Email has become a key marketing tool for many UK businesses. But whilst many businesses are aware of the requirements of the Data Protection Act 1998, fewer are familiar with the Privacy and Electronic Communications Regulations 2003 even though they apply specifically to direct marketing by electronic means. This article examines the Privacy Regulations and what they mean for businesses involved in email marketing.

The Privacy and Electronic Communications Regulations 2003 govern the sending of direct marketing messages by all electronic means including telephone, fax and email, as well as SMS and picture messaging. Direct marketing is defined quite broadly to mean any advertising or marketing material directed to a particular individual and includes not only the offer of goods and services but also the promotion of an organisation's aims and ideals.

Prior consent

The prior consent rule prohibits the sending of any unsolicited direct marketing communications by email to an individual subscriber unless that person has previously notified the sender that he consents, for the time being, to such communications being sent by, or at the instigation of, the sender. In other words, emails which have not been specifically requested can be sent only if the recipient has previously generally consented to receive emails from the sender. Even where an existing off-line relationship exists, the marketer still needs to possess a consent specifically covering email marketing.

Soft opt-in

This prior consent rule is subject to a limited exception (known as the soft opt-in) which covers situations in which the marketer has:

  • obtained the recipient’s contact details in the course of a sale or the negotiations for a sale of a product or service to the recipient;
  • carried out the direct marketing only in respect of goods or services similar to those already sold, or negotiated to be sold, to the recipient;
  • given the recipient, at the time the data was initially collected, a simple means (free of charge) to refuse the use of his or her contact details for direct marketing purposes; and
  • included in each subsequent communication (sent only to those who did not initially refuse!) a right to opt out of future direct marketing emails.

It is worth noting that "in the course of the sale" includes situations in which a person has actively expressed an interest in buying a company's goods or services, for example by requesting a quote. "Similar goods and services" includes things about which the individual would reasonably expect to receive information.

Thus the soft opt-in is available only to marketers who collect their own contact information in the first place; it does not apply if the marketing database has been purchased or leased.

Individuals vs. corporate subscribers

The prior consent rule protects ‘individual subscribers’ but it does not cover corporates or employees using corporate email systems for personal purposes.

By "subscriber" the Regulations mean the person who pays the bill for the communications service through which the marketer is sending the marketing messages. An individual subscriber is thus "a living individual" or "an unincorporated body of such individuals", in other words natural persons, sole traders and partnerships. On the other hand, corporate subscribers include companies, Scottish partnerships, corporations sole (ie, legal entities consisting of a single incorporated office, occupied by a single person) and any other corporate body or entity which has a legal persona distinct from its members.

Solicited vs. unsolicited

Only unsolicited communications are caught by the prior consent rule. For an email to be classed as "solicited" the recipient must have specifically requested it. In practice the distinction between solicited and unsolicited can simply be a matter of semantics. For example:

"If you would like us to contact you by electronic means with information about our other goods and services please tick this box [ ]."

This wording would result in an unsolicited email because the recipient has not specifically requested the information but merely given a positive indication that they do not mind receiving it.

"I would like to receive information about Bloggs Limited's other products and services [ ]."

This wording would result in a solicited email because the recipient has actively invited the information.

Concealed identity or address

Any marketing email, whether it is being sent to an individual or a corporate subscriber, is prohibited if the identity of the sender has been disguised or concealed, or if it does not include a valid address to which opt-out requests can be sent.

Non-compliance

Whilst an initial failure to comply with the Privacy Regulations is not in itself a criminal offence, the Information Commissioner has the power to issue time-limited enforcement notices with which it is a criminal offence to fail to comply.

Also, someone who has suffered damage because of a breach of the Regulations is entitled to seek compensation. Individuals and organisations (competitors, for example) may bring claims. The handful of such cases which have been successful so far includes Dick v Transcom Internet Services Ltd (2006) in which damages and costs were imposed on a UK company for sending two junk emails to someone’s personal email account.

Best practice

So, how should your organisation proceed in order to avoid falling foul of the Privacy and Electronic Communications Regulations 2003?

Although you may sometimes be able to rely on the soft opt-in, if you intend to market by email and you want to be sure you are complying with the Regulations, then always obtain prior consent.

Furthermore, give individuals an ‘opt-in’ box to tick so that they have the best possible control over their data and you, the marketer, have the clearest indication of their consent. By contrast, an individual’s failure to tick an ‘opt-out’ box will not generally be considered a clear indication of consent.

Other ways to obtain a clear, positive indication of consent include where an individual has subscribed to a service, clicked on an icon, or sent an email of their own to the marketer.

A marketer can even pass an email address to a third party for marketing purposes provided the subscriber has consented to this too. So, if this is your intention, remember to include an additional statement to cover it.

And finally, always identify clearly who sent the marketing material and ensure that, even where consent has previously been obtained, the email contains an easy-to-use 'unsubscribe' option.

www.lg-legal.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.