Shortly before Christmas 2003 the Data Protection Act (DPA) hit the headlines. Around the same time, new regulations on privacy and electronic communications came into force. In this issue I look at how these pieces of legislation affect the collection of data and its use in marketing.
The DPA 1998 covers the collection, security, manipulation and supply of personal data. It gives "data subjects" the right to see what information we hold about them, correct it, or ask for processing to cease. ("Data subjects" include subscribers, readers, visitors, prospects, contributors, employees, suppliers, advertisers, all the people on all our lists.)
The DPA also identifies "sensitive personal data" and sets tighter rules for handling these. The closest a publisher gets to sensitive data is generally the personal identifier supporting reader requests. This year's ABC PIQ is "the first two letters of the town of your birth" - the actual town name is irrelevant, and this avoids the sensitive area of ethnicity.
The first of the eight Data Protection Principles in the DPA requires fairness in the way we collect data - telling the data subject how we are going to use it. The DPA allows us to vary the use, so long as we inform the data subject in advance. As periodical publishers, we have a regular opportunity to do that.
But it is better to think through all the uses you might make of the data you collect and describe these at the point of collection. Uses come in three broad categories: use by this publisher, use by other member companies in the same group, and use by third parties - direct marketing clients.
Some organisations, principally retailers and professional bodies, make a point of stressing that there will be no third party data supply. Only this organisation will use the data.
Owners of free publications, events and websites can rarely afford to forgo the revenues from third party use. Fortunately, there seems to be nothing in the regulations to prevent making acceptance of third party use a condition of free supply of a magazine or free website access.
PECR 2003
Later regulations sought to cover new uses to which data was increasingly being put. By early 2002 it was clear the public were unhappy with the status quo, and the European Commission issued a Directive on the use of data in various marketing channels. The result has been the "Privacy and Electronic Communications (EC Directive) Regulations 2003" (PECR), incorrectly referred to by some as the "anti-spamming law". It won't stop spam because it only covers the promotion of EC businesses. So if you are being pestered by sellers of drugs or improved body parts based outside Europe this law won’t help.
The PECR divides our audience into two types - Individual Subscribers and Corporate Subscribers (meaning "subscriber" to a communication service, rather than to a magazine). Individual Subscribers are given greater protection, but "individual" is defined more broadly than one might expect. Sole traders and partnerships are individuals, except in Scotland, where partnerships are deemed corporate.
The PECR then looks at three principal channels of marketing communication: telephone, fax and email (with SMS treated the same as email). It goes on to define whether data subjects have the right to opt-in or to opt-out of these different channels, but the rules for postal marketing are left to the original DPA. The result is shown in the table below:
| Marketing Channel | Individuals / Partnerships | Corporates / Partnerships in Scotland |
|---|---|---|
| Postal | OPT-OUT | OPT-OUT |
| Fax | OPT-IN | OPT-OUT |
| Telephone | OPT-OUT | OPT-OUT |
| Email/SMS | OPT-IN | OPT-OUT |
This process must be dealt with as the data is collected (although data subjects have the right to opt out at any time). The ideal way to construct opting in and out questions is to put the form online, with a question worded:
Are you applying for this event/magazine/website as:
[] an individual or sole trader
[] a partnership in Scotland
[] a partnership elsewhere
[] a corporate / public body, charity, institution.
This would be followed by a page tailored to offer the right combination of opting in and out for this contact, describing the uses to which you are going to put the data, with relevant tick boxes.
Suggested wording
However, much magazine and event promotion is based on flat forms, administered by telephone or online, which merely replicate paper ones. Given the risk that "individuals" will use the form, it is best to treat all contacts as if they have the rights of an individual. Here is a suggested wording and layout in which I have tried to draw attention to the question that requires active ticking. We need to get the right behaviour from people who would tick everything regardless, as well as from those who might tick nothing at all. Under these regulations neither approach is helpful to the list owner.
XYZ group companies may occasionally contact you about your renewal, our other products, events or services. Only tick this box [] if you prefer not to receive this information from us.
From time to time we may allow selected clients to tell you about their products and services. Only tick this box [] if you prefer not to be contacted by our clients.
Sometimes we, or our client, prefer to send you these offers by email. Please tick here to show that you agree to receive such emails from XYZ companies [] or from our clients [].
Fax seems to be increasingly discredited as a marketing channel, but if it is important for you then slip in an additional sentence:
Sometimes we, or our client, prefer to send you these offers by fax. Please tick here to show that you agree to receive such faxes from XYZ companies [] or from our clients [].
I predict reader resistance to such a lengthy question. But whilst it might be tempting to edit the email prompts in the original text to read "email/SMS/fax", you could then lose the right to communicate through any of the three channels because the contact objects to just one of them.
Managing older data
Many list owners changed their wording early in 2003. Even so, most of us still hold contacts who have not had the chance to answer these questions. So how do we deal with older data?
My advice would be to start by treating all contacts as if they were individuals. Set up a field on the database into which you put the letter "I". If the organisation name includes the words "Partner" or "Partnership" change the "I" to a "P" (we know their mailing address, so working out which are in Scotland is no problem). Finally, for any organisation name which contains a "corporate" type word, change that "I" or "P" to a "C".
Corporate words include plc, Ltd, University, Hospital, Committee, Federation, Institute, Association, Club, Charity, Trust - but not Company as these are not always Limited, nor words like Church and Chapel which can be surnames.
Flagged in this way it is clear which email addresses and fax numbers are available to use freely because the recipient is a Corporate who has not opted out, and which cannot be assumed to be corporate and can only be used if they have opted in.
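The flagging steps above, combined with the opt-in/opt-out table, can be expressed as a short routine. This is an added example, not part of the original article; the field names (`org`, `in_scotland`, `opted_in`, `opted_out`) and the sample records are constructed assumptions.

```python
import re

# Corporate-type words listed in the article. "Company", "Church" and
# "Chapel" are deliberately left out, as the article advises.
CORPORATE_WORDS = ("plc", "Ltd", "University", "Hospital", "Committee",
                   "Federation", "Institute", "Association", "Club",
                   "Charity", "Trust")
CORPORATE_RE = re.compile(r"\b(?:" + "|".join(CORPORATE_WORDS) + r")\b", re.I)
PARTNER_RE = re.compile(r"\bPartner(?:ship)?s?\b", re.I)

# Channels that are opt-in for individuals and non-Scottish partnerships.
OPT_IN_CHANNELS = {"email", "sms", "fax"}


def flag(org_name):
    """Return 'I', 'P' or 'C', applying the three steps in order."""
    code = "I"                                # start as an individual
    if PARTNER_RE.search(org_name or ""):
        code = "P"                            # partnership
    if CORPORATE_RE.search(org_name or ""):
        code = "C"                            # corporate word overrides I or P
    return code


def may_contact(contact, channel):
    """Decide whether one channel may be used for one contact."""
    code = flag(contact.get("org", ""))
    # Partnerships in Scotland are treated as corporate (assumed boolean
    # field derived from the mailing address).
    corporate_rules = code == "C" or (code == "P" and contact.get("in_scotland", False))
    if channel in contact.get("opted_out", set()):
        return False                          # an opt-out always wins
    if channel in OPT_IN_CHANNELS and not corporate_rules:
        return channel in contact.get("opted_in", set())
    return True                               # opt-out channel, no objection recorded


# Constructed sample records, for illustration only.
SAMPLE = [
    {"org": "Acme Widgets Ltd"},
    {"org": "Glen & Muir Partnership", "in_scotland": True},
    {"org": "Smith & Jones Partnership"},
    {"org": "Widget Company", "opted_in": {"email"}},
    {"org": "J Church"},
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(c["org"], flag(c["org"]), may_contact(c, "email"))
```

The word-boundary matching keeps names such as "Trustworthy Media" from being flagged as corporate on the strength of "Trust".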
This may also lead to the production of two versions of the online or paper forms, one for corporate contacts and one for the rest. Whilst contacts outside Europe cannot insist on being treated the same, it would certainly be best practice to apply these rules throughout the world.
There is a provision in the PECR to carry on emailing or SMS-ing individuals whose data was collected "in the course of the sale or negotiations for the sale of a product or service" and for your "similar products and services only".
This begs a couple of questions. Firstly, is negotiation for free supply covered by this exemption? We put in as much effort as we do to gain a subscription sale. But could we persuade the Information Commissioner or a court? Secondly, what are "similar products and services"? If we promoted a widget magazine last time, presumably we are allowed to market a holiday magazine this time - they are both magazines, even if there is some doubt as to the relevance of the product to the reader. But can we promote the European Widget Symposium? It's about widgets, so it is clearly relevant to our reader, but it's not a publication. These questions will eventually be resolved by the Information Commissioner and the courts.
The PECR also includes a number of requirements previously viewed as "best practice" - i.e., ignored by the less reputable. It is no longer permissible to disguise the sender of a promotional fax, email or SMS and a genuine opt-out route must always be shown. Marketing messages must always show the name of the organisation on whose behalf they are sent (not just the name of the product) and they must show that person's address or a "telephone number on which he can be reached free of charge."
The PECR covers a lot more, including the use of cookies, location data, automated calling equipment, the relationships between communication service providers, and the penalties for allowing one's equipment to be used to break the law.
The costs of getting it wrong could include fines, restitution to the complainant, management time lost preparing for court and legal fees (possibly of both sides). But there is also the possibility that an ISP, to protect itself from legal action, might switch off the offender's email service until they are satisfied that the organisation has adequate procedures to prevent employees committing further offences. Considering how much business could be lost in those days or weeks, it is worth checking your data procedures right away.
Relevant documents
* The full text of the Data Protection Act 1998 can be found at www.hmso.gov.uk/acts/acts1998/19980029.htm
* The current (eleventh edition) of the British Code of Advertising, Sales Promotion and Direct Marketing Practice at www.asa.org.uk/the_codes/index.asp
* The Privacy and Electronic Communications (EC Directive) Regulations 2003 at www.hmso.gov.uk/si/si2003/20032426.htm