One of the questions businesses ask frequently is how the GDPR will affect their direct marketing activities. For most businesses that means electronic marketing (emails and texts).
In fact, the rules on electronic marketing are not contained in the GDPR. Marketing is still a form of data processing so you do still need to comply with the GDPR generally (including giving proper consideration to the processing and security of your contact databases) but in the UK, the specific rules that apply to electronic marketing are contained within the Privacy and Electronic Communications Regulations. A new European regulation to replace these was supposed to be coming into force at the same time as the GDPR but is now delayed, possibly until early 2019.
What’s the starting point?
The starting point is that you should only send electronic marketing to individuals with their consent. This is one area that has been impacted by the GDPR, as the meaning of consent has been toughened up significantly. Any consent to electronic marketing must be explicit, informed and freely given (i.e. not buried in small print). If you’re using a tick box to signify consent, then you must not pre-tick it.
What about marketing to businesses?
If you are contacting individuals at a limited company, LLP, local authority or government body then this is exempt from the restrictions on electronic marketing provided that you stop marketing to individuals at the organisation if they ask you to.
Sole traders and most partnerships (outside Scotland) are treated as individuals so the consent requirement does still apply to them and their employees.
What about former customers?
Where you’ve collected contact details from an individual in the process of selling goods or services to that individual (or in the process of quoting/negotiating for the sale of goods and services to that individual) you are allowed to send electronic marketing to them about your similar goods and services. But you must give them the opportunity to opt out at the time you collect their contact details, and you must give them an “unsubscribe” opportunity on each email you send to them.
This is known as the “soft opt-in”.
What about bought-in lists?
Be very careful with bought-in lists. An individual can only consent to electronic marketing if that consent is clear and informed, including from whom the marketing will be received.
For example, an individual’s consent to their contact details being shared with “carefully selected partners” for marketing purposes is simply too vague to be valid. Any consent must name your business explicitly or must be for a precisely-defined category of organisations/businesses which clearly includes your business.
You should do full due diligence on any bought-in lists and ask for evidence of the consents obtained. If you are already carrying out regular electronic marketing using bought-in lists then you may want to ask all your contacts to consent explicitly to you continuing to market to them. You should ideally do this before the GDPR comes into force on 25th May 2018.
What will the new rules be for electronic marketing?
The replacement European regulation is still going through the legislative process but commentators expect the new rules to be similar. However, it’s likely that the soft opt-in will only apply to actual customers, rather than simply people you’ve quoted to.
In addition, it’s possible that the exemption for limited companies and LLPs etc will not survive under the new rules.
We’ll post further updates once the final draft is approved.
What about other forms of marketing?
If you’re sending postal marketing then you should screen your marketing addresses against the Mailing Preference Service (www.mpsonline.org.uk) to ensure you exclude any individuals who have opted out of postal marketing.
If you’re carrying out (non-automated) telephone marketing then you should screen your telephone number database against the Telephone Preference Service (www.tpsonline.org.uk) and the Corporate Telephone Preference Service (www.tpsonline.org.uk/tps/whatiscorporatetps.html) to exclude any individuals or businesses that have opted out of telephone marketing. (The exception is if you have explicit consent to market to those people, e.g. because they are your customers and have consented as part of a registration form, in which case that overrides their TPS registration.)
Provided you comply with the above requirements, then the regime for postal and telephone marketing is more relaxed. You don’t need explicit consent but you must remove people from your marketing database if they request it.
The rules on automated telephone calling are very strict and you should only make automated calls to those who have explicitly consented.
How can BHW help?
We can advise you on all aspects of compliance with the GDPR and the direct marketing rules. We can also help you put together the documentation required by the GDPR and can provide training to you and your staff (whether bespoke training on your own procedures or more general training on the GDPR or direct marketing).
If you want to discuss any aspect of the GDPR or direct marketing, please contact Matt Worsnop at [email protected].