What are the legal issues with direct marketing?

Kirsty Davey of the Corporate and Commercial team at Coodes Solicitors outlines what businesses need to do to ensure they comply with the law when carrying out direct marketing.

Collecting customer data

“Generally, a business can only collect customers’ information if it has a good reason for doing so, for example, to market new products. You must make people aware when you’re collecting their data that it will be used for marketing and other purposes. The most effective way is by issuing a privacy notice (also known as a fair processing notice or FPN), which you can also display on your website. This explains who will be using their personal data and what the business will use their personal data for.”

Storing customer data for marketing purposes

“Ensure that personal information is kept secure at all times – for example, data stored on mobile devices should be kept to a minimum. It is also good practice to regularly review databases to ensure that data is accurate and up-to-date.

“It is important that customer data is only stored for the purpose it is collected and only for as long as it is required. For example, don’t keep an event delegate list for marketing purposes unless attendees were aware that their details could be used for marketing purposes and you can clearly show that they gave unconditional and clear consent to opt in.”

Opting in and opting out

“In order to send direct marketing communications, businesses must always obtain clear consent and once set up, people must be given the opportunity to opt out and have the right to be forgotten. Make this as simple as possible – for example, clicking an unsubscribe link in an email or “Text STOP to 12345”.

“Retain details of any opt-out requests so that the individuals are not contacted in the future. You should avoid contacting someone who has opted out, unless they are being contacted for another purpose (for example, sending a bill). It is also very important that from the outset that people are told what their rights are how they may enforce those rights with the businesses.

“It is not generally acceptable to include pre-ticked opt-in boxes or to rely on silence as an indication to opt in. With changes to data protection rules due in 2018, businesses should be moving away from opt out to opt in as under the new GDPR businesses will need to be able to show that full unconditional consent has been given.”

Using external databases

“You should always take legal advice before buying an external database. Before a business may use the data, they must introduce themselves to the new customer and explain how they intend to use data, by issuing a privacy notice for example.

“Businesses should check whether any customers have signed up to any preference services – such as not receiving information by post or email. It is also important to scrutinise the details on the new database in case any of the customers have already opted out of receiving communications.”

Sharing your databases

“You may be able to sell or transfer a database if it has all the customers’ consent or it is in the business’ legitimate interest, for example, if it is part of a merger. You may want to allow a third party to manage your data, for example, using a fulfilment house or a call centre.

“Always take legal advice before selling a database or sharing data with another business. You will need to put a formal agreement in place as you will still be responsible for protecting the data.”

What are the penalties for failing to comply?

“If you fail to comply, you could face serious financial, commercial and reputational issues for the business. You could even face criminal prosecution. The key is to be cautious with direct marketing and seek advice.”

To find out more about new data protection rules, which are due to come in in 2018, see Kirsty Davey’s blog on getting ready for General Data Protection Regulation (GDPR).

For advice on these issues, please contact Kirsty Davey at Coodes Solicitors on 01326 318900 or kirsty.davey@coodes.co.uk