New ICO guidance on direct marketing and regulatory communications
When is a regulatory communication (ie a message sent in compliance with a regulator’s request) likely to be considered direct marketing?
The key takeaway
On 28 March 2023, the UK’s Information Commissioner’s Office (ICO) issued new guidance for those operating in a regulated sector. The guidance aims to help organisations determine when regulatory communications could be considered direct marketing, which should help them comply with the relevant rules.
Data protection laws (the UK GDPR and Data Protection Act 2018) and the Privacy and Electronic Communications Regulations 2003 (PECR) impose limitations on direct marketing carried out by organisations. Specific messages sent to people in compliance with a regulator’s request (referred to as “regulatory communications” in the guidance) are unlikely to count as direct marketing, unless such communications promote a particular product or service.
The guidance applies to organisations operating in regulated industries such as finance, pensions, communications, or energy. A regulatory communication is unlikely to be considered direct marketing if it is:
- conveyed in a neutral tone, without active promotion or encouragement
- solely for people’s benefit
- against the interests of the sender, and
- only motivated by the need to comply with a regulatory requirement.
For example, a regulatory communication that provides prior notice of changes to terms and conditions, or reminds customers of contact information if they are struggling with payments, is less likely to be direct marketing.
However, the ICO emphasised that it is important to assess the specific circumstances and details of the message rather than adopting a ‘one size fits all’ approach. Even if marketing is not the main purpose of a communication, the communication would still be deemed direct marketing if it contains elements of marketing.
Why is this important?
Even though regulators consider people’s interests when requiring their sectors to send regulatory communications, the ICO guidance highlights that organisations have the responsibility to assess whether a message constitutes a direct marketing message and comply with appropriate rules. They must allow people the absolute right to opt out of communication and ensure that electronic messages comply with PECR provisions.
Any practical tips?
When delivering a regulatory communication, businesses must assess necessity and proportionality. They should consider whether the specific purpose of the message can be achieved via “less intrusive means” such as displaying it on a website or social media. Additionally, organisations can choose to communicate the message to customers when they call the organisation’s helpline, or through television, radio or streaming services. The hypothetical examples are helpful in deciding whether a regulatory communication is likely to be direct marketing.