© Crown copyright 2018
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: firstname.lastname@example.org.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/claims-management-companies-marketing-and-advertising-guidance/marketing-and-advertising-guidance-for-claims-management-companies
Chapter 1 – Introduction
This guidance note is intended to assist authorised claims management businesses to ensure that their advertising and marketing complies with the Conduct of Authorised Persons Rules 2018 (CAPR) and other relevant legislation. Businesses are advised to ensure that they are aware of the CAPR.
For further marketing advice, or business advice generally, businesses should contact us on 0333 200 0110 or email@example.com.
This guidance note gives a brief outline of relevant legislation for marketing and advertising including:
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) (as amended by the Financial Claims and Guidance Act 2018);
This guidance is not exhaustive, and businesses are advised to contact the relevant regulator or organisation, or obtain independent advice, for further information about their obligations and compliance with the above legislation.
Chapter 2 – Content of Marketing
This chapter outlines some of the regulatory requirements surrounding the content of marketing. All marketing must comply with the CAPR in its entirety. This includes, but is not limited to the following rules, which have been selected because they relate to more common issues identified with marketing:
Client Specific Rule 1(c)
You must ensure that any information provided to existing and prospective clients is clear, transparent, fair and not misleading.
Common examples of misleading marketing include:
- stating that a specific amount of compensation is due to a client.
- advising that a claim will be completed within a specific timescale.
- failure to clearly explain fees.
- implying that your business is a firm of solicitors.
Client Specific Rule 2
All advertising, marketing and other soliciting of business must conform to the relevant code:
- The UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing (CAP Code); or
- The UK Code of Broadcast Advertising (BCAP Code).
Direct marketing communications fall within the CAP Code, whereas TV and radio advertising is governed by the BCAP Code. For the purposes of this rule a business’s website shall be deemed to constitute advertising, and must comply with the CAP Code.
Client Specific Rule 4
Cold calling in person is prohibited. Any marketing by telephone, email, fax or text shall be in accordance with the DMA Code and any related guidance issued by the Direct Marketing Association.
You must comply with the DMA Code and associated guidance even if you are not a member of the Direct Marketing Association.
Client Specific Rule 6(a)
In soliciting business through advertising, marketing and other means a business must clearly identify the name of the advertiser.
This includes telemarketing calls in addition to SMS, email and voice broadcast marketing. You must ensure that any trading names used in marketing have been declared to the Regulator in accordance with General 16(a) of the CAPR.
Client Specific Rule 6(d)
You must not imply that your business is approved by or connected to any government agency or regulator.
If you wish to mention in marketing that your business is authorised, you may only use the following words in their entirety:
Regulated by the Claims Management Regulator in respect of regulated claims management activities.
This applies to verbal representations made by your sales staff during telemarketing calls, and any statements made within SMS, email or voice broadcast marketing.
Client Specific Rule 7
The use of the expression “no win no fee” must be in accordance with the CAP Help Note on “No Win No Fee claims”. If you charge any fees in the event that a claim is unsuccessful, you must qualify your “no win no fee” statements accordingly.
Examples of when “no win no fee” statements should be qualified:
- The client will be charged a fee if they cancel their contract after the 14 day cooling off period, in accordance with Client Specific Rule 18 of the CAPR.
Client Specific Rule 8
Where business is introduced to a solicitor, the business must not act in a way that puts the solicitor in breach of the rules governing solicitors’ conduct.
This means you must not introduce claims, or details of potential claims, to a solicitor if these have been obtained via an unsolicited approach in person or by telephone.
Client Specific Rule 9
A business must seek to ensure that any publicity for its services issued by a third party and which is intended to solicit business for it complies with these rules.
You must ensure that any marketing conducted by a third party on your behalf complies with the CAPR and other relevant legislation. You must have procedures in place to monitor the marketing activity of the third party, and appropriate records to evidence the monitoring you have undertaken.
Chapter 3 General Data Protection Regulations
This chapter outlines what constitutes valid consent to comply with the General Data Protection Regulations (GDPR).
Further information can be found in the ICO Guide to the GDPR.
