using third party consent lists, for example, this will be deemed to be valid for six months.

The ICO Guidance Note provides:

“We consider this implies a period of continuity and stability, and that any significant change in circumstances is likely to mean that consent comes to an end.”

So, nothing lasts for ever!

Consent could cease when:

  • someone opts out;
  • someone unsubscribes;
  • when the contract comes to an end; or
  • when the company that obtained that original consent ceases to trade or is sold to another entity.[9]

But the absence of any hard and fast rules here means this is a grey area for marketers – a position recognised by the ICO: “Exactly how long that (consent) is will depend on the circumstances and the person’s expectations, which can be affected by the context in which consent was originally given and the nature of the relationship.”

In order to form a reasonable view, it’s likely that the legitimate interests of the brand owner may be taken into account when making such a judgment call.

#4: Consent to receive marketing must be specific

This tightens up the regime around consent where now there’s a ‘higher degree of proof’ to show that consent has been given in two clear ways:

  • for specific purposes; and
  • for specific marketing channels.

Specific purposes can include:

  • consent given at the time the information requested from the customer is collected and processed.

It should be noted that marketers don’t need consent to fulfil an order or to process for legal purposes.

Specific marketing channels include:

  • post
  • telephone
  • email
  • SMS (mobile)

The ICO Guidance Note provides:

“In the context of direct marketing, consent must be specific to the type of marketing communication in question (eg. automated call, email or text message)”

In practical terms, consent needs to be spelt out in full and the communication channels need to be separated because the consumer could refuse to be contacted by any other channel except email, for example.

For illustration purposes, the box on the left is unlikely to be compliant with the ICO Guidance whereas the box on the right is now the minimum of what’s to be expected:

Table 1
Research by Opt-4/fast.MAP shows that respondents to the survey overwhelmingly preferred to receive marketing messages via email[10].

#5: Consent to receive marketing must be informed

This is a major principle in the way in which marketers now need to conduct direct marketing activities: consent must be obtained on an informed basis, and this must be reflected in the privacy notices used in direct marketing activities.

The ICO Guidance Note provides:

“The person must understand what they are consenting to. Organisations must make sure they clearly and prominently explain exactly what the person is agreeing to, if this is not obvious.”

Previously, marketers may have indulged in “fishing” activities such as sending out a load of emails to see who bounces, who unsubscribes and then assume that the remainder of the list has “consented”. This practice is unlawful under DPA 1998 and PECR.

The ICO Guidance Note provides:

“Organisations cannot email or text an individual out of the blue to ask for consent to future marketing messages.”

There’s never been a more important time to get the wording right on future direct marketing uses in the privacy notices used by marketers.

The ICO Guidance Note provides:

“It is not enough for implied consent if such a statement is only provided as part of a privacy policy or notice which is hard to find, difficult to understand, lengthy, or rarely read.”

#6: Consent to receive marketing messages can be implied subject to certain conditions

Previously, marketers may have relied on silence from the consumer as being tantamount to having received “consent”.

For illustration purposes, the box on the left is unlikely to be compliant with the ICO Guidance whereas the box on the right is now what’s to be expected:
Implied consent can’t be stretched to include other subsidiary or sister companies in the same group as in many cases these will be separate legal entities in their own right and therefore subject to exactly the same controls[11].

The ICO Guidance Note provides:

“Clearly, organisations cannot infer consent just because consent was given to a similar organisation, or an organisation in the same group.”

#7: Indirect or third party consent to receive marketing messages

The regulator doesn’t consider it reasonable for marketers to assume that a customer would intend to consent to receive unlimited future marketing emails, calls, or texts from anyone, anywhere.

Research by Opt-4/fast.MAP indicates that there is little appetite among consumers for receiving multiple marketing messages about different products from third parties[12].

Previously, marketers may have tried to rely on a ‘catch-all’ indirect or third party consent wording in general terms, but this isn’t likely to work under the current regime.

The ICO Guidance Note provides:

“If consent was more general – eg. to marketing ‘from selected third parties’ – it will be very difficult to demonstrate valid consent to a call, text or email if someone complains.”

However, the ICO have stopped short of saying that all indirect or third party consent is invalid, but have provided the following guidance:

“Indirect consent may be valid if that organisation was specifically named, or if the consent described a specific category of organisations and it clearly falls within that description.”

