Guidance

Direct marketing guidance for claims management companies

Published 18 August 2017

This guidance was withdrawn on

This page has been withdrawn because it’s out of date. Responsibility for the regulation of Claims Management Companies has been taken over by the Financial Conduct Authority.

1. Introduction

Tackling non-compliant direct marketing practices remains a key priority for the Claims Management Regulator (CMR). This guidance is intended to provide clarification on some of our rules, and to set clear standards for businesses to adhere to. Failure to comply with this guidance may lead to enforcement action being taken against you.

In addition to our risk-based audit programme, we have further increased our capacity to undertake more proactive reviews of businesses in order to bring businesses to compliance and promote high standards of regulatory conduct. The CMR works closely with the Information Commissioner’s Office (ICO) and the Office of Communications (Ofcom), who remain the primary regulators in this area. We share intelligence to assist with the investigation of non-compliant businesses and take firm enforcement action as required.

2. Buying or renting data, leads and referrals

If you accept data, leads or referrals (“data”) from a third party, General Rule (GR)2(e) of the Conduct of Authorised Persons Rules 2014 (CAPR) requires you to carry out due diligence to confirm that:

  1. they have been obtained compliantly; and
  2. you have sufficient consent to use them for your marketing campaign.

The enquiries that should be made, as an absolute minimum, are set out in our ‘Marketing and Advertising Guidance’.

2.1 Provenance

In order to confirm that the data has been obtained compliantly, you should be able to verify its provenance. By provenance we mean the very beginning of the data’s existence; the point at which the client’s information was originally obtained and first entered the data chain. At the very least you must be able to satisfy yourself, and us if questioned, that your supplier has obtained the data in a compliant manner. You should also verify that any other businesses that have obtained the data prior to this did so in accordance with the applicable Rules and Legislation. This is particularly important if you suspect non-compliance, for example if you are aware that your supplier has obtained data from an unauthorised business or a business that has been subject to recent enforcement action. It is not acceptable to use data that has been obtained by your supplier, or a previous party, in breach of the rules.

EXAMPLE:

If your supplier obtains leads by conducting telemarketing calls, you must ensure that it had sufficient consent to make such calls in the first place. If your supplier is unable or unwilling to demonstrate consent, or you are aware that its telemarketing calls have generated complaints, you should not use the leads.

2.2 Opt-ins

In order to ensure that you have sufficient consent to use data for your particular marketing campaign, you must obtain and review documentary evidence of consent from your supplier. The easiest way to do this is to request a representative sample of ‘opt-ins’ with each order demonstrating what the client has agreed to, when, and in what context. When determining what sample size is appropriate, you should consider the volume and frequency of data accepted, the number of sources used, and whether your marketing has generated any complaints. You must interrogate the information supplied in order to confirm sufficient consent for yourself and not rely solely on what your supplier has told you, verbally or in writing.

EXAMPLE:

Rather than simply accepting a list of ‘opt-ins’ that were obtained on a website, you should visit the website and review the opt-in statement yourself. If the ‘opt-ins’ were obtained during a telemarketing call, you should listen to the calls yourself and assess the validity of the consent. If you are unclear as to what clients are being asked to agree to, it is unlikely that consent will be valid and you should not use the data, leads or referrals.

You must retain accurate records to evidence that such enquiries have been undertaken in order to demonstrate your compliance, as required by GR2(d) of the CAPR.

2.3 Affiliate marketing

We are aware that many businesses are engaged in affiliate marketing, whereby marketing calls, texts or emails are sent on their behalf by third parties using data obtained from various sources. This is a challenging marketing model to operate compliantly. Due to the number of affiliates involved and the fact that they generally use their own data, it is challenging to carry out sufficient due diligence on the data, leads and referrals generated by such marketing. It is also very difficult to sufficiently monitor the marketing of the affiliates and maintain accurate records to reflect this. As the instigator, the business named in the marketing would be responsible for any non-compliance and may be subject to enforcement action. We strongly recommend that you do not engage in such marketing practices unless you have sufficiently robust monitoring, due diligence and record keeping procedures in place.

3. Supplying data, leads or referrals

If you supply data, leads or referrals (“data”) to third parties you must be registered under the Data Protection Act 1998 (DPA). GR15 of the CAPR requires that you comply with the obligations imposed by that legislation.

Principle 1 of the DPA requires all processing of data, including the referral of data to third parties, to be fair and lawful. Therefore, you must have sufficient consent to pass data to third parties. The definition of consent is outlined in our ‘Marketing and Advertising Guidance’, and must be freely given, specific and informed. You must also have regard to the other DPA principles when processing data.

Clients must understand exactly what you intend to do with their information. In the context of direct marketing, they must understand that their information will be passed to a specific business, or category of businesses, to be used for a prescribed type of marketing. If the manner in which you obtain consent is unclear or unnecessarily complex, then consent is unlikely to be sufficient. If you pass data to third parties without sufficient consent, you will be placing both yourself and the third party in breach.

In order for consent to be sufficiently specific, the opt-in statement must not contain a long list of different businesses or sectors, even if they are quite precise. It would not be reasonable for a client to anticipate receiving email marketing regarding PPI, for example, if they were also told that they may receive marketing communications via several different channels from a number of other specific industry sectors. You must ensure that, when collecting personal data, clients are able to anticipate what business(es) will be contacting them, by what means, and in relation to what services.

