Marketing as we once knew it is dead
Jamaicans have noted their distaste and are offended by the several unsolicited texts and or e-mail they receive from their mobile service providers and other third parties. Like many other countries across the world that have implemented similar personal data privacy legislation, this is a matter that has taken front and centre in the legislation. The impact of this is that businesses now have to reimagine how they generate customer leads. Failure to do this will attract serious financial penalties that can be imposed by the commissioner as opposed to a court.
In fashioning the Data Protection Act the legislators were very clear in their intention on the social and commercial impact they wanted the legislation to have. Legislators, in particular then Senator Robert Morgan and Opposition spokesman on technology Julian Robinson, in echoing the sentiments of the public, argued that focus should remain on protecting consumers and not the business interests of corporations and telecoms companies.
Morgan’s position was that he was not concerned with the “…corporation; the consumer is entitled to the protection of their data, regardless of what are the economic incentives or obligations that exist in a particular economy”. He further argued that, “Why is it that you are recommending that we allow telemarketing companies to take my information and push ads to me without consent, and then put the onus on consumers, who are, in many cases, of varying abilities and competencies to navigate these clauses? If you’re going to really give people control of their data no one should be allowed to use their data without their permission.”
Robinson agreed with the concern, insisting that consumers should be given the choice to determine whether they want to be bombarded with messages: “What happens now is that, without your knowledge or consent, your numbers are shared with third parties. I feel strongly that it should be the other way around; consumers should be given the option to opt-in, otherwise their data shouldn’t be shared or [messages] sent to them.”
Resulting from these deliberations the Parliament passed section 10 which states: “A data controller shall not process personal data of a data subject for the purpose of direct marketing unless the data subject consents to the processing for that purpose; or is a customer of the data controller. A data controller shall not approach a data subject more than once in order to request that consent. A data controller may only process the personal data of a data subject who is a customer of that data controller if the data controller has obtained the contact details of the data subject in the context of the sale of any goods or services; for the purpose of direct marketing of the data controller’s own similar goods or services; and if the data subject has been given a reasonable opportunity to object, free of charge, and in a manner free of unnecessary formality…”
If we were to follow the decisions being handed down in the UK, one would note that there have been several complaints made by data subjects, and, subsequently, many decisions have been handed down by the UK Information Commission. In 2019 alone the Office of the Information Commissioner (ICO) received 129,354 complaints about nuisance contact or unsolicited communications for direct marketing purposes.
One such decision was the decision against the telecoms company EE Limited. Here the ICO fined the company £100,000 for sending over 2.5 million direct marketing messages to its customers, without consent. The messages, sent in early 2018, encouraged customers to access and use the My EE app to manage their account and also to upgrade their phone. A second batch of messages was sent to customers who had not engaged with the first.
During the ICO investigation EE Limited stated the texts had been sent as service messages and were therefore not covered by electronic marketing rules. However, the ICO found the messages contained direct marketing and that the company sent them deliberately. Andy White, ICO director of investigations, said: “These were marketing messages which promoted the company’s products and services. The direct marketing guidance is clear: If a message that contains customer service information also includes promotional material to buy extra products for services, it is no longer a service message and electronic marketing rules apply.
“EE Limited were aware of the law and should have known that they needed customers’ consent to send them in line with the direct marketing rules.”
“Companies should be aware that texts and e-mail providing service information which also include a marketing or promotional element must comply with the relevant legislation.”
We take a deeper look at this case and its impact in our podcast Design Privacy Weekly.
The ICO’s guidance on electronic marketing, which is consistent with section 10 of our Data Protection Act, is clear that marketing messages can be only sent to existing customers if they have given their consent and if they are given a simple way to opt out of marketing when their details are first collected and in every message sent. People (existing customers) have a right to opt out of receiving marketing at any time, at which point it’s the organisation’s responsibility to stop sending them.
It should be clear by now that marketing as we once knew it is no more. This does not mean that one can no longer market products and services to potential customers. It simply means that it cannot be done in the same manner as was done before. The earlier companies embrace this reality is the better positioned they will be to avoid regulatory action and to develop marketing lists that comply with the Data Protection Act.
On the flip side, it would be interesting to see how our commissioner would prove offences in relation to sending unsolicited text messages. While the commissioner would be able to prove a text message was sent, how would he prove who sent it. The English Parliament gave the UK commissioner sufficient power to request the disclosure of relevant information from telecommunications service providers and other such entities that are not the subject of the complaint.
The Jamaican commissioner has not been given similar powers. In Jamaica the information commissioner’s arsenal includes the ability to issue enforcement notices to compel data controllers to take or refrain from taking certain action, assessment notices to enable a determination as to whether a data controller is complying with the data protection standards and information notices requiring that specific information be furnished from data controllers. But what if the data controller has neglected to maintain records properly, or has even gone as far as to destroy records, would the commission be able to compel a communication service provider to provide the requisite information to prosecute a claim.
The Court of Appeal treated with a similar issue raised by the Independent Commission of Investigation (INDECOM) when they sought to compel a telecommunications service provider to supply it with information which the Telecommunications Act and the Interception of Communications Act require the provider to keep secret and confidential. The court found that INDECOM cannot compel a provider of telecommunications services to supply information that falls within the purview of section 47(1) of the Telecoms Act.
Notwithstanding the ability of the commissioner to prove an infringement by a data controller, marketing as we once knew it is dead. The earlier businesses sensitise themselves about the data processing standards that they are obliged to comply with the faster they can re-engineer their business processes. Parliament has provided a two-year transition period. The rationale behind this is that there is a lot of work to be done to be compliant with the Data Protection Act.
Chukwuemeka Cameron, LLM, is an attorney, trained data protection officer, podcaster, and founder of Design Privacy, a consulting firm that helps you comply with privacy laws and and build trust with your customers. Send comments to the Observer or ccameron@designprivacy.io.