If you or your organisation send out promotional material directly to individuals, chances are, you rely heavily on direct marketing to attract and target customers, ultimately enabling you to cultivate profitable business-to-consumer (B2C) relationships. Curating effective marketing and sales strategies is crucial to being able to reach your intended audience and tell them about your business and why they should be engaging with you, regardless of industry. However, it is essential to place your consumers’ privacy and their rights under data protection law at the heart of any marketing activities undertaken.
Regardless of whether you market Business-to-business (B2B) or B2C, if your business operates in, or processes the personal data of individuals located within the UK, you must comply with the following regulations:
In this blog, we will be delving into how to select the correct Lawful Basis, Legitimate Interest Assessments (LIA), and how to obtain clear consent for B2C marketing.
Direct marketing is any type of advertising or promotional material aimed at a particular person. Done correctly, it’s an important aspect of developing and growing any business as it allows you to further your aims, connect with your customers, and ultimately increase trust in your brand.
If your organisation uses direct marketing, the rules will apply if you contact your customers about:
Direct marketing can come in many forms, including electronically via email, SMS, and via telephone calls, or via more traditional postal methods. The important thing is that a direct marketing message a) promotes the organisation in some way and b) is being sent directly to an identified individual, such as via someone’s own email address, phone number, or home address.
Furthermore, it’s important to note that direct marketing is not just about sending messages to a customer. It can include a multitude of activities that will either enable or support you in sending direct marketing – but more on that later.
Before your marketing team devises a sensational campaign idea, it’s important that you consider how you’re going to direct market responsibly. You should consider these four key areas when conducting direct marketing:
At this stage, your organisation needs to identify whether or not what you want to do is considered direct marketing. As previously mentioned, it includes all the activities you do with people’s information that lead up to, directly enable, or support your direct marketing messages. You need to consider why you are doing something as opposed to just what the activity itself is.
Nine times out of ten, it will be apparent to you whether what you intend to do is direct marketing. If you are still unsure, you should think about why you want to use the information, why you want to communicate with people, and whether the content is promotional.
Do direct marketing rules apply to service messages?
When communicating with your customers, telling them about important information that they need to know as part of their relationship with you (e.g. to inform them that their monthly payment failed, of disruptions to service, or about your updated opening hours), the rules around direct marketing do not apply. But, if you are processing personal data in order to send these messages, the normal rules enshrined in the UK GDPR and DPA 2018 will.
At this stage, a data protection by design approach is essential. Planning your direct marketing before you start means you can ensure that you are complying with the law. This is where you need to establish your lawful basis for your direct marketing and how you will ensure that the information you process is accurate and not kept longer than you need it.
With regards to lawful basis, you have the choice of two: Consent or Legitimate Interests.
If you want to rely on Consent as your lawful basis, you must ensure that it is:
Freely given – You must give your subscribers choice and control over whether or not they choose to consent to receive direct marketing. You must provide a clear and easy opportunity for your subscribers to refuse consent without detriment. Even if your subscribers choose to freely consent, you must still continue to provide them with the option to withdraw their consent at any time.
Specific and informative – You need to clearly explain in plain terms what the subscriber is giving their consent for, who wants to rely on consent (either your organisation or a third party) and how people can withdraw their consent.
Unambiguous – In order to lawfully obtain consent, a deliberate and specific action must be taken by an individual indicating they agree. Remember that pre-ticked boxes do not show consent.
If you are conducting B2C direct marketing that falls under PECR (electronic methods of marketing such as email, text, and automated phone calls), the general rule is that you need consent in order to send such marketing messages.
If your direct marketing activity doesn’t require consent under PECR, then you may be able to rely on legitimate interests if you can show that the way you use people’s information is:
If you wish to rely on legitimate interest as your lawful basis, then you will need to conduct a Legitimate Interest Assessment (LIA).
The best way to ensure your LIA is conducted appropriately is to ask yourself the following three questions:
Legitimate interests can be relied upon for B2C marketing that is carried out through non-electronic means such as via post or live telephone calls and is therefore not subject to PECR. In addition, in limited circumstances, organisations can rely on legitimate interests to send B2C electronic marketing where the following criteria are met, known as the ‘soft opt-in’ exception:
When collecting personal data to be used for marketing purposes, it must be collected fairly and transparently. You must tell your customers the reasons you are collecting their personal data and how it will be used. You must be clear about what you want to do, and your privacy notices must be easy to understand. Being transparent about what you’re doing with personal data is a key aspect of data protection law. Under the UK GDPR, you must as a minimum:
Following on from Step 3 which requires you to inform data subjects of their rights, organisations must then ensure that they respect these rights and have mechanisms in place to do so. Individuals have an absolute right to object to or opt out of direct marketing at any time, so you need to provide a clear way for them to do so. For example, having an unsubscribe link at the bottom of every marketing email.
Furthermore, when an individual unsubscribes from receiving marketing, they should not be deleted from your CRM. Rather, they should be added into a ‘do not contact’ list. This will allow you to screen any future marketing email recipients against this list to ensure you don’t send any future direct marketing to them by mistake.
If your organisation relies heavily on direct marketing and you would benefit from some further advice on how to remain compliant with UK data protection law, complete the form below and a member of our team will be in touch.