Marketing is a cornerstone of a company’s growth strategy and the techniques and technical capability continue to develop at a pace, but I must admit, I am no expert, far from it. I am though a data protection consultant and I do understand the requirements of the legislation as it applies to marketing. I also accept that in an evolving sector, the legislation, some dating back to 2003, is not always reflective of the world today.
I am sure we can agree that the life blood of any marketing activity is personal data, our identity, our contact details, our location as well as our spending habits or interests. Personal data is an extremely valuable commodity and has global appeal, but the exponential increase in the use of the internet and the globalisation of data has led to some abuse. It is the misuse of personal data that has driven the need to try and reset the balance of power between the man and woman on the street and the collectors and users of data.
So, there are two pieces of legislation that need consideration when it comes to marketing, firstly the Privacy and Electronic Communications Regulations 2003 (amended), or PECR for short, and the UK General Data Protection Regulation (retained 2016/679). PECR regulates electronic forms of marketing and will include email, telephone, SMS and facsimile (remember those!). The GDPR does not regulate marketing per se, but it has a lot to say about consent and it does concede that marketing is a legitimate interest activity. These two pieces of UK legislation need to be juxtaposed to get to a comfortable position.
In this piece, I will focus on the use of consent ‘opt in’ boxes on web forms because this seems to be a cause of some confusion. The PECR instructs that the use of unsolicited email marketing to individuals (including sole traders and loose partnerships) can only be undertaken by consent. There is a caveat to this, and it is called the ‘Soft Opt In’. To explain, soft opt in is where you already have someone’s contact details on your CRM or email contacts or whatever means you use, and you received those details during the course of a sale, or the negotiations of a sale with that person. You will not need to get consent providing you have provided them with the option to withdraw consent on each email you have sent.
The PECR is only concerned with individual people and is not interested in corporate entities, or ‘legal persons’. So, what about marketing to the corporations, limited companies, LLPs and other corporate bodies? Well, the UK GDPR regards this as a legitimate interest activity, and so even if you use personal data in the address, i.e., ‘Jon Doe@corporate.org’ then this is still something that can be done without consent, using the legal basis of, well, Legitimate Interest! There is a caveat to this too, in that you will need to conduct a legitimate interest assessment to ensure the balance of power is, you guessed it, balanced. Also, an individual has the right to object to marketing by legitimate interest and is effectively the reverse side of the consent coin.
To the point about opt in boxes on web contact forms. Remember under PECR, unsolicited contact is regulated, but if someone puts their contact details on your webform and requests a brochure, download or a call back, then that return contact is not unsolicited and therefore does not need consent. But should you wish to remain in contact and the person has not bought anything from you, then you will need consent to follow up. Consent must be freely given, informed and an affirmative indication of the person’s wishes. It has to be opted in, not opted out.
Hold on though, business to business marketing does not need consent, it is a legitimate interest activity! Yes, it is, but unless you have a sophisticated and fool proof way of segmenting your contacts, then how do you tell who is coming to the website and completing the form (other than email domains but that is pretty unreliable).
On balance it is much more straight forward to provide a consent-based approach to electronic marketing across the board for contacts from your website. Generally marketing platforms handle consent and consent suppression very well, keeping you on the right side of the law(s). Electronic marketing, it all its forms, create the bulk of complaints to the UK Regulator and in turn, they are most active in awarding significant fines to marketing companies who feel they can play fast and loose with people’s data.
It is complex, but it does not stop you marketing your goods or services. If you want some support and guidance to grow your business on the right side of the law, get in touch. email@example.com