SaaS Agreements – Data Protection – Email Marketing and Consent

As a SaaS supplier you will undoubtedly be sending marketing emails in your own name to existing and potential clients to advertise your own products and services, or possibly as a SaaS service on behalf of a customer. In any event you should be aware that the Information Commissioner’s Office (ICO) has issued new guidance on direct marketing, with regard to complying with the Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR) both of which apply to sending direct marketing to consumers (BTC).

Consent

SaaS suppliers must obtain “extremely clear and specific” consent from individuals in order to conduct direct marketing via email or through any other form of electronic marketing i.e. text or via the telephone. SaaS suppliers cannot simply rely upon implied consent unless this is adequate.

Implied consent will not be adequate if:

  • it is obtained via acceptance of a privacy policy which is hard to find, difficult to understand, lengthy, or rarely read;
  • it must be given in order to subscribe to a service;
  • it is not freely given;
  • the individual is not specifically informed about what they are consenting to; and
  • it does not involve a positive action indicating agreement.

Specific Consent

A SaaS supplier must obtain specific consent to the type of communication in question.  For example, if an individual has consented to receive marketing texts a SaaS supplier is not permitted to send marketing emails and vice versa. Also, although a general statement of consent to receive marketing might be valid for email marketing, it will not cover telephone calls or texts as additional rules apply to these forms of marketing under the PECR.

Email Marketing Lists

The ICO guidance specifically refers to the issue of obtaining consent in relation to the use of third party email marketing lists. Often marketing lists are sold to a SaaS supplier or a SaaS customer where the seller claims to have obtained relevant consents from individuals. However, such third party consent cannot be relied upon by the SaaS supplier or the SaaS customer – unless the individual intended their consent to be passed on to the SaaS customer or SaaS supplier (whoever is actually doing the marketing).

SaaS suppliers should also be aware that other regulatory bodies have rules that apply to social media and digital advertising that must also be complied with. For example the Advertising Standards Agency (ASA), the Digital Marketing Association (DMA) and the Office of Fair Trading (OFT) have their own rules.

How to Obtain Consent

SaaS suppliers should use opt-in boxes in order to obtain explicit consent to direct marketing from individuals. Clear records should be kept of all consents, showing when and how such consent was obtained. These records can then be used as evidence if a complaint is made.

On-going Marketing

The context in which consent is obtained will determine whether SaaS suppliers can rely on consent to all future direct marketing via electronic messaging. For example, consent for a one-off message, or consent that is clearly only intended to cover a short period of time or a particular context, will not count as on-going consent for all future marketing messages.

Fines for Breach

The ICO can fine SaaS suppliers up to £500,000 for serious breaches of the DPA or PECR i.e. for sending unsolicited marketing emails, texts or live and automated marketing phone calls.

Therefore if you are a SaaS supplier offering SaaS services to consumers or you have a SaaS customer who uses your SaaS services to send marketing emails to consumers, you need to ensure that you follow the ICO guidance on direct marketing.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com

To learn more about SaaS and cloud computing join me at the Berlin CloudConf 2013 on 5th of December.

To register for my newsletter click here

______________________________________________________

Other related articles: