Data Protection and Email Marketing
August 16, 2010
When a site stores personal details for subscriptions, memberships or the like, there are certain legal regulations it has to take into consideration to stay on the right side of the law. The Data Protection Act sets out eight principles for the lawful processing of data. Generally, individuals’ personal data such as name, phone number or address should be used in the way envisaged by these principles, and individuals have certain rights under the Act, such as the right to ask for and see the information a site holds about them – known as subject access requests. The body which presides over the Act and ensures compliance is the Information Commissioner’s Office (ICO), which provides a wealth of guidance materials for businesses.
Beyond the Data Protection Act there are a number of other laws which clarify and add to the obligations placed upon businesses when using data.
The Privacy and Electronic Communications Regulations seek to regulate the collection and use of an individual’s contact details for marketing purposes. This would cover sending marketing emails to individuals after having obtained their email address in exchange for a newsletter or an eBook.
A key question here is whether the individual has to specifically opt in to receive certain types of communication, or whether it is sufficient to give them an opportunity to opt out of certain uses you may want to make of their data.
For most forms of marketing, the general principle under the Regulations is that of ‘prior consent’, namely the individual should ideally give consent to the use of their details envisaged by the business before they can be contacted. In practice this consent can be sought by providing an ‘opt-in’ or an ‘opt-out’ tick box at the point of collection. The difference between the two is that of an individual expressly permitting or prohibiting marketing emails from the business.
An alternative means of showing consent under the Regulations is the ‘soft opt-in’. This is, essentially, where prospective customers or clients provide their details in the course of dealing with the business. Soft opt-ins have a number of conditions attached, namely: the details should be collected in the context of a sale or negotiation of a sale to the individual; the marketing emails should relate to similar products and services only; and the individual must be provided with an opportunity to opt out at the point when the details are collected and every time they receive a marketing email (this can be done by way of an ‘unsubscribe’ link in the email). For more details on best practice for email marketing see the Direct Marketing Association’s guidelines.
For B2B marketing emails, however, the above restrictions do not apply. The opt-in restrictions in article 22 of the Regulations only apply to ‘individual subscribers’ and not ‘corporate subscribers’. But beware of sole traders and partners who are effectively businesses in the guise of individuals. If there are any such individuals in your business database, they need either to be treated separately as individuals, or the whole database needs to provide the opt-out and other facilities required for individuals.
Obviously individuals from companies may, in practice, be providing their individual details, but where, for example, the marketing email is addressed to the company itself and the recipient’s email address is non-personal, then no opt-in provisions should be necessary. That being said, every marketing email should always display the identity and contact details of the sender and, if sent by a company, contain the respective details of the organisation such as the company’s registration number.
In addition to this, any individual can at any time under the Data Protection Act request an organisation to cease or not to begin direct marketing to him. Such a request does not need to wait for the organisation to contact him. It must be complied with in a reasonable time. In practice it often takes time to set up the mechanism, so it may be worth sending him a brief email saying that his message has been received and will be acceded to, but that it may take a week or so to set this up, in which case it is just possible he will receive another direct marketing email in the meantime. It is good practice to keep all such requests in a Stop List, to be run against any future mailing before it goes out, so that if at some future date the organisation acquires his details again it does not start sending him more direct marketing material. This particular opt-out is not confined to emails but may apply to other types of communication.
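The soft opt-in conditions above and the Stop List check described in this paragraph are both gating decisions that a mailing system has to make before every send. The following is an added example (not code from the original article, and not any particular Email Service Provider's API) that encodes those two checks in one place: a subscriber record carries its consent basis, a soft opt-in is only honoured when all three stated conditions hold, and every recipient is run against a normalised Stop List last, so a re-acquired address stays suppressed. The `Subscriber` fields, the `StopList` class and the sample addresses are all assumptions constructed for the example.

```python
"""Consent gating and Stop List suppression before a marketing send.

Added example: the data model and sample records below are constructed
assumptions, not the article's or any provider's real code.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple


def normalize_address(addr: str) -> str:
    """Canonical form used for matching, so 'Erin@Example.com ' and
    'erin@example.com' are treated as the same person on the Stop List."""
    return addr.strip().lower()


@dataclass
class Subscriber:
    email: str
    consent: str                          # "opt_in", "soft_opt_in" or "none"
    collected_during_sale: bool = False   # soft opt-in condition 1
    opt_out_offered_at_collection: bool = False  # soft opt-in condition 3
    product_category: str = ""            # used for the "similar products" test


@dataclass
class StopList:
    """Addresses that have asked not to receive direct marketing.
    Checked last, so it overrides any consent the record claims."""
    _entries: Set[str] = field(default_factory=set)

    def add(self, addr: str) -> None:
        self._entries.add(normalize_address(addr))

    def contains(self, addr: str) -> bool:
        return normalize_address(addr) in self._entries


def may_send(sub: Subscriber, campaign_category: str,
             stop_list: StopList) -> Tuple[bool, str]:
    """Return (allowed, reason) for one subscriber and one campaign."""
    if stop_list.contains(sub.email):
        return False, "on Stop List"
    if sub.consent == "opt_in":
        return True, "express opt-in"
    if sub.consent == "soft_opt_in":
        if not sub.collected_during_sale:
            return False, "soft opt-in: details not collected in a sale context"
        if not sub.opt_out_offered_at_collection:
            return False, "soft opt-in: no opt-out offered at collection"
        if sub.product_category != campaign_category:
            return False, "soft opt-in: campaign not for similar products"
        return True, "soft opt-in"
    return False, "no consent recorded"


def filter_recipients(subs: Iterable[Subscriber], campaign_category: str,
                      stop_list: StopList) -> List[str]:
    """The list actually handed to the mailer: only addresses that pass."""
    return [s.email for s in subs
            if may_send(s, campaign_category, stop_list)[0]]


# Constructed sample data (assumption, for illustration only).
SAMPLE_STOP_LIST = StopList()
SAMPLE_STOP_LIST.add("  ERIN@Example.com ")      # opt-out request received earlier

SAMPLE_SUBSCRIBERS = [
    Subscriber("Alice@Example.com", "opt_in"),
    Subscriber("bob@example.com", "soft_opt_in", True, True, "shoes"),
    Subscriber("carol@example.com", "soft_opt_in", True, True, "books"),
    Subscriber("dave@example.com", "none"),
    Subscriber("erin@example.com", "opt_in"),   # re-acquired, but still suppressed
]


def sample_shoes_campaign() -> List[str]:
    """Recipients for a constructed 'shoes' campaign over the sample data."""
    return filter_recipients(SAMPLE_SUBSCRIBERS, "shoes", SAMPLE_STOP_LIST)


if __name__ == "__main__":
    for s in SAMPLE_SUBSCRIBERS:
        print(s.email, may_send(s, "shoes", SAMPLE_STOP_LIST))
    print("send to:", sample_shoes_campaign())
```

The ordering matters: the Stop List is consulted before any consent flag is read, which is what makes a fresh opt-in record for a previously suppressed address harmless. The unsubscribe link that each soft opt-in email must carry is a property of the message template rather than of this recipient check, and is not modelled here.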
An interesting point to flag up is that the legislation may set the threshold of what is acceptable in relation to email marketing, but the contract with the Email Service Provider may have even more stringent clauses. Some hosting companies may be contractually entitled to seek damages from customers engaged in unsolicited bulk mail. So as a rule of thumb the terms of business from a hosting service should always be reviewed before engaging in direct marketing.
In all, best practice for ensuring compliance with legal requirements is by using opt-in based marketing as much as possible, and stating how you will use personal details (for example, by featuring a link to your privacy policy).
Ultimately, it depends on the business you are in as to how you comply with the requirements of the legislation.
Organisations must in any event provide individuals with information as to their identity, the purposes for which the data is sought from the individual and other relevant matters (e.g. if the data is to be passed to a third party), and all this is usually wrapped up in the general Privacy Policy, on which the Commissioner’s guidance can be found here. You can either link your Privacy Policy to the easy way for individuals to opt out of your emails, or you may wish to put both these requirements (Privacy Policy and Opt-out) on one web page.
However, if you intend to share data with third parties, or to sell the data, then you do need to be careful how you set up your data collection facility, and ensure that the data stays ‘clean’.
It is also important to have a good system in place for handling complaints about unwanted emails. Failure to comply with data protection regulations could prove embarrassing in certain situations, and could even lead to a criminal conviction.