It can be an expensive business if you don’t stay within the law too, not to mention the potential damage it can cause to your own or your client’s reputation and brand.
Companies or its directors not meeting their legal obligations can potentially be fined up to £500,000 by the Information Commissioner's Office (ICO). Monetary penalties have been issued for making repeated marketing calls to numbers listed on the Corporate / Telephone Preference Service (C/TPS) registers and ignoring people’s objections to those calls including:
To understand your obligations fully, it’s a good idea to be aware of the two main pieces of legislation relating to making marketing phone calls and processing personal data.
The UK GDPR is the UK General Data Protection Regulation. It is a UK law which came into effect on 01 January 2021. It sets out the key principles, rights and obligations for most processing of personal data in the UK, except for law enforcement and intelligence agencies (which is covered by the Data Protection Act 2018). It is based on the EU GDPR (General Data Protection Regulation (EU) 2016/679) which applied in the UK before that date, with some changes to make it work more effectively in a UK context. See The ICO's UK GDPR guide for more details.
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) sets out rules for sending marketing and advertising by electronic means, such as by telephone, fax, email, text and picture or video message, or by using automated calling systems.
PECR also covers use of cookies or similar technologies that track information about people viewing a website or other e-service; security of public electronic communications services; privacy of customers using communications networks or services including traffic and location data, itemised billing, line identification services (e.g. caller ID and call return) and directory listings. See The ICO's PECR guide for more details.
PECR have been updated a number of times. Recent changes were made in 2018, to introduce personal director liability for serious breaches and ban cold-calling of claims management services. Then in 2019 to ban cold-calling of pensions schemes in certain circumstances (see below) and to incorporate the UK GDPR definition of consent.
The rules on live marketing calls are in regulation 21 of PECR. In short, you must not make unsolicited live marketing calls:
You must always say who is calling, allow your number (or an alternative contact number) to be displayed to the person receiving the call, and provide a contact address or freephone number if asked.
So if you’re making live calls you must:
The rules on automated calls are in regulation 19 of PECR, and are stricter. You must not make an automated marketing call – that is, a call made by an automated dialling system that plays a recorded message – unless the person has specifically consented to receive this type of call from you. General consent for marketing, or even consent for live calls, is not enough – it must specifically cover automated calls.
All automated calls must include your name and a contact address or freephone number. You must also allow your number (or an alternative contact number) to be displayed to the person receiving the call.
For further information, see the ICO’s guidance on direct marketing.
If you are calling purchased or rented lists of prospect data you cannot simply rely on the data seller to have complied with the law. It is your responsibility to make sure that the data is legally compliant. You will need to:
One way to ensure that the data that you’re calling complies with the legislation is to use data providers that are Direct Marketing Association (DMA) members. See www.dma.org.uk
Many people think that it is not necessary to screen against TPS or CTPS if the number being called is an existing customer:
An organisation might want to continue calling an existing customer who has registered with the TPS even though they have not specifically consented, because it is confident in light of the past relationship that they would not object. However, calls in these circumstances are in breach of PECR and could result in enforcement action. Direct Marketing, ICO
Even if you consider an individual or company to be a customer, you still need GDPR-level consent to make marketing calls them if they are TPS or CTPS-registered.
For further information, see the ICO’s guidance on direct marketing.
The content above is intended only to provide a summary and general overview on matters of interest. It is not intended to be comprehensive nor does it constitute legal advice. We attempt to ensure that the content is current but we do not guarantee its currency. You should seek legal or other professional advice before acting or relying on any of the content above.
Contact Us and see how we can help