One of the basic rules that apply to direct marketing is getting the consent of individuals to use their personal data for direct marketing purposes (opt-in), or at least granting the right to refuse the use of individuals’ personal data (opt-out) free of charge. In other words, good business practice in our industry usually means following Regulation 13 of the Electronic Privacy Regulations, which sets guidelines such as:

  • Provide a statement of use when you collect details and make sure you clearly explain what individuals' details will be used for;
  • Try to go for opt-in-based marketing as much as possible and always arrange for a simple and quick method for customers to opt out of marketing messages at no cost other than that of sending the message;
  • Have a system in place to deal with complaints about unwanted marketing - it is best to suppress the individual's or company's details rather than delete them when you receive an opt-out request, so that you keep a record of whom not to contact;
  • Do not have consent boxes already ticked.

In general, any information that allows conclusions to be drawn about an individual is defined as a personal data element, including the name, address and e-mail address, but also, for example, the IP address. Thus, companies that store such data must first of all be familiar with the privacy policies of their country to avoid problems. In most European countries, for instance, explicit consent is needed before personal data can be saved. Further, it has to be ensured that all information can be deleted immediately, if desired, which includes back-ups, data mirroring, and other types of data storage, too. Unless this data is stored in your own company, it is necessary to ensure that only people who have a legitimate interest can access it.

In many Asian countries, and in the USA, the prevailing opt-out system requires only an unsubscribe button. However, if the data is stored externally, for example in cloud or SaaS applications, it must be subject to special protection. With a so-called "order for data processing", companies have to ensure that the data can be deleted at any time, both physically and electronically.

The countries of the European Union as well as a few selected countries, such as Canada, meet these statutory privacy policies. In these countries you can entrust any company with data storage without problems, as long as it respects and guarantees the order processing of data. In other countries, the storage of personal data can be tricky from a legal point of view.

Only in the U.S. are companies allowed to store personal data, as long as a special privacy agreement, known as the "Safe Harbor" agreement, is in place. But again, even when dealing with external providers it is important to ensure that only certain selected people have access to the data. That’s even more crucial when the company collects or processes personal information from several companies such as call centers, marketing agencies, or accountants.

When marketers talk about the storage of personal data, it is important to distinguish between:

  • Personal information such as name, address, e-mail etc.;
  • User behaviour data arising, for instance, from web page visits, the click on an email or submission of a form.

If behavior-related data, such as an IP address, is stored along with personal data, you get a person-related profile. Its storage is permitted only with explicit consent before the data is collected.

Some web tracking solutions save the IP address anonymously by not collecting the last three digits, making it sort of legally safe. Storage of the complete IP address without prior consent, however, does not comply with current regulations.

Even when communicating by e-mail, there are some things that have to be considered to protect privacy: it is only allowed to contact people who gave their prior consent via opt-in. The customer can consent electronically, for example by placing a check mark in the appropriate form. Alternatively, a confirmation email is sent with a special link that needs to be clicked to verify the agreement (double opt-in). This model is particularly suitable for documentation purposes and can be used for double protection. It is important that the prospective customers / clients give their consent actively by placing a tick, as the box in the form should not be pre-filled. In addition, the complete privacy policy of the company must be available via a link or as full text.

The company is responsible for the burden of proof for obtaining prior consent for e-mail communication - even if an agency triggers the email on their behalf.
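The double opt-in flow, the proof-of-consent record and the suppress-rather-than-delete rule described above, as an added example that is not code from the article or from any product it refers to. The names `ConsentRegistry` and `make_token`, the 48-hour link lifetime, and keeping opt-outs as keyed hashes are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: server-side secret, kept in a vault
TOKEN_TTL = 48 * 3600             # assumption: confirmation link valid for 48 hours

def _norm(email):
    return email.strip().lower()

def _mac(text):
    return hmac.new(SECRET, text.encode(), hashlib.sha256).hexdigest()

def make_token(email, policy_version, issued_at):
    # Value placed in the confirmation link: binds address, policy version, time.
    return f"{issued_at}." + _mac(f"{_norm(email)}|{policy_version}|{issued_at}")

class ConsentRegistry:
    def __init__(self):
        self.pending = {}        # address -> policy version awaiting confirmation
        self.consents = {}       # address -> proof record for the burden of proof
        self.suppressed = set()  # keyed hashes of opted-out addresses, never deleted

    def request(self, email, box_ticked, policy_version, now):
        if not box_ticked:       # consent needs an active tick, not a pre-filled box
            raise ValueError("no active consent given")
        self.pending[_norm(email)] = policy_version
        return make_token(email, policy_version, now)

    def confirm(self, email, token, now):
        addr = _norm(email)
        policy = self.pending.get(addr)
        issued = token.partition(".")[0]
        if policy is None or not (issued.isascii() and issued.isdigit()) or len(issued) > 12:
            return False
        expected = make_token(addr, policy, int(issued))
        valid = hmac.compare_digest(expected.encode(), token.encode())
        if not valid or now - int(issued) > TOKEN_TTL:
            return False         # forged, altered or expired link
        del self.pending[addr]
        self.suppressed.discard(_mac(addr))  # assumption: new opt-in lifts old opt-out
        self.consents[addr] = {"confirmed_at": now, "policy": policy, "token": token}
        return True

    def opt_out(self, email):
        addr = _norm(email)
        self.consents.pop(addr, None)
        self.suppressed.add(_mac(addr))      # remember whom not to contact

    def may_contact(self, email):
        return _norm(email) in self.consents and _mac(_norm(email)) not in self.suppressed
```

Every outgoing campaign would call `may_contact` per recipient, including when an agency sends on the company's behalf, so the stored record and the suppression list stay authoritative.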

In fact, there is no legislation which expressly prohibits purchasing email lists. However, if you are thinking of using such a list, you should only purchase it from a reputable company and you should ask for a warranty that the list has been lawfully collected and may be used as intended. Even then, you should think twice: targeted direct marketing, giving individuals information about products and services, is a perfectly legitimate activity – provided it respects the individual’s right to privacy. However, sending unwanted direct marketing is neither in your interests - it may harm your sender score and sender reputation - nor the interests of those receiving it.

By Daniela La Marca