Any processing of personal data, including buying, selling and direct marketing, must comply with the GDPR. Article 5 of the GDPR provides 6 data processing principles, the first of which states that personal data must be processed lawfully, fairly and in a transparent manner. Article 6 of the GDPR provides a number of lawful bases on which data can be processed. In the context of direct marketing, the only 2 bases that could apply are consent and (very occasionally) legitimate interests.
Article 4(11) of the GDPR defines consent as:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
Clients must be able to choose whether to provide consent. This must be a genuine choice and cannot be a result of undue incentives or coercion. Furthermore, the provision of consent must not be a condition of subscribing to a service or completing a transaction. If you purchase data from a third party, you must ensure that any consent obtained by the third party was freely given and meets all the other requirements of consent under GDPR.
|Good Practice||Bad Practice|
|A business collects client details via an online competition site. Clients are able to provide consent to their data being used for marketing purposes. They are also able to take part in the competitions without providing such consent. Consent in these circumstances would be freely given as the client is still able to use the services offered by the business without providing consent to marketing. The client therefore has a genuine choice and has not been unduly incentivised.||A business collects client details via an online application form. Clients are able to opt-out of receiving marketing communications by ticking an opt-out box. However, they are unable to submit the application form, and therefore subscribe to the service offered by the business, if they do this. This would not constitute valid consent as the client would feel obliged to consent to marketing proposes so that they could use the services offered by the business.|
Specific & Informed
Consent must be specific to the type of marketing and the organisation sending it. The organisation must be named, as must any third parties that will also rely on the consent. Specific categories of organisations that may send marketing communications are not sufficient for GDPR consent. Clients must be able to understand exactly what they are consenting to. When collecting personal data, you must clearly and prominently explain what their data will be used for. Such details should not be hidden in dense privacy policies or ‘small print’ which is difficult to understand or is rarely read. Consent must be separate for different processing purposes e.g. direct marketing, and different processing activities e.g. type of marketing. If you purchase data from a third party, you must ensure that any consent obtained by the third party was specific and informed.
|Good Practice||Bad Practice|
|By ticking the boxes below you agree to your personal information being shared with Business X who may contact you in respect to a mis-sold PPI claim: [SMS, Email, Telephone] Consent in these circumstances is sufficiently specific as it provides the name of the organisation seeking to rely on it and the method of marketing. Consent is also granular, as the client is able to provide consent to certain methods of contact and not others.||The opt-in statement says: “We may pass your details onto third parties for marketing purposes, including lead generators, direct marketing service providers, reference agencies and data validation experts.” This would not constitute sufficient consent as the business relying on the consent is not named. Furthermore, consent is not granular as there is only an option to consent to all or none of the third parties.|
|A business collects client’s details during a marketing call during which questions are asked on behalf of several third parties. After each question, the client is asked whether they consent to their details being passed to a particular business who may contact them by a particular method. This would constitute informed consent because the client is given granular options to consent to some and not all third parties. The provision of consent is separate and not hidden in the content of the call.||A business makes a marketing call to a client during which they are asked if they would be happy to receive marketing material from a named business. The client agrees and is then played an automated message that rapidly lists this business as well as several other named companies; this is extremely difficult to understand. This would not constitute informed consent because the client was asked to agree to marketing before they knew which business may contact them. The client was not given granular options to consent and so could only provide consent to all or none of the businesses. Furthermore, the client was unable to identify the business due to the speed at which the automated message was played.|
By a statement or by a clear affirmative action signifying agreement
Consent must be a positive expression of choice. You cannot assume consent from a failure to opt-out. Recital 32 of the GDPR states that consent should be given by a clear affirmative act such as a written or oral statement. This could include ticking a box when visiting a website or verbally providing consent during a phone call. Silence, opt-out, pre-ticked boxes, or inactivity do not constitute consent.
The easiest and clearest way to obtain consent is directly from clients. If consent was originally provided to a third party, as is the case when you purchase data, leads or referrals from another business, you must ensure that you were specifically named when the client provided consent. If you purchase data from a third party, General Rule 2(e) requires you to undertake professional diligence to ensure any referrals, leads or data have been obtained in accordance with the requirements of the legislation and rules. Such due diligence must be documented as required by General Rule 2(d).
