Direct Marketing Note – Blackstone Property Management
1. INTRODUCTION
This note concerns the ways in which Blackstone Property Management (“BPM”) justifies any direct marketing activities it carries out (i.e. its “justification for processing”). As detailed below, direct marketing is justified in two ways: consent; and legitimate interests. This note does not, however, set out all requirements under the GDPR – for example, the requirement to keep a record of processing or any information-provision requirements.
2. WHAT LAW GOVERNS DIRECT MARKETING?
2.1 A number of regulations work together to regulate the way organisations can carry out direct marketing. The most important are:
2.1.1 The Data Protection Act 1998 (“DPA”), which will be superseded by the General Data Protection Regulation (“GDPR”), accompanied by a new UK Data Protection Bill (the “UK DPB”) on 25 May 2018; and
2.1.2 The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). PECR rules only apply to electronic communications (i.e. they are not relevant to direct marketing carried out by post).
2.2 The Information Commissioner’s Office (the “ICO”) is the overseeing regulatory body for direct marketing purposes in the UK.
3. WHAT IS DIRECT MARKETING?
3.1 The UK DPB defines direct marketing as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. As you can see, this definition is very wide and would capture all kinds of communications – from phone calls and text messages, to emails and postal mail.
Solicited and unsolicited direct marketing
3.2 Generally speaking, solicited direct marketing (i.e. marketing material that the person has specifically requested) is permissible. The rules discussed in this Note are relevant only to unsolicited direct marketing.
BPM’s direct marketing practices
3.3 We understand that BPM only carries out direct marketing over email. Therefore, this note focuses only on emails.
4. IS THERE A DIFFERENCE BETWEEN BUSINESS-TO-BUSINESS AND BUSINESS-TO-CONSUMER DIRECT MARKETING?
What is business-to-business and business-to-consumer direct marketing?
4.1 Business-to-business (“B2B”) direct marketing is marketing from a business to a “corporate subscriber”. A corporate subscriber is any corporate body (entity with a separate legal status) who contracts for the use of the internet connection or other public electronic communications service through which a direct marketing email is received. This includes companies, limited liability partnerships, Scottish partnerships, and some government bodies. It would include, for example, the corporate subscriber Clifford Chance in respect of a marketing email sent to [email protected].
4.2 Business-to-consumer (“B2C”) direct marketing is marketing from a business to an “individual subscriber”. An individual subscriber is an individual who contracts for the internet connection or other public electronic communications service through which a direct marketing email is received. It would include, for example, the individual John Smith in respect of a marketing email sent to [email protected]. In some cases, it may also include smaller businesses and organisations.
Why does the distinction between B2B and B2C direct marketing matter?
4.3 The GDPR makes no categorical distinction between B2B and B2C marketing – it regulates the processing of data relating to identifiable individuals, whether they are identified in their personal capacity or as representatives of corporate persons. The GDPR’s effect does vary according to the circumstances of processing, however, and will generally be less stringent in a B2B context. PECR, on the other hand, makes a categorical distinction between B2B and B2C marketing.
4.4 Companies involved in B2C marketing have to meet stricter requirements under PECR when it comes to obtaining permission to send email marketing messages to individual subscribers. B2C marketing generally requires “opt-in” consent. This is considered in further detail below.
4.5 B2B marketers, on the other hand, can engage in direct marketing activities without “opt-in” consent. They only have to comply with the GDPR, by showing that the way they use personal data is proportionate, has a minimal privacy impact, and the recipients would not be surprised by or likely to object to what they are doing (i.e. they have a “legitimate interest”).
Does BPM carry out B2B or B2C direct marketing?
4.6 The general rule is that all direct marketing emails to business email addresses (e.g. [email protected]) are B2B direct marketing. However, if BPM is emailing corporate subscribers with information which they know is of interest to the recipient (John Smith) in their personal, rather than business, capacity (for example, they are emailing a lunch offer for an on-site restaurant), it may want to consider treating this as B2C direct marketing (not B2B) in order to ensure compliance with the basic principle under the GDPR that processing must be fair. There is some risk, in our view, that the ICO will take the view that opt-in consent is necessary to allow direct marketing by email to individuals in their personal capacity, even where corporate email addresses are used. On balance, however, we do not expect this view to be taken.
4.7 To the extent that BPM is sending direct marketing emails to personal addresses (e.g. [email protected]) this would be considered B2C direct marketing under PECR. We understand that BPM targets the majority of its direct marketing at corporate subscribers and paragraph 5 below is drafted on that basis (please see paragraph 5.9 below).
