Can I buy a contact list under GDPR?

You should check the origin and accuracy of bought-in lists. You should screen call lists against the TPS, and only use bought-in lists for email, text or recorded calls with very specific consent.

For in-house marketing lists, use opt-in boxes wherever possible. Specify consent to marketing by email, by text, by fax, by phone or by recorded call. Ask for specific consent also if you want to pass details to other companies, and make sure you name or describe those companies.

Keep clear records of consent, and keep a ‘do not contact’ list of anyone who objects or opts out.

You can use bought-in lists to make live marketing calls, but you should screen against both the TPS and your own ‘do-not-call’ list of people who have previously objected to or opted out of your calls.

You must be very careful before using bought-in lists for recorded calls, texts or emails. You can only use them if all the people on the list specifically consented to receive that type of message from you. Generic consent covering any third party will not be enough.

If you are using bought-in B2B fax lists, you must screen against both the FPS and your own ‘do-not-fax’ list of people who have previously objected to or opted out of your faxes. You may only fax individuals [including sole traders and some partnerships] if they have specifically consented to receiving faxes from you.

You must make checks to satisfy yourself that any list is accurate and the details were collected fairly, and that the consent is specific and recent enough to cover your marketing.

For further information, see our guidance on direct marketing.

What’s the best way to compile our own marketing list?

You may want to compile your own in-house marketing list using details of people who have bought goods or services in the past, or who have registered on your website or made an enquiry. However, you should not assume that everyone is happy to receive marketing just because they have provided their contact details.

You should make it clear upfront that you intend to use their details for marketing purposes. The best way to get clear consent for your marketing is to provide opt-in boxes that specify the type of messages you plan to send [eg by email, by text, by phone, by fax, by recorded call].

You should record when and how you got consent, and what type of messages it covers. If possible, you should also record whether the customer is an individual or a company, as different rules apply. If this is not clear, assume they are an individual.

For further information, see our guidance on direct marketing.

Can we sell our marketing list?

As a general rule, you can only sell your marketing list if you have the consent of the listed individuals to do so.

Other businesses will only be able to use the list for recorded calls, texts or emails if the people on the list have specifically consented to receive that type of message from that company.

For further information, see our guidance on direct marketing.

Can we share our list with other companies in our group?

The same rules apply as for other third parties. If you intend to share the list within your group, you must have each individual’s specific consent to marketing from your group companies.

As always, the best way to get consent is to provide an opt-in box. You should list the group companies [you could do this online by providing a link]. You may even want to consider offering separate opt-ins for each company, to give the individual greater choice and to target your group’s marketing more effectively. You cannot show consent if you only provide information about marketing from your group companies as part of a privacy policy that is hard to find, difficult to understand, or rarely read.

Can one company use one list for multiple trading names?

If you are a single entity trading under several different names, you should not assume that a customer opting in to marketing from one brand is consenting to marketing from all your brands. Consent must be informed, and customers may not even be aware of any connection between the brands. You may also find it difficult to rely on the soft opt-in, as this only applies to similar products and services.

If you want to use one list for all your trading names, you should list them all clearly when you obtain the opt-in.

If an individual opts out of marketing from one trading name, you should assume this opt-out applies to all your trading names unless they make it clear otherwise.

How should we respond to objections or opt-outs?

As soon as someone objects to or opts out of your marketing, you should add them to a ‘do not contact’ list. You should screen all your marketing against this list to make sure you don’t contact anyone who has opted out. You can send an immediate reply confirming they have unsubscribed, but you must not contact them at a later date even if this is just to ask if they want to opt back in.

You must not simply delete their details altogether, as you need to ensure they are not later put back on your marketing list by mistake [for example if you buy more leads that include the same details]. If someone asks you to delete their details, you should explain that you will need to keep them on a ‘do not contact’ list to make sure you comply with their right to opt out.

For further information, see our guidance on direct marketing.

How do the rules apply to our loyalty scheme members?

If you operate a loyalty scheme, you should make sure your customers understand what messages they will receive if they sign up. They are likely to expect a periodic update on how many points or vouchers they have earned. In our view, under the soft opt-in rule, as long as you provide a clear opt-out when they sign up and in every subsequent message, you may also send them further electronic mail about other promotions unless they opt out.

