Extravision Blogsblog

Recent Posts



Data Protection: Do your email campaigns comply?

August 1, 2008

Compliance with data protection is a complex business, here at Extravision we've put together a simple guide to the current legislation that should keep you out of court - and give you an idea of what is considered best practice. There are four EU directives and an Act of Parliament that cover data protection legislation. In this article we intend to concentrate on the current UK parliamentary legislation, the Data Protection Act 1998 (which repealed the 1984 Data Protection Act). For more information about EU directives and the way in which they could soon affect UK law please see our article 'EU Directive on Email Marketing'.

The Data Protection Act 1998

The new Data Protection Act 1998, which came into full compliance in October 2001, places the balance of rights on data protection and privacy issues firmly back in the hands of the individual. Under the Act companies are obliged, if requested, to provide more information about why they want to use personal data and must also reveal the source of their data. Importantly for marketers the Act also specifies ways in which personal data must be collected and stored.

What is personal data?

The act defines personal data as 'data which relates to a living individual who can be identified by that data'. Lists of email addresses clearly come under this definition as an email address can give strong clues to a person's identity [email protected] identifies a particular individual at a specific company. Not all email addresses give such clear personal detail of course; [email protected] for example is much less identifiable. We would advise companies to err on the side of caution and consider all email addresses to be personal data, even though the legislation does not give specific guidance on such contradictions.

Data Protection Principles

There are 8 data protection principles in the Act. The information commissioner has the power to issue an enforcement notice to any organisation found to be in breach of any these principles. Failure to comply could result in a £5000 fine in a magistrate's court, or an unlimited fine in a crown court. The principles are that personal data must be:
  • Processed fairly and lawfully
  • Can only be obtained for specified purposes and not used in a manner incompatible with those purposes
  • Should be adequate, relevant and not excessive for the purposes for which they are processed
  • Should be accurate and up to date
  • Should be kept no longer than necessary
  • Must be processed in accordance with the rights of data subjects under this act
  • Should not be open to accidental loss, destruction or damage
  • Must not be transferred to countries, without adequate levels of protection, for the rights and freedom of the subject.

Collection of data

One of the first steps in running an email marketing campaign is data collection - getting the right email addresses is essential to the success of the project. Marketers should not however be blind to the legal constraints within which such data should be collected. There are a number of different ways in which a company can acquire data email addresses to be used in a marketing campaign:
  • Direct collection from prospects via a telemarketing campaign
  • Direct collection from customers (for example via a Web site)
  • Lists prepared by third parties and
  • Collection from websites; such as public directories, newsgroups or discussion boards.
Email addresses collected directly are subject to some ambiguity under the Data Protection Act in terms of the level of consent legally required. Data protection guidelines say that it is good practice to get the individual's consent. Consent is not however clearly defined, although the guidelines do clearly state that 'It will always be necessary to get their consent where if the data is sensitive.' Sensitive data is defined as that which reveals 'racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of data concerning health or sex life'. Under this definition some, but by no means all, email addresses may be classified as sensitive; for example [email protected] reveals trade union membership. The law is not clear on these issues and the guidelines do little to help. What is clear is that if a customer asks you to stop using his or her data for marketing purposes you must do so. We would also recommend that prospects/customers are always given the opportunity to opt-out of the use of his or her data for marketing. Where email addresses are collected for marketing purposes from a contact form on a website it is generally good practise to link to a 'Privacy Policy'. This should at the very least include: company contact details, uses to which the personal information will be put and details of how to opt-out of any mailing list. This serves as notice as to the purpose for which the information is being collected – and therefore it can be assumed that the individual has given appropriate consent when they submit their details. Companies that buy in lists of email addresses from third party organisations must check that they are legitimate and have been collected in compliance with the Data Protection Act. The legislation requires that an individual is informed of what happens to their data and that includes giving permission for it to be sold to a third party. If you are considering buying in a list we would strongly recommend that you only do so from a reputable company. Email addresses collected from a public space on the Internet and used for an email campaign could well be contravening the principle of 'fair processing of data'. The individual probably made their address public for a quite a different reason, for example participation in an online discussion group. We would not recommend that email addresses are collected in this way - as well as breaking the law, it is the collection method choice of spammers and is definitely out of the bounds of good practice.

The right to object

The rights of the individual are quite clearly defined in the Act – data subjects have the right to know whether information about him/her is being processed, who is collecting the information, the purposes for which the information was gathered and the source of the information. Even if an individual has previously consented to personal details being used for marketing purposes he can still request at any time that a company ceases to use or store personal information. Unsubscribe requests should therefore always be adhered to and names taken off lists speedily. Email can be a powerful tool for finding new prospects and developing good customer relationships. Keeping abreast of the legal implications is not always easy, but at Extravision we are committed to advising our customers of best practice – keeping you out of court and to make your emails welcome in your prospects' inboxes! If you would like more information please email us at [email protected] or call +44 (0)161 817 2929

Posted by Paul Latham

No comments

Comments are closed.

From the Blog

How to craft the perfect re-engagement email: Topshop example

In an ideal world, everyone on your list would be eagerly awaiting your email. They…

Jenni Malley
June 1, 2017

How To Get Your Perfect Email Template

If you send email campaigns then you probably use a template. Not every email campaign…

Jenni Malley
May 12, 2017

Latest Tweets

Get in touch

MediaCity UK
M50 2AB
Find us on Google maps

Main: +44 (0) 161 817 2929
Support: +44 (0) 161 817 2930
Email: [email protected]


Facebook IconTwitter IconVisit Our BlogVisit Our BlogVisit Our Blog