Data protection and direct marketing

Communicating with customers is an important marketing activity for businesses. There are, however, legal requirements covering the collection and storage of personal data and its use in marketing. This blog just provides an overview, so you should take legal advice on your particular circumstances if you market in this way (or intend to). Failure to comply could lead to serious financial, commercial and reputational issues, including possible criminal penalties or potential barring by trade bodies.

Personal data: collection, storage and outsourcing

Any information about a customer held on computer or in an organised filing system that could identify them (for example, names, addresses or e-mail addresses) must be protected and secured.

Generally, a business can only collect information if it has a good reason for doing so (for example, to market new products to the customer contact). The business must make sure that the contacts are aware when the data is collected that it may be used for these purposes. The best way to do this is using a fair processing notice. When collecting data through a website, usually this notice will be in the website’s privacy policy.

Customer data should only be stored for the purpose(s) it is collected for and only for as long as it is required. It must be kept secure at all times (for example, data stored on mobile devices should be kept to a minimum). Databases should be reviewed regularly to ensure the data is accurate and up-to-date.

If you engage a third party to manage your data, you should take legal advice as you need a formal agreement between you, dealing with the confidentiality and security of the data.

Marketing: opting in and opting out

A business should ensure that people are always given the opportunity to opt in or out of receiving marketing from the business, for example using tick boxes on website forms and unsubscribe links in e-mails. When getting consent, it is not generally acceptable to include pre-ticked opt-in boxes or opt-out boxes. Positive action is required from a customer.

Details of any opt-out requests should be retained so that individuals who have opted out are not contacted in the future – simply deleting their details will not prevent them being contacted again if the data is later obtained from another source.

Preference services

A preference service holds the details of people who do not wish to receive direct marketing material. Individuals and businesses can register with preference services to indicate that they do not wish to receive direct marketing by a particular means.

Sending unsolicited marketing by post or telephone

A business can contact individuals and companies by post or telephone, unless they have stated that they do not wish to receive direct marketing.

The business must check whether an individual or company has opted out or signed up to the telephone preference service. It is good practice to check the mail preference service as well.

Sending unsolicited marketing by SMS, fax or e-mail

You will generally need explicit consent from individuals (including named individuals at a company), but not businesses, to send unsolicited marketing by SMS, fax or e-mail.

Before sending out marketing to individuals (including named individuals at a company) you should check that they have given specific consent and that they have not opted out or signed up to a relevant preference service.

Before sending out marketing to a company, you should check that they have not opted out or signed up to a relevant preference service.

If you have collected a customer’s SMS or e-mail details when selling something to them or negotiating to sell something to them, you can use those details in future to market the same or similar products to them without prior express consent, provided opt-out is offered each time.

Businesses are required by law to check databases against the relevant preference service regularly and comply with the preference.

Solicited marketing

Of course, if an individual or company has requested marketing material from you, you can send it out despite any previous opt-out or registration with a preference service.

Buying databases

Always take legal advice if you are considering purchasing an external database. You want to be sure you will be able to use it lawfully.

Before using the data, you must introduce yourself to the new customer and explain how you intend to use their data (for example, by issuing a fair processing notice by e-mail). Where you require explicit consent for marketing purposes (SMS, e-mail and fax marketing to individuals) the customer must give consent. You should check against your existing database whether anybody has opted out and of course the relevant preference services.

Charles Hylton-Potts