The Privacy and Electronic Communications Regulations (PECR) govern specific privacy rights in relation to electronic communications. The regulations sit alongside the UK GDPR and Data Protection Act.
Direct marketing is “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. In practice this will cover all electronic messages, for example calls, emails, faxes, video messages, voicemails, direct messages via social media and texts.
Marketing Targeting Individuals
• You must not send electronic mail marketing to individuals, unless:
– the individual has specifically consented to electronic mail from you, e.g. by ticking an opt-in box; or
– ‘Soft opt-in’: where the individual is an existing customer who bought a similar product or service from you in the past, and you gave them a clear chance to opt out.
• In both cases, you must not disguise or conceal your identity, and you must provide a valid contact address so the customer can opt out or unsubscribe at any time.
• You must always ask for consent to pass an individual’s details to third parties for marketing and clearly identify those third parties when doing so.
Marketing Targeting Companies
• You can send marketing emails or texts to companies, i.e. any corporate body, including a government body. However, it is good practice to keep a ‘do not email or text’ list of any companies that object or opt out.
• Remember though that sole traders and some partnerships are treated as individuals so the rules above for individuals apply instead.
What is Valid Consent?
• Consent is only valid where:
– It is knowingly and freely given, clear and specific;
– It covers both your organisation and the type of communication you want to use (e.g. email or call);
– It involves a clear positive action, for example, ticking a box or sending an email;
– The individual understands that they are giving consent. It is not enough simply to provide information about marketing as part of your privacy policy that is hard to locate, difficult to understand and unlikely to be read; and
– It can be withdrawn at any time. You must make it easy for people to withdraw consent and clearly tell them how to do so.
• The clearest way to obtain consent is often to ask the customer to tick an opt-in box confirming they are happy to receive marketing from you. A clear link to your privacy policy should be included at this point too. Note that pre-ticked boxes do not give valid consent under the PECR.
• You should keep a clear record of what a customer has consented to, and when and how this consent was obtained. This will help you to demonstrate compliance with the regulations.
• Obtaining consent can be onerous and so you may seek to rely on soft opt-in consent instead.
How do you ensure ‘soft opt-in’ is compliant with PECR?
• To ensure a compliant ‘soft opt-in’:
– you must have a pre-existing relationship with the individual targeted, i.e. you received the individual’s contact details when that individual previously purchased a product or service from you or showed a genuine interest in a product or service;
– your marketing communications must only concern products and services that are genuinely similar in nature to those that the individual has previously purchased or shown a genuine interest in purchasing;
– you must notify the individual in advance of your intention to send them marketing communications about similar products and services (this may be ensuring the customer becomes aware of your privacy notice during the purchasing process and stating therein that you intend to process the individual’s personal data to market similar goods and services to them in the future); and
– you must make it easy for the individual to opt out of receiving the electronic marketing communications, both when you first collect their details, and in every message you send thereafter.
• ‘Soft opt-in’ does not apply to prospective customers or new contacts, for example from bought-in lists that may have been purchased from a third party.
Future Changes to the PECR
Finally, please bear in mind that the EU is currently in the process of replacing the PECR with the new, more onerous, e-Privacy Regulation. It remains to be seen whether the UK will adopt this too or whether the PECR will continue to apply.
For further advice on how to ensure your organisation maintains compliance with data privacy laws, please get in touch.
Madeleine Rhodes mrhodes@redfernlegal.com