Note: This advice is given by the CAP Executive about non-broadcast advertising. It does not constitute legal advice. It does not bind CAP, CAP advisory panels or the Advertising Standards Authority.
Rule 10.9 explains that consumers should usually be informed who is collecting their personal information, why it is being collected (see ‘Database Practice: Purpose of Data Collection’) and whether the information will be disclosed to any third parties, in which case the relevant opt-out or opt-in should be given (for example a box for consumers to tick). If, after collection, a marketer decides to use that information in a way that is significantly different from the one originally intended, or if they want to pass data to third parties, they must first obtain consumers' explicit consent (Rule 10.12 and ‘Passing Data to Third Parties (Consent)’). Marketers have an obligation to protect the information they have obtained (Rule 10.1 and Earth Trade Water Inc, 15 June 2011) but may use published information, subject to database rights and copyright restrictions, provided they first run it against the relevant suppression file (Rule 10.8). Harvesting of e-mail addresses from websites is likely to be illegal.
All forms of direct marketing should contain enough information for consumers to tell the marketer that they do not want to receive more correspondence. For example, it should suffice for direct mailings to include the name of the marketer, a telephone number, business address or website where consumers can opt-out of receiving marketing communications. Specific and more burdensome opt-out requirements are placed on marketers who employ more intrusive media, such as text messaging and e-mail. See ‘Consent (General)’, ‘Consent (Explicit)’ and ‘Soft Opt-In’.
We understand that the Information Commissioner’s Office (ICO) considers it unacceptable to ask subscribers to call a separate number to request suppression of data.
Marketers transferring personal information to countries outside the European Economic Area (EEA)( i.e. the 27 Member States of the EU plus Iceland, Lichtenstein and Norway), should ensure that individuals are afforded adequate protection (Rule 10.2). More information can be found in the ICO’s Data Protection Good Practice Note Outsourcing, a guide for small and medium sized businesses, available from: http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/outsourcing_-_a_guide_for_small_and_medium_businesses.pdf
Rules 10.10 and 10.11 state the extent and type of personal information obtained and held for any purpose should be adequate for, and relevant to, that purpose and should not be kept for longer than is necessary for that purpose. Neither the ASA nor CAP dictate how long marketers may retain data; we believe it is likely to depend on the nature of the marketplace. For example, it seems reasonable that a furniture, white goods or brown goods companies, operating in markets with a lengthy inter-purchase interval, should be able to retain data for longer than marketers operating in faster-moving markets. The ICO has produced very little guidance on that point.
Marketers should be aware that under the Data Protection Act 1998 they have to keep information accurate and up-to-date. Marketers who keep customer data for a long time should ensure they do so by, for example, screening it against relevant ‘Gone Away’ and ‘Suppression’ files.
Last modified : 05 August 2010
Last modified : 31 January 2012