Opt-in, opt-out, shake it all about

Data protection compliance is a minefield. Too many direct marketers have failed to keep abreast of the legislation and are, says Jenny Moseley, risking prosecution. Getting it right will keep you on the right side of the law, help foster a culture of best practice within your organisation and even lead to better response rates for your promotions.

By Jenny Moseley

Once upon a time there was an opt-out box. In fact once upon a time there was no opt-out box, and though we seem to have been living with data protection for ever, it is really only twenty years ago that managing the communications preferences of our customers in a compliant manner first became an issue for direct marketers and publishers.

Yes, there had been rumblings about privacy both in the UK and in the rest of Europe, but the Data Protection Act 1984 gave rise to the increased need to learn how to differentiate customers and to know whether on not they had objected to their data being processed for marketing purposes for third party use. There was no specific need then to offer a preference for marketing to clients and prospects for a company’s own use.

So, unless we had written a data protection statement which narrowed our opportunities by being too precise, we could write to or telephone our subscribers to our heart’s content.

But that did not satisfy the regulators in Europe, hence the EU Directive of 1995. Thus began the arduous journey to the Data Protection Act of 1998, which, apart from a few straggling issues, became law in October 2001.

There were a number of changes to the 1984 Act and of particular concern is the requirement to offer an opportunity to the individual to opt-out of further marketing messages from the company itself. I call this ‘first party’ marketing to differentiate it from ‘third party’ marketing, and it horrifies me to see that there are publishers still who are, by the wording on their subscription forms, and by the single preference box on their database, precluding themselves from communicating with their own customers.


And so the story continues; one opt-out option became two opt-out options, for two media channels, paper-based or phone and then in 2003 the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR - which came into force a year ago) turned two options into dozens.

With the introduction of PECR covering all electronic communications and subsuming other legislation including specific law on the use of telemarketing, we are now working in an entirely different environment.

Both pieces of legislation, the Data Protection Act 1998 and the PECR, took account of the fact that technology was accelerating, (Moore’s law – double the capacity at half the price) and tried to visualise new marketing channels coming on stream which this legislation should cover. At the same time, the principles have been written with a broad brush and whilst guidance has been published, the interpretation of how the legislation affects marketing communications is somewhat unclear, until such time, perhaps, as case law clarifies the position. But who wants to be the test case?

That’s why it is important to think about preference management in a different way and adapt systems to identify which of our subscribers said what, on what day, and for which channel to market. As new technologies are introduced, the very fact that they are likely to be electronic means that they will be specifically covered by PECR, with data protection legislation running in the background.

We now find ourselves having to offer multiple choices of preference in multiple channels for multiple types of audience and we need to flag and date the database and then map future marketing messages accordingly.

Consumer and B2B

And we need to think about dividing our audiences between consumers and business-to-business for electronic communications. In the past it was widely (though incorrectly) thought that B2B was exempt from some of this legislation, but the PECR clarified that position, and if an individual can be identified from the data held, then that individual is included in one of two ways for future electronic marketing communications.

Firstly, PECR also introduced a new permissioning concept with "soft opt-in". Secondly if the individual works for a PLC or a limited company, then the preferences related to a company can apply, but if an individual is a sole trader, or in a partnership, then they should be treated as if they are consumers. (If you’re reading this article in Scotland, or you have subscribers who live there, then there are some additional definitions to make your life more complicated).

Additionally the soft opt-in cannot be used in a non-commercial environment, so industry sectors like charities have to adapt totally to the opt-in environment for electronic marketing messages.

Over the past two years, I have spent an increasing amount of time consulting on data protection and the PECR and actually I have been somewhat disappointed at the lack of knowledge about data gathering practices. As a judge in many annual awards in publishing and direct marketing, it pains me to see beautiful creative packages, ads, inserts, emails and websites which have pulled terrific responses, but which include an application or registration form which shows that the clients or agencies entering these awards just do not understand what they can and can’t do. Some of that hard won data cannot, therefore, be legally used.

There are three areas (of many) in the legislation that I want to draw your attention to: data gathering, data storage and data usage. If you get these wrong, particularly the gathering of data, then you are in breach of the first principle of the Data Protection Act 1998, at the very least. You’re immediately at risk, both legally and commercially.

The right words

I spend a lot of time drafting data protection statements in the most appropriate wording and tone for the brand, and data flagging systems to capture the responses. Marketers need to be given the best chance of communicating effectively with their subscribers, not only using the preferences of the subscriber (who can be quite fickle) but in a compliant and best practice environment with a commercial reality check; I call it ‘interpreting data legislation through the marketing lens’.

It would be wrong of me to generalise and give a global solution, because every advertiser’s circumstances are different, so the best advice I can give is to get it right at the beginning of the data cycle, and store the data efficiently and securely. As far as the end use of the data is concerned, marketing folks will be thankful to have a compliant data pool from which to select individuals who should respond better and who also cost less to convert to a sale.

Ten preference flags

I am going to give you an example of data management in one channel to market – email marketing. In this category, for an advertiser who has B2B and B2C customers, and who wishes to collect data for both ‘first party’ and ‘third party’ email marketing, I have some ten preference flags on my matrix relating to the types of permissions and objections that customers may have given. Why so many?

I want to know whether the permission to communicate by email has been given in an active way – eg. someone who has physically ticked a box to opt in. But I also want to know if that person has only bypassed a soft opt-in or opt-out, which is a lesser form of permissioning. Similarly for those who have chosen not to receive emails from the company itself or from third parties, I want to know whether they have refused to opt-in, or have actively opted out by ticking a box on a soft opt-in.

That information may seem like overkill but systems can cope with it very easily these days and there are two benefits from being more precise. The first is to target better using the strength of the permissioning which the individual has chosen, and the second is to be ready in case of a change in the legislation sometime in the future. Admittedly the email channel is probably the most complex, but I use this type of flagging on all channels to market and write the data protection statements in an appropriate way so as not to disadvantage marketing efforts both in the short and the long term.

Ideally, when recording permissions and maintaining records, the following facts should also be captured:

Unique identifier. Unique reference numbers or customer numbers are commonly used but are important for permission management so that permissions are attached to the correct individual’s record.
Permissions gathered. The type of permission gathered could be important in the future, especially the difference between opt-out and opt-in.
Date/history of consent. The date the information was captured should always be recorded, together with the date of any amendment to the original permissions.
Statements used. If you are testing permission statements, the version used should be recorded. As the interpretation of the law changes, you may need to be able to identify when permission was gained and what was said to get it.
Data usage information. If the system permits, activity coding should be used in order to be able to identify drivers for suppression requests. Certain approaches may be found to cause more complaint than others.

This last point brings us on to suppressions, where three areas of suppression should be considered:

* A house file of suppressions which, when matched against the marketing file, will take out those prospects who just get mad and make a fuss when you market to them (which you may do innocently if you are renting in permissioned data).
* The Mailing Preference Service, the Fax Preference Service and the Telephone Preference Service (both individual and corporate) when undertaking unsolicited marketing approaches.
* External suppression files. There are a number of great products on the market which support the principles of best practice whilst saving money, particularly in the direct mail environment.

The consumer is getting smarter by the day, and those companies that will succeed in the future will be the ones who have gained the trust of their customers and prospects in a brand that is valued by both the customer and the company itself. Complying with the legislation may seem onerous, but it is really only best practice – treating the consumer the way we would like to be treated ourselves.