Data Protection Guidelines: Email Do's and Don'ts
Gary Davis, Deputy Data Protection Commissioner
Irish Internet Association, 28th October 2009

Upload: david-scanlon
Post on 29-Jan-2015

TRANSCRIPT

Page 1: Data Protection Guidelines

Data Protection Guidelines: Email Do's and Don'ts

Gary Davis, Deputy Data Protection Commissioner

Irish Internet Association, 28th October 2009

Page 2: Data Protection Guidelines

Presentation Outline
• Marketing – what do people think?
• Data Protection – what is it?
• Direct Marketing – the Rules
• Best Practice

Page 3: Data Protection Guidelines

Personal Experience of Privacy Invasion (% answering Yes)

Received unsolicited post, addressed to you personally                                  50
Received unsolicited text messages from commercial organisations                        35
Received unsolicited emails from commercial organisations                               28
Had excessive personal information sought from business/public sector organisations    20
Had a virus/spyware on personal computer                                                20
Disclosures of your personal information to others without your agreement              14
Had information, images or footage of you posted on the internet without your consent  11
Had personal information being withheld from you without explanation                   10
Inappropriate access to personal information held about you within an organisation     10
Any experience                                                                          65

Page 4: Data Protection Guidelines

Attitude Towards Unsolicited Mail or Offers… (% of respondents, 2008 ('08) vs 2005 ('05))

Channel                      Year  Not at all  Not very   Fairly     Very       Don't  Unhappy
                                   happy (1)   happy (2)  happy (3)  happy (4)  know   (1)+(2)
The post                     '08   35          41         12         4          8      76
                             '05   29          45         14         4          9      74
E-mail/the internet          '08   28          43         9          4          16     71
                             '05   23          43         9          3          22     66
The telephone to your home   '08   27          33         8          2          30     60
                             '05   21          34         6          2          37     55
SMS/Text messages            '08   28          46         8          4          13     74
(to your mobile phone)       '05   23          52         7          2          16     75

Unsolicited mail via telephone or post remain the approaches the public most dislike. However, irritation with text or e-mail contact has significantly increased since 2005.

Page 5: Data Protection Guidelines

Q.7 – Awareness of Rights (%)

Right                                                                                       Yes,      No, not   Don't
                                                                                            entitled  entitled  know
To get a copy of any information about you held by any organisation                         71        6         23
To have any inaccurate information about you corrected/deleted                              71        6         23
To have your name removed from junk mail lists                                              71        5         23
To have your telephone number removed from direct marketing lists                           70        6         24
To have any of your medical records deleted                                                 58        7         35
To claim compensation through the courts if personal information held about you is misused  40        21        39
To get personal information about other people                                              22        46        32

Page 6: Data Protection Guidelines

Complaints to DPC 2008

• 1031 formal complaints
• Many more enquiries dealt with informally

TYPE               %
Direct Marketing*  35
Access Rights      30
Disclosure         16
Accuracy           2
Other              17

* Mainly electronic (SMS etc). Direct Marketing accounted for 57% of complaints in 2007

Page 7: Data Protection Guidelines

Unsolicited Marketing – DPC Annual Report Case Studies
• Unsolicited Text Messages (12/2005; 5/2006 – deletion of database ordered)
• Unsolicited Faxes (20/2008)
• Unsolicited e-mails (8/2008; 17/2008 – database deleted and marketing suspended)
• “Cold-Calling”/Failing to respect right to “opt-out” including via NDD (11/2005 (prosecution); 1/2006; 2/2006; 4/2007 – order to suspend marketing; 11/2008)
• Postal Marketing (15/2007: supermarket)

Page 8: Data Protection Guidelines

Case Studies 2008: Direct Marketing
• 123.1e (insurance)
• Interactive Voice Technologies
• Buy-as-you-Fly
• Celtic Water Solutions
• Matrix Internet
• Dell
• 2 cases where we found in favour of the DC

Page 9: Data Protection Guidelines

Presentation Outline
• Marketing – what do people think?
• Data Protection – what is it?
• Direct Marketing – the Rules
• Best Practice

Page 10: Data Protection Guidelines

Data Protection: a Human Right

• Part of Right to Personal Privacy
• Personal Privacy: necessary in a Democratic Society (but not absolute)
• Un-enumerated right under Irish Constitution
• Explicit right under European Convention on Human Rights: ECHR Act 2003

Page 11: Data Protection Guidelines

EU & Irish Legislation
• Data Protection Directive 95/46/EC
• Electronic Privacy Directive 2002/58/EC
• EUROPOL etc
• Data Protection Acts 1988 & 2003
• EC Electronic Privacy Regulations 2003 (SI 535/2003) and 2008 (SI 526/2008)
• Corresponding Acts
• Good Friday Agreement
• Disability Act 2005

Page 12: Data Protection Guidelines

Rights and Obligations
• Rights of “data subject” (= identifiable, living individual) to control the use of their “personal data” (very broad definition)
• Obligations on “data controllers” (“a person who controls the contents and use of personal data”) and “data processors” (“a person who processes personal data on behalf of a data controller”)

Page 13: Data Protection Guidelines

The Data Protection Rules
1. Fair obtaining & processing
   • Consent
2. Specified purpose
3. No disclosure
   • unless “compatible”
4. Safe and secure
5. Accurate, up-to-date
6. Relevant, not excessive
7. Retention period
8. Right of access

Page 14: Data Protection Guidelines

Presentation Outline
• Marketing – what do people think?
• Data Protection – what is it?
• Direct Marketing – the Rules
• Best Practice

Page 15: Data Protection Guidelines

Direct Marketing Legislation

• The Data Protection Acts 1988 and 2003 – mainly Section 2
• SI 535 of 2003 European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations, as amended by SI 526 of 2008 – mainly Regulation 13 (Unsolicited Communications)
• Other Legislation: Consumer Protection, E-Commerce, Financial Regulation etc

Page 16: Data Protection Guidelines

Direct Marketing Definition
• “direct marketing” includes direct mailing other than direct mailing carried out in the course of political activities by a political party or its members, or a body established by or under statute or a candidate for election to, or a holder of, elective political office;

Page 17: Data Protection Guidelines

Direct Marketing – the Golden Rule of Consent
• Only market willing customers
• Strong Irish customer resistance to “junk mail” or “spam”
• Failure to respect consumer choice is against the law
  Criminal offence where electronic means used

Page 18: Data Protection Guidelines

Email
• Non-Customers (Individuals)
  Recipient must have opted-in to receipt of message from you
  Consent given to third party marketing etc. not acceptable. The consent must be informed and explicit
  Email must include the name of sender
  Email must include valid and cost-free means to opt-out
  Opt-in to send email must be in the last 12 months or refreshed within that period

Page 19: Data Protection Guidelines

E-mail Continued
• Customers (Individuals)
  You must have told the customer that you intend to use their email address for this purpose and provided an opportunity to object at the point of collection
  Email must include the name of sender
  Email must include valid and cost-free means to opt-out
  Consent to send email must be in the last 12 months or refreshed within that period
  Email must only relate to your own similar or related services

Page 20: Data Protection Guidelines

Email Continued
• Businesses
  Do not need opt-in consent
  Must respect any opt-out request
  Email must include the name of sender
  Email must include valid and cost-free means to opt-out

Page 21: Data Protection Guidelines

Penalties

• Electronic mail
  Criminal offence: €5,000 per message, up to 10% of turnover
  350 prosecutions gone or going through the Courts

Page 22: Data Protection Guidelines

Presentation Outline
• Marketing – what do people think?
• Data Protection – what is it?
• Direct Marketing – the Rules
• Best Practice

Page 23: Data Protection Guidelines

Best Practice (1)
• Treat the Consumer with respect
  Respect their right to be “let alone”
• Marketing that respects the Consumer’s preferences is more likely to be successful
• The more intrusive the marketing, the more likely the Consumer will be upset
• Don’t abuse public information

Page 24: Data Protection Guidelines

Best Practice (2)
• Our Guidance (http://www.dataprotection.ie/viewdoc.asp?DocID=905&ad=1)
• Keep a record of any consent on which you are basing your direct marketing emails. Without it you cannot prove that you have consent, and the onus is placed on the sender
• Have a foolproof method of respecting opt-out requests

Page 25: Data Protection Guidelines

Conclusion
• Do tell the recipient at the time of collection that you intend to use their email details to market to them, and either get their opt-in or allow them to opt-out
• Do identify yourself and provide a valid means of opt-out in each message
• Do keep a record of the consent for sending the message
• Don’t buy third party marketing databases
• Don’t send any messages where you have had no contact for over 12 months
• Don’t ignore requests to opt-out
• Don’t attempt to put in place a “difficult” means of opting out
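As an added illustration (not from the slides or the DPC), the rules on pages 18 to 20 and the record-keeping advice on pages 24 and 25 written as a consent-ledger check that decides per recipient whether a marketing email may go out. The category names, the 365-day reading of "12 months", and the ledger entries are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

# The slides say "in the last 12 months"; 365 days is this example's approximation.
CONSENT_WINDOW = timedelta(days=365)

@dataclass
class Recipient:
    address: str
    category: str                         # "non_customer", "customer" or "business"
    consent_date: Optional[date] = None   # when opt-in/consent was given or last refreshed
    told_at_collection: bool = False      # customer told of marketing use and offered an objection
    opted_out: bool = False               # any opt-out request received (must be honoured)

@dataclass
class Message:
    sender_name: str            # every message must name the sender
    has_free_opt_out: bool      # every message must offer a valid, cost-free opt-out
    own_similar_products: bool  # customers may only be sent your own similar/related services

def may_send(r: Recipient, m: Message, today: date) -> Tuple[bool, str]:
    # Opt-out wins for every category; message-format rules apply to every category.
    if r.opted_out:
        return False, "opt-out request on file"
    if not m.sender_name or not m.has_free_opt_out:
        return False, "message lacks sender name or cost-free opt-out"
    if r.category == "business":
        return True, "business: no opt-in needed"
    fresh = r.consent_date is not None and today - r.consent_date <= CONSENT_WINDOW
    if not fresh:
        return False, "no consent/contact within last 12 months"
    if r.category == "non_customer":
        return True, "non-customer: explicit opt-in within 12 months"
    if r.category == "customer":
        if not r.told_at_collection:
            return False, "customer not told at collection or not offered objection"
        if not m.own_similar_products:
            return False, "customer: only own similar or related services allowed"
        return True, "customer: notice given, consent fresh, similar services"
    return False, f"unknown category {r.category!r}"

# Constructed sample ledger (not real data), audited as of the presentation date.
SAMPLE_TODAY = date(2009, 10, 28)
SAMPLE_LEDGER = [
    Recipient("fresh@example.com", "non_customer", date(2009, 3, 1)),
    Recipient("stale@example.com", "non_customer", date(2008, 6, 1)),
    Recipient("cust@example.com", "customer", date(2009, 5, 1), told_at_collection=True),
    Recipient("biz@example.com", "business"),
    Recipient("gone@example.com", "business", opted_out=True),
]

def audit_samples(message: Message = Message("Acme Ltd", True, True)) -> Dict[str, bool]:
    return {r.address: may_send(r, message, SAMPLE_TODAY)[0] for r in SAMPLE_LEDGER}
```

The reason string is what you would log alongside each decision so the consent record the slides ask for is reproducible later.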

Page 26: Data Protection Guidelines

DPC Contact Details
Office of the Data Protection Commissioner
Canal House
Station Road
Portarlington
Co Laois
Phone: LoCall 1890 252231 / 057 8684800
Fax: 057 8684757
Email: [email protected]
www.dataprotection.ie