What Is (or Not) Considered Direct Marketing Communication
Direct marketing communication usually involves an organisation (marketer) promoting a product or service by targeting an individual.
Direct marketing is governed by both the General Data Protection Regulation (GDPR) and Regulation 13 of the ePrivacy Regulations (SI 336/2011) (ePrivacy Regulations). The Data Protection Commission of Ireland (DPC) is responsible for enforcing and regulating direct marketing rules.
Interestingly, event promotion, the promotion of the ethos or culture of an organisation, group or body, the promotion of a ‘Yes’ or ‘No’ vote in a referendum, and even the canvassing of support for candidates standing for elective office is also considered direct marketing.
Types of direct marketing communication may include:
- Emails;
- Texts;
- Telephone calls; or
Where the direct marketing is not sought after or requested (a person has not provided their information at all or has provided it but for a purpose different than marketing), this is known as unsolicited direct marketing.
Direct marketing via postal mail is not covered by the ePrivacy Regulations (as mail is not an electronic communication),but remains subject to the requirements outlined in the GDPR. Unaddressed mail received at one's home or market surveys seeking people's views on say political matters or radio listenership preferences are not covered by data protection legislation as no personal data is used.
General Rule
The rules in respect of unsolicited direct marketing vary depending on the communication methods and the intended recipient. However, the general rule for direct marketing as set out under Regulation 13 of the ePrivacy Regulations is that a person shall not use any electronic communications to send to a natural person an unsolicited communication for the purpose of direct marketing by means of automated calling machine, facsimile or electronic mail unless the data subject has consented to receipt of such communication. This is commonly referred to as the Opt-in rule where the person has to actively consent to his/her data being used for marketing purposes.
The ePrivacy Regulations adopt the requirements for consent that are set out in the GDPR. Such consent must be given in advance, freely given, specific, and informed. A person cannot be forced to give you their consent, they must be told what purpose(s) their data will be used for and an unambiguous indication of their consent must be given through a statement or as a clear affirmative action i.e. by opting in. Furthermore, the individual has the right to withdraw consent and/or to object at any time to the use of their personal data for such marketing, including profiling.
Direct Marketing by Telephone
Importantly in relation to telephone calls, the ePrivacy Regulations do not distinguish between unsolicited telephone communications to individuals and those to companies (and all other persons other than natural persons). How they are regulated depends on whether they are calls to landlines, or to mobile phones.
Unsolicited marketing calls to landlines are permitted for the purpose of direct marketing provided the recipient has not notified the marketer that they do not consent to receipt of such a call, or the user has recorded its objection to the receipt of such calls in the National Directory Database (Opt-out rule applies).
Unsolicited marketing calls to mobile phones are prohibited unless the marketer has been notified by that user that they consent to receipt of such calls (Opt-in rule applies), or the user has recorded their consent such communication in the National Directory Database.
Direct Marketing by Email
Individuals – Opt-In Rule Applies
Unsolicited communication by electronic mail to an individual for the purpose of direct marketing is prohibited unless the individual has expressly consented. "Electronic mail” is broadly defined and includes any text, voice, sound or image message including an SMS message sent over a public communications network.
Regulation 13(11) sets out limited circumstances where a direct marketer may not require consent from the individual in respect of direct marketing emails when sent to an existing customer. This is commonly referred to as the Soft Opt-in rule. A person should not email a natural person for direct marketing purposes unless all of the following criteria are met:
- The contact details were collected in accordance with data protection law in the context of the sale of a product or a service to that individual.
- The product or service being marketed is the relevant company/person's own product or service.
- The product or service being marketed is of a kind similar to that supplied to the customer in the context of the initial sale.
- The customer is clearly and distinctly given the opportunity to object, in an easy manner and without charge, to the use of their contact details for direct marketing, both at the time the details are collected and also each time a direct marketing message is sent to that individual.
- The initial sale occurred within the previous 12 months, or that customer has been sent a compliant direct marketing message offering them the chance to opt out, which they did not take, within the previous 12 months.
Companies – Opt-Out Rule Applies
The same rules do not apply to electronic mail communications to companies. In respect of a body corporate, the use of automatic dialling machines, email or SMS for direct marketing is permitted provided that the body corporate has not recorded its objection in the National Directory Database (NDD) or it has not opted out of receipt of direct marketing communication.
There is also a soft opt-in for business-to-business emails, i.e. sending emails to an email address that reasonably appears to the sender to be an email address used mainly by the subscriber or user in the context of their commercial or official activity provided that the email relates solely to that commercial or official activity does not require such recipient’s prior opt-in consent.
Penalties
Under the e-Privacy Regulations, the penalties for sending electronic communications in breach of restrictions are:
- on summary conviction, a fine of €5,000; or
- on indictment, a fine of €250,000 where the offender is a body corporate or, in the case of a natural person, a fine of €50,000.
A court order for the destruction or forfeiture of any data connected with the breach may also be issued. Each communication that amounts to a breach constitutes an independent offence under the e-Privacy Regulations. Where a breach of the GDPR occurs in relation to marketing communications, the organisation may be subject to an administrative fine under the GDPR.
For more information, please contact Gergana Moran your usual Beauchamps contact.