Knowing the difference between a service message and one that is marketing to your customers could save your business from ending up on the wrong side of the Information Commissioners Office (ICOThe United Kingdom’s independent ‘supervisory authority’ for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc.).
As the ongoing scenario surrounding Covid-19 creates even more distance between businesses and their current and prospective customers, the drive to increase efficient and effective marketing campaigns continues to intensify. This can be a very difficult area of privacy law to navigate as there are multiple interconnected areas of legislation governing such activities. Aside from the GDPR, there are four other letters which often fill marketers with apprehension. These anxiety inducing letters are PECR, which stand for the Privacy and Electronic Communications Regulations. After all, it is PECR that requires companies to establish consentAn unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed. (or use the narrow exception of the “soft” opt-in) for any business to consumer electronic direct marketing they wish to undertake.
As most marketing professionals will readily admit, gaining consent to send promotional messages is no easy task, often with very small percentages of people actually agreeing to receive marketing material. This mountain has become even harder to climb since the advent of the GDPR, which has raised the threshold for adequately collecting such consents.
What is marketing?
The question we often get asked is what constitutes marketing material? Well if you look to either PECR or GDPR you are going to be disappointed because neither of them defines marketing. So, we have to look at our own regulator in the UK, the ICO, for some guidance. In its recent draft Marketing Code of Conduct it defines marketing as covering any advertising or marketing material, as well as anything that promotes the aims and ideals of the organisation.
Aside from understanding what constitutes marketing, we’re often asked if service messages require the same consent as these promotional contacts? The simple answer is that controllers do not require consent under PECR to send genuine service messages to applicable consumers. Unhelpfully, neither piece of legislation defines what constitutes a service message. Again, we can look to the ICO for a definition of service messages, which it defines as a ‘communication sent to an individual for administrative or customer service purposes only’.
Considering the absence of a need for consent, and that the difference between a marketing and service message can be subtle, the question is when does a service message become a marketing message? Clearly anything that is advertising goods or services is going to be a marketing message rather than a service message.
If we look at a recent ICO enforcement action against EE, who wrote to all its customers telling them about the existence and details of their online billing appAn application, downloaded by a user to a mobile device.. This was a service message, as it was informing customers how to use its existing service better. Essentially, the customer would suffer detriment if they did not have the information and EE is not attempting to increase its revenue or promote its ideals in simply informing the customer of this service. Crucially in this case however, it then went on to add in the same message, that if customers upgrade to the app they could receive a deal on a new phone.
Clearly, at this point EE is trying to sell phones, which is a promotional activity, and elevated the entire communication into a marketing message. Unfortunately for EE it did not have consent to send marketing messages to most recipients, and as such, it was fined for sending unsolicited marketing communications.
Whilst that example is noticeable, even subtle promotion of an organisation can turn a service message into a marketing message. For example, a children’s charity sends out a report to its supporters detailing child poverty in the community, this in itself is a service message. However, if the charity then goes onto say it is working to eradicate poverty through its wonderful programs, it can turn the whole report into a marketing message. Why? Because the charity is promoting its aims and ideals. It doesn’t matter if it’s a 100-page report with only one mention of activity which details its aims and ideals, it still turns the entire report into marketing and consequently requires all of the formalities demanded by the PECR in this circumstance.
Another limb of consumer contact which does not require these PECR formalities, but often falls foul of the temptation to discretely promote to consumers, is market research. Approaching consumers for such purposes is not excluded under the PECR, however the act of covertly applying promotion during such research (known as “sugging”) or attempting to drum-up fund raising (“frugging”) is strictly prohibited. If the researcher is simply enquiring about the desired features and benefits or thoughts on a particular product, this is reasonable. However, if the researcher begins to detail the key features of a product and covertly selling the benefits to the research participant, their actions will constitute marketing activity.
It is highly tempting for a business to use the information gained during their research programmes to directly market future products and services in-line with the insights they have gained during the interactions with participants. It’s important to note that even in the absence of overt sales messages present during the research interaction, the intended future use of personal dataInformation which relates to an identified or identifiable natural person. for such direct marketing will constitute “sugging” and therefore constitute a breach under the PECR (and not to mention the disregard of the principles of data processing under the GDPR).
What are the conclusions that we can draw from this? Firstly, the rules created by PECR are here to stay, albeit in a brand-new E Privacy Directive that the UK may well still sign up to even though it is unlikely to be introduced into EU law until after the UK leaves the EU. Regardless whether the PECR will be engaged or not, the controller will always need to respect their obligations under other areas of the law, not least the requirements of the GDPR.
As the examples above demonstrate, there can be very subtle differences between activities such as market research, service messages and marketing, of which different requirements apply. It is crucial to build privacy in from the very start of the planning processA series of actions or steps taken in order to achieve a particular end. to avoid breaching your obligations under data protection lawAny law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) that relates to the protection of individuals with regards to the Processing of Personal Data.. Mapping how the contact data has been obtained, which laws and regulations will apply, how the information gained will be used and understanding the purpose of all proposed processing activities will be key to complying with the key areas of law discussed in this article.
The DPO Centre can provide the necessary support to ensure your compliance when marketing and promoting your business to your clients and prospects. Please contact us below for further information and support.
Fill in your details below and we’ll get back to you as soon as possible