
Direct marketing body seeks to clarify confusion around consent to third party marketing

Out-Law News | 16 May 2014 | 5:00 pm

Businesses that sell on consumers' data to third parties that use that information to engage in direct electronic marketing may not have to inform consumers of the identity of each of those third parties to comply with UK privacy laws, the Direct Marketing Association (DMA) has said.

The advertising industry body said it had consulted with the UK's Information Commissioner's Office (ICO) in a bid to clarify some confusion about how advertisers can practically adhere to guidance the ICO issued last year on direct marketing.

However, the ICO told Out-Law.com that whilst it welcomes the DMA's work "to make its members more aware of the rules around marketing calls and texts" it does not endorse the trade body's clarifications and added that its September 2013 guidance still applies.

“It’s important to remember that the guidance we produce is carefully worded to reflect the law we regulate, and companies shouldn’t think that because they find the law complicated, it doesn’t apply to them,” an ICO spokesperson said.

In the ICO's guidance, which was issued to help organisations understand their obligations under the Privacy and Electronic Communications Regulations (PECR), the watchdog said that third parties cannot claim to have the consent of consumers to the sending of electronic direct marketing messages unless the consumers had "intended for their consent to be passed on to the organisation doing the marketing" when they had engaged with the business that passed on their details.

However, the DMA has cited an example which suggests businesses may not need to list each individual advertiser they intend to share consumers' data with when informing those consumers about that data sharing activity and its purpose, and has given guidance as to the level of specificity required.

It said that advertisers often collect consumer data through surveys, or as a result of consumer queries about a product or service, and often incentivise the submission of this data by consumers by entering them into prize draws. It said, however, that businesses collecting the data may not always make it clear enough to consumers that they may share that data with third parties.

"If host mailings are not going to be used and the data is going to be passed to the third party for its use it can transpire that the consumer is not aware that their email/SMS data may be passed on to third parties because the wording isn't clear, or is buried in a long privacy policy or terms and conditions," the DMA said. "However, in these circumstances the solution is to place clear wording in a prominent position so that individuals are aware that their email and SMS may be passed on to third parties before they fill in their details."

"Here’s an example of how this might work: 'By registering and entering your details you consent to receiving promotional offers from XXXXX (name of organisation collecting the information) and other carefully selected reputable organisations and well-known high street names. You also agree to the terms and conditions of the privacy policy (hyperlink) and the cookie policy (hyperlink) that govern how your information will be processed.' A bad example would be where details of the prize are highlighted while the third-party consent wording appears below the section where consumers complete their details. This could result in a person not seeing the wording and unwittingly passing on their details to third parties," it said.

Data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said the DMA's interpretation would be welcomed by organisations that seek to pass personal data on to third parties for marketing purposes.

"The key will be ensuring that the individuals are actually aware that their personal data will be passed on to the third parties – meaning that the wording cannot be buried in a privacy policy or behind a hyperlink, but must be a prominent part of the data submission process," Dautlich said. "The third parties should be specifically named where possible, although this guidance from the DMA offers a real-life example of a level of specificity used to describe a more general category of third parties. It will be interesting to see if the ICO issues further specific drafting guidance to help organisations ensure that they gather valid consent."

The ICO's direct marketing guidance said that "indirect consent" could be said to be valid and compliant with PECR requirements "if it is clear and specific enough".

"In essence, the customer must have anticipated that their details would be passed to the organisation in question, and that they were consenting to messages from that organisation," the guidance said. "This will depend on what exactly they were told when consent was obtained. Clearly, organisations cannot infer consent just because consent was given to a similar organisation, or an organisation in the same group. It must have extended to the organisation actually sending the message as well."

"Indirect consent may therefore be valid if that organisation was specifically named, or if the consent described a specific category of organisations and it clearly falls within that description. But if the consent was more general – eg to marketing ‘from selected third parties’ – it will be very difficult to demonstrate valid consent to a call, text or email if someone complains," the guidance said.

The DMA said that the ICO is to publish a blog on the subject of direct marketing in the coming few months to "address some of the questions raised by the industry" since it published its guidance and that it will review the existing guidelines in the autumn.