By Steve Wood, Head of Policy Delivery.
Little of the ICO’s work is more talked about than our regulation of marketing calls, texts and emails. From the Which? taskforce to the media investigations into charity fundraising, direct marketing is certainly a high-profile subject.
More often than not, the focus is on our enforcement action against companies who flout the rules. That’s certainly the case today, as we issue another £225,000 of penalties to two companies in Swansea.
But while that remains in the headlines, it is our guidance on the law that proves so crucial to organisations. Today we’ve published an updated version, to ensure it can continue to enable organisations to understand how to comply with the law and follow good practice.
Our advice may yet offer more than that. At the recent Direct Marketing Association Data Protection Conference, Baroness Neville Rolfe added her voice in support of issuing our guidance as a Code of Practice with specific statutory recognition, which would allow it to be considered by the courts.
Such a move would need legislative change, as well as a full consultation. In the meantime the guidance remains a key document, both as a guide to how organisations can make sure that marketing calls and texts are made in line with the law, and to inform the ICO’s enforcement activity. And the updated version of the guidance we’ve published today will make sure it continues to meet these objectives.
For most, this will not be their first time reading the guidance, so let’s focus first on what’s new. The most notable addition for many will be a greater focus on scenarios involving not-for-profit organisations. It is important to remember that the law requires charities to follow the same rules as any other organisation, but the high-profile difficulties some have found in meeting that requirement have meant we’ve provided more advice to this sector within the guidance, including specific examples.
This sits alongside our ongoing work with the sector. We have an ongoing investigation into how charities have complied with the law, and we’re also working with charities who are keen to improve their approach. Last month we published an undertaking signed by British Red Cross, committing them to best practice around their fundraising calls, and today we’re publishing a similar agreement signed by Age International. Again, we’re pleased that we’ve been able to work with them on this.
More broadly, the updated guidance gives more direction around third-party consent. We’ve seen organisations getting this wrong, and facing enforcement action as a consequence. Our guidance makes clearer than ever that phrases like ‘are you happy to receive marketing from selected third parties’ will rarely be likely to demonstrate the law is being followed.
We’ve also included detail around consent being freely given. It isn’t within the law to unduly incentivise people to give their consent to marketing calls, nor typically to require consent to marketing as a condition of subscribing to a service.
I’ve no doubt some readers will have been hoping for more from the guidance. We know some people would like to see entire guidance documents dedicated to specific sectors, for instance, but this misunderstands the law. The Privacy and Electronic Communications Regulations apply equally to any and all organisations who are engaging in direct marketing activity via electronic means, regardless of their sector. To create several different strands of guidance for several different sectors would create a confused picture.
What’s more, we can only provide guidance that matches what the law says. So when we say that how long an organisation can continue to rely on consent depends on the circumstances, that’s because to give anything more concrete wouldn’t reflect the law. Similarly, while we understand some organisations want to be able to contact existing customers in an attempt to ask them to consent to future marketing calls, this also isn’t something the law allows.
Instead, what we’ve produced is updated, clear guidance, focused on the same principles and same law as the previous version. And as my colleagues in enforcement would point out, organisations should find reading the guidance far cheaper than fines for getting their marketing wrong.
We’re also working on other new guidance that will be useful to organisations undertaking direct marketing, such as the updated Privacy Notices Code, a checklist for selling and buying data and standard wording for organisations to use when collecting personal data for marketing purposes.
Steve Wood’s department develops the outputs that explain the ICO’s policy position on the proper application of information rights law and good practice, through lines to take, guidance, internal training, advice and specific projects.