Data protection laws regulate how personal data is used. The UK principal legislation in this area is the Data Protection Act 1998 (“DPA“) which implements the EU”s Data Protection Directive. If you market or intend to market goods and/or services to customers by email, direct mail, fax, telephone, or on a website, data protection laws will be relevant.
For businesses based in the UK, the DPA applies if you (either by yourself or through agents or representatives), do anything which constitutes ‘processing” – whether the processing itself is done in the UK or elsewhere. So, for example, if you use a third party based in Australia or the USA to send out emails on your behalf they will be processing personal data on your behalf. So, you should ensure they can provide satisfactory guarantees regarding data protection.
Businesses intending to use personal data (“data users/controllers”) are generally required to notify the Information Commission by registering under the Data Protection Act. Failure to do so is a criminal offence. However there is an exemption for those who are advertising or marketing or promoting their business, or goods or services. You will therefore not be committing a criminal offence provided the processing is solely for advertising, marketing or promoting your own business. However, if the business is someone else”s, you will be committing a criminal offence if you fail to satisfy the notification requirement. Notwithstanding this exemption, anyone exempted must still comply with every other relevant provision of the DPA, and in particular, with all the eight data protection principles of the DPA.
When obtaining personal data and whenever you are doing any form of processing, ensure you do so lawfully; with the data subject”s consent; and only for a specified and lawful purpose or purposes. In particular, when you are using someone”s data make a point of informing them of the purposes for which the data is being obtained and do not use the data for any other reason. You should not deceive or mislead anyone as to the purpose for which you are obtaining their data.
Also, certain information must be given to the data subject at the time of obtaining the data. This includes details of the data controller”s or his representative”s identity, the details of anyone to whom the data will be disclosed and any further information necessary to enable the processing to be fair. If you are marketing by post, email or fax, this information should be given to the prospective customer when collecting their personal data, whereas for telephone marketing the information should be read out to them before you start collecting the data. If you are marketing via website this information should be provided on the same webpage as the personal data form – perhaps in a prominent link to the privacy and data protection policy containing this information. Better still, you can require the customer to indicate that they have read and understood the privacy and data protection policy by ticking a box on the form requesting their personal data.
Apart from giving this information, the data subject should also have a reasonable opportunity to consent or object to the use of personal data for any purpose. This may be achieved by allowing them to tick the appropriate box in a paper or electronic order or personal data form. Note however that the position, size of the print and wording of the opt-out box are relevant in determining whether the proposed uses of the data are made clear to the data subject.
You can, send unsolicited marketing emails to a previous customer to market your own similar products or services, provided you gave them a clear and distinctive opportunity to object free of charge in an easy manner, to such use at the time you obtained the personal data. You must do so every time you send a previous customer unsolicited marketing email. All commercial emails whether solicited or to previous customers, should be clearly identifiable as such and contain a return address.
Where personal data is obtained from third parties such companies or other individuals must be asked to provide evidence that they obtained the information with consent, that they have consent to disclose this to you and that necessary information was given to the data subject at the time they obtained the information. Also a system needs to have been put in place to ensure that you will find out if the data subject withdraws consent, so you stop using their information at once.
Prior consent is not necessary where personal data is obtained from public sources such as telephone directories, edited versions of the electoral register, court judgments, postal addresses obtained from the Post Office, lists of company shareholders, and the like.. Personal data obtained this way is the most frequent source of unsolicited marketing and is a great source of aggravation for most people. Certain controls have therefore been put in place to regulate the use personal data obtained from some of these public sources. Thus, it is now a criminal offence to use the full version of the electoral register for commercial purposes.
You cannot make unsolicited telephone calls to those who have opted out of the preference to receive marketing calls. Even where an individual has not opted out, you must make your identity and the commercial nature of the call clear at the beginning of the call.
Failure to comply the data protection regulations may lead to criminal conviction and other regulatory sanctions. You may also be liable to compensate the data subject for losses arising from unlawful processing.