For illustration purposes, the box below followed by a clear opt-in is likely to be compliant with the ICO Guidance where indirect or third party consent is required to send marketing messages of a general nature:
Over time, this list of products could grow, in which case the additions will also need to be added to the Privacy Policy.

The ICO Guidance Note provides:

“PECR specifically requires that the customer has notified the sender that they consent to messages from the sender. On a strict interpretation, indirect consent would not meet this test – as the customer did not directly notify the sender, they notified someone else.”

In practical terms, this means that marketers shouldn’t release an opt-in list to third parties but should control the dissemination of marketing messages in-house themselves, or use an outsourced provider while remaining identified as the sender of these marketing messages.

And marketers can’t simply rely on the word of rental list providers that the consumers on the list have all opted in to receive marketing messages – the onus of responsibility to ensure compliance remains with the marketer (as well as the rental list provider).

The ICO Guidance Note provides:

“Organisations must ensure that consent was validly obtained, that it was reasonably recent, and that it clearly extended to them or organisations fitting their description.”

With respect to the quality of that consent, ‘reasonably recent’ has again been determined to be up to six (6) months old.

The ICO Guidance Note provides:

“We would advise (marketers) not to rely on any indirect consent given more than six months ago. For indirect consent obtained via a third party, it is good practice to ask whether the individual wants to withdraw consent from other organisations as well, and so to inform the third party source to suppress those details and to inform any other users.”

#8: Consent to receive telemarketing calls

There are two important points that need to be noted by marketers:

  • they need to respect the wishes of consumers who have elected not to receive telemarketing calls at home by registering with the Telephone Preference Service[13] (TPS); and
  • they can’t rely on past relationships with customers, or on the absence of any complaint, as a sign that it’s OK to conduct telemarketing. Marketers must have consent to call.

The ICO Guidance Note provides:

“Organisations can make live unsolicited marketing calls, but must not call any number registered with the TPS unless the subscriber (ie. the person who gets the telephone bill) has specifically told them that they do not object to their calls.”

In other words, the ICO is taking a middle ground view: TPS registration doesn’t necessarily screen out every telemarketing call, so marketers can continue to call a consumer who registered with the TPS after having given them consent to be called at home.

#9: Consent to receive B2B marketing

The difference between consent as an individual and consent as a person in the workplace is rapidly evaporating.

The same rules apply to telemarketing calls made to businesses. Sole traders and partnerships may register their phone numbers with the TPS in the same way as individual consumers, while companies and other corporate bodies register with the Corporate Telephone Preference Service (CTPS).

Marketers making “cold” B2B telemarketing calls will need to screen against both the TPS and CTPS registers in order not to fall foul of the ICO.

#10: Keeping proof of consent

The principle here is extremely clear for marketers: if someone claims that they didn’t consent to receive an organisation’s marketing messages, then that organisation may be at risk of enforcement proceedings by the ICO unless it can demonstrate that the person did give valid consent.

The ICO Guidance Note provides:

“Organisations should therefore make sure that they keep clear records of exactly what someone has consented to. In particular they should record:

  • the date of consent
  • the method of consent
  • who obtained the consent; and
  • exactly what information was provided to the person consenting.”



General observations

Currently, the European Parliament and the Council are negotiating on the compromise draft of the EU General Data Protection Regulation.

The European Parliament has indicated that it wants to have the Regulation approved by the end of 2014, with it being enforced across all 28 Member States by 2016.

The Regulation will impact all organisations anywhere in the world that target EU citizens. This is a key piece of EU legislation and a cornerstone of the Single Market Digital Agenda.

Lawful processing

Marketers need to comply with the forthcoming EU General Data Protection Regulation, under which the processing of personal data will only be lawful if at least one of the following applies:

  • consent has been obtained;
  • there’s a contract with the data subject;
  • the processing is necessary to comply with a legal obligation of the controller;
  • the processing protects the data subject’s vital interests under EU law;
  • the processing is necessary for the public interest or the exercise of official authority; or
  • the processing is done in accordance with the controller’s legitimate interests[14].


In effect, the new EU Regulation raises the bar with respect to the quality of consent that marketers must now work to achieve.

