ICO fines company for sending spam texts
The Information Commissioner’s Office (ICO) has fined a company £100,000 for sending unsolicited spam texts attempting to solicit leads for financial services institutions. The ICO found that between May to December 2015, the company sent 1,132,149 unsolicited texts to individual subscribers for the purposes of direct marketing.
The government has recently transferred the function of maintaining, and of keeping the Telephone Preference Service and Fax Preference Service (the registers) up to date, from Ofcom to the ICO. This transfer will allow the ICO direct control over how the registers are maintained and direct access to the information they contain. As a result, it is hoped that complaints arising from nuisance calls and faxes will be dealt with more efficiently.
For an overview of the key data protection issues a business should consider when carrying out direct marketing, please continue reading below.
This business development briefing just provides an overview of the law in this area. You should talk to a lawyer for a complete understanding of how it may affect your particular circumstances.
It highlights the key data protection issues a business should consider when carrying out direct marketing. It explains how the business should collect information about its customers (including individual customers, named individuals within a business and businesses themselves) and how to communicate information about the business’ products and services to existing and potential customers.
What are the penalties for failing to comply?
- Serious financial, commercial and reputational issues for the business, including possible criminal penalties.
- A negative impact on the ability of the business to use databases for marketing purposes.
- Reputational loss and the potential to be barred from trade bodies.
What customer data needs to be protected and secured?
- Any information about a customer that is held on computer or in an organised filing system that could identify them (for example, names, addresses or email addresses).
Collecting customer data for marketing purposes
- Generally, a business can only collect information if it has a good reason for doing so (for example, the business wants to market new products to the customer contact).
- A business must make sure that people are aware when the business collects their data that it will be used for marketing and other purposes. The most effective way is by issuing a privacy notice (also known as a fair processing notice (FPN)). A privacy notice is a notice given to an individual to explain who will be using their personal data and what the business will use their personal data for (for example, the notice may say that the business will pass the personal data to third parties (and preferably, name the organisation or the type of organisation) for marketing purposes).
- If a business has a website and intends to collect data using it, the website should include a prominent privacy notice.
- Always take legal advice if the business is planning to collect bank or credit card details, as there are security implications.
Storing customer data for marketing purposes
- Businesses should keep records of their compliance to enable them to provide evidence in the event of a complaint or an investigation by the Information Commissioner’s Office. For example: note the individual’s preferences to receive marketing by fax, telephone, automated calls or post; record when and how they obtained consent and whether this was opt-in or opt-out; record whether the customer is an individual or a business, as different rules apply; have separate databases to distinguish between those individuals to whom the business can and cannot send marketing emails (for example, maintain a suppression list of individuals and businesses that have opted out); or check databases against the relevant preference service regularly and comply with the preference.
- Businesses must ensure that personal information is kept secure at all times (for example, data stored on mobile devices should be kept to a minimum).
- Regularly review databases to ensure that data is accurate and up-to-date.
- A business must make sure customer data is only stored for the purpose it is collected and only for as long as it is required (for example, do not keep an event delegate list for marketing purposes unless delegates were aware that their details could be used for marketing purposes and were given the opportunity to opt out).
Opting in and opting out
- A business must ensure that people are always given the opportunity to opt in or out of receiving marketing from the business. The business should make this as simple as possible (for example, clicking an unsubscribe link in an email or “Text STOP to 12345”).
- Retain details of any opt-out requests the business receives, so that the individuals who have opted out in the past are not contacted in the future (this is known as “suppressing” the details). If a business simply deletes their details, the business may obtain their data later from another source and will not know that they have opted out of marketing contact.
- Avoid contacting someone who has opted out, unless they are being contacted for another purpose (for example, sending a bill). In this instance, it would be acceptable to include a message from time to time stating that the business would like to send them marketing material and invite them to opt back in.
- It is not generally acceptable to include pre-ticked opt-in boxes or to rely on silence as an indication to opt in. Positive action is required from a customer (for example, returning a form).
Sending solicited marketing
- If an individual or company has contacted a business requesting marketing material, the business can send it out even if they are included in an opt-out list or have registered with a preference service. A preference service holds the details of people who do not wish to receive direct marketing material.
- Individuals and businesses can register with preference services to indicate that they do not wish to receive direct marketing by a particular means (for example, by fax (the Fax Preference Service (FPS), mail (Mail Preference Service (MPS)) or telephone (Telephone Preference Service (TPS)).
Sending unsolicited marketing by post or telephone
- A business can contact individuals and companies on its databases by post or telephone, unless they have stated that they do not wish to receive direct marketing.
- Before sending out marketing, the business must check whether an individual or company has opted out or signed up to the TPS (it is a legal requirement to do so). It is good practice to also check the MPS.
Sending unsolicited marketing by automated calling system, SMS, fax or email
- A business will generally need specific prior consent from individuals (including named individuals at a company), but not businesses, to send unsolicited marketing by SMS, fax or email.
- Before sending out marketing to individuals (including named individuals at a company) the business should check that the individuals have given their specific prior consent to a particular type of marketing and that they have not opted out or signed up to a relevant preference service.
- Before sending out marketing to a company, the business must check that they have not opted out or signed up to the FPS (it is a legal requirement to do so). It is also good practice to check the MPS.
- If a business has collected a customer’s SMS or email details when selling something to them or negotiating to sell something to them, the business can use those details in future to market the same or similar products to them without prior express consent. This is known as the “soft opt in”.
Using external databases
- A business should always take legal advice if it is considering purchasing an external database to make sure that it gets the rights the business needs to use it effectively.
- Before a business can use the data, the business must introduce itself to the new customer and explain how it intends to use their data (for example, by issuing a privacy notice). In cases where the business requires specific prior consent for marketing purposes (automated calling systems, SMS, email and fax marketing to individuals) the customer must give consent. The purchaser must make careful checks to ensure that the seller has properly informed the individuals and that the consent given to the seller covers such disclosure and use.
- Always check whether any of the customers on the database that the business purchased have signed up to any preference services.
- The business should also check the details on the new database against existing databases to see whether anybody has opted out.
- Although the business may agree with the supplier that it will not supply the bought-in data to any other party, there is generally no way to prevent others from collecting the same data themselves or from sourcing them from somewhere else.
- Bought-in data may not be appropriate for use in targeted marketing campaigns or when data mining.
Selling databases to a third party
- A business may be able to sell or transfer a database if it has all the customers’ consent or it is in the business’ legitimate interest (for example, if it is part of a merger).
- Always take legal advice before selling a database. A business will need to put a formal agreement in place as the business will still be responsible for protecting the data.
Allowing third party access to data held by the business
- A business may want to allow a third party to manage data it holds (for example, using a fulfilment house or a call centre).
- Always take legal advice before allowing a third party access to the data. The business will need a formal agreement in place to deal with confidentiality and security of the data. This applies even if the third party is a group company.