We often get asked by organisations to clarify what they can and can’t do when it comes to postal vs electronic mail (i.e. email, sms, and potentially DM/IM messages) and direct marketing. We cover this in courses, and Daragh even wrote the guidance on this stuff back in 2011 for the (now defunct) Irish Direct Marketing Association.
It’s really simple (but there are some potential areas for complexity if people over think or try to play silly buggers), so we put together a decision tree for people to help. A few pointers are needed to help you navigate the Decision Tree flow.
Please note that this guidance page is for information purposes only and doesn’t constitute legal advice. If you want specific advice on specific issues relating to your organisation’s compliance with data protection rules relating to direct marketing, please get in touch.
Is what you are planning on doing Direct Marketing?
There is no real definition of Direct Marketing in the legislation. This is partly because if it was nailed down too explicitly then eventually some techbro or marketing dude would claim to have a magic widget that bypasses all of this. If you don’t believe us, just look at the hoops techbros have jumped through trying to claim that their new marketing technology doesn’t fall within the definition of the “cookies” rules when the technology is still reading data from or writing data to a subscriber device connected to a public telecommunications network.
However, those of us who have been at this a while will remember that in 1985 the Council of Europe issued a Recommendation on the question personal data and direct marketing that has a definition in it which is as good as any you’ll see. While not law, the recommendation carries a lot of weight.
“Direct marketing” comprises all activities which make it possible to offer goods or services or to transmit any other messages to a segment of the population by post, telephone or other direct means aimed at informing or soliciting a response from the data subject as well as any service ancillary thereto.
So, if you are informing people about things and are hoping to solicit some form of response from them (an “exchange of money, time, data, or first born child” as our Managing Director puts it), then you are engaging in Direct Marketing.
Other stuff, such as messages to tell the customer their parcel has shipped or that the technician will call to fix their phone some time between 8am and next Thursday, is more than likely NOT direct marketing. But if you include a message in it that is aimed at triggering a response, it definitely is. A lot of companies got caught out by that in the panic of 2018 as they were refreshing their marketing permissions because they sent a bland information email about permissions that the customer had given for contact, but included an incentive for people to opt-in.
For messages that aren’t direct marketing you will still need a clear legal basis for processing. If you don’t know the legal basis you are relying on… STOP!!!!
The “Opt-in is mandatory” myth
A common myth is that you need people to opt-in to any form of direct marketing. That’s not true.
- Recital 41 of GDPR recognises that direct marketing is in the legitimate interests of data controllers. So it can be done on that legal basis for postal marketing (i.e. letter mail). You need to ensure that the letter includes information on how to opt-out though!
- Any electronic mail (and the definition of that is broad) requires an OPT-IN consent, unless the conditions in the flow chart are met.