In Recital 25 to the General Data Protection Regulation:

“Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject’s wishes, either by a statement or by a clear affirmative action by the data subject…”

With respect to lawfulness of processing, Article 6 provides:

“(1) Processing of personal data shall be lawful only if and to the extent that at least one of the following applies: the data subject has given consent to the processing of their personal data for one or more specific purposes…”

With respect to the conditions for consent, Article 7 provides:

“(1) The controller shall bear the burden of proving that the data subject has given consent for the processing of their personal data for specified purposes.

(2) If the data subject’s consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter.

(3) The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

(4) Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.”

Creation of Data Protection Officers (DPOs)

This is one of the most significant steps that the new Regulation will make as organisations of a certain size[15] must employ a Data Protection Officer[16] (DPO).

The appointment of a DPO will be mandatory for all public authorities and also for organisations that process the data of more than 5,000 data subjects in one year. The DPO will be responsible for monitoring the processing of data subjects’ information, including sensitive personal data. The DPO will have a unique role in an organisation: they will act autonomously of the Board of the organisation, have their own budget and a four-year protected contract that will make them ‘bullet proof’ unless they are in severe breach of the terms of their employment[17].

Typically, DPOs will be responsible for:

  • monitoring compliance
  • liaising with works councils on data protection issues
  • reporting on data protection breaches
  • conducting regular periodic audits to ensure the organisation remains compliant

The regulator in each of the 28 EU Member States will be designated as a Supervisory Authority (SA), and the lead SA will be the one in the territory where the data controller has its main establishment. That SA will be the point of contact for complaints routed via other local SAs, and each Member State SA will enjoy localised powers within its own territory.

Data breaches

The new Regulation tightens up the data protection regime and there are now enhanced requirements for data security and specifically there is a mandatory breach notification procedure to the Data Protection Authority (DPA) without undue delay and effectively within 72 hours of the incident.

There are no de minimis limits for reports to the DPA, so this increases transparency within the monitoring process.

Data subjects will need to be notified and must be informed of their right to claim compensation from the data controller.

The DPA must keep a public register of types of breaches notified and this is the responsibility of the DPO.

Whereas previously Data Controllers and Data Processors had different duties and obligations, under the new regime they both have largely the same obligations.

These obligations include:

  • data protection by design and default
  • maintaining documentation
  • extensive security requirements
  • extensive new requirements for data processing contracts
  • appointment of a DPO
  • Binding Corporate Rules[18] (BCRs) for data processors.

Privacy Impact Assessments (PIA)

As part of the new regime, EU legislators have turned their focus on the impact of the proposed processing upon an individual’s personal data. Rather than being a remedial measure, the assessment is expected to be conducted by data processors ahead of any processing, which of course will have its challenges depending on the capability of the IT system or the adoption of new software, for example.

Considerations for the DPO will include:

  • Centralised HR system hosted outside the EU
  • Use of social media for marketing purposes
  • Use of cookies for targeted advertising
  • Cloud hosted solutions
  • Adoption of bring your own device policy
  • Remote working policy
  • Due diligence in a company sale

The protection of data outside of the EU is also a key consideration that has traditionally centred around the so-called Safe Harbor Rules. The new regime has tightened this up considerably, and marketers must now consider how they are to transfer data across borders if they are to avoid being sanctioned by the DPA in their territory:
Further considerations

It is highly likely that brand owners will be expected to provide some visible assurance to consumers that they fully comply with the new requirements under the Regulation, which could take the form of a tick mark, for example, granted by the Regulator (SA) in their territory.

Remedies and sanctions[19]

This is another area where the regime has been tightened up: the EU is currently debating levying fines of up to five percent (5%) of the annual worldwide turnover of a brand owner for significant breach of, or non-compliance with, the Regulations. On top of this there will be no-notice (‘on the spot’) investigations to ensure that brand owners are adhering to the new Regulations.

The Right of Erasure (formerly known as ‘the right to be forgotten’)

This is a classic example of the gap between what the legislators want and what the technologists are actually able to deliver. Currently, no technology exists to remove all data, images and other information about an individual from the entire internet.

This technical limitation doesn’t deter the EU from creating a much tougher data protection regime that brands must follow.