If you operate a joint loyalty scheme with other companies, you must make sure customers are fully aware of the nature of the scheme and range of the promotions you propose to send. In our view, under the soft opt-in rule, as long as you do so and provide a clear opt-out when they sign up and in every message, the scheme may send electronic mail about incentives offered by any of the partners.

However, if a participating company wants to send additional marketing messages outside the loyalty scheme, it must have the individual’s clear consent to do so. If there are several partners in a loyalty scheme, you may therefore find it easier to provide specific opt-in boxes when people sign up.

Can we send marketing by post?

PECR do not cover marketing by post, but if you are sending post to named individuals you must comply with the Data Protection Act and the UK GDPR.

If you buy [or rent] a mailing list, you need to check with the supplier what rights you have to use the list for email marketing purposes.

If you are buying or renting a marketing list from a list broker or other third party, you must make rigorous checks to satisfy yourself that the third party obtained the personal data fairly and lawfully, that the individuals understood their details would be passed on for marketing purposes, and that the third party has the necessary consent and complies with the UK General Data Protection Regulation [UK GDPR]. You may consider undertaking a GDPR audit of the seller of the mailing list to ensure GDPR compliance before purchasing the list. This could take the form of a compliance questionnaire.

If the list includes individuals [as opposed to companies], they must have given their consent to receiving unsolicited emails. You must also ensure that you only send emails that match the consent individuals have given. For example, they may have consented to receive emails on a particular subject.

As with other email marketing, when you send marketing emails you must give individuals the right to unsubscribe or opt out from receiving further emails.

Databases without consent

If you buy a database where the individuals have not given consent, or if you wish to use it for a different purpose, you need to get their consent.

If you make your first contact with the people on the database by telephone or email, you should make sure that you comply with the privacy rules for electronic marketing. If someone doesn't respond to your initial contact, you can't assume that this implies that they consent to your using their personal information for unsolicited marketing, or any other purpose.

Data protection

Any personal information held on a database should be adequate, relevant, not excessive and should not be kept for longer than is necessary. If you are the new owner of a database, you should decide how much of the information you need to keep, and then delete any that's unnecessary. You should not retain personal information for future use. GDPR requires that you inform the data subjects of your privacy notice information at the latest upon first contact with them.

Online selling rules

When sending sales messages by email, the rules covering distance selling and online trading apply. See consumer contracts.

If you buy business email lists, you can be forgiven for thinking that you can no longer use them after Friday 25th May 2018, when the new General Data Protection Regulation came into force. But you would be wrong…

Much rubbish has been stated suggesting GDPR is the end of email marketing.

It does mean some big changes, most notably the tightening up of how people consent to their personal data being used. But this does not rule out cold B2B email marketing or using bought-in business mailing lists to generate sales.

After 25th May 2018, a person must actively consent for their data to be processed and used by the actual company using it. This means that mailing list companies can no longer sell data that is “fully opted-in”. To opt in, people have to opt in directly with the company using the data. Unless your company name was mentioned when the person’s email address was collected, you can no longer rely on consent as a reason to process personal data.

But consent is not the only reason to process personal data. There are six lawful bases for processing data under GDPR legislation. You need to show compliance with one reason.

The most useful for business-to-business direct marketers and email marketers is known as Legitimate Interests.

Legitimate interests might be your own interests, or the interests of the third party receiving the data, or a combination of the two.

Latest guidance from the Information Commissioner says that legitimate interests may be the most appropriate basis when:

“the processing is not required by law but is of a clear benefit to you or others; there’s a limited privacy impact on the individual; the individual should reasonably expect you to use their data in that way; and you cannot, or do not want to, give the individual full upfront control [i.e. consent] or bother them with disruptive consent requests when they are unlikely to object to the processing.”

Crucially for marketers, direct marketing is described in the GDPR as an activity that may indicate a legitimate interest.

You need to carry out a simple legitimate interests assessment and document this assessment. Then update your Privacy Policy to state that you are relying on Legitimate Interests as a lawful basis on which to process personal data. Finally, communicate that you are using Legitimate Interests to the people whose data you are processing.

