In September 2013 the Information Commissioner’s Office (ICO) published a lengthy guide to Direct Marketing. The guide covers compliance with the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR) in relation to the sending of unsolicited marketing. SaaS suppliers who are sending unsolicited marketing to SaaS customers and prospective customers should check their compliance with the guidance. Additionally, the Direct Marketing Association (DMA) has also published its own further supplemental guide which provides detailed guidance on how and when to obtain consent to marketing from individuals.
Marketing and the DPA
The DPA applies to marketing where a SaaS supplier is using personal data. For example: if a SaaS supplier is sending marketing emails to a named person i.e. firstname.lastname@example.org. When sends marketing emails to a named person a SaaS supplier must comply with the 8 data protection principles. In particular, the SaaS supplier must give the individual the right to object to any direct marketing (in writing).
Marketing and the PECR
The PECR complements the DPA. It sets out more detailed rules on electronic marketing i.e. email, text messages, fax and telephone calls. Unlike the DPA, the rules apply even if the SaaS supplier does not know the name of the person it is contacting i.e. email@example.com.
The rules under the PECR also vary depending on whether the marketing is sent to a consumer (B2C) or to a business (B2B).
Both the DPA and the PECR require that the recipient consents to being sent direct marketing. Such consent must be informed and must be freely and specifically given. Consent is only valid if:
- it is not a condition to subscribing to a service or completing a transaction;
- the information given is clear, prominent and not difficult to find (so that individuals understand what they are consenting to);
- it is relevant to the type of marketing being sent; and
- there is a positive indication of the recipient’s agreement to receive direct marketing.
This means as a general rule that pre-ticked “opt-in” boxes should not be used to obtain consent.
Marketing Emails and Texts
Where marketing messages are sent by email or text additional rules apply. Consent must be:
- notified; and
- specific to the type of communication.
No express consent is required where:
- a recipient’s details are obtained in the course of a sale (or negotiation of a sale) of a product or service of the SaaS supplier to that individual;
- the SaaS supplier is only marketing their own similar products or services; and
- the recipient had the option to refuse or “opt-out” of the marketing at the time their details were collected, and in every subsequent email.
In order to demonstrate compliance with the rules on consent, SaaS suppliers should keep clear records of:
- what, when and how consent was collected;
- who gave the consent; and
- the information provided to the individual about the consent being given.
In the UK SaaS suppliers must not make unsolicited marketing calls to numbers registered with:
- the Telephone Preference Service (TPS) in relation to individual B2C subscribers; or
- the Corporate Telephone Preference Service (CTPS) in relation to B2B subscribers.
Automated marketing calls can only be made to individuals who have specifically consented to receiving such calls.
Fines for Breach
Breaches of the DPA or PECR can result in a SaaS supplier receiving an enforcement notice from the ICO requiring remedial steps to be taken. Failure to comply with such a notice is a criminal offence. In addition, the ICO can also impose a fine of up to £500,000 for serious breaches.
The above is a general summary of the complicated rules applicable to direct marketing. Before launching any direct marketing campaign, specific legal advice should be taken, in order to check full compliance with the above laws and rules to reduce the risks of substantial fines being imposed for breaches.
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:
Speaker at the Berlin CloudConf 2013.
To register for my newsletter click here
Other related articles:
- SaaS Agreements – Essential Elements
- SaaS Agreements – Essential Elements – SLAs Explained
- SaaS Agreements – FAQs – Prism
- SaaS Agreements – Data Protection – Which Law Applies
- SaaS Agreements – Data Protection – Microsoft must disclose data on EU server
- SaaS Agreements – Data Protection – Update on new draft EU Data Protection Regulation
- SaaS Agreements – Data Protection – The Patriot Act
- SaaS Agreements – Data Protection – FISA customer concerns
- SaaS Agreements – Data Protection – HIPAA
- SaaS Agreements – Data Protection – Safe Harbor Still Adequate
- SaaS Agreements – Data Protection – Cyber Security Issues
- SaaS Agreements – Data Protection – BYOD
- SaaS Agreements – Data Protection – Recent ICO Fines
- SaaS Agreements – Data Protection – Sub-Contractors, Model Clauses
- SaaS Agreements – Data Protection – Liability for Loss of Backup Tapes
- SaaS Agreements – Data Protection – Anonymising Data
- SaaS Agreements – Data Protection – Transfer of Data Outside the EEA
- SaaS Agreements – Data Protection – Policies and Procedures
- SaaS Agreements – Data Protection – German Customers and Data Processing Agreements
- SaaS Agreements – Data Protection – Safe Harbor, German Customers
- SaaS Agreements – Data Protection – Customer Privacy Policies
- SaaS Agreements – Data Protection – New Proposed EU Rules Part 2
- SaaS Agreements – Data Protection – New Proposed EU Rules Part 1
- SaaS Agreements – Data Protection – IT Security Requirements