EXAMPLE:

You operate a competition website that collects client information at the point of registration. Clients are asked to tick a box agreeing to your conditions and privacy policy. The privacy policy states:

“By entering into this prize draw you agree that selected third parties may contact you via electronic means with new products and services. The sectors you can expect to receive third party products, information, services or special offers from are – Entertainment, Aerospace & Engineering, Travel, Beverages, Cars, Charity, Debt Management, Educational Programmes, Fashion, Finance, mis-sold PBA, Food Retailers, Gambling, Health & Beauty, Home & Lifestyle, Mobility, Home Improvement, Life Insurance, Home Insurance, Legal Services, Competitions, Lottery, Gardening, Music, Pensions, mis-sold PPI, Publishing/Media, Retail, Sport, Telecoms, Toiletries/Cosmetics, Tobacco, Utilities”

As consent is required in order to register on the website, it is not freely given. Furthermore, it is difficult to anticipate exactly what type of marketing the client will receive as it merely states “via electronic means”, or what type of business will send it due to the number of different sectors listed. As it is difficult for clients to understand exactly what they are consenting to, consent is also unlikely to be informed.

We have identified some businesses attempting to rely on alternative conditions for fair processing when using or passing data for marketing purposes. Some have argued that the processing is necessary for the purposes of legitimate interests pursued by them or by the third party to which the data is disclosed. It is unlikely that this would be sufficient in the context of direct marketing, due to the potential harm this would have on the rights and freedoms of the data subjects. We would therefore require you to be able to evidence sufficient consent in these circumstances. If you are unable to do this, you must not use the data.

We are also aware that some businesses are obtaining data from publicly available lists, such as Companies House or the electoral roll, and are therefore unable to demonstrate that any consent has been provided. Again, it is unlikely that the processing of data in these circumstances would be fair and lawful and we would not expect you to use data obtained in this manner.

Any communications in which you attempt to generate data or obtain consent constitute marketing and must also comply with the relevant Rules and Legislation. In particular, you must ensure that you have sufficient consent. The use of fair processing notices is also unlikely to satisfy the fair and lawful processing requirements set out in the DPA. If the notice is used as a mechanism to obtain consent for direct marketing, this would constitute marketing in itself and you would therefore require consent to do this.

4. Dialler management

4.1 Silent and abandoned calls

If you operate an auto-dialler, you should be aware that Ofcom has updated its policy statement on the persistent misuse of electronic communication networks and services. It sets out Ofcom’s requirements for the operation of automated dialling systems and their approach to enforcement action for non-compliance. This applies from 1 March 2017.

The forms of misuse that Ofcom is most likely to investigate relate to silent and abandoned calls, although the statement does refer to other types of misuse as well. Ofcom considers both silent and abandoned calls to be misuse. However, silent calls are likely to be more harmful because less information is provided to the recipient, who consequently may be more likely to find the call threatening and/or malicious. Previously, Ofcom advised that abandoned calls should not exceed 3% of live calls over a 24-hour period. However, there is no longer any acceptable silent or abandoned call rate.

You must keep your abandoned call rate as low as possible and ensure that you play a recorded information message in circumstances where a live person is not available to speak to the client. Silent calls (calls in which no information message is played) are unacceptable. The information message must:

  • identify you or the third party you are calling on behalf of;
  • explain that you or the third party attempted to call the recipient;
  • provide a basic rate number that the recipient can call in order to decline further calls; and
  • not include any marketing content.

Ofcom has powers under sections 128-130 of the Communications Act 2003. You are reminded that you must observe all laws and regulations relevant to your business in accordance with GR5 of the CAPR.

4.2 Persistent calls

You must not make excessive marketing calls to clients, even if those calls are not answered. Persistent and excessive marketing calls can cause unnecessary stress and anxiety, particularly to more vulnerable clients. We are aware of a business that routinely attempted to contact clients for marketing purposes up to three times a day, every day for several months. This is unacceptable and constitutes a breach of Client Specific Rule (CSR) 1(a) of the CAPR. You must act fairly and reasonably in dealings with your clients, including during your marketing campaigns. If you use an auto-dialler you must manage it effectively to ensure that it does not result in excessive call attempts, call backs or otherwise unfair and unreasonable telemarketing practices.

4.3 Calling Line Identification

CSR4 of the CAPR requires you to comply with the Direct Marketing Association’s Code when marketing by telephone, email, SMS and fax. Rule 2.2 of the Direct Marketing Association’s Code requires you to display a valid Calling Line Identification (CLI) on which a return call can be made when making any outbound marketing calls.

There is now a legal obligation on businesses in all sectors, including claims management, to do the same. The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2016 came into force on 16 May 2016. They amended Regulations 19 and 21 so that, when making live or automated marketing calls, businesses are now required to display a valid CLI on which they can be contacted.

In addition, Ofcom’s policy statement on the persistent misuse of electronic communication networks and services also details what they would deem misuse of a CLI facility. This includes withholding CLIs, displaying a CLI which is not authentic or is a controlled premium rate service number, and using multiple CLIs without any justified reason. You must familiarise yourself with these requirements and ensure that your telemarketing practices comply.

5. What’s next?

There are a number of forthcoming changes that you need to be aware of. They are likely to impact on the operation of your business and we suggest that you begin to make preparations for any changes.

5.1 General Data Protection Regulations 2018

The General Data Protection Regulations (GDPR) will apply in the UK from 25 May 2018; Brexit will not affect this. Although there are some similarities with existing data protection legislation, the GDPR also impose a number of new and additional obligations. The GDPR apply to any business that handles or processes any kind of data, so it is very likely that you will be affected by these changes. For further information please review the ICO’s website.

5.2 Digital Economy Act 2017

Section 96 of the Digital Economy Act 2017 sets out the ICO’s obligation to prepare a code of practice containing practical guidance in relation to direct marketing and best practice standards. The code is likely to provide more clarity to the rules regarding third party and aged consent, and impose additional statutory obligations on businesses.