Hazel Grant of Bird & Bird looks at how data protection law affects the
ability of companies to market their products and services.

Direct marketing has been, and continues to be, one of the key areas of focus
of data protection legislation. The Information Commissioner (and her
predecessors) have always paid particular attention to direct
marketing activities whether by phone or by mail. This emphasis shows
no signs of change with the development of e-commerce.

What is Direct Marketing?

The Data Protection Act 1998 helpfully defines direct marketing as 'the
communication (by whatever means) of any advertising or marketing
material which is directed to particular individuals'. This broad
definition could apply not only to correspondence but also telephone
and email marketing. In an e-commerce context, banner adverts should
not fall within this definition (banner adverts are those placed
around the 'window' containing the text on a website) as they are
unlikely to be directed to particular individuals.

It is understood that the Information Commissioner would take a broad view
of direct marketing; it is not only marketing by commercial entities
which would be captured. 'Marketing' by political parties in order
to canvass votes or encourage individuals to join the party would also
be included.

It is worth noting that there is no exemption for existing customers of a
business. Therefore, whether a business is marketing to existing
customers in an attempt to sell new products or whether the business
wishes to transfer existing customers' details to trading partners,
both types of activities fall within the ambit of the 1998 Act.

Notification

Businesses holding customers' personal data must ensure that their notification
with the Information Commissioner is up to date and adequate. Under
the notification procedure a number of purposes need to be specified
to indicate the use to which personal data are being put. Relevant
purposes for direct marketing might include:
- Advertising, marketing and public relations;
- Advertising, marketing and public relations for others (e.g. host mailing and
  list brokering);
- Canvassing political support amongst the electorate;
- Fund raising; and
- Trading/sharing in personal data (i.e. the sale, hire or exchange of personal
  information).

The First Principle

For direct marketing the most significant part of the 1998 Act is the
First Data Protection Principle, which requires data to be processed
fairly and lawfully. Under this Principle businesses are required to
make certain information available to the individuals on whom they
will hold data. The information to be provided is:
- The identity of the data controller (i.e. the business holding the
  personal data);
- The purpose or purposes for which the data are intended to be
  processed; and
- Any further information which is necessary, having regard to the
  specific circumstances in which the data are or are to be
  processed, to enable the processing in respect of the data subject
  to be fair.

This final point is something of a catch-all which requires careful
consideration by a business in each situation where personal details
are obtained.

Broadly, the above information must be made available when the business first
processes data or when the data are first disclosed. However, where
personal data have been acquired from a third party (e.g. bought from
a list broker) the business must comply with the obligation to provide
information but only where this does not result in 'disproportionate
effort'. Therefore it seems likely that where a list has been
purchased from a list broker, although there has been a disclosure, it
would be disproportionate effort to write to everyone on the list the
moment the list is disclosed. It would seem sufficient for the
purchaser to include this information when writing to everyone on the
list for the first time (note, however, that particular record must be
made of the disproportionate effort and why it applies in the
circumstances).

Under previous legislation, the Information Commissioner's predecessors
considered (and in some cases brought tribunal cases on) the
prominence and type size of notifications. It is hardly surprising
that notifications made to minors should be of far greater clarity.
Non-obvious uses or disclosures should be properly described. Uses
such as cross marketing (i.e. from sister companies), host mailing
(i.e. placing inserts into mailings) or list rental would be likely to
require more prominent notification. Marketing of the business' own
goods and services, where these are not similar to goods and services
initially provided to the individual, may also require more prominent
notification.

The Information Commissioner's predecessors recognised that a
relationship between a business and an individual customer may last
many years and develop. For example, relationships between banks and
customers may change over time as the banks' business develops. The
key issue is that these developments must be within the customer's
expectations for relevant marketing to take place. Otherwise specific
notification and some form of consent is likely to be required.

In some cases, personal data are collected from an individual known to the
individual data subject. For example, a family member may pass on the
individual's personal data (this is relatively common in 'recommend
a friend' schemes). The data protection issues in this situation can
be extremely convoluted. Complications arise where the data concerned
are sensitive personal data (see further on this below) or where the
contact details passed are not simply the home address, but also the
work address of the individual. Although, strictly speaking, these
schemes may have a number of data protection problems, in practice
most businesses use such schemes and accept a risk of non-compliance.

The Issue of Consent

The First Data Protection Principle also introduces a requirement of
compliance with pre-conditions for processing. For any processing of
personal data, a business is required to comply with one condition
listed in Schedule 2 to the 1998 Act. The most relevant conditions in
that Schedule are:
- The individual has given his consent to the processing; or
- The processing is necessary for the purpose of legitimate interests
  pursued by the data controller or by the third party or parties to
  whom the data are disclosed, except where the processing is
  unwarranted in any particular case by reason of prejudice to the
  rights and freedoms or legitimate interests of the data subject.

In practice, compliance with either of these conditions is likely to be
accomplished by similar steps, i.e. the provision of information and
obtaining implied consent.

