Information Matters: The ICO updates its direct marketing guidance: consent clarified, charities challenged

The ICO's guidance (in this case, on the application of the Data Protection Act ("DPA") and the Privacy and Electronic Communications Regulations ("PECR") to 'direct marketing' activities) is important for organisations trying to understand their obligations under the law and for the ICO's promotion of good practice. As a brief reminder – or for the uninitiated – 'direct marketing', as defined by the DPA, is "the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals." That is, any correspondence – including but not restricted to email, text and phone calls – that is sent to particular individuals by an organisation in order to promote the organisation and/or its aims and ideals.

However, since many Information Matters readers will likely be aware of – if not familiar with – the ICO's direct marketing guidance, it is worth highlighting some new features of the updated guidance:

• Scenarios involving charities and other not-for-profit organisations are a notable focus in the new guidance. In particular, the guidance clearly emphasises that not-for-profit organisations are not exempt from the DPA or PECR; they must ensure their marketing activities comply with the same standards as apply to other organisations (including screening telephone numbers against the Telephone Preference Service, explaining to their supporters what their personal information will be used for and obtaining clear, specific consent for electronic marketing).

As before, the guidance contains "Example" scenarios in text boxes (a welcome relief from the main body of text, at times!) – and some new scenarios apply specifically to charities and not-for-profit organisations.

• More detail is provided surrounding freely given consent. The updated guidance emphasises the importance of obtaining freely given, specific and informed consent. Although the ICO have advised that it is good practice for organisations to go further and obtain explicit consent for direct marketing activities – such as a requirement to tick an 'opt-in box' for agreed, specific channels (e.g. post, email, phone call) – other forms of consent can still be valid. This is consistent with the previous iteration of the guidance (Version 1.1) but the point is made more clearly / more emphatically in Version 2.0.

The updated guidance is also more explicit that organisations should not make consent a condition of subscribing to the service, unless they can clearly demonstrate how that consent was freely given. This may now involve showing that: (a) consent to receive direct marketing is necessary for the service to function; and (b) consent cannot (feasibly?) be sought separately. Interestingly, in this context the ICO now recommends that "it is also relevant to consider whether there is a choice of other services and how fair it is to couple consent to marketing with subscribing to the service" and indeed whether the organisation's requirement of consent to direct marketing as a condition of using their service "creates an imbalance between the individual and the organisation".

• Further direction is provided around third-party consent. The updated guidance states that if organisations wish to sell or otherwise share their marketing lists with other organisations, their customers / supporters must have been made aware of this when their personal details were first collected (and so organisations are encouraged to think of obtaining consent for third party marketing as a "one-step process"). This requires a higher degree of transparency from the outset when obtaining consents on behalf of third parties. The ICO guidance says, "indirect consent could […] be valid if the consent very clearly described precise and defined categories of organisations and the organisation wanting to use the consent clearly falls within that description." In practice, says the ICO, "this means that the categories of companies need to be sufficiently specific that individuals could reasonably foresee the types of companies that they would receive marketing from, how they would receive that marketing and what the marketing would be."

In the inverse situation where an organisation is relying on a marketing list that it has bought from a third party, the guidance remains clear that if a list broker or other third party source cannot provide details of how and when consent was obtained, the 'receiving' / purchasing organisation should not rely on it.

Finally, the updated guidance recognises that there are situations where organisations may wish to contact their customers / supporters with marketing material relating to third parties (whether as a 'dual branded' exercise or simply acting as a conduit for that third party's marketing material). In such circumstances, the ICO recommends that the organisation should have obtained appropriate consents from its customers / supporters to receive direct marketing from the third party – even if the customer / supporter details always remain within the control of the organisation which is coordinating and sending the direct marketing on behalf of that third party. The ICO also recommends that it would be good practice for the organisation to screen against the third party's suppression list.

No doubt we can expect further revisions to the ICO's direct marketing guidance as and when the General Data Protection Regulation continues its journey towards the UK and European statute books. Until then, though, Version 2.0 of the guidance remains a key resource for organisations seeking to ensure compliance with the DPA and PECR.

If you require further information on anything covered in this briefing please contact Alan Baker ([email protected]; 020 3375 7441)  or your usual contact at the firm on 020 3375 7000.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, April 2016