If you are unable to ensure that consent meets the standard required by the GDPR, you should not use this data for direct marketing purposes. Where you are relying on data or leads supplied by third parties, you must also undertake and document sufficient due diligence on the third parties and the data obtained. Further guidance on due diligence can be found in the relevant section below.
If you are unsure of your legal obligations, or you require more general advice on the retention and/or processing of personal data, you should seek legal advice or contact the ICO.
Very occasionally, you may be able to rely on the legitimate interests’ lawful basis for direct marketing. Recital 47 of the GDPR states that direct marketing itself could be considered legitimate interest. If you intend to rely on this ground you must balance your legitimate interests against the rights and freedoms of the clients. If a client is registered to the Telephone or Mail Preference Services, you cannot rely on legitimate interests and can only process their data with their consent. Registration with these services is a clear indication that they do not want to receive marketing. Furthermore, if PECR states that you need consent to conduct certain marketing (such as SMS, email and automated calling), you must rely on consent as your lawful basis and cannot rely on legitimate interests. It will not be possible to rely on legitimate interests in the context of electronic direct marketing.
We are aware that some businesses are obtaining data from publicly available lists, such as Companies House or the electoral role, and are therefore unable to demonstrate that any consent has been provided. Again, it is unlikely that the processing of data in these circumstances would be fair and lawful and we would not expect you to use data obtained in this manner.
Chapter 4 – Live Telemarketing
This chapter outlines the regulatory requirements surrounding live telemarketing campaigns.
Further information can be found in the ICO Direct Marketing Guidance
Solicited and unsolicited marketing
It is a question of fact whether your marketing is solicited or unsolicited.
Solicited marketing is marketing that a client has specifically requested. PECR rules only apply to ‘unsolicited’ marketing messages, and the GDPR will not prevent you providing information which has been asked for. If someone specifically asks a business to send them particular marketing material, it can do so.
A client submits an online form with their details requesting information from X Business about making a mis-sold PPI claim. X Business receives this enquiry and subsequently calls the client to provide this information. This call would be solicited; however, any subsequent marketing calls would be unsolicited if they have not been specifically requested by the client.
When submitting the online form, the client also ticked a box opting in to receive information about future offers and services. A few months later, X Business calls the client to offer its mis-sold packaged bank account services. This is unsolicited marketing because the client has not specifically requested the call.
If the telemarketing calls you make are unsolicited you must ensure that such marketing complies with PECR: specifically regulations 21 and 24. Failure to comply with PECR would constitute a breach of General Rule 5 of the CAPR.
Referrals to solicitors
Client Specific Rule 8 of the CAPR states that a business must not act in a way that would put a solicitor in breach of the rules governing solicitors’ conduct. The Solicitors’ Regulation Authority (SRA) Code requires solicitors to satisfy themselves that any client introduced to them has not been acquired by way of an unsolicited approach by telephone or in person.
You must ensure that any telemarketing calls made to clients, who are subsequently introduced to a solicitor, are solicited. This means that you cannot contact a client by telephone unless:
(a) they have explicitly agreed to be contacted about making a claim; and
(b) their contact details were not obtained as a result of an unsolicited approach, in person or by telephone, by your business or any other third party.
The type of claim that the client has consented to receive marketing in relation to must be specific to the one that you are marketing. For example, if you intend to introduce clients to a solicitor in relation to a personal injury claim, the client must have agreed to be contacted about making a claim for personal injury. It is not permissible to approach a client that has agreed to be contacted about making another type of claim, such as mis-sold PPI, and market personal injury claim services to them instead.
If you purchase data from a third party, General Rule 2(e) requires you to undertake professional diligence to ensure any referrals, leads or data have been obtained in accordance with the requirements of the legislation and rules. You must ensure that you document this due diligence appropriately to comply with General Rule 2(d).