Where sensitive personal data are being processed then a further condition
in Schedule 3 must also be complied with. Sensitive personal data is a
new definition added by the 1998 Act. It is personal data which
relates to particular private areas of a person's life, for example
information relating to their health, religious or other beliefs,
criminal convictions or sex life. The most relevant sensitive personal
data processing condition to direct marketing is likely to be that the
individual has given his explicit consent to the processing of the
personal data.

Traditionally there has been a debate in direct marketing circles over the use of
opt-in and opt-out consent (i.e. whether it is necessary to have an
individual tick a box and positively require themselves to be added to a
list for marketing purposes, or whether it is sufficient to place on a
form a box allowing an individual to tick a box and be removed from a
marketing list).

The requirement for consent within Schedule 2 and explicit consent within Schedule 3
makes no mention of opt-in or opt-out. Directive 95/46/EC, upon which
the 1998 Act was based, defines consent as meaning 'any freely given
specific and informed indication of (an individual's) wishes by
which (an individual) signifies his agreement to personal data
relating to him being processed'. This highlights the importance of
some signifying action by the individual. For example, this might be
requiring an individual to read a privacy statement on a website and
then clicking on 'I accept' at the bottom before allowing the
individual to access services on the website. Alternatively, it might
require a clear note being provided in a form sent to the individual,
who then returns the form in order to obtain some services without
having marked the form to show that the individual objects to the
collection of data.

The key issue is that it is not sufficient to rely on inaction by an
individual and thereby infer consent. The important point about
explicit consent seems to be the requirement for very clear
notification (perhaps in terms of location of the notification, size
of wording and clarity of language).

It is not clear whether opt-in and opt-out will continue to be debated.
Further legislation may require prior consent (perhaps by opt-in) for
email marketing. (The EU is reviewing the present Telecoms Directive
97/66/EC and intends to expand it to ensure that it covers all
communications. This will encompass marketing by email and, if enacted
in its present form, will require opt-in for email marketing).

Preference Services

These exist at present for both postal and phone/fax marketing. The services
are operated by the Direct Marketing Association and allow individuals
(and in some cases companies) to opt out of receiving marketing
material. Under the Telecommunications (Data Protection and Privacy)
Regulations 1999 businesses are required to check with the phone/fax
list to ensure that they do not market a person on that list. There is
not, at present, an official email preference list, although the
Direct Marketing Association website does include a link to a
sponsored email list (see www.the-dma.org).

Right to Prevent Direct Marketing

The 1998 Act introduced a new right for individuals specifically addressed
to direct marketing. Under this right an individual is entitled to
require a business to cease, or not to begin, processing for the
purposes of direct marketing. The right must be exercised by notice in
writing and must specify a reasonable period to allow the business to
comply. One point to note is that under Directive 95/46/EC, which gave
rise to the 1998 Act, there is a requirement on member states to
ensure that individuals are aware of the existence of this right.

The 1998 Act does not make provision for this obligation.

Practical Steps

As businesses attempt to make more efficient use of their customers'
data there will be data protection implications. Customer relationship
management (CRM) software offers, in some cases, huge benefits for
businesses: it allows them to manage a number of different individual
databases as one and to operate efficiently using all the information
which is held about a particular customer. However, where data has
been collected on a customer for different purposes and at different
times, it is important that data collected for a particular purpose
are only used for that purpose. For example, data collected from an
individual in order to mail them some goods should not be used for
direct marketing by that company or another company of unrelated
goods, unless the individual has consented. It is therefore important
that data are appropriately tagged and marked with the purposes for
which they may be used.

When collecting data, it is important that proper notification is given to
the individual of the purposes for which the data will be used. This
needs to take place by means of including text on paper forms, in
telephone call centre scripts and on websites. The information must be
clear and as broad as possible in order to benefit the business.

When acquiring new customer details from a third party, a business must be
particularly careful about the basis on which the customers' details
have been collected. When 'buying' a list of customers the
business should ensure that it obtains adequate warranties on the
collection of names on the list and the purposes for which those names
can be used. Similar arrangements should apply where lists are
exchanged between business partners: each business partner will wish
to be sure that the other has collected the names in a fashion that is
compliant with the 1998 Act, and allows the other business partner to
market them.

Entities in favoured positions, i.e. where an individual has little or no
choice but to disclose personal data, have to take care. An example of
a favoured entity would be an electricity company holding data on an
electricity customer. Further use of those data (beyond supply or
marketing of electricity) is likely to require consent.

Further Developments and Conclusion

Direct marketing continues to be an area in which there are a number of new
pieces of legislation and proposed legislation. The March 2001 issue
of Privacy and Data Protection contained an article on the relatively
new Telecoms Regulations. These Regulations include provisions
specifically relating to marketing individuals and companies by fax
and phone. The EU is considering a new Directive which will expand and
update the Telecoms Directive 97/66/EC (which gave rise to the
Regulations) to cover all forms of communication including email.

Apart from such new developments, the basic understanding of direct
marketing and data protection continues to apply. In effect compliance
with data protection legislation should be a matter of common sense
and good customer handling. Every business should ensure its customers
know what information is collected on them and why.

Hazel Grant - Bird & Bird
hazel.grant@twobirds.com