Data Protection and Direct Marketing
Reviewed May 2017
This Briefing Note considers the key data protection issues your business should be mindful of when it carries out direct marketing. It explains how your business should collect information about its customers (individual customers, named individuals within a business and businesses themselves) and how to communicate information about your products and services to existing and potential customers. This Briefing Note should not be relied upon as legal advice and you should contact us for advice on your specific circumstances.
What are the penalties for non-compliance?
- There are serious financial, commercial and reputational risks for your business, including possible criminal penalties.
- A negative impact on your business’ capacity to use databases for marketing.
- Reputational loss and the potential to be barred by trade bodies.
What customer data should be secured and protected?
- Any information held electronically or in a manual filing system that could identify a customer (such as names, addresses or email addresses).
Collecting customer data for marketing purposes
- In general, your business can only collect information if it has a valid reason for doing so (for example, to market new products to a customer).
- Your business must ensure that people whose data it collects are aware that it will be used for marketing and other purposes. The most effective way is to issue a privacy notice (also known as a fair processing notice or FPN). A privacy notice is given to a person to explain who will use their personal data and what the data will be used for. For example, the FPN may say that your business will pass their personal data to third parties for marketing purposes, preferably naming the organisation or type of organisation.
- If your business intends to collect data via its website, the website should include a prominent privacy notice.
- If your business plans to collect bank or credit card details, always take legal advice first, as there are security implications.
Storing customer data for marketing purposes
- Businesses should carefully document their compliance. This way they can provide evidence if a complaint or an investigation by the Information Commissioner’s Office arises. Some tips on documenting your compliance include:
  - record each person’s preferences to receive marketing by fax, telephone, automated calls or post;
  - note when and how you obtained consent and whether this was opt-in or opt-out;
  - record whether they are an individual or a business, as different rules apply;
  - keep separate databases for customers to whom you can and cannot send marketing emails;
  - regularly check your databases against the relevant preference service(s) and where necessary update them to comply with the preference.
- Your business must ensure that personal information is kept secure at all times (for example, data stored on laptops and mobile devices should be kept to a minimum).
- Regularly review your databases to ensure the data is accurate and up-to-date.
- You must ensure customer data is only stored for the purpose it is collected and only for as long as it is required (for example, do not retain data from an event delegate list for marketing purposes unless delegates were made aware that their details could be used in this way and given the chance to opt out).
Opt in and opt out
- Your business must ensure that people are always given the chance to opt in or out of receiving marketing material. The business should make this as easy as possible (for example, asking them to click an unsubscribe link in an email or text ‘STOP’ to 07xxx xxxxxx).
- Keep details of any opt-out requests your business receives, and make sure those individuals are not contacted in the future (this is known as ‘suppressing’ the details). If your business simply deletes their details, the business may obtain their data later from another source and will not know that they have opted out of marketing contact.
- Do not contact someone who has opted out, unless you are contacting them for another purpose (for example, to send a bill). It would be acceptable, however, to send them a message stating that your business would like to send them marketing material and invite them to opt back in.
- Generally, it is bad practice to pre-tick your opt-in boxes or rely on silence as an indication of intent to opt in. An indicative action is required from the customer (for example, returning a form).
Sending solicited marketing
- If a person or company has contacted a business requesting marketing material, the business can send it out even if they are included in an opt-out list or have registered with a preference service.
- People and businesses can register with preference services to indicate that they do not wish to receive direct marketing by a particular means. This may include by fax (the Fax Preference Service or FPS), mail (Mail Preference Service or MPS) and telephone (Telephone Preference Service or TPS).
Sending unsolicited marketing by post or phone
- Your business can contact people and companies from its databases by post or phone, unless they have opted out of receiving direct marketing.
- Before engaging in unsolicited marketing, your business must check whether a person or company has opted out or signed up to the TPS (you are required by law to do so). It is good practice to also check the MPS.
Sending unsolicited marketing by automated calling system, SMS, fax or email
- Your business will generally need express prior consent from individuals (including named individuals at a company), but not businesses, to send unsolicited marketing by SMS, fax or email.
- Before marketing to individuals (including named individuals at a company) you should check they have given express prior consent to that particular type of marketing and have not opted out or signed up to a relevant preference service.
- Before marketing to a company, you must ensure they have not opted out or signed up to the FPS (you are required by law to do so). It is also good practice to check the MPS.
- If your business has collected a customer’s SMS or email details during a sale or when negotiating a possible sale, it can use those details in future to market the same or similar products to them without prior express consent. This is known as the ‘soft opt in’.
- Your business should always take legal advice before purchasing an external database to ensure that it gets the rights to use it effectively.
- Before your business can use such data, it must introduce itself to the new customer and explain how it intends to use their data (for example, by issuing a privacy notice). In cases where the business needs express prior consent for marketing purposes (automated calling systems, SMS, email and fax marketing to individuals) the customer must give consent. As a database purchaser you must ensure that the seller has properly informed the individuals and obtained from them the consent for such disclosure and use.
- Always check whether any of the customers on the newly-purchased database have signed up to any preference services.
- You should also check the details on the new database against your business’ existing databases to see whether anyone has opted out.
- Although your business may agree with the supplier that it will not supply the bought-in data to any other party, this does not necessarily give you exclusive use. There is usually no way to stop others collecting the same data themselves or sourcing it elsewhere.
- Purchased data may not be appropriate for use in targeted marketing campaigns or when data mining.
Selling databases to third parties
- Your business may be able to sell or transfer a database if it has all the data subjects’ consent or it is in the business’ legitimate interest (for example, as part of a merger).
- Always take legal advice before selling a database. Your business will need to put a formal agreement in place as it will still be responsible for protecting the data.
Sharing your data with third parties
- Your business may want to allow a third party to manage its data (for example, by using a fulfilment house or a call centre).
- Always take legal advice before allowing a third party to access your business’ data. Your business will need to implement a formal agreement to deal with confidentiality and data security. This applies even if the third party is a group company.