Cold Call Ban
The Financial Guidance and Claims Act 2018 introduced a cold call ban for claims management by inserting Regulation 21A into PECR , effective from 8 September 2018. This prohibits businesses from making live marketing calls in respect to claims management services without the prior consent of the recipient. Such consent must meet the GDPR requirements, as set out in Chapter 3. Therefore, you can only make a telemarketing call to a client in respect to claims management services if they have actively agreed to receive marketing calls from you. You must ensure that such consent is recorded, as required by Generals Rules 2(e) and (d).
Caller Line Identification
Regulations 19 and 21 of PECR (as amended by Regulation 2 of The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2016) require businesses to display a valid caller line identification (CLI) when making live or automated marketing calls on which they can be contacted. In addition, Rule 2.2 of the DMA Code requires you to provide a valid CLI, to which a return call can be made, when making any outbound calls. Failure to comply with this Rule would constitute a breach of Client Specific Rule 4 of the CAPR.
Chapter 5 – Automatic diallers
This chapter outlines some of the regulatory requirements regarding the operation of automatic diallers. When using automatic diallers there are a number of requirements that you must comply with to ensure that you use the equipment correctly, and are not persistently misusing the systems.
If you operate an auto-dialler, you should be aware that the Office of Communications (Ofcom) has updated its policy statement on the persistent misuse of electronic communication networks and services. It sets out Ofcom’s requirements for the operation of automated dialling systems and their approach to enforcement action for non-compliance.
Ofcom considers both silent and abandoned calls to be misuse and are most likely to investigate these types of calls, although the statement does refer to other types of misuse as well. Silent calls are likely to be more harmful than abandoned calls because less information is provided to the recipient, who consequently may be more likely to find the call threatening and/or malicious. Previously, Ofcom advised that abandoned calls shall exceed no more than 3% of live calls over a 24-hour period. However, there is no longer any acceptable silent or abandoned call rate.
You must keep your abandoned call rate as low as possible and ensure that you play a recorded information message in circumstances where a live person is not available to speak to the client. Silent calls (calls in which no information message is played) are unacceptable. The information message must:
- identify you or the third party you are calling on behalf of;
- explain that you or the third party attempted to call the recipient;
- provide a basic rate number that the recipient can call to decline further calls; and
- not include any marketing content
Ofcom has powers under sections 128-130 of the Communications Act 2003 to impose penalties of up to £2 million for persistent misuse of electronic communications networks and services. You are reminded that you must observe all laws and regulations relevant to your business in accordance with General Rule 5 of the CAPR.
You must not make excessive marketing calls to clients, even if those calls are not answered. Persistent and excessive marketing calls can cause unnecessary stress and anxiety, particularly to more vulnerable clients. We are aware of a business that routinely attempted to contact clients for marketing purposes up to three times a day, every day for several months. This is unacceptable and constitutes a breach of Client Specific Rule 1(a) of the CAPR. You must act fairly and reasonably in dealings with your clients, including during your marketing campaigns. If you use an auto dialler you must manage it effectively to ensure that it does not result in excessive call attempts, call backs or otherwise unfair and unreasonable telemarketing practices.
Chapter 6 – SMS and email marketing
This chapter outlines the regulatory requirements surrounding SMS and email marketing.
Regulation 22(2) of PECR prohibits businesses from sending SMS or email marketing without the prior consent of the recipient. Consent must meet the GDPR requirements, as set out in Chapter 3. Therefore, you can only send SMS or email marketing to a client if they have actively agreed to receive such marketing from you. If you buy or rent a list of numbers or email addresses from a third party you cannot rely on assurances provided by that party that you have sufficient consent to send SMS or email marketing. If you send SMS or email marketing without sufficient consent you will still be in breach of Regulation 22(2) of PECR despite any assurances provided by the third party, and could be subject to enforcement action. You must therefore undertake thorough due diligence to ascertain whether your business has sufficient consent and retain documentary evidence as required by General Rules 2(d) and (e) of the CAPR. If you are unable to ascertain this, you must not use the data, leads or referrals to send SMS or email marketing.
