I was recently attending a training session and a discussion started late in the afternoon about e-mail marketing and making the most of customer lists. There wasn’t much of the day left and after a brief chat, we made a joint decision it would be an ideal first topic for my blog. So a big thank you to everyone for the inspiration to get started!
Connecting with customers is hugely important for all kinds of organisations. Most of us receive lots of e-mails every day for a wide range of purposes including marketing as e-mail is quick, easy to use and can be a highly effective promotional tool.
Using e-mail for direct marketing activities is governed in the UK by the Privacy and Electronic Communications Regulations (the Regulations), regulated by the Information Commissioner (ICO). He is able to impose fines of up to £500,000 for breaching the rules, meaning that getting it wrong can be costly both in monetary terms and irritating your customers.
This blog has some hints and tips on staying compliant although exact practical requirements for your organisation will depend on your circumstances. Therefore it is essential that you read the ICO’s guidance and contact me for further help if required.
In terms of the legislation, marketing is not just the promotion of goods and services by commercial organisations. It also encompasses the communication of aims and ideals, and covers charities and not-for-profit organisations.
Most organisations are likely to undertake solicited and unsolicited marketing. Solicited marketing is where a customer has specifically requested information such as completing an on-line form to request further details about a particular product. The Regulations generally don’t apply here although remember there will almost certainly be other data protection obligations that are relevant.
Unsolicited marketing is where you send marketing material to people, who are perhaps on a client list or in a customer database, when they haven’t specifically asked for it. This will be covered by the Regulations and requires those that you are targeting to have given their permission to use their contact details (in this case their e-mail address) for marketing purposes.
The way in which you obtain consent is likely to depend upon how you are interacting with a customer. Best practice is to have what is called an “opt in” box, where customers have to take positive action (in this case, tick the box) to indicate they are consenting to receiving information. An example of text that could be used alongside an tick box would be:
“Tick this box if you would like to receive information about our goods and services by e-mail.”
The Regulations do not require explicit consent and therefore you can use “implied consent”, meaning it is reasonable from the context to assume people want to receive information. However, bear in mind that there are new EU regulations on the horizon and implied consent is unlikely to be compliant if they come into force in their current form. Note that implied consent is not considered to be the same as opting out, discussed below.
The next option is the “soft opt-in”. This is for existing customers in the following circumstances:
- Contact details have been obtained during the course of a sale;
- You are only marketing your own similar products or services; and
- People are given an opportunity to opt out of marketing both when details where first collected and in every message after that.
Again, it is questionable whether the soft opt in will comply with the proposed regulations once they come into force, therefore you may wish to consider changing your procedures to opt in if you are currently relying on the soft opt in.
The final option is an “opt out” box. An example of text alongside an opt out box would be:
“Tick this box if you do not wish to receive information about our products and services.”
It is generally recommended that this option is only used as part of a soft opt in. Relying solely on an opt out is unlikely to meet your legal obligations as not ticking a box does not necessarily indicate a person is consenting to receiving marketing information.
There are other requirements when using e-mails for marketing purposes. In every communication you must always tell people who you are, provide contact details, and a mechanism for people to unsubscribe from your marketing communications.
Also don’t forget about your other types of marketing, for example, by post, telephone (recorded or live), and fax, all of which are covered to some extent by the Regulations and may require consent.
Note that the Regulations only apply when sending marketing communication to personal e-mails although this includes sole traders and partnerships. To stay compliant, you may wish to consider having one policy for all e-mail marketing that follows best practice for personal e-mails. This will be particularly important for business to business marketing where organisational structure may be unclear from an e-mail address.
As always, you can contact me if you require further consultancy and advice on the practical implementation of data protection requirements.
Tkm Consulting is managed by Liz Taylor. Liz has helped organisations with managing information and records management for the past 20 years. Tkm offers a number of consultancy and training services, specialising in information-related legislation applicable across the UK. We offer data protection compliance audits and can also provide data protection officer (DPO) as a service.
Data Protection Consultancy Services
At Tkm we offer practical help through consultancy services ideally suited to a wide range of public and private sector businesses.
Tkm provides data protection consultancy and Data Protection Officer as a service. We also offer advice and consultancy on:
- information and records management
- information governance including information asset registers and records of processing activities
- for public sector organisations, help with complying with freedom of information legislation and environmental information regulations. Tkm can also assist Scottish public authorities with public records legislation and records management plans
- auditing data protection compliance and assessing current levels of data protection compliance
Data Protection Training
Tkm is highly experienced in the field of data protection as well as the design and delivery of training. Tkm is approved by a number of awarding bodies to deliver management-level qualifications in compliance, including the BCS, SQA, BIIAB and REHIS. For our courses in data protection, see our data protection training page.
The material contained on this site and in the blogs constitutes general guidelines only and does not represent to be advice on any particular matter. No reader should act on the basis of material contained within this site without first taking professional advice appropriate to their particular circumstances.