New ICO guidance on direct marketing using live calls

Published on 23 December 2022

The question

What is the ICO’s new guidance on the use of live calls in direct marketing?

The key takeaway

The UK’s Information Commissioner’s Office (ICO) has released a new set of guidance on the use of live calls for direct marketing when the target “subscriber” is an individual. The guidance comes out at the same time as the ICO’s guidance on the use of electronic mail in direct marketing. The aim is to help organisations get a clearer view on what the regulator expects from them from a compliance perspective.

The background

There is already guidance in place on live calls in the form of the ICO’s Guide to the Privacy and Electronic Communications Regulations 2003 (PECR) as well as the draft Direct Marketing Code of Practice (DMCP). The new guidance supplements these. While PECR and the DMCP look at protecting both individual subscribers and corporate entities, the new guidance focuses on individuals.
Remember that the marketing rules in PECR apply regardless of whether personal data is processed in live calls, so in this respect they sit apart from the UK GDPR and the Data Protection Act 2018.

The development

The guidance takes a detailed look at live marketing calls, including explaining what they are, what the rules are and how to comply.

In general, organisations do not need prior consent to conduct direct marketing via live calls – noting that some exemptions apply (eg where direct marketing calls are made regarding claims management services and pension schemes). If you’re planning on conducting direct marketing via live calls (whether as the instigator – ie because you’re using a third party to make the calls for you – or as the caller yourself), you must adhere to the following conditions:

  • the individual or business must not have objected to receiving live marketing calls
  • the number must not be listed on the Telephone Preference Service (TPS) or the Corporate Telephone Preference Service (CTPS). To comply with this requirement, you must check the phone numbers you wish to contact against the TPS or CTPS registers before making the call – if the number is listed, the organisation must not make a call. The only exception to this situation would be where the individual/business has specifically notified the potential caller that they do not object to the call. 

Although the rules around “opt-in” consent in the UK GDPR do not apply to live calls, the standard to negate TPS and CTPS registrations is on a par with the standard of consent required by the UK GDPR. As the guidance states, this means:

  • people must have a free choice to consent, meaning that they can refuse without detriment, and consent must be freely given (so separate from, for example, terms and conditions)
  • it must be clear that the consent covers your live marketing calls and you must give your name in the consent request (“specific and informed”)
  • you must have no doubt that the relevant person is consenting to your live marketing calls (“unambiguous indication”), and
  • they must take a positive action to consent, so you must not use pre-ticked opt-in boxes, silence or inactivity (“clear affirmative action”).

Callers are also subject to additional requirements:

  • they must display their phone number or a valid alternative number
  • they must be clear about their identity when introducing themselves
  • they must provide contact details should the individual ask
  • they must facilitate the subscriber’s ability to refuse or opt-out by either enabling a “one-click” opt-out option or at least providing a valid contact address to opt-out, and 
  • they must keep an up-to-date record of those who have opted-out.

Live calls may be made using third party information contingent upon compliance with the relevant PECR rules. It is best practice for the organisation and the third party to have a contract in place where their duties are clearly represented. However, if personal data is processed then it is a legal duty under the UK GDPR to have a contract in place. Any individual’s telephone number listed in a bought-in list or whose contact details are available publicly must be screened against the TPS/CTPS registers even if the third party claims to have checked recently, as it may take up to 28 days for a new TPS/CTPS registration to become active.

Why is this important?

The guidance demonstrates that despite direct consent not being needed for making live calls, organisations have a responsibility to check the TPS and CTPS to ensure that a potential target’s number is not listed on these registers. This includes situations where a bought-in list is being used. In other words, the need to check against the TPS/CTPS remains even if the seller of the list claims to have checked the data already. 

Any practical tips?

The guidance helps give clarity to organisations on making or instigating direct marketing calls and is especially helpful while we await publication of the ICO’s DMCP, which remains in draft for now. If you’re reading this and your business is in any way involved in live calls, consider sharing the link to the guidance with the relevant teams in your business. We all know that live calls may not always be received that well by recipients having a busy or stressful day, so this is potentially a ripe area for complaints. Complying with the guidance should keep you safe. 

 

Winter 2022