Regulation 22(3) of PECR allows the transmission of SMS or email marketing in limited circumstances if:
- you have obtained the contact details of the recipient during the course of the sale or negotiations for the sale of a product or service to that recipient
- the marketing is in respect of similar products and services offered by your business only
- the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for marketing purposes, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.
Further information can be found in the ICO Direct Marketing Guidance
Chapter 7 – Automated calls
This chapter outlines the regulatory requirements surrounding automated calls (also known as ‘voice broadcast’ marketing).
Regulation 19(1) of PECR prohibits the transmission of voice broadcast marketing unless the recipient has consented to receiving such marketing. Consent must meet the GDPR requirements, as set out in Chapter 3. Therefore, you can only make automated marketing calls to a client if they have actively agreed to receive such marketing from you.
If you buy or rent a list numbers from a third party you cannot rely on assurances provided by that party that you have sufficient consent to transmit voice broadcast marketing to the clients. If you transmit voice broadcast marketing without consent, despite assurances you will still be in breach of Regulation 19 of PECR and could be subject to enforcement action. You must therefore undertake thorough due diligence to ascertain whether your business has sufficient consent and retain documentary evidence of this, in accordance with General Rules 2(d) and (e) of the CAPR. If you are unable to ascertain this, you must not use the data, leads or referrals to transmit voice broadcast marketing.
Chapter 8 - Consent timescales
Consent does not last indefinitely. Regulations 19, 21 and 22 of PECR state that consent lasts only “for the time being”. Therefore, you must ensure that consent is up to date and remains a current indication of the client’s wishes. How long consent remains valid will depend on the context. However, as a general rule you should not rely on consent provided more than 6 months ago. You should regularly review your consents to ensure that they remain up to date.
Chapter 9 – Suppression
Clients have the right to object to future marketing from you. If you continue to make telemarketing calls or send electronic marketing to a client after they have expressed an objection to receiving such marketing, you will be in breach of PECR. When sending SMS or email marketing, Regulation 23 of PECR requires that a valid address is provided, to which the recipient can send an opt-out request. This could be a postal or email address. Short code numbers (e.g. ‘reply STOP to opt-out’) can be used in SMS marketing, as long as they do not incur costs other than the cost of sending the opt-out message. Failure to comply with PECR constitutes a breach of General Rule 5 of the CAPR.
To ensure that further marketing is not sent to clients who have expressed an objection, you should enter their telephone number and / or email address into a suppression list, as required by Rule 1.2 of the DMA Code. You must screen all data against this list prior to making any marketing calls or sending any electronic marketing and cannot contact any number or email address contained within it. Failure to do so would constitute a breach of Client Specific Rule 4 of the CAPR.
Article 21 of the GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing. An individual can make an objection verbally or in writing and you have one calendar month to respond to an objection. However, this does not mean that you need to erase the individual’s personal data completely, and in most cases it will be preferable to suppress their details instead. Therefore, you should only retain the minimal amount of data required to ensure that further marketing is not sent to the client i.e. a telephone number or email address. Failure to comply with the GDPR constitutes a breach of General Rule 15.
Chapter 10 – Third Party Marketing
This chapter outlines the regulatory requirements surrounding marketing conducted by third parties.
Client Specific Rule 9 states that you are responsible for any marketing undertaken by a third party which is intended to market the services of your business. This applies even if the third party carries out marketing in its own name rather than your name and/or the marketing is intended to market the services of other businesses in addition to yours.
In addition, Regulations 19, 21 and 22 of PECR make reference to the ‘instigator’ of the marketing. The ‘instigator’ is the business that brings about or initiates the marketing i.e. the business who instructs a secondary business to conduct telemarketing on its behalf. Both the instigator of the marketing and the business physically carrying out the marketing must comply with PECR and may be subject to enforcement action if any breaches occur. You must therefore undertake thorough due diligence to ensure that any marketing carried out on your behalf by a third party is compliant. Due diligence must be appropriately recorded in accordance with General Rule 2(d) of the CAPR.
