Email Marketing & Due Diligence – Individuals

When it comes to e-mail marketing, many businesses are not fully aware of their data protection obligations. There are a number of substantial guides out there, particularly from the ICO (Information Commissioner’s Office) but these can be fairly hard to digest. In this post I have tried to gather together the basics to ensure that you have a solid footing on which you can build your email marketing campaign. We will look at your basic data protection obligations, privacy policies and the different types of emails and opt in options.

Knowing Your Obligations

Any business that holds or processes information about its customers is legally obliged to protect that information. The information must be kept secure, up to date, collected for a specific purpose and only held for as long as it is needed. The subject must also be allowed to see the information you hold about them on request.

If your company handles personal information (whether through an online shop account, newsletter etc.) you should notify the ICO as you may need to register with them as a ‘data controller’. Failure to do this could result in legal action.

In regards to email based marketing you must always disclose who you are (never conceal your identity) and include a valid unsubscribe link.

US advertising company Trancos Inc. were sued for $87,000 a number of years ago for not clearly identifying themselves as the sender of a range of marketing emails. Instead of being transparent they listed the sender as things like ‘Paid Survey’ and ‘Bank Wire Transfer Available’.

If your company has several trading names then you must make this clear at the data collection point. You should never assume that a customer will be happy to receive information from each entity. Similarly, when a subscriber opts out of your list this opt out applies to messages from all of your trading names.

Your Privacy Policy

At any point on your website where you collect data you must provide a clear link to your privacy policy. As well as helping you meet your legal obligations, your privacy policy will help you to build trust with your customers and should therefore be as user friendly as possible. A good privacy policy should include the following:

- A statement of exactly what data you collect
- An explanation of what you WILL and WILL NOT do with the data
- Your physical address
- A statement of how you handle/process data
- Names of group companies if applicable
- An explanation of how your website uses cookies
- Details on how a customer can obtain the data you hold about them (see subject access later in this post)
- Information on how you handle data security
- Information about what your privacy policy covers (i.e. you may link to other websites but are not responsible for their content).

Solicited Vs Unsolicited

A solicited email is one that the recipient has specifically asked to receive. This could be where a company offers a free guide on their site which is sent out by email and someone requests it to be sent to them.

An unsolicited email is one that the recipient has not specifically requested at that moment in time but is one that they do not mind receiving. For example this could be a newsletter or offers email.

Opt In Vs Soft Opt In

Marketing e-mails can only be sent to recipients who have given you their permission to contact them or who have ‘opted in’. There is another type of opt in known as a ‘soft opt in’ which provides a number of exceptions to this rule. If you have obtained a person’s contact details through the discussion or completion of a sale and only plan to send them emails about similar products then you are allowed to do so without a strict opt in from them. However, you must give them the opportunity to opt out at the point of data collection and in future correspondence. Opt out requests must be respected; if you continue to send mail to those who have opted out, the ICO may take action against your company.

A few years ago two internet marketers working on behalf of Kodak were sued for ‘failing to offer an opt out method and failing to honour consumers rights to opt out’ after they sent a marketing email to over 2 million people with no opt out options.

Lists where a third party has collected consent do not meet the soft opt in criteria and so the recipient must actively state that they do not mind unsolicited emails from third parties.

Requests For Information

As previously mentioned, customers and recipients can request to see the data that you hold about them. This is known as subject access. In your website terms and conditions and on your e-shot make sure that you state the relevant contact address for these requests. If you have a designated data protection person it may also help encourage trust and quick resolution if you also list their name. Once you have received the request you have 40 days in which to respond. You are allowed to charge a fee for processing a subject access request of up to £10.

Forwarding To Friends

Many companies will actively encourage their recipients to forward their e-shots to their friends. If you are going to do this you need to state that the recipient should only send it on to friends who they feel would be happy to receive it. If you offer an incentive to your recipients to forward it on and their friend is not happy about receiving the email then you are liable as the one who instigated the correspondence.

Hopefully this has been helpful to you and not too heavy going! These are just some of the main points when it comes to sending email marketing correspondence to individuals.

For more information please see some of the resources below:

ICO Marketing Sector Guide
ICO Electronic Mail Regulations
The Dot Mailer Guide To Email Marketing Law
Email Marketing Law & Anti-Spam Guide From Law Donut
The Ofcom Guide to E-Marketing