Existing mailing lists
Where the College is involved in direct marketing to individuals we need to comply with the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR") in addition to the GDPR. PECR regulate marketing by electronic means such as email, phone, text or fax, and also include other rules relating to cookies, telephone directories, traffic data, location data and security breaches.
There are PECR rules that apply to business-to-business marketing but they are different from the rules that apply to marketing to individuals (which includes sole traders and some partnerships). In general, the rules on marketing to companies are not as strict.
What is ‘direct marketing’?
The concept of ‘direct marketing’ covers all advertising or promotional material, including that promoting the aims or ideals of not-for-profit organisations – for example, it covers a charity or political party campaigning for support or funds.
The marketing must be directed to particular individuals. In practice, all relevant electronic messages (e.g. calls, faxes, texts and emails) are directed to someone, so they fall within this definition.
What is usually not ‘direct marketing’?
Genuine market research does not count as direct marketing. However, if a survey includes any promotional material or collects details to use in future marketing campaigns, the survey is for direct marketing purposes and the rules apply.
Routine customer service messages do not count as direct marketing – in other words, correspondence with customers to provide information they need about a current contract or past purchase (e.g. information about service interruptions, delivery arrangements, product safety, changes to terms and conditions, or tariffs). General branding, logos or straplines in these messages do not count as marketing. However, if the message includes any significant promotional material aimed at getting customers to buy extra products or services or to renew contracts that are coming to an end, that message includes marketing material and the rules apply.
For example: a charity makes an administrative telephone call to an individual who has set up direct debit donations with a high street fundraiser, as it wishes to confirm the individual’s bank details. If the call simply confirms the details then it will not be covered by the direct marketing rules. However, if the charity uses this administrative call to suggest that the individual increases their donation, or provides any other information promoting the charity’s work, then the call ceases to be purely administrative and the direct marketing rules will apply.
What is the 'right to object'?
Marketing communications can be sent where this is in accordance with data protection legislation, but individuals have the right to object to such processing at any time. The right to object to marketing is absolute, so you must stop processing if such a request is received.
Whilst it may not be possible to stop immediately (in cases where mass communications are already in transit), you are expected to comply within a period not exceeding 28 days, and sooner where possible.
What rules do we have to comply with?
There are different rules for live calls, automated calls, faxes, and electronic mail (this includes emails or texts). Most of the rules in PECR only apply to unsolicited marketing messages. They do not restrict solicited marketing. Put simply, a solicited message is one that is actively requested. So if someone specifically asks you to send them some information, you can do so without worrying about PECR (although you must still say who you are, display your number when making calls, and provide a contact address).
An unsolicited message is any message that has not been specifically requested. So even if the customer has ‘opted in’ to receiving marketing from you, it still counts as unsolicited marketing. An opt-in means the customer agrees to future messages (and is likely to mean that the marketing complies with PECR). But this is not the same as someone specifically contacting you to ask for particular information. This does not make all unsolicited marketing unlawful. You can still send unsolicited marketing messages – as long as you comply with PECR.
Detail on rules to comply with
PECR does not cover marketing by mail, but organisations sending marketing mail to named individuals must comply with the GDPR. If an organisation knows the name of the person it is mailing, it cannot avoid GDPR obligations by simply addressing the mail to ‘the occupier’, as it is still processing that individual’s personal data behind the scenes.
Are newsletters classed as marketing?
Newsletters are very likely to be classed as marketing. They may not be if the content is required to be provided as a service communication, such as part of an agreed contract or activity.
However, if they are used to advertise events, College news, products, fundraising campaigns etc. then they are classed as marketing and require a legal basis to be sent.
A Privacy Notice will also need to be provided to subscribers (if they include external members of the public), so please be aware of the Newsletter privacy notice template [Word]. This is a shorter form template suitable for use where personal data is being collected for email newsletter subscription and distribution purposes.
What if communication is both a service and marketing?
If an email contains information classed as both marketing and service communications, then the two should be separated and sent individually.
This will ensure that data subject rights can be adhered to in cases where someone withdraws consent or objects to receiving such correspondence. The College also remains able to contact them regarding service communications where a different legal basis is utilised.
What if someone else is making the calls or sending emails on behalf of the College?
If the College pays someone else to do our marketing, we are both responsible for complying with PECR. Even if someone else actually makes the calls or sends the messages, the College is still responsible, as we are ‘instigating’ those calls or messages. If the ICO needed to take enforcement action, they would usually take it against the College as the instigator. We should make sure we have a written contract that sets out our contractor’s responsibilities. We may also want to ask our contractor to indemnify the College for any breach of PECR.
How long is consent valid for?
There is no fixed time limit after which consent automatically expires. However, consent will not remain valid forever. How long consent remains valid will depend on the context – the question is whether it is still reasonable to treat it as an ongoing indication of the person’s current wishes.
Remember that a data subject is entitled to withdraw their consent to receipt of marketing communications at any time.
Even if consent is not explicitly withdrawn, it will become harder to rely on as a genuine indication of the person’s wishes as time passes. Further, consent under PECR is expressly considered to be ‘for the time being’. This implies a period of continuity and stability, and that any significant change in circumstances is likely to mean that consent comes to an end.
How can we obtain valid consent where consent is necessary?
If you do need consent before you can send people a marketing message, then – to be valid – consent must comply with the requirements set out below.
Consent will not be valid if the data subject has no genuine and free choice, or is unable to refuse or withdraw consent without detriment.
Where there is a "clear imbalance" between the controller and the data subject (e.g., between an employer and an employee), consent is presumed not to have been freely given.
When assessing whether consent is freely given, utmost account must be taken of whether the performance of a contract is made conditional on the data subject consenting to processing activities that are not necessary for the performance of that contract. Wherever possible, the College should avoid making the performance of a contract conditional upon the data subject's consent to the processing of personal data.
Clear and specific
It must cover both the College and the type of communication you want to use (e.g. call, automated call, fax, email, text) i.e. consent must be limited to a specific context (it cannot apply to an open-ended set of processing activities).
The nature of the processing should be explained in an intelligible and easily accessible form, using clear and plain language which does not contain unfair terms. Also, the data subject should be aware at least of the identity of the controller (i.e. the College) and the purposes for which the personal data will be processed.
Consent must take the form of an affirmative action or statement. Consent can be provided by any appropriate method enabling a freely given, specific and informed indication of the data subject's wishes. For example, depending on the circumstances, valid consent could be provided verbally, in writing, by ticking a box on a web page, by choosing technical settings in an app, or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data.
Silence, pre-ticked boxes, inactivity, failure to opt-out, or passive acquiescence do not constitute valid consent.
Distinguishable from other matters
If consent is given in the context of a written declaration or other terms and conditions which also concern other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
Capable of being evidenced
You should keep clear records of what a person has consented to, and when and how you got this consent, so that you can demonstrate compliance in the event of a complaint.
Capable of being withdrawn
Data subjects have the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Prior to giving consent, the data subject must be informed of the right to withdraw consent. It must be as easy to withdraw consent as to give it, e.g. include an unsubscribe email at the end of each email communication.