Direct marketing and the Data Protection Act

Home

Members

Services

News & Info

Entertainment

Help

Content Starts Here

Direct marketing and the Data Protection Act

Data Protection Act 1998

The Data Protection Act 1998 ('the DPA') regulates the use of personal data for direct marketing purposes. Personal data must be processed lawfully and fairly and the consent of the data subject is required unless processing can be said to be in the data controller's 'legitimate interests'. Personal details given for one purpose, such as handling a customer's order, should not be passed to third parties for direct marketing purposes without the customer's consent 'Sensitive data' must not be processed without explicit consent.

Under the DPA an individual has an express right to object to the use of his or her personal data for the purposes of direct marketing. This usually means that an 'opt-out' must be given for direct marketing, and sometimes an 'opt-in' is required.

The Privacy and Electronic Communications (EC Directive) Regulations 2003

The Regulations protect personal data in all kinds of electronic communication, including e-mail and the Internet as well as voice telephony, fax and text messages. The requirements of the Regulations are in addition to those under the DPA.

What is covered by the Regulations?

The Regulations prohibit:

the use of unsolicited calls for direct marketing purposes where (i) the called line is that of a subscriber who has previously notified the caller that such calls should not be made on that line, or (ii) the number is listed on a recognised opt-out register;

the use of unsolicited faxes for direct marketing purposes where the called line is that of (i) an individual subscriber, unless the subscriber has previously consented to such communications, or (ii) a corporate subscriber who has previously notified the caller that such communications should not be sent on that line, or (iii) an individual or corporate subscriber where the number is listed on a recognised opt-out register;

the use of an automated calling system for direct marketing purposes where the called line is that of an individual or a corporate subscriber, unless the subscriber has previously consented to such communications;

the use of unsolicited e-mails (including text messages) to individual subscribers for direct marketing purposes unless (i) the recipient has previously consented, or (ii) the sender obtained the contact details in the course of a previous dealing, and the email concerns the sender's similar products and services only; and unless the recipient is given a simple means to opt-out of such emails;

unsolicited communications by e-mail (including text messages) to individual or corporate subscribers for direct marketing purposes where the identity of the sender is disguised or concealed, or no address is given to which the recipient can request that such communications cease.

Implications for Marketing Teams

A business that uses direct marketing methods must (a) make sure of the source of any database it uses; (b) have a system for obtaining any necessary consent; (c) delete from its database the details of individuals who have asked not to receive direct marketing communications, or have registered with an opt-out register; (d) check with the relevant opt-out register on a regular basis; (e) provide the required information in connection with all direct marketing; (f) provide an opt-out where required.

Enforcement

Failure to comply with the Regulations can result in payment of compensation to the person affected or enforcement proceedings as set out in the Data Protection Act 1998.

This document reflects the law as at January 2004. It does not purport to be comprehensive or a substitute for specialist legal advice in individual circumstances.

Download a copy of the full guidelines in PDF format