Regulations 19, 21 and 22 of PECR prohibit the making of unsolicited telemarketing calls, automated calls, email and SMS marketing to any person that has expressed an objection to such marketing. These Regulations apply to both the caller/sender of the marketing and the instigator. If somebody expresses an objection directly to your business to receiving further marketing, both your business and any third party marketing on its behalf must suppress their details and cannot send any further marketing to that person, if such marketing is intended to promote the services of your business.
- X Business sends SMS marketing on behalf of Y Business to generate leads for mis-sold PPI claims. The SMS requests that the client responds ‘PPI’ if they are interested in making a PPI claim. Positive responses are then passed to Y Business to make telemarketing calls to interested clients.
- If a client tells Y Business that they do not wish to receive further marketing communications from them, Y Business must also ensure that X Business does not send any further SMS marketing to the client either. If X Business does send a further marketing SMS to the client, this would constitute a breach of Regulation 22 of PECR and X Business or Y Business could be subject to enforcement action.
Chapter 11 – Due diligence when purchasing or renting data, leads or referrals
This chapter outlines the regulatory requirements surrounding the purchase or rental of data, leads or referrals from a third party for marketing purposes. In particular, it addresses the requirement for data providers to be authorised and the minimum due diligence that should be undertaken when purchasing or renting data, leads or referrals from a third party.
If you accept data, leads or referrals (“data”) from a third party, General Rule 2(e) of the CAPR requires you to carry out due diligence to confirm that:
- it has been obtained compliantly; and
- you have sufficient consent to use it for your marketing campaign.
In addition, Article 7(1) of the GDPR states “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
Therefore, you must operate a procedure that verifies the source of any data, leads or referrals acquired from third parties and retain evidence to demonstrate that you have followed this procedure. For further information please read the Claims management regulation guidance note on the Conduct of Authorised Persons Rules 2014.
The following enquiries should be made, as an absolute minimum, when purchasing or renting data, leads or referrals from a third party:
Does the third party require authorisation?
The seeking out and referral of data, leads and referrals specific to the claims management sector, as detailed in Articles 4(2) and (3) of The Compensation (Regulated Claims Management Services) Order 2006, constitutes regulated claims management activity. If you wish to purchase such data, leads or referrals from a third party you must ensure that the third party is authorised by the Claims Management Regulator or otherwise exempt. Should you buy or rent such data, leads or referrals from an unauthorised business, you could be guilty of aiding, abetting, counselling or procuring the offence of providing regulated claims management services without authorisation.
For further information please see the Who Needs to be Authorised guidance.
Was the data obtained compliantly by the third party?
You must verify the method by which consent was obtained and ensure that this complies with the CAPRs and other legislation. You must also be able to verify the source of the data, where and how the data, leads or referrals were originally obtained and be able to demonstrate that this was done so compliantly. If you are unable to do this, you must not use the data, leads or referrals.
Have you verified the provenance of the data, leads or referrals?
To confirm that the data has been obtained compliantly, you should be able to verify its provenance. By provenance we mean the very beginning of the data’s existence; the point at which the client’s information was originally obtained and first entered the data chain. At the very least you must be able to satisfy yourself, and us if questioned, that your supplier has obtained the data in a compliant manner. You should also verify that any other businesses that have obtained the data prior to this did so in accordance with the applicable rules and legislation. This is particularly important if you suspect non-compliance, for example if you are aware that your supplier has obtained data from an unauthorised business or a business that has been subject to recent enforcement action. It is not acceptable to use data that has been obtained by your supplier, or a previous party, in breach of the rules.
Example If your supplier obtains leads by conducting telemarketing calls, you must ensure that it had sufficient consent to make such calls in the first place. If your supplier is unable or unwilling to demonstrate consent, or you are aware that its telemarketing calls have generated complaints, you should not use the leads.
Do you have sufficient consent to use the data, leads or referrals for your intended marketing campaign?
You must have consent to make live or automated marketing calls, or send SMS or email marketing to clients. Such consent must meet the GDPR standards as outlined above.
When was consent obtained?
Consent does not last indefinitely. You must ascertain when consent was obtained to ensure that it remains an indication of the client’s current wishes. As a general rule, you should not rely on consent provided more than 6 months ago.
