Direct Marketing: To Spam or not to Spam?
Direct marketing consists of communications, often unsolicited and sent by email, with the sole purpose of trying to sell or market certain goods or services.
Direct marketing is a very advantageous business tool but if used carelessly can cause nuisance and inconvenience to individual recipients, and to businesses whose networks can be slowed down considerably.
As a result of this, companies are subject to stringent guidelines, involving several statutes, sets of regulations and voluntary codes of conduct, as Trainee Solicitor Bunmi Oduntan explains.
This article will explore, in respect of business-to-business marketing within the UK and EU, the legislation in place in the UK relating to direct marketing, how this applies to companies operating from outside the UK and EU, and the sanctions in respect of a breach of the applicable legislation.
The Data Protection Act 1998 (“the Act”) and The Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) (“the Regulations”)
The rules that apply in relation to business to business marketing emails in the UK are contained in the Regulations and the Act.
The Act applies when personal data is processed (which includes collecting, handling, storing and disclosing), for example, where the company knows the name of the person that they are contacting.
The Regulations apply generally when unsolicited direct marketing emails are sent, and irrespective of whether or not the company processes any personal data or knows the name of the person it is contacting.
The main provisions, relating to business to business marketing emails, are that:
- Companies can send direct marketing emails to other companies without obtaining prior consent to do so.
- Companies do not need to give or be given the ability to opt out of receiving direct marketing emails. However, the Information Commissioner’s Office (“ICO”) recommends that it is good practice to offer an opt-out on each communication and to respect any request to stop.
- Employees whose business email address incorporates personal data (for example, firstname.lastname@example.org), can exercise their right to opt out of receiving direct marketing emails, as an individual.
- Companies must not conceal their identity and address in communications.
The Application of the Act and Regulations to companies incorporated outside the UK and EU
Currently, there is no legal framework to deal with direct marketing emails on an international level as the relevant rules differ significantly between countries. For example in the United States, under the US-Can Spam Act 2003, there is an opt-out provision for individual recipients, whereas UK legislation requires a potential individual recipient to specifically agree to the receipt of direct marketing emails on an opt-in basis.
However, for example, where a company knows the name of the person that they are contacting, the company may be required to register under the Act as processing personal information.
The registration provisions of the Act will apply if either:
- The company is established in the UK and personal data is processed in the context of such establishment; or
- The company is not established in the UK or in any country in the European Economic Area but uses equipment (e.g. computers) in the UK to process personal data.
The following are regarded as being established in the UK:
- an individual who is ordinarily resident in the UK;
- a body incorporated under the law of, or of any part of, the UK;
- a partnership or other unincorporated association formed under the law of any part of the UK; and
- any person who does not fall within paragraphs (a), (b) or (c) but maintains in the UK:
- an office, branch or agency through which he carries on any activity; or
- a regular practice.
Unless the company falls within the above provisions, they are not required to register under the Act as processing personal information. Therefore, they will not be subject to the implications in respect of a breach of the data protection rules, as outlined below.
The sanctions enforceable by the ICO in respect of a breach of the provisions relating to direct marketing emails, as provided for in the Regulations, include to:
- issue an undertaking committing the Company to a particular course of action in order to improve its compliance;
- serve an enforcement notice or ‘stop now’ order where there has been a breach, requiring the Company to take specified steps to comply with the law. Failure to comply is a criminal offence;
- issue a Monetary Penalty Notice, requiring the Company to pay up to £500,000 for serious breaches;
- apply to the court for an order under section 213 of the Enterprise Act 2002 requiring a person to cease conduct harmful to consumers;
- prosecute if the breach also involves a criminal offence under the Act, or if an organisation fails to comply with an Enforcement Notice; and
- report to Parliament on issues of concern.
Presently, there is no provision in the Regulations for directors of companies to be personally liable for breaches committed by their companies. However, in an announcement on 23 October 2016, the Department for Culture, Media and Sport of the UK Government confirmed that it will amend the Regulations to hold directors personally responsible for breaches of the legislation relating to direct marketing contained within the Regulations. This is likely to come into force by Spring this year.
The ICO currently does not have the power to take enforcement action against companies based outside the UK and the EU. However, the question of whether it is possible to seek redress against a foreign company does not appear to have been tested before the English courts in relation to the compensation rights under the Regulations, and private actions for damages may be unfeasible. However, the European Commission has put forward the General Data Protection Regulation (“the GDPR”), which will replace the Act on 25 May 2018. The GDPR expands the scope of EU data protection regulation to subject all businesses that control or process personal data relating to the offer of goods and services to individuals in the EU, whether those companies are based in the EU or elsewhere, to the full jurisdiction of the EU regulation.
If you have any questions please feel free to contact the Company and Commercial department at Silverman Sherliker LLP on +44 (0)20 7749 2700 for more information, guidance or assistance.