Winter 2017: Legal update

In order for any business to conduct direct electronic marketing it is first necessary to compile the details of the existing customers. This is governed by the Data Protection Act 1998 (“the DPA”). In a nutshell, the DPA requires a business to have a registered ‘Data Controller’ before that business can lawfully process any personal data about a customer. It is without doubt that any form of customer marketing database would fall within the scope of the DPA as the details collected would be stored in a system which makes individuals identifiable.

To ensure their compliance with the DPA, some practical points which business owners need to consider are: ensuring a Data Controller is appointed, registered and trained; only collating necessary information; keeping the information secure; ensuring the information is kept up-to-date; and responding to requests from customers to access the information.

It is extremely important that business owners make sure their business is complying with the DPA. Failure to comply with the DPA can not only lead to civil enforcement, including penalty fines, but also, in some cases, criminal sanctions.

In addition to the strict rules regarding storage of customer information, a business may wish to utilise the data by sending unsolicited marketing emails for promotional purposes. Here too, strict rules surround the use of such communication. Regulations 22 and 23 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) apply.

Regulation 22 of PECR restricts the sending of any unsolicited marketing material, unless the customer has opted-in by agreeing that such material can be sent to them. It is worthwhile noting that this does not just apply to email, but also to text, photo and video messages sent to a person’s mobile device. It is crucial that business owners ensure they implement a facility which enables the customer to ‘opt-in’ to such marketing material. It is possible for the customer to indirectly consent by way of a “soft” opt-in, but this should be approached with caution, as it applies only to the promotion of similar goods/services which they initially contracted with the business to receive.

Even where a customer ‘opts-in’, business owners must ensure that their business name and contact details are provided clearly in the electronic communication. This is to ensure that the customer has the opportunity to request they are removed from the mailing list by ‘unsubscribing’.

For further advice please contact Darrell Stuart-Smith, a Partner in our commercial team at our Dorchester office on 01305 251007.