Legitimate Interests is not a new concept, and data brokers and email list providers have generally always relied on legitimate interest as a basis for collecting and processing data. What is new is that GDPR requires us all to document how we are using data and to communicate this to users and data subjects, which, on balance, seems quite reasonable.

Under the new GDPR [General Data Protection Regulation], if your mailing list is opt-in, consent to receive marketing communications must be “freely-given, specific, informed and unambiguous”.

The good news is that ICO guidance also states that:

“You don’t always need consent. If consent is too difficult look at whether another lawful basis is more appropriate.”

Credible list brokers and email database providers all build and maintain their lists on the lawful basis of “legitimate interest”. If you have a business interest in contacting a person, you may contact them without gaining their prior consent to do so. This applies across mailing, telemarketing and email, with some key restrictions.

NOTE: There are no restrictions on postal mailing. Direct marketing with envelopes and stamps is swinging back into fashion. It is expensive compared to email marketing but compares well with other forms of digital advertising.

Email marketing for business-to-business marketing is only restricted by your own list of individuals who have unsubscribed from receiving emails from your company.

This is a key point of difference from consumer email marketing, which definitely does require consent. The reason for the difference is that email marketing is governed by a different EU directive, known as the Privacy & Electronic Communications Regulations [PECR]. PECR states that it is permitted to send emails offering business services to business people at their business email addresses, but if they ask you to stop emailing them, then you must remove them from your list and must not email them again.

So the bought B2C opt-in mailing list is dead. But email marketing for business-to-business communications lives on.

Let’s look in detail at this Lawful Basis For Processing Personal Data…

Consent is one of the six available lawful bases, but Legitimate Interests is a more suitable reason for B2B sales and marketing.

You must have a lawful basis in order to process personal data in line with the ‘lawfulness, fairness and transparency’ principle.

However, in order to be a legitimate interest, the direct marketing must be legal: as it is legal for businesses to market to individuals at other businesses by post, by email, by text and by phone [as long as the number is not registered with the CTPS], many businesses will be able to use legitimate interests as their basis for processing personal data for direct marketing purposes.

Here’s what you must do if you decide to use legitimate interests as your basis for processing personal data for direct marketing purposes:

As with much of the new Data Protection Regulation, much of the work that you need to do revolves around writing policy documents.

1. Carry out a legitimate interests assessment.
Assess each part of a three-part test and document the outcome so that you can demonstrate that legitimate interests apply. The three tests are:

Purpose test – is there a legitimate interest behind the processing? In the case of direct marketing, yes there is a legitimate interest for your business in using direct marketing in order to promote itself.

Necessity test – is the processing necessary for that purpose? You need to demonstrate that the processing is necessary for the purposes of the legitimate interests you have identified. This doesn’t mean that it has to be absolutely essential, but it must be a targeted and proportionate way of achieving your purpose. In the case of direct marketing, yes, it is necessary to use direct marketing to promote your business.

Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms? With regard to business-to-business marketing the Information Commissioner says: “business contacts are more likely to reasonably expect the processing of their personal data in a business context, and the processing is less likely to have a significant impact on them personally”. In the case of direct marketing and email marketing to business contacts, the legitimate interest is not overridden by the interests of the individual, who as a business person with decision making and budgetary responsibilities can reasonably expect to be contacted with marketing material relating to his or her professional role.

You must carry out these assessments and document these three tests.

2. Update your privacy notice to clearly say that you are relying on legitimate interests as your lawful basis and say what your legitimate interests are.

3. Communicate that you are using legitimate interests as a reason to process personal data.

The Information Commissioner has not offered any guidance on what it would accept as sufficient communication to the data subject that you are relying on legitimate interest as a basis to process personal data, but an email with this updated privacy message in the footer should cover it:

“As a GDPR compliant company, we would like to explain why you have received this email. We believe that you have a legitimate need for XXXXXXSERVICEXXXXXX within your business. From our research, or from information that you have provided, we have identified your email address: as being the appropriate representative to address within the organisation. We have deemed this to represent legitimate interest in line with the ICO’s guidance.”

While the advice on this page does not represent legal advice, you can read the Information Commissioner’s guidance on legitimate interests in full on the ICO website.
