By Rob Masson, CEO of the DPO Centre.
With the COVID-19 pandemic creating increased distance between businesses and their customers, the drive to produce efficient and effective electronic marketing campaigns continues to intensify. Now that it is doing much of the heavy lifting when it comes to cultivating profitable B2C relationships, email marketing has never been a more valuable tool for businesses.
Although email is being used in ever-more new and interesting ways by businesses to market to their consumers, there are clear rules set by UK data protection law that put limitations on how it can be used to ensure that individuals’ privacy and data protection rights are respected. Marketers therefore must be aware of these limitations so that they do not find themselves on the wrong side of the UK Information Commissioner’s Office (ICO).
The line between marketing and service emails
Although UK data protection legislation does not define what constitutes marketing, the ICO has provided some guidance itself in its recent Marketing Code of Conduct. Here, it states that marketing covers any advertising or marketing material, as well as anything that promotes the aims and ideals of the organisation. This is a broad definition that covers everything from communications containing deals or discounted offerings, to the less obvious email newsletter. Essentially, any communication that is trying to get consumers to buy additional goods or services, or promote the organisation in any way, will constitute a marketing message.
Whilst the definition of marketing messages is broad, there are other categories that email communications sent out to consumers may fall into, the most common of which is that of service messages. Again, we have to look to the ICO for a definition: “a communication sent to an individual for administrative or customer service purposes only.”
A service email, therefore, should simply be providing the consumer with the information that you as an organisation are required to give them in order to fulfil your obligations under the contract between you and them. For example, providing a borrower with a schedule of repayments would be a service message.
Although this sounds like an easy distinction to make, it is often not so simple in practice. Despite this, it is one that as an organisation you need to get right because whether a communication falls into the marketing or service bracket has repercussions for your compliance requirements.
Why is this important?
Knowing the difference between marketing and service messages is important because to send B2C marketing messages you must have gained valid consent from the recipients, whereas for service messages this requirement does not apply.
The Privacy and Electronic Communications Regulation (PECR) makes clear that valid consent in the context of B2C marketing uses the same definition that is contained within the UK General Data Protection Regulation (UK GDPR). In other words, the consent must be specific, informed and freely given, and it must be possible to withdraw it easily at any time.
Now as any marketer will know, gaining consent for direct marketing can be somewhat of a challenge. It is perhaps unsurprising then, that organisations are keen to categorise communications as service messages rather than marketing to get around this requirement. Often promotional content is inserted into emails alongside service messages, in the hope that it will go unnoticed, for example, a schedule of repayments (service) alongside an offer for a credit card (marketing). It is important to note that if any part of a communication between your organisation and consumers constitutes marketing or promotional activity, you must gain consent under PECR, regardless of if the communication is partially a service message.
Another consideration when using communications with both marketing and service aspects is that organisations must have two versions of the same service message – one with and one without the marketing element – to accommodate for those individuals who do not give their consent to receive marketing materials but still need to receive the relevant service message. This also relies heavily on the relevant records of consent being kept up to date.
The exception: Soft Opt-in
Whilst consent is required for sending the majority of B2C marketing messages, the soft opt-in exception allows organisations to send marketing to existing customers about similar products or services without gaining explicit consent, provided that they are given the option to opt out.
What constitutes ‘similar products and services’ will depend upon context, and you must consider what the customer would reasonably expect to receive marketing from you about, given your existing relationship. It is clear, however, that the products or services marketed on the basis of soft opt-in cannot be the services or products of a third party. In the context of insurance, for example, where there are often intermediaries involved between the customer and the ultimate insurer, this will limit the applicability of this already narrow exception further.
If you are sending marketing communications, aside from the narrow soft opt-in exception, there is ultimately no way of getting around the requirement of gaining recipient consent. Whilst it may not always be easy to do so, gaining consent is the only way to absolve yourself of the risk of a fine of up to £500,000 for a PECR violation. Perhaps more damaging, however, is the reputational damage that can come from not abiding by data protection laws, particularly in the context of marketing. Data subjects are far more aware of their rights now than ever before and are much less tolerant of being subjected to unsolicited marketing messages, as seen by the huge rise in complaints of this nature being made to the ICO.
Whilst the line between marketing and service messages is not always clear, in disputes regarding PECR violations it is often a highly contested point that ultimately decides the case. Therefore, be clear on where the line is and tread carefully.