At the same time, data subjects have increased legal rights:

Data subjects can obtain from the data controller:

  • the erasure of their personal data
  • the abstention from further dissemination of such data

Data subjects can obtain from third parties the erasure of:

  • any links to the personal data
  • any copy or replication of such data

In the following circumstances:

  1. The data are no longer necessary
  2. The data subject withdraws consent
  3. The data subject objects to the processing
  4. A court has ruled that the data must be erased
  5. The data has been unlawfully processed



  1. Legitimate interest still applies
  2. Consent must be explicit and opt-in
  3. Consent has to be “first party”
  4. Profiling info must be transparent
  5. Not all profiling needs consent
  6. Consent is purpose limited
  7. Consent for children under 13 needs parental consent
  8. Marketers should continue “seals” to strengthen confidence and reputation
  9. Privacy policies need reviewing and simplifying
  10. Brand owners should implement Privacy Impact Assessments (PIA) as standard


The following questions and answers came at the end of the Law and Marketing Legal Update 2014 seminar held on 26 March 2014 organised by the Law & Marketing Committee, Worshipful Company of Marketors, hosted by Speechly Bircham in association with Opt-4.

Are there enough people being trained up to be Data Protection Officers (DPO) in the UK or is there a shortage of skills right now?

There appears to be a shortage of suitably qualified DPOs in the UK to meet the forthcoming EU Regulations. What this means is that there are new employment possibilities for those interested in getting trained as a DPO! This could rapidly become a highly sought after and well paid (£80,000pa) role, although any breaches in relation to the EU Regulations could result in a custodial sentence!

Some providers, like Opt-4, are considering launching an outsourced service and offering training to would-be DPOs in order to bridge the shortfall in suitably qualified candidates.

Where should DPOs be based if they work for an international organisation?

The view of many lawyers is that the UK jurisdiction is preferable to many other foreign jurisdictions such as France and Spain where there may be a perceived ‘bias’ against big business when it comes to the use of personal data.

What happens if an organisation wants to employ a DPO but has failed to identify a suitable candidate and has used headhunters, advertised vacancies and other means?

This is happening right now and is a serious issue. It is likely to impact public authorities that will be processing the data of more than 5,000 people, unlike a typical small to medium sized business that employs fewer than 250 people and may not be processing data on that scale. There are likely to be exemptions for such companies. That said, the forthcoming EU Regulations will affect these companies should their marketers use invasive technologies to gather lots of data on individuals.

There will be competition for DPOs amongst Government Departments, large multi-national companies and those companies that are driven by personal data information, such as list brokers.

Is outsourcing an answer for those organisations that can’t afford to employ a full-time DPO but need to comply with the forthcoming EU Regulations?

It’s partly the answer. There will still be a requirement for someone within the company or organisation to oversee the outsourced service. That individual will have a compliance role to fulfil, and their duties and responsibilities, as well as the risk of a custodial sentence, remain very real and can’t be outsourced to a third party provider. In addition, there are cost factors to take into consideration which may tip the balance in favour of employing a DPO rather than using an outsourced service.

Many jurisdictions have already taken steps in the direction of getting DPOs in place, notably Germany; in France, certain liabilities on companies have been reduced should they voluntarily agree to put a DPO in place now. Slovenia has passed legislation to make DPOs compulsory, and in light of these developments the UK is definitely lagging behind.

Some major organisations in the UK are busy trying to keep pace with the current legislation and may need to accelerate plans to have DPOs in place by the end of the year.

So what are major organisations in the UK doing right now?

Many are ensuring that their data governance practices, such as the collection of consumer data, are up-to-date and making sure that their back-end systems are all properly organised so that they are collecting the right amount of data. This will be important for future compliance, for example, where they are profiling data on children and young people and require the date of birth in order to do that. However, many multi-national companies feel it’s too early to start to recruit DPOs, although these organisations are likely to face a skills shortage as a result further down the line.

What about the banks – are they taking a lead in this area?

The major banks are taking this very seriously as profiling of customer segments is key to the ability of the bank to lend money, offer credit and sell financial services. Any constraint on the profiling of potential customers will have a dramatic effect on retail banking, so this is a fundamental challenge facing High Street lenders.

As a result, many banks are moving away from outsourced systems and investing more in in-house capabilities, which tends to be the direction of travel for most banks and financial services companies.

