Out-Law / Your Daily Need-To-Know

Third party data must be 'properly sourced, permissioned and cleaned' for use in direct marketing under new industry code

Out-Law News | 07 Aug 2014 | 11:25 am | 2 min. read

Companies buying personal data from third parties to use in direct marketing campaigns must "satisfy themselves" that data was "properly sourced, permissioned and cleaned", according to a new industry code developed by the Direct Marketing Association (DMA).

The trade body said its new DMA code, which its members will have to abide by from 18 August, has been developed to "address customer concerns about one-to-one marketing such as data sharing".

The DMA said the new code, which it has encouraged non-member companies as well as members to follow, requires companies to go above and beyond the regulatory obligations they face when engaging in direct marketing activities.

While the code stresses the need for companies adhering to it to comply with the Data Protection Act, Privacy and Electronic Communications Regulations (PECR) and other legislation relevant to direct marketing activities, it also includes a number of additional rules to moderate marketers' behaviour, including in relation to how they use personal data.

The code requires marketers that collect personal data during survey exercises or for research purposes to make it "conspicuously clear" to individuals where they also intend to use that data for another purpose, such as to marketing to that individual.

The code also explains broadly what marketers have to do when they want to use personal data collected by third parties for direct marketing purposes.

"When buying or renting personal data, members must satisfy themselves that the data has been properly sourced, permissioned and cleaned," according to one of the rules under the new code.

Industry watchdog the Direct Marketing Commission will enforce the DMA code when it comes into force on 18 August. The Commission can recommend the suspension or expulsion of companies from membership of the DMA if it finds they are in breach of the DMA code and can refer complaints it handles to enforcement bodies such as the Information Commissioner's Office (ICO) which has the power to issue fines of up to £500,000 against companies that are found to have acted in breach of the provisions under PECR that relate to direct marketing activities.

DMA executive director Chris Combemale said: "We've taken a new approach to self-regulation that recognises the need to focus on principles that go above and beyond compliance with the law. It's perfectly easy to follow all of the details of regulation and yet fail to meet the expectations of the customer, such as how you use their data. Our code centres on five principles to inspire the industry to serve each customer with fairness and respect. Marketing with customers not at them is imperative to fostering trust and achieving commercial success.” 

PECR generally prohibits organisations from transmitting or instigating the transmission of unsolicited communications to consumers for the purposes of direct marketing by means of electronic mail unless the person receiving the mail has notified prior consent for the messages to be sent or other limited exceptions apply.

The marketing companies also must not disguise or conceal their identity in the messages or use invalid addresses where recipients of the messages would send responses to ask for the messages to stop being sent.

Companies can send direct marketing via electronic mail to consumers if they have "obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient", where the marketing is for "similar products and services only" and providing the recipient has a "simple means" to refuse the use of their contact details for that marketing "at the time of each subsequent communication". Recipients must not be charged when opting out other than what it costs them for the "transmission" of their refusal, according to the regulations.

Last year the ICO published guidance for businesses on how to comply with PECR when engaging in direct marketing activities. The watchdog told Out-Law.com earlier this year that those rules still apply after the DMA attempted to provide its own clarification to its members about the requirements they need to meet to ensure they have individuals' consent to direct marketing when their details have been sold to them by third parties.