How can I check that the leads have been obtained compliantly?
To ensure that you have sufficient consent to use data for your particular marketing campaign, you must obtain and review documentary evidence of consent from your supplier. The easiest way to do this is to request a representative sample of ‘opt-ins’ with each order demonstrating what the client has agreed to, when, and in what context. When determining what sample size is appropriate, you should consider the volume and frequency of data accepted, the number of sources used, and whether your marketing has generated any complaints. You must interrogate the information supplied to confirm sufficient consent for yourself and not rely solely on what your supplier has told you, verbally or in writing.
Example Rather than simply accepting a list of ‘opt-ins’ that were obtained on a website, you should visit the website and review the opt-in statement yourself. If the ‘opt-ins’ were obtained during a telemarketing call, you should listen to the calls yourself and assess the validity of the consent. If you are unclear as to what clients are being asked to agree to, it is unlikely that consent will be valid and you should not use the data, leads or referrals.
You could also request the third party provide (this list is not exhaustive):
- call recordings to evidence consent if it was obtained during a telephone survey
- IP addresses and screenshots to evidence consent if it was obtained via a website or online survey
- date and time stamps on all data, leads or referrals purchased or rented
- written confirmation of the ‘opt in’ statement
- request screening reports from your supplier
The Data Guide which accompanies the DMA Code also states that businesses must:
- clarify opt-ins - when undertaking any data capture on third-party sites, ensure all opt-ins are very clear and ask to see all of the websites and places where the data will be collected
- check sign-up process - go through the process yourself to check that it is clear to your customer what they are signing up for and that they are not being forced into receiving marketing communications
- ask for a datacard on the lists you are considering buying or renting - the datacard is similar to an advertising rate card and will contain information such as when the datacard was last updated, whether the list has been cleaned against the appropriate preference service suppression file, how data has been collected and how it can be used
The Information Commissioner’s Office has produced a Direct Marketing checklist which may assist when undertaking due diligence.
The above is not an exhaustive list and there may be additional checks you wish to carry out to establish the legitimacy of the data, leads or referrals purchased or rented by your business. Ultimately, it is your responsibility to ensure that the data, leads and referrals are compliant, regardless of any assurances about the data you may have received. All of the above checks must be appropriately documented as required by General Rule 2(d) of the CAPR.
We are aware that many businesses are engaged in affiliate marketing, whereby marketing calls, texts or emails are sent on their behalf by third parties using data obtained from various sources. This is a challenging marketing model to operate compliantly. Due to the number of affiliates involved and the fact that they generally use their own data, it is challenging to carry out sufficient due diligence on the data, leads and referrals generated by such marketing. It is also very difficult to sufficiently monitor the marketing of the affiliates and maintain accurate records to reflect this. As the instigator, the business named in the marketing would be responsible for any non-compliance and may be subject to enforcement action. We strongly recommend that you do not engage in such marketing practices unless you have sufficient robust monitoring, due diligence and record keeping procedures in place.
Chapter 12 – Website compliance
This chapter outlines the regulatory requirements surrounding website content.
For further information please see the ICO Guide to Privacy and Electronic Communications Regulations - Cookies and similar technologies
The content of website marketing must comply with the rules outlined in Chapter 2 of this guidance note. It must also comply with the Electronic Commerce (EC Directive) Regulations 2002. The regulations require that any websites that offer a service include:
- the name of the business - if your business is a limited company you should provide the full legal entity name, if your business is a sole trader business you must provide your name
- the geographic address at which the business is established - PO Box numbers are permitted only in conjunction with an actual address
- the contact details of the business, including an electronic address
- the regulatory statement:
X Business is regulated by the Claims Management Regulator in respect of regulated claims management activities; its registration is recorded on the website www.gov.uk/moj/cmr
In addition, the Companies (Trading Disclosures) Regulations 2008 Limited requires companies to disclose certain information on their websites. This includes:
- the company’s full corporate name
- the registered office address
- the registration number and country of registration
Sole traders must disclose their name as the entity that is the authorised business, a trading name is insufficient.