We commented recently on here about the new ICO Guidance document¹ and have suggested that it is compulsory reading for anyone engaged in bulk email marketing. Most of its thrust is towards consent and it is reasonable to conclude that this signifies tighter control, and a restricted view, on what consent constitutes. We cannot say that we have not been told.
Consent is defined as²:
“any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”
This was later modified³ to say that the receiver:
“has previously notified the [sender] that he consents for the time being to such communications being sent by, or at the instigation of, the [sender]”.
It is essential to have systems established in your business to ensure not only that you comply with the requirements of the legislation but, probably equally importantly, that you can demonstrate you have the necessary permission.
Customers are more than ever willing to complain if they believe that they have been the subject of bulk email marketing without consent. Your company may well be at risk unless you can produce full details of their subscription. It is up to you to prove consent rather than the complainant to prove otherwise.
In order to ensure you can show you have complied, it is advisable to retain:
1. The date of subscription to your email marketing list
2. The information you provided at the time and subsequently
3. The method that they used (i.e. online, on a business communication, at a trade fair, by phone, etc.)
4. Who obtained the consent if in person
5. What other information was provided by the customer when they subscribed
6. Records of any double opt-in or of any follow-up email sent after the original opt-in (this would be a substantial defence)
7. How many marketing emails had been sent to the customer previous to their complaint
8. If they opted-out before their complaint, records of the process you went through and whether any marketing emails were sent after you received their opt-out. Reasonable ‘slippage’ is allowed
As you have no doubt worked out, this is the sort of information you should be keeping in any case, so there would be little excuse for it not being available.
For consent to be valid you must prove is was:
A. Freely Given: There must have been a free choice, without undue pressure.
B. Specific: They must be fully aware of what kind of communication they have consented to: email, direct mail, etc.
C. Informed: It must be clear what you are going to do with the information they supply. No small print, no tortuous click-throughs, no waffle.
D. Agreement signified: Agreement cannot be assumed by a failure of the person to, for instance, unclick a box.
It is probably not an exaggeration to suggest that the legislators are likely to concentrate on consent for bulk marketing emails in future. It is not enough to just follow the rules. You need to be able to show you have complied: a significant difference.
¹http://www.ico.org.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/direct-marketing-guidance.pdf
² European Directive 95/46/EC
³ European Directive 2002/58/EC
The phrase “consents for the time being” is of note. This tends to suggest that consent is not forever in all cases.