1. Legal Rules for Direct Marketing
– How to avoid the “Spamming”
label
mobileSQUARED Conference:
Permission Based Marketing:
3 October 2011
Nick Graham
Partner
SNR Denton, London
nick.graham@snrdenton.com
9196005.01 1
2. Overview
The legal rules
When does “customer data” constitute “personal
data”?
When do I need prior consent?
Do customers need to “tick a box”?
What is the “soft opt-in”?
When do I need to offer an opt-out?
Do I need consent for use of cookies?
Enforcement risk
2
3. About SNR Denton
SNR Denton is a client-focused international legal practice
delivering quality and value.
We serve clients in key business and financial centres from 60
locations in 43 countries, through offices, associate firms and
special alliances across the US, UK, Europe, the Middle East,
Russia and the CIS, Asia Pacific, and Africa, making us a top 25
legal services provider by lawyers and professionals worldwide.
SNR Denton offers clients premier service and a disciplined
focus in eight key industry sectors: Technology, Media and
Telecommunications; Energy, Transport and Infrastructure;
Financial Institutions and Funds; Government; Health and Life
Sciences; Insurance; Manufacturing; Real Estate and Retail and
Hotels.
3
5. Legal rules
EU law
– Data Protection Directive (95/46/EC)
– Privacy and Electronic Communications Directive (2002/58/EC)
UK law
– Data Protection Act 1998 (“the DPA”)
– Privacy and Electronic Communications (EC Directive)
Regulations 2003 (SI 2003/2426) (“the e-Privacy Regulations”)
Enforcement
– UK Information Commissioner’s Office
– The Regulator can serve Enforcement Notices and fine up to
£500,000 per breach
5
7. When do the rules apply?
The DPA and the e-Privacy Regulations apply if you send marketing or
advertising by electronic means such as by telephone, fax, email, SMS
or automated calling system
The DPA also applies to any processing of personal data by a data
controller. Any data from which customers can be identified constitutes
“personal data”
You assume legal risk for any breaches by marketing agencies or other
service providers
Special rules apply to use of cookies and location data
7
8. When do I need prior consent?
Channel Consent required?
Email Yes (unless the “soft opt-in” applies)
Telephone Collect consent or rely on a TPS
check
Fax Yes
Post No
Automated calling system Yes
(ie. sending an individual a recorded
message
Use of cookies Yes
(unless the limited exemption
applies)
Use of location data Yes
8
9. Does the Customer need to “tick a box”?
Consent means: “freely given, specific and informed
indications of the data subject by which the data
subject signifies his agreement to personal data
relating to him/her being processed”
ICO Guidance: data subject must “signify his/her
agreement for the consent to be valid
This is what the European law makers refer to as
“opt-in” (“opt-out” means proceeding without consent
until you receive an opt-out request)
You can obtain consent either by having customers
“tick a box” or using “alternative consent models”
9
10. E-marketing rules – the e-Privacy Regulation
Regulation 23: you must not transmit, nor instigate the transmission of, unsolicited
communications for the purposes of direct marketing by means of electronic mail
unless the recipient has previously notified the sender that he consents for the time
being to such communications being sent
Soft opt-in: you may, however, send, or instigate the sending, of electronic mail for the
purposes of direct marketing where:
– you have obtained the relevant contact details in the course of sale or negotiations
for the sale of a product or service to that recipient
– the direct marketing is in respect of your similar products and services only; and
– the recipient has been given a simple means of opting out (free of charge) both at
the time the customer data was initially collected and on each subsequent
communication.
A subscriber shall not permit his line to be used in contravention of the opt-in requirement
(call centres beware!)
10
11. When do I need to offer an opt-out?
Under Section 11 of the DPA, any individual is entitled to opt-out of any
processing of their personal data for direct marketing at any time
Section 11 of the DPA defines “direct marketing” as: “the
communication (by whatever means) of any advertising or marketing
material which is directed to particular individuals”
11
12. Use of Cookies
Use of Cookies
Article 5(3) of the revised e-Privacy Directive says that:
– Use of cookies is only allowed on condition that the subscriber or user has given
his or her consent (opt in) having been provided with clear and comprehensive
information about the purposes of such processing
– The UK Information Commissioner has given companies 12 months (expiring May
2012) “to put their houses in order” and;
• check what type of cookies/similar technology you use and how you use them
• assess how intrusive the cookies are
• decide what solution to obtain consent would be best in your circumstances
• you cannot rely on browser settings to establish consent
12
13. New EU Data Protection Laws in 2011
The proposal for the new EU Data Protection Laws is expected in November 2011
This will be subject to review and lobbying
This may include:
– Data breach notification rules
– Template “privacy information notices”
– New rules on consent
– New rules on geo-location and other sensitive data
13