How does the new regime affect location-based services such as those on mobile phones and tablets which consumers use frequently in travel across the EU?

The short answer is that companies that deliver services on mobile devices in return for knowing the consumer’s location, and that push advertising to consumers on their mobile phones without consent, will be in breach of the DPA 1998 and the forthcoming EU General Data Protection Regulation (2014).

Does the new regime put the brakes on the rush for marketers to amass ‘big data’?

To some extent, yes it does!

The old economy model was for companies to amass as much data as possible in order to achieve a significant value on sale/exit. Those days are gone unless that data has been accumulated on a consent basis. Even then, such a business would need to show that the data was up-to-date (given that consent isn’t forever and can be as short as six months), and given the increased requirements on the quality of the data held, it’s not likely that such businesses will become a ‘licence to print money’ in the future.

Will surreptitious tracking of consumers through mobile phones now become illegal?

Yes. Despite evidence that most under-30 year olds aren’t bothered that they can receive SMS text messages depending on their location, for example, when visiting a shopping mall, the EU legislators see this as an abuse of marketing and unless specific consent has been obtained prior to this marketing message being sent, there is a clear breach of the Regulations.

Is the ICO motivated to prosecute marketers for breaching Regulations or does it see itself in a different role?

The Information Commissioner Christopher Graham was previously a BBC TV executive in news. He’s on record as saying “I’m in the business of guiding and educating. I’m not in the business of enforcing and fining.”

This is a welcome approach but not necessarily one shared by other Enforcement Authorities (EA) across Europe that may be entirely funded by levying fines, such as in Spain.

The ICO in the UK is likely to focus on large organisations – the big fish – that break the rules rather than focus on small-medium size firms – the small fish.

Do marketers need to think very carefully as to how they obtain consent from different customer segments to receive direct marketing?

The principle is to make it as simple as possible for everybody – and it will be mandatory to communicate with age-appropriate language dependent on the consumers that marketers want to reach. Privacy Policies will need to be re-worded to make them intelligible for 18-year olds, for example. This is where marketers can achieve a differential advantage over their competitors and where this can make a massive difference, for example, in the use of cartoons.

Conversely, multi-national brands with properties appealing to children need to take steps to ensure that they collect the minimum amount of data and that the nature of the choices offered is tailored to suit that audience’s needs and requirements.

This would apply in the context of collecting user generated content or a promotion/competition with young children where it is common practice to ask children for their date of birth, for example.

Where the child is under 12 years-old in the UK (145 years old in Spain) it’s common practice to ask for the parents’ email address, and permission is then sought from the parents for the child to enter the competition/promotion. This is a practical risk assessment that regulators expect marketers to make based on the nature of the data collected.

Is it difficult to make those solutions run well across different territories?

Many multi-national organisations find it a struggle to make this work across, say, 17 EU territories. Trying to set the highest standard of compliance across all markets is difficult because local conditions vary so much; for example, creating a ‘digital passport’ to access certain content can require a variety of consents and compliance with different regulations enforced by the various EAs.

Different regulators have different perspectives on the level of consent that marketers have to obtain, and often require different types of consent for different things. So from a practical perspective it can be near impossible to find one particular format that works across all those territories.

Do consumers welcome the myriad of opt-in and opt-out options?

Experience shows that this can be very annoying for consumers, to the point where brand owners will try to avoid seeking consent and adopt a new approach that removes the need to get it. What this means in practice is letting consumers set their own consent regime rather than constantly seeking consent from them. Taking such an approach has often led to a reduction in the number of complaints made by consumers, but has also sharply reduced the number of consents given by consumers to receive marketing messages.

Is the impact of the law and regulations driving less opt-in consent to receive marketing?

There’s no getting away from the fact that where explicit consent is required, marketers will see a drop in the number of consumers giving that explicit consent. On the other hand, many marketers feel that opt-in actually increases response rates and gets rid of those who aren’t likely to respond anyway. You could argue that ‘small is beautiful’! From a marketing perspective, it’s probably preferable to have a more engaged audience, but this means marketers need to adopt more sophisticated techniques, particularly in email marketing, whereas in the past they may have indulged in so-called ‘spray and pray’ campaigns in order to achieve results. And that means marketers need to focus on the relevance of the marketing message.

