At a glance
- Since the General Data Protection Regulation (GDPR) came into force on May 25, 2018, a common (but incorrect) myth which spread was that consent was required for almost everything
- A service message is a factual message that relates to the product or service you are providing your customers
- There are clear rules regarding service messages and what constitutes them, and they don’t require your customers’ consent
This article counts towards accumulating your annual CII CPD structured learning hours for Emerging Risks.
By reading this article, and correctly answering the three questions underneath, you will have achieved the following learning outcome: Identify key emerging risks and describe their main characteristics.
Visit the CPD Hub to log in and begin accumulating CPD hours.
Since the General Data Protection Regulation (GDPR) came into force on May 25, 2018, a common (but incorrect) myth which spread was that consent was required for almost everything.
The General Data Protection Regulation (GDPR) applies in the UK, tailored by the Data Protection Act 2018.
- The GDPR applies to ‘controllers’ and ‘processors’
- A controller determines the purposes and means of processing personal data
- A processor is responsible for processing personal data on behalf of a controller
- Both personal data and sensitive personal data are covered by the GDPR
- The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU
There are clear rules regarding service messages and what constitutes them, and they don’t require your customers’ consent.
What is a service message?
A service message is a factual message that relates to the product or service you are providing your customers. However, organisations need to take particular care when sending a service message and ensuring that it does not contain any information which could be deemed a direct marketing message.
The Information Commissioner’s Office (ICO) have made it clear what a service message is;
Routine customer service messages do not count as direct marketing – in other words, correspondence with customers to provide information they need about a current contract or past purchase (e.g. information about service interruptions, delivery arrangements, product safety, changes to terms and conditions, or tariffs).
The best way of working is to keep the two distinct communications completely separate. That way you ensure that customers who have opted out of marketing messages do not receive any communication that contains marketing/promotional content. However, they will still receive the necessary service messages.
There is also the Privacy and Electronic Communications Regulations (PECR) which sits alongside the Data Protection Act and the GDPR. They give individuals specific privacy rights in relation to electronic communications.
There are specific rules on:
- marketing calls, emails, texts and faxes;
- cookies (and similar technologies);
- keeping communications services secure; and
- customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
The GDPR does not replace PECR, although it changes the underlying definition of consent. Existing PECR rules continue to apply, but using the new GDPR standard of consent.
In June 2019, the ICO fined telecoms company EE Limited £100,000 for sending direct marketing messages to its customers, without consent. Even though EE stated that the texts were sent as service messages and therefore not covered by electronic marketing rules, the ICO found the messages contained direct marketing
Andy White, ICO Director of Investigations reiterated “The direct marketing guidance is clear: if a message that contains customer service information also includes promotional material to buy extra products for services, it is no longer a service message and electronic marketing rules apply.”
Consent is central to the rules on direct marketing. You will generally need an individual’s consent before you send marketing texts, emails, faxes, make calls to a number registered with the TPS, or make automated marketing calls under PECR. If you cannot prove that you have valid consent, you may be subject to enforcement action.
In order for consent to be valid, it must be freely given, clear and specific. You should keep clear records of what an individual has consented to and when and how this consent was obtained. This is so, if you should be required to, you can demonstrate compliance in the event of a complaint.
What is a direct marketing message?
A marketing message is any communication where the aim is trying to generate more business.
Direct marketing is defined in section 122 (5) of the Data Protection Act 2018 as:
“the communications (by whatever means) of advertising or marketing material which is directed to particular individuals”.
The ICO provides an example;
A bank makes a telephone call to a customer about the administration of their bank account. However during the call the bank also outlines its mortgage products. Although the main purpose of the call is for administration because the call is also being used to promote other products and services it still falls within the definition of direct marketing.
To ensure that you avoid breaking the rules regarding direct marketing messages, it’s important to comply with both the GDPR and PECR. It is also important that you take steps to ensure that customers have the absolute right to object to direct marketing. Therefore you must ensure that you don’t send any messages that contain marketing/promotional material to an individual who has not given permission, or has previously opted-out.
Solicited and unsolicited messages
There is also a difference between what is deemed a ‘solicited’ marketing message and what is deemed an ‘unsolicited’ message. Organisations can freely answer direct queries from customers about the products/services they offer. There is also no restriction on sending marketing messages to an individual who has specifically requested you to do so. PECR only applies to unsolicited messages. This is where individuals have not directly asked for their information and will relate to your general marketing campaigns/activity.
The ICO has provided an example of the distinction between the two;
A customer submits an online form requesting a double glazing quote. Sending this quote to the customer is solicited marketing, but any further contact from the company would be unsolicited.
If you want to find out more information regarding the GDPR and PECR and to check whether your service messages may be falling into the direct marketing world, the below websites are worth visiting.
The Information Commissioner’s Office