In some previous blogs the Outsourced DPO considered the background to the PECR, how they interact with, compliment and “trump” the DPA and GDPR, and the general prohibition on unsolicited direct marketing via electronic communications systems and equipment. We looked at the definition of direct marketing and found it to be broad-based and, crucially, that the ICO’s opinion as to what constitutes best practice is enshrined in the law. In this blog the Outsourced DPO takes a look at direct marketing via telephone. Before diving into the detail we should first clarify a point about instigating direct marketing activities.
Instigating direct marketing activities
The Outsourced DPO was challenged twice recently as to what actions actually constitute instigating direct marketing activities. The challengers proposed that if they were to appoint a marketing agency to select candidates for a direct marketing campaign from a database of which the agency is data controller, and for the agency to actually execute the campaign by undertaking the direct marketing activity which promoted the challenger’s products, the challenger’s company is not technically instigating the direct marketing activity.
This is an interesting point to consider as did the Court of Appeal recently in connection with an appeal against monetary penalty and enforcement notices issued to Leave.EU and Eldon Insurance Services by the ICO.
The Court of Appeal determined that to instigate direct marketing required some form of positive encouragement to transmit the direct marketing material. To urge or incite somebody to do something. The mere facilitation of direct marketing is not considered to fall under the definition of “instigating”.
Direct Marketing by telephone
The use of telephones for direct marketing purposes is long established leading to the emergence of the term “cold calling” – i.e. the practice of calling some out of the blue (a “cold” prospect) in order to sell them something or present an offer to them. The PECR rules apply to the use of telephones for unsolicited direct marketing purposes.
The PECR differentiates direct marketing by phone in to two principle practices and defines a set of rules for each:
- The use of automated calling systems to place calls and play a recorded message (governed by Regulation 19);
- The making of calls for direct marketing purposes (governed by Regulation 21).
Use of automated calling systems
In essence, no one is permitted to either transmit or instigate the transmission of communications comprising recorded matter for direct marketing purposes by means of an automated calling system except where the called line is that of a subscriber who has previously notified the caller that they consent to such communications being sent by the caller. In addition a subscriber is not permitted to allow their telephone line to be used in contravention of this rule.
The PECR defines what is covered by the terms “automated calling system” and “recorded matter” which to all intents and purposes is a phone system dialling telephone numbers in accordance with a set of programmatic instructions and transmitting sounds that are not live speech. This could be anything from a top-end auto dialler of the type you may find in a state-of-the-art contact centre, or a plug in to a VoIP or CRM system. The crux of Regulation 19 though is the playing of recorded messages once an automated calling system has placed a call.
Regulation 19 does not affect the use of auto-diallers for placing live calls where a system places calls and then connects a sales agent to the call for a live person-to-person conversation (although these types of calls are regulated by OFCOM as they can result in “silent calls” when the system makes a connection to a phone but can’t find an agent to connect it to and so drops the call. As an aside you can combat these types of calls by being silent yourself for 10 or so seconds when you pick up the phone as the automated dialler is fooled into thinking that the call is not going to be answered by anyone.
The purpose of Regulation 19 is to restrict the use of technology to place calls and leave messages. The cost of these systems is relatively low and the ability of them to place millions of calls a day is very real. Imagine if you received 30 calls a day all of which were pre-recorded messages. Or collecting your voicemail took 10 minutes because 29 out of the 30 messages was a pre-recorded sales pitch. How irritating and intrusive would that be?
In summary Regulation 19 says that automated diallers must not be used to place calls and play recorded messages UNLESS the “targets” of the calls have consented to such communications. The concept of consent is looked at later in the blog post, but let’s stop to briefly consider what this means in practice. When personal data are collected, the data controller must obtain consent specifically to use automated diallers and play pre-recorded messages. The Outsourced DPO cannot ever recall seeing a privacy notice incorporating a consent statement for this kind of activity but it might be worded as below:
[_] I consent to you using automated diallers to leave me pre-recorded direct marketing messages promoting your products and services similar to those I purchase from your web site.
I guess if you were a member of some sort of club or scheme where there is a high degree of trust between controller and data subject, it may be that individuals would be happy to consent to this kind of activity and actually see it as beneficial if they spend long periods of time in environments where they have no phone or phone signal and would prefer to receive pre-recorded messages either directly or to voice mail. It could be an automated dialler for a sailing club for instance pushing out opportunities for crewing, training, or race entries.
In March 2020 the ICO issued a fine of £500,000 to CRDNN for placing automated calls and playing interactive messages whereby the recipients of the calls were invited to press 5 for more information or 9 to be removed from the calling list etc.
In the next blog the Outsourced DPO looks at live person-to-person calls made by agents.