If a third party promoter acting for a brand is holding data on its behalf, where does the responsibility rest for the way in which a data request is handled?

The responsibility is shared between the promoter and the brand owner. From the promoter’s perspective it will be important to keep tabs on where the data is held and how consent was obtained, and to ensure compliance with all obligations under the DPA 1998 and the forthcoming EU General Data Protection Regulation.

By the same token, it’s important that promoters ensure that the brand owner is also keeping track of the data that they have given to the promoter.

What should brand owners do in such a situation?

They should have an absolutely clear record of every third party that holds data on their behalf. Typically, third parties tend to hold copies of data, so that brand owners, when responding to subject access requests, can do so fully from their own records and therefore don’t have to access the copies that third parties are holding for them. Where data is being held by a promoter that the brand owner doesn’t have, that needs to be built into the process for handling data requests.

Can marketers turn these requirements on their head and use them to create some form of competitive advantage?

Yes they can. The way in which brand owners present their privacy credentials is going to be increasingly important in terms of whether they are a trusted data controller. For example, this could transmit the message of being safe with that brand and in turn result in more opt-ins and maximising consent for data use.

It comes down to living the promises made in your Privacy Policy and ensuring that everyone within the business behaves according to those values. In classic marketing practice, it’s about taking the point of view (POV) of those whom you choose to engage with. They want to know, after all, that their data is safe with you, that they are very much in control, they won’t get bombarded with irrelevant marketing messages, and that you will respect their privacy.

Should the Worshipful Company of Marketors take a lead in creating some sort of marketing ‘trust mark’?

That’s an idea worth considering. It’s time for the marketing profession to stand up and be counted on ethical marketing practice. It’s about helping the customer more because they’ve asked for this.



[1] Often referred to as DPA 1998

[2] Often referred to as PECR

[3] Speaking at the Direct Marketing Association Conference, March 2014

[4] http://ico.org.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/direct-marketing-guidance.pdf

[5] The Guidance Note contains 191 paragraphs, 265 uses of the word “consent”, 115 uses of the word “must”, 78 uses of the word “should” and five uses of the words “best practice”, which tends to give the impression that it is mandatory rather than discretionary to follow the Guidance as set by the ICO

[6] February 2014

[7] “We have some great offers and promotions that we’d like to tell you about, but please tick the box if you would prefer not to receive them from The ABC Household Name”

[8] “The ABC Household Name Company would like to keep you up to date with the latest special offers and promotions. Please tick here if you would like to receive these”

[9] The consent would perpetuate if the use of the data hasn’t changed

[10] “The ABC Household Name Company would like to keep you up to date with the latest special offers and promotions. Please tick here if you would like to receive these messages by email ☐ by post ☐ by telephone ☐”

[11] For example, they are separate Data Controllers who will also need to comply with the requirements of the DPA 1998 and PECR

[12] “The ABC Household Name Company would like to share your information with carefully selected companies who will send special offers and promotions…” 88% of respondents would not tick such a box, 8% of respondents would tick the box ‘travel companies’, 5% of respondents would tick the box ‘publishers’ and 5% of respondents would tick the box ‘financial services’

[13] See www.tpsonline.org.uk

[14] The Data Controller must inform data subjects and publish the reasons for believing its interests override the fundamental rights and freedoms of the data subject

[15] Exemptions will apply for small-medium sized organisations, although there are no precise details available at this time

[16] The DPO is similar to a Compliance Officer and would be responsible to the Regulator rather than the Board of Directors of the organisation. A company could look to outsource the role of the DPO.

[17] An employee will enjoy four (4) years protected employment and a service provider will enjoy two (2) years protected contract

[18] BCRs are a set of corporate rules which regulate the internal transfer of personal data between members of a corporate group to ensure that transfers of personal data outside of the EU satisfy the requirement for providing an adequate level of data protection. The BCRs must be approved by the applicable national data protection authority (“DPA”) before they are legally binding. BCRs for “data controllers” have been available for many years but they are only applicable in respect of global data transfers within a data controller’s corporate group and don’t extend to legitimising data transfers to third party data processors based outside the EU.

[19] The former US Attorney General Paul McNulty once said: “If you think compliance is expensive – try non-compliance”
