Last week, the Information Commissioner’s Office issued PECR guidelines with updates that are very much in line with the presentations they gave at the ICO conference on March 3rd. The changes impact marketing in two key areas:
Time Limits for Consent – the new guide states that there is “no fixed time limit” in relation to the validity of consent between consent being obtained and the first contact being made.
Essentially, the period between consent and first contact depends on two main factors:
- the expectation of the customer
- the context under which consent was obtained.
The new PECR guidelines reflect this interpretation, stating: “consent … will remain valid as long as it is still reasonable to treat it as an ongoing indication of the person’s current wishes.” At the conference, the ICO stated that, for example, in the case of annual renewals, “it is reasonable that consent may be relied upon 12 months after consent was obtained”. However, during the same presentation the ICO categorically stated that they do not accept the concept of indefinite 3rd party consent. This position is reflected in the new guidelines: “…even if consent is not withdrawn, it will become less reliable as time passes.”
Third party mailing list – the use of a third party mailing list for emails, texts and automatic telephone calls is a tricky area. PECR requires that the customer has notified the data user that he or she consents specifically to the user’s message. Indirect consent, of course, does not meet that requirement as the consumer has not notified the data user – he or she has notified a third party.
Although it is best practice to send marketing texts or emails only where you have yourself obtained consent, the ICO has made it clear that use of third party mailing lists can be acceptable, as long as:
- the third party has made absolutely clear and transparent the use to which the data is to be put. “In essence the customer must have anticipated that their details would be passed to you and that they were consenting to messages from you.”
- you as the data user are cautious and carry out due diligence, seeking evidence that consent covers your organisation and the medium through which you want to communicate – email, text and automated calls each require specific consent for that specific communication channel.
Within the ICO, there is a small team investigating PECR breaches and taking appropriate complaint-based actions, which include civil monetary penalties, enforcement orders, criminal prosecution, and publication of who has been prosecuted and why.
At the Conference, the ICO shared information on the number of PECR investigations which are taking or have taken place.
To date, 296,000 concerns have been reported, as a result of which just 7 monetary penalty notices have been served. In addition, there have been 11 formal undertakings, 19 enforcement notices and – as at 3 March – there were 79 investigations ongoing.
It is clear from the seriousness with which the ICO treats PECR breaches that the ICO, like the recently approved EU Data Protection regulations, is trying to put the individual back in control of their own data. And, for those of us who believe that targeted ‘one-to-one’ marketing is the way to the future, surely making sure that a prospect really wants to receive your message is not such a bad thing?