The ICO released guidance on electronic mail marketing, to help organisations achieve compliance with the PECR.
Earlier this month, Aphaia reported on guidance published by the ICO for organisations regarding live phone calls made for marketing purposes, intended to help organisations remain in compliance with the Privacy and Electronic Communications Regulations (PECR), also known as ePrivacy Regulations. The ICO has now released another instalment of key guidance for businesses and organisations to help maintain compliance with the PECR, this time on the topic of sending electronic mail containing direct marketing content. It is important to know and understand the PECR rules before sending out any direct marketing electronic mail, not only to avoid damaging individuals’ trust and confidence in your organisation and the organisation’s reputation, but also to avoid possible fines. Electronic mail, according to the PECR, constitutes “any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service”. This definition is intentionally broad enough to include any new forms of messaging, as all types of electronic messaging are governed by the PECR. If your business or organisation sends any type of electronic mail, this guidance from the ICO will prove helpful.
The rules for direct marketing electronic mail may vary depending on whether a subscriber is an individual or corporate subscriber.
The DPA 2018 defines direct marketing as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. This very broad definition covers all advertising, marketing or promotional material. It includes both commercial marketing and the promotion of aims and ideals, as in the case of campaigns and charities. It excludes any electronic mail sent for administrative or customer service purposes. The rules governing electronic mail do not only cover electronic mail which involves the processing of personal data, and therefore it is not necessary that an organisation even has the name of the person to whom the electronic mail is being sent. While the marketing rules in the PECR are designed to protect all subscribers, some rules only apply to individual subscribers, and not corporate subscribers. Regardless of the type of subscriber, however, the information which must be provided to them is applicable across the board. Every subscriber must be provided with a valid contact address for people and businesses to opt out or unsubscribe. Regardless of the type of subscriber, the PECR dictates that an organisation must never disguise or hide its identity.
Both solicited and unsolicited direct marketing electronic mail can be sent; however, if consent is sought, it must be valid under the UKGDPR.
Electronic mail marketing is considered solicited if someone specifically asks you to email them with marketing information. On the other hand, unsolicited electronic mail marketing means any marketing message that someone hasn’t specifically requested. While both solicited and unsolicited direct marketing emails may be sent, if consent is sought, it must be valid under the UKGDPR. The UKGDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Any consent being sought for the purposes of direct marketing via electronic mail must fit these criteria, and the ICO suggests that a record of the consent given (particularly who, when and how, etc.) should be kept in order to prove the validity of consent. It must be easy for subscribers to withdraw their consent. No direct marketing electronic mail should be sent to anyone who has unsubscribed or withdrawn consent, and the ICO suggests having a clear process in place for handling subscribers who decide that they no longer want to receive direct marketing electronic mail. More in-depth explanations on exactly how consent works in the context of electronic mail marketing can be found here.
Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.