Navigating PECR, DPA 18 and the UK GDPR.
Data Protection within the UK is governed by 3 sets of legislation.
• UK General Data Protection Regulation (UK GDPR).
• Data Protection Act 2018 (DPA 18).
• Privacy and Electronic Communications Regulations (PECR).
All 3 work in harmony. The UK GDPR sends you to the DPA 18 and PECR sends you to the UK GDPR.
For direct marketing and cookies, PECR is the primary focus with a little sprinkle of the UK GDPR and the 2018 act for good measure.
I think for this blog, it makes sense to split it into two parts: direct marketing first, then cookies. Go stick the kettle on, make a cup of tea, sit back and relax whilst I walk you through the considerations of direct marketing and cookies (no, not those ones).
Direct marketing is important. It helps businesses grow and progress, it can add value to the customer experience by providing them with information on new products and services that they may be interested in.
It is crucial to get direct marketing right in order to keep these benefits; bombarding customers with direct messages can damage both your reputation and your relationships with your customer base.
When done right, direct marketing can generate a large percentage of an organisation’s revenue. Done wrong, however, it can leave organisations facing a serious fine.
The Information Commissioner’s Office (ICO), the supervisory authority in the UK, can impose fines of up to £500,000 for an infringement of PECR. The ICO can also bring criminal prosecutions, take non-criminal enforcement action and carry out audits.
The ICO has published a 58-page code of conduct on direct marketing. Although it is very useful, you may not have the spare time to read through the guidance, which is why I have taken the time to write this blog for you!
What is Direct Marketing?
Direct marketing is defined under Section 122(5) of the DPA 18 as “communication (by whatever means) of advertising or marketing material which is directed to particular individuals”.
Let’s break that definition down to try and help you understand what direct marketing is.
Communication (by whatever means).
This is any type of communication that you may use for the purpose of direct marketing. For example:
• Electronic messages (email or text messages)
• Phone calls
• Social media marketing
The ICO says that it can also cover any non-traditional or emerging type of communication or approach… with that in mind, I wonder if they would consider a letter in a bottle to be direct marketing?
Advertising or marketing material.
This covers any advertising, promotions or marketing material including:
• Commercial marketing of products and services
• Promotion of aims and ideals such as fundraising, political campaigning or corporate initiatives that promote community or charitable work.
Directed to particular individuals.
The marketing materials must be “directed to” a particular person or categories of people. For example:
• Personally addressed post.
• Emails to a particular account.
• Calls to a particular telephone number.
• Advertising on social media that is targeted to a particular person.
Marketing is not “directed to” if it is indiscriminate blanket marketing. For example:
• Magazine inserts
• Online adverts shown to everyone who views a website
• Leaflets delivered to every house in an area
The ICO warns that simply removing someone’s name from the marketing material doesn’t stop it from still being directed to that person.
Direct Marketing Purposes
“Direct marketing purposes” is wider than just sending someone a message. It includes all activities you carry out with people’s information that lead up to, directly enable, or support sending your direct marketing messages.
Within their code of conduct, the ICO says that the focus is on why you are doing something rather than the activity itself. For example:
• building a profile on someone with the intention of using this to target them with advertising.
• generating leads for advertising purposes (cold calling people).
• sharing data with third parties for them to use for their own direct marketing.
I mentioned previously that direct marketing is caught by all three data protection laws, so I thought it would be worthwhile to give you a little more information on that.
Where direct marketing uses personal information, it is covered by the UK data protection regime set out in the DPA 18 and the UK GDPR.
In addition, where direct marketing is carried out using electronic messages, it is also covered by PECR. As PECR can apply even when an organisation is not using personal data, it has a broader application than the data protection laws.
Solicited v Unsolicited Direct Marketing.
Solicited marketing is a type of marketing that is actively requested. For example, if I were to ask you to send me your monthly newsletter then you can send me your newsletter without worrying about PECR.
Please note that when you send solicited messages, you must state who you are, display your number when making calls and provide a contact address.
Unsolicited marketing is any message that has not been specifically requested. Even if the individual has ‘opted in’ to receiving marketing from you, it still counts as unsolicited marketing.
Opt-in means the individual agreed to you sending them future messages. However, this is not the same as someone specifically contacting you to ask for particular information.
It is worth noting that unsolicited marketing is not unlawful; there are simply regulations that a company must abide by in order to do it. This is where PECR comes into play!
Marketing via telephone.
Regulations 21, 21A and 21B govern the rules on direct marketing by telephone.
To summarise, you must not make unsolicited live calls:
• to anyone who has told you they don’t want your calls;
• for the purpose of claims management services, unless the person has specifically consented to your calls; or
• in relation to pension schemes, unless you are a trustee or manager of a pension scheme or a firm authorised by the Financial Conduct Authority, and the person you are calling has specifically consented to your calls or your relationship with the individual meets strict criteria.
Calls to individuals.
You can call an individual if they have given you their consent to do so (I will run through the conditions for consent in a few moments time).
You can also make live calls without consent to a number if it is not listed on the TPS – but only if that person hasn’t objected to your calls in the past and you are not marketing claims management services.
Calls to businesses.
The rules are the same as for calls to individuals. So, you can call any business that has specifically consented to your calls – for example, by ticking an opt-in box.
You can also make live calls to any business number that is not registered on the TPS or the CTPS, but only if they haven’t objected to your calls in the past and you are not marketing claims management services.
Telephone Preference Service (TPS)
The TPS is the UK’s official “do not call” list: individuals register on it to opt out of receiving live marketing calls. There is also the CTPS (Corporate TPS), which works in the same way as the TPS but for companies and other corporate bodies.
Organisations should screen telephone numbers against the relevant TPS and against their own “do not call” list before calling. The ICO is responsible for enforcing the regulations and has been known to fine organisations up to £500,000 for breaches of the TPS rules.
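The screening step described above, as an added example (not code from the post or from the ICO): normalise every number to one form, then check it against the TPS, the CTPS and the organisation’s own “do not call” list before any unsolicited live call is placed. It assumes the registers are available locally as plain lists of numbers (in practice a licensed file from the TPS operator) and that each contact record carries flags for prior consent, prior objection, consumer/business and whether the call would market claims management services; the extra conditions for pension-scheme calls are not modelled.

```javascript
// Added example for this post (not code from the post or the ICO): screening a
// call list against the TPS, the CTPS and an organisation's own "do not call"
// list before any unsolicited live marketing call is placed.
//
// Assumptions (not stated in the post): the TPS and CTPS registers are
// available locally as lists of numbers, and each contact record carries flags
// for prior consent, prior objection, business/consumer and whether the call
// would market claims management services. Pension-scheme calls have extra
// conditions that are not modelled here.

// Normalise UK numbers to E.164 so that "07700 900123", "+44 (0)7700 900123"
// and "0044 7700 900123" all compare equal.
function normaliseUkNumber(raw) {
  const s = String(raw).replace(/[^\d+]/g, '');
  let national;
  if (s.startsWith('+44')) national = s.slice(3);
  else if (s.startsWith('0044')) national = s.slice(4);
  else if (s.startsWith('0')) national = s.slice(1);
  else throw new Error(`Cannot normalise UK number: ${raw}`);
  national = national.replace(/^0/, ''); // "(0)" written after the country code
  if (!/^\d{9,10}$/.test(national)) throw new Error(`Unexpected UK number: ${raw}`);
  return '+44' + national;
}

// Returns one decision per contact. Order matters: an objection or an internal
// "do not call" entry always wins; consent then allows the call even when the
// number is TPS/CTPS registered; without consent, claims-management calls are
// blocked outright and the registers are checked last.
function screenCallList(contacts, lists) {
  const tps = new Set(lists.tps.map(normaliseUkNumber));
  const ctps = new Set(lists.ctps.map(normaliseUkNumber));
  const doNotCall = new Set(lists.doNotCall.map(normaliseUkNumber));
  return contacts.map((c) => {
    const number = normaliseUkNumber(c.number);
    const decide = (allowed, reason) => ({ number, allowed, reason });
    if (c.objected) return decide(false, 'told us they do not want our calls');
    if (doNotCall.has(number)) return decide(false, 'on internal do-not-call list');
    if (c.consented) return decide(true, 'specific consent to our calls');
    if (c.claimsManagement) return decide(false, 'claims management needs consent');
    if (tps.has(number)) return decide(false, 'TPS registered');
    if (c.business && ctps.has(number)) return decide(false, 'CTPS registered');
    return decide(true, 'not registered, no objection');
  });
}

// Constructed sample data (07700 900xxx is an Ofcom range reserved for
// fiction, so none of these are real subscribers).
const SAMPLE_LISTS = {
  tps: ['07700 900002'],
  ctps: ['07700 900004'],
  doNotCall: ['+44 7700 900007'],
};
const SAMPLE_CONTACTS = [
  { number: '07700 900001', consented: true, objected: false, business: false, claimsManagement: false },
  { number: '+44 7700 900002', consented: false, objected: false, business: false, claimsManagement: false },
  { number: '07700 900003', consented: false, objected: true, business: false, claimsManagement: false },
  { number: '0044 7700 900004', consented: false, objected: false, business: true, claimsManagement: false },
  { number: '07700 900005', consented: false, objected: false, business: false, claimsManagement: true },
  { number: '07700 900006', consented: false, objected: false, business: false, claimsManagement: false },
  { number: '07700 900007', consented: true, objected: false, business: false, claimsManagement: false },
];

function screenSample() {
  return screenCallList(SAMPLE_CONTACTS, SAMPLE_LISTS);
}

for (const d of screenSample()) {
  console.log(d.allowed ? 'CALL' : 'SKIP', d.number, '-', d.reason);
}
```

The last sample contact shows why the ordering matters: the person consented earlier but later asked not to be called, so the internal list wins over the stored consent, and the record should be suppressed rather than called.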
Marketing via electronic messages
The rules around direct marketing via electronic messages are a little different from those for telephone marketing.
Regulation 22 of PECR sets out the rules for direct marketing through electronic means.
An organisation must not send direct marketing via electronic means unless:
• An individual has specifically consented to electronic mail from you; or
• They are an existing customer who bought (or negotiated to buy) a similar product or service from you in the past and you gave them a simple way to opt out both when you first collected their details and in every message you have sent.
The ICO says you must not disguise or conceal your identity, and you must provide a valid contact address so that recipients can opt out or unsubscribe.
By electronic, I mean email, SMS, picture messages, video messages, voicemails and direct messages through social media or any similar message that is stored electronically. It is defined as “any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service”.
What is valid consent?
It is a good question. Luckily, Article 7 of the UK GDPR sets out the conditions for consent.
Consent must be freely given, specific and informed. It must involve some form of unambiguous positive action – for example, ticking a box or clicking a link – and the user must fully understand that they are giving you consent.
Consent only needs to be collected once – not every time you interact with someone. But it doesn’t necessarily last forever – if you change the thing that the person consented to, you’d have to obtain their consent again.
When relying on consent, the user has the right to withdraw their consent at any time pursuant to Article 7(3) of the UK GDPR, and it must be as easy for the individual to withdraw their consent as it was for the controller to obtain it. Typically, this is done through an opt-out link in an email or a cookie cog on the website. The cog allows users to alter their cookie preferences at any time.
Opt-in v Opt-out.
This may seem like a fairly obvious thing to differentiate. However, I think it is worthwhile briefing you on the difference between the two as I get the impression that some organisations don’t seem to know the difference and the implications that using the wrong one can have on an organisation.
Opt-in means that someone has taken a specific step (for example, ticking a box or clicking a link etc.) to state that they want marketing.
Opt-out means a person must take a positive step to refuse or unsubscribe from marketing.
Some organisations think that they are able to pre-tick opt-in boxes on behalf of individuals. However, under the conditions for valid consent in Article 7 of the UK GDPR, pre-ticked boxes are not considered to be valid consent.
There are some circumstances when an organisation can send unsolicited direct marketing by electronic means without consent which is referred to as a “soft opt-in”.
Organisations can use the soft opt-in when sending marketing messages offering similar goods and services to people who have recently bought, or negotiated to buy, things from them. For example, if a customer buys a pair of trainers from you and gives you their contact details, you could then rely on the soft opt-in to market a different item of clothing to them, even though they have not specifically consented.
You will need to give individuals a clear chance to opt out when you first collect their details AND in every message you send.
Beware: if what you are promoting is not similar to what they previously bought, you lose the ability to rely on the soft opt-in. You also need to be aware that the ICO does not allow the soft opt-in to be used for the fundraising activities of charities and the like.
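The two routes described above (specific consent, or the soft opt-in for existing customers) as a send-time check, added here as an example and not code from the post or the ICO. The record shapes are assumptions: a recipient carries a consent record and a purchase history, and a campaign declares which purchase categories its offer is “similar” to, whether it is fundraising, and whether the message identifies the sender, gives a contact address and includes an opt-out.

```javascript
// Added example for this post (not code from the post or the ICO): a send-time
// check for an electronic marketing message under the two routes the post
// describes, specific consent or the soft opt-in for existing customers.
//
// Assumed record shapes (not from the post): a recipient has a consent record
// and a purchase history; a campaign declares which purchase categories its
// offer is "similar" to, whether it is fundraising, and whether the message
// identifies the sender, gives a contact address and includes an opt-out.

// Article 7 style consent: a positive action, not a pre-ticked box, covering
// this purpose, and not withdrawn since.
function hasValidConsent(consent) {
  return Boolean(consent)
    && consent.positiveAction === true
    && consent.preTicked !== true
    && !consent.withdrawnAt
    && Array.isArray(consent.purposes)
    && consent.purposes.includes('email-marketing');
}

// Soft opt-in: bought or negotiated to buy, opt-out offered when details were
// first collected, offer is for similar goods/services, and not fundraising.
function softOptInApplies(recipient, campaign) {
  if (!recipient.customerSince) return false;
  if (!recipient.optOutOfferedAtCollection) return false;
  if (campaign.isFundraising) return false;
  return recipient.purchasedCategories.some((cat) => campaign.similarTo.includes(cat));
}

function mayEmailMarketing(recipient, campaign) {
  // Every message, consented or not, must identify the sender, give a contact
  // address and offer an opt-out; and an opt-out already received is final.
  if (recipient.optedOut) return { allowed: false, basis: 'recipient has opted out' };
  if (!campaign.senderIdentified || !campaign.contactAddress || !campaign.includesOptOut) {
    return { allowed: false, basis: 'message lacks sender identity, contact address or opt-out' };
  }
  if (hasValidConsent(recipient.consent)) return { allowed: true, basis: 'consent' };
  if (softOptInApplies(recipient, campaign)) return { allowed: true, basis: 'soft opt-in' };
  return { allowed: false, basis: 'no consent and soft opt-in does not apply' };
}

// Constructed sample data.
const JACKET_CAMPAIGN = {
  promotes: 'jackets', similarTo: ['clothing', 'footwear'], isFundraising: false,
  senderIdentified: true, contactAddress: 'marketing@example.com', includesOptOut: true,
};
const INSURANCE_CAMPAIGN = { ...JACKET_CAMPAIGN, promotes: 'home insurance', similarTo: ['insurance'] };
const NO_OPT_OUT_CAMPAIGN = { ...JACKET_CAMPAIGN, includesOptOut: false };
const TRAINER_BUYER = {
  customerSince: '2024-03-01', purchasedCategories: ['footwear'],
  optOutOfferedAtCollection: true, optedOut: false, consent: null,
};
const SUBSCRIBER = {
  customerSince: null, purchasedCategories: [], optOutOfferedAtCollection: false, optedOut: false,
  consent: { positiveAction: true, preTicked: false, purposes: ['email-marketing'], withdrawnAt: null },
};
const PRE_TICKED = { ...SUBSCRIBER, consent: { ...SUBSCRIBER.consent, preTicked: true } };
const WITHDRAWN = { ...SUBSCRIBER, consent: { ...SUBSCRIBER.consent, withdrawnAt: '2024-06-01' } };

function campaignSample() {
  return {
    trainersThenJackets: mayEmailMarketing(TRAINER_BUYER, JACKET_CAMPAIGN),
    trainersThenInsurance: mayEmailMarketing(TRAINER_BUYER, INSURANCE_CAMPAIGN),
    subscriber: mayEmailMarketing(SUBSCRIBER, JACKET_CAMPAIGN),
    preTicked: mayEmailMarketing(PRE_TICKED, JACKET_CAMPAIGN),
    withdrawn: mayEmailMarketing(WITHDRAWN, JACKET_CAMPAIGN),
    missingOptOut: mayEmailMarketing(SUBSCRIBER, NO_OPT_OUT_CAMPAIGN),
  };
}

for (const [name, d] of Object.entries(campaignSample())) {
  console.log(d.allowed ? 'SEND' : 'HOLD', name, '-', d.basis);
}
```

The trainers-then-jackets case goes out on the soft opt-in; the same customer offered home insurance is held, because the offer is no longer for something similar. The pre-ticked and withdrawn subscribers are held as well: neither has valid consent, and neither has the customer relationship the soft opt-in needs.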
What is a cookie?
A cookie is a small text file that is downloaded onto terminal equipment (phone or a computer) when the user accesses a website. It allows the website to recognise the user’s device and store some information about the user’s preferences or past actions. Sorry, it’s not the edible kind.
Similar to Direct Marketing, the laws on cookies can be found in both the PECR and the UK GDPR.
Specifically, regulation 6 of PECR states:
“6(1) a person shall not gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment—
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent”.
Essentially, Paragraph 2(a) of regulation 6 means that organisations must inform users of what cookies they are using and the purposes for which they are used.
Paragraph 2(b) is the second part of the requirements for placing cookies. This one is a little easier to understand as it specifically states that an organisation must attain consent from the user before placing the cookies on the user’s device.
Consent under PECR is derived from the UK GDPR; the conditions are the same and can be found further up in this blog under ‘What is valid consent?’ in the section on marketing via electronic messages.
Are there any exemptions?
In short, Yes!
Paragraph 4 of regulation 6 states: “Paragraph (1) shall not apply to the technical storage of, or access to, information—
(a) for the sole purpose of carrying out… the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.”
These are known as ‘essential cookies’ and they do not require consent to be obtained before being placed. This is because they are vital to the running of a website.
Examples of essential cookies are:
• cookies used to remember the goods a user wishes to buy when they add them to a shopping basket;
• session cookies that provide security essential to comply with data protection security requirements for an online service the user has requested, e.g. online banking services.
I know the question you are asking: “What about cookies such as Google Analytics?” I am afraid these are not essential, and therefore you will need to obtain consent before placing these cookies.
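The essential/non-essential split described above, as an added server-side example (not code from the post or the ICO): a response may always set the session and basket cookies, but an analytics or advertising cookie is only set once the user has positively chosen that category. The cookie names, the catalogue of purposes and the comma-separated `cookie_consent` format are assumptions for this example.

```javascript
// Added example for this post (not code from the post or the ICO): a
// server-side gate that emits Set-Cookie headers for essential cookies
// unconditionally and for non-essential cookies only for categories the user
// has positively consented to. The cookie names, the catalogue and the
// "cookie_consent" format are assumptions for this example.

// Which cookies the site sets, their category and the purpose that the
// consent notice must explain (regulation 6(2)(a)).
const COOKIE_CATALOGUE = [
  { name: 'sessionid', category: 'essential', purpose: 'keeps the user signed in to the service they asked for' },
  { name: 'basket', category: 'essential', purpose: 'remembers goods added to the shopping basket' },
  { name: 'analytics_id', category: 'analytics', purpose: 'site usage statistics' },
  { name: 'ad_profile', category: 'advertising', purpose: 'targeted advertising' },
];

// Parse a request Cookie header ("a=1; b=2") into a plain object.
function parseCookieHeader(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// The consent cookie lists the categories the user chose, e.g.
// "analytics,advertising". No cookie means no consent: silence, scrolling or
// a pre-ticked default do not count (regulation 6(2)(b)).
function consentedCategories(jar) {
  const raw = jar.cookie_consent;
  if (!raw) return new Set();
  return new Set(raw.split(',').map((s) => s.trim()).filter(Boolean));
}

// Decide which Set-Cookie headers a response may carry. `values` maps cookie
// name to the value the application wants to store on this response.
function cookiesToSet(cookieHeader, values) {
  const consented = consentedCategories(parseCookieHeader(cookieHeader));
  const setCookie = [];
  const withheld = [];
  for (const c of COOKIE_CATALOGUE) {
    if (!(c.name in values)) continue;
    if (c.category !== 'essential' && !consented.has(c.category)) {
      withheld.push(c.name);
      continue;
    }
    setCookie.push(`${c.name}=${encodeURIComponent(values[c.name])}; Path=/; Secure; SameSite=Lax`);
  }
  return { setCookie, withheld };
}

// Constructed sample: the same page response with and without consent.
const SAMPLE_VALUES = { sessionid: 's1', basket: 'sku-42', analytics_id: 'a1', ad_profile: 'p1' };

function cookieSample() {
  return {
    noConsent: cookiesToSet('', SAMPLE_VALUES),
    analyticsOnly: cookiesToSet('cookie_consent=analytics; sessionid=old', SAMPLE_VALUES),
    all: cookiesToSet('cookie_consent=analytics,advertising', SAMPLE_VALUES),
  };
}

for (const [scenario, r] of Object.entries(cookieSample())) {
  console.log(scenario, '-> set:', r.setCookie.length, 'withheld:', r.withheld.join(', ') || 'none');
}
```

The `withheld` list is worth logging in a real deployment: it is the evidence that non-essential cookies were not placed before consent, which is the question a regulator asks first.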
I know that the PECR rules can seem complicated – we have produced a flow chart to help you determine which bits of PECR apply to which marketing activities. We also run a PECR master class. Please contact us if you want a copy of our flow chart, want to know about our training or have any other questions about PECR.