Businesses often rely on direct marketing to attract new business so it is important to understand key data protection issues before carrying out any direct marketing activities.
There can be serious repercussions for any business that does not comply with data protection rules, including serious financial, commercial and reputational damage, possible criminal penalties, a negative impact on the ability of businesses to use databases for marketing purposes and the potential to be barred from trade bodies.
Customer data that needs to be protected and secured
A business must protect and secure any information about its customers held on computers or in organised filing systems which could identify them, known as personal data (for example, name, address or email address).
Collecting customer data for marketing purposes
Businesses should only collect information if they have a good reason for doing so. When personal data is collected, customers must be informed that it will be used for marketing and other purposes, this is usually achieved by issuing a customer privacy notice. Special rules apply if a business plans to collect customer bank or credit card details due to the enhanced security implications.
Storing customer data for marketing purposes
Businesses should maintain compliance records, detailing marketing preferences, consents obtained and customer designations (as either individuals or businesses). Customer information must be kept secure and databases should be regularly reviewed to ensure that data is accurate and up-to-date. Customer data must only be stored for the purpose it is collected and for so long as it is required.
Opting in and opting out
Customers must be allowed to opt in and out of receiving business marketing information and details of these preferences should be maintained. Care must be taken to avoid contacting those who have opted out, unless they are contacted for another purpose (for example, sending a bill). It is not generally acceptable to include pre-ticked opt-in boxes on websites or to rely on silence as an indication to opt in. Instead positive action is required.
Sending solicited marketing
If a customer has contacted a business requesting marketing material it can be sent out even if the customer is included in an opt-out list, or has registered with a preference service. A preference service holds details of anyone who does not wish to receive direct marketing materials. Individuals and businesses can register with preference services to indicate that they do not wish to receive direct marketing by a particular means, for example the Mail Preference Service (MPS), Fax Preference Service (FPS) or Telephone Preference Service (TPS).
Sending unsolicited marketing by post or telephone
Businesses can contact customers by post or telephone unless they have stated that they do not wish to receive direct marketing. Before doing so, businesses must check whether a particular customer has opted out or signed up to the TPS (it is a legal requirement to do so). It is also good practice to check the MPS.
Sending unsolicited marketing by SMS, fax or email
Businesses generally require specific prior consent from individual customers (including named individuals at a company), but not business customers, before sending unsolicited marketing via SMS, fax or email. Before marketing to individual customers, businesses must check that the relevant individuals have given their prior consent to the particular type of marketing and that they have not opted out or signed up to a relevant preference service.
Before sending marketing to a business customer, businesses must check that they have not opted out or signed up to the FPS as it is a legal requirement to do so.
If a business has collected a customer’s SMS or email details when selling something to them, or negotiating to sell something to them, the business can use those details in future to market the same or similar products to them without prior express consent.
Using external databases
A business should always seek legal advice when considering purchasing an external database to ensure that it gets the rights it needs to use the database effectively.
Before a business can use data contained in an external database, it must introduce itself to the relevant customers and explain how it will use their data. When prior consent for marketing purposes is required, customers must provide such consent. Purchasers must make careful checks to ensure that the seller has informed the relevant individuals, and that the consent given to the seller covers such disclosure and use.
Businesses should check whether any of its customers that have signed up to any preference services are on a database that it has purchased. They should also check the details on the new database against existing databases to see whether anybody has opted out from receiving marketing.
Selling databases to a third party
A business may be able to sell or transfer a database if it obtains customer consent to the same or it is in the business’ legitimate interests to do so (for example, if it forms part of a merger). Always take legal advice before selling a database: a formal agreement will need to be put in place in such circumstances.
Allowing third party access to data held by the business
A business may want to allow a third party to manage data it holds. Again, always take legal advice before allowing third party access to data: a formal agreement will need to be put in place to deal with issues such as data confidentiality and security.
The contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article.