5. HOW SHOULD BPM BE JUSTIFYING ITS DIRECT MARKETING?
5.1 Under the GDPR, BPM can carry out direct marketing (B2C or B2B) if it has justifiable grounds for doing so. BPM will have justifiable grounds for direct marketing emails when it either: (i) has the consent of the recipient; or (ii) has a legitimate interest in sending direct marketing emails to the recipient, which is not outweighed by associated prejudice to the recipient’s privacy. Under PECR, subject to a limited exception (see paragraph 5.8 below), BPM can only carry out B2C direct marketing by email with the consent of the recipient. PECR does not set out a similar rule regarding B2B direct marketing over email.
5.2 As explained in paragraph 4.6 above, while – strictly speaking – much of the direct marketing carried out by BPM is B2B direct marketing, it may be prudent for BPM to nevertheless treat the direct marketing as B2C. As a result, when it comes to ensuring compliance with law, there is a medium risk and low risk option available to BPM (we note that neither of these options is considered particularly risky – just one is less risky than the other). We set both options out below, for the sake of completeness, but note that BPM has centrally taken the decision to obtain the recipient’s consent. Where you believe there is a strong business case to follow the medium risk approach, please email [email protected] with details.
5.3 In addition to the below, when sending any direct marketing emails BPM should ensure that it: (i) does not act in a way which could be construed as an attempt to conceal its identity; and (ii) includes a valid contact address which recipients can use to opt out or unsubscribe (enabling recipients to reply directly to the email, and unsubscribe by following a link, is good practice).
5.4 The low risk option would be to treat the direct marketing as B2C for the reasons set out in paragraph 6 above. Where this is the case, BPM would only have justifiable grounds to carry out direct marketing to the extent it has the recipient’s consent. To be valid, a recipient’s consent must be: (i) freely given; (ii) specific; (iii) informed; (iv) unambiguous; and (v) a clear affirmative action.
5.4.1 Freely given. The recipient must have a genuine choice over whether or not to give their consent. This means not unduly incentivising people to consent, or penalising those who refuse.
5.4.2 Specific. Consent must be specific to the type of marketing communication in question (e.g. email) and to BPM. It must be distinguishable from other matters and cover BPM’s name, the purposes of the processing and the types of processing activity.
5.4.4 Unambiguous. The way the consent is collected should leave no room for doubt that a data subject has given their consent.
5.4.5 Clear affirmative action i.e. ‘opt-in’. The GDPR specifically bans pre-ticked opt-in boxes. There needs to be a positive indication of agreement by a person to their data being processed.
5.5 Clifford Chance can review any language you draft in order to obtain consent. Please email [email protected] with your suggested language.
5.6 The medium risk option would be to treat the direct marketing as B2B. Where this is the case, BPM could either rely on consent or, alternatively, could use legitimate interests as its justifiable grounds. BPM will have a legitimate interest for processing where: (i) it believes it has a legitimate interest to carry out direct marketing; (ii) it can show that direct marketing is necessary to achieve that legitimate interest; and (iii) it has balanced the legitimate interest against any impact its direct marketing activities will have on the recipient’s interests, rights and freedoms.
5.7 Limbs (i) and (ii) are relatively straightforward to satisfy. BPM’s legitimate interests are its business interests and sending email seems an appropriate and necessary way of achieving these. Limb (iii) is less clear. However, there is a viable argument that sending direct marketing emails to a targeted group of recipients (i.e. persons working on the relevant estate) with information BPM can reasonably expect they are interested in and is of benefit to them (i.e. information relating to on-site facilities) balances out well against the presumably minimal impact on the recipient’s interests, rights and freedoms (particularly since emails are sent to a work address). That being said, this argument is not water-tight and, for that reason, BPM’s standard position will be to obtain consent.
5.8 Under PECR, BPM would be allowed to send direct marketing emails to recipients to the extent that the recipient is an existing customer who bought a similar product or service from BPM in the past (and BPM gave them a simple way to opt out both when it first collected their details and in every message it has sent since). We assume that, given the nature of BPM’s activities, this exception will not be relevant.
Personal email addresses
5.9 Where BPM is sending direct marketing emails to personal email addresses (e.g. [email protected]) this is clearly B2C. It will be necessary to obtain consent as per paragraph 4 above.
6. ANY QUESTIONS
6.1 If you have any questions relating to the above, or would like to seek further guidance, please email [email protected].
 Any information-provision requirements should be satisfied by the new GDPR compliant website privacy notice which you should be uploading as part of the GDPR implementation project (a template notice has been provided separately). Any communications should link through to this privacy notice and explain that the notice explains how / why BPM processes their data. We assume the business keeps a high-level record of processing as part of its pre-GDPR data processing arrangements.
 The Commission has proposed replacing PECR with a new ePrivacy Regulation (“ePR”). It was initially hoped that the ePR would be introduced at the same time as GDPR; however, this is no longer possible – a number of issues remain unsettled. Once the ePR is introduced, this note and BPM’s marketing activities will need to be reviewed again.
 This analysis may change to the extent that BPM’s email contained information which was not targeted in that way (e.g. contained marketing information relating to other sites or third parties not obviously connected to the relevant site).