How many times have you seen on a website the phrase “tick here if you don’t want us to pass your details to carefully selected partners”.  Under the new CPUT 2008 regulations this phrase would have to mean exactly what it says. But what does it mean in practice?

If, like me you are in the Direct Marketing industry and you get involved with purchasing lists here’s what it means in practice:

“we’re going to sell your details to anyone who gives us money”.

Under CPUT this would be a clear breach of the regulations – here’s what they say:

A commercial practice is a misleading action if it satisfies the conditions in either paragraph (2) or paragraph (3)

(2) A commercial practice satisfies the conditions of this paragraph—

(a) if it contains false information and is therefore untruthful in relation to any of the matters in paragraph (4) or if it or its overall presentation in any way deceives or is likely to deceive the average consumer in relation to any of the matters in that paragraph, even if the information is factually correct; and

(b) it causes or is likely to cause the average consumer to take a transactional decision he would not have taken otherwise.

A commercial practice is a misleading omission if, in its factual context, taking account of the matters in paragraph (2)—

(a) the commercial practice omits material information,

(b) the commercial practice hides material information,

In this case the omission is the fact that the consumers’ data is going to be sold. Yet this “commercial practice” is commonplace. Most mail-order companies re-sell their customer data, yet I cannot find a single one that admits that the data is actually sold. Now how many consumers do you think would give consent to their data being re-sold to anyone?

This constitutes a major problem for the entire list industry in the UK. And it is not a small industry. Each year over £200m worth of lists are sold in the UK.

Direct Marketing in the UK is heavily driven by marketing to new prospects and if Trading Standards Officers stark cracking down on these practices it is likely that we will see a dramatic decline in the availability of traded databases.

So if traded databases disappear then companies will have to work harder to get names they can use from both customers and potential customers. But the new regulations mean that much of the terminology that is meat and drink to marketers will have to be trimmed back.  For example: “tick here to receive valuable offers”. Valuable to whom exactly? Marketers will clearly need in future to be careful with their wording as the regulations do not permit any misleading either by commission or omission. It is, in my view, this that marks out the new regulations as being a major step change from the Data Protection Act.

The Data Protection Act requires “informed consent” as the benchmark in fairly using someone’s personal data. But the CPUT regulations set the bar much, much higher. The regulations state that it will be an offence if any statement:

“in any way deceives or is likely to deceive the average consumer in relation to any of the matters in that paragraph, even if the information is factually correct”.

We have always advised our clients not to use misleading language, but many do because they are so desperate to get or retain consent to market to customers or potential customers. Now the regulations make the risks of pushing the limits very much higher. And one of the areas where this may particularly be put to the test is in Privacy Policies. Interestingly there is of course no legal requirement whatsoever to actually have a Privacy Policy. But if you do and your wording is misleading will that land you in trouble? Maybe. The question would be to what extent the contents of the Privacy Policy persuade you to undertake a transaction that otherwise you might not have do. Given that their purpose is to re-assure consumers that their data is safe and that therefore they can be trusted to do business with, then it would be reasonable to posit that a poorly worded Privacy Policy could very well land you in hot water.

Now what is particularly interesting is that it could be the Marketing Director who will be found guilty of an offence as well as the “body corporate”. And this is VERY different to the Data Protection Act. We could see prisons filling up with marketers (perhaps no bad thing!) But would it actually happen? We suspect not. The new regulations give massive teeth to Trading Standards Officers to go after many of the very bad consumer practices and it is extremely hard to see why they would focus on Data Privacy abuses – at least at first.

So, marketers have a breathing space in which to put their houses in order – what should they do?

First re-write any Privacy Policy into plain English and make sure that it is NOT misleading. Now given that the penalties for breaching the Data Protection Act are, by comparison, minimal there is an argument to be made that says that Privacy Policies could actually become far more important. Here’s a possible scenario.

“By pressing Submit you are consenting to our using your data as defined by our Privacy Policy. “

Then the Privacy Policy says “we will use your data as we see fit, including re-selling it to any third parties”.  Now there’s no misleading – it is absolutely clear and you could argue constitutes “informed consent”. The ICO, of course does not like this kind of approach – but his teeth aren’t sharp and he can’t throw you into jail.

Alternatively, you could adopt a slightly more “ICO-friendly” approach. Here’s what could be done.

“We would like to pass your details to selected partners (for details see our Privacy Policy)”

Then, in the Privacy Policy you can simply state “we select partners who have the funds to buy your data. Anyone who is too poor won’t get it”.

You see no-one actually reads privacy policies. So you can easily put the “bad news” into it. Yes, you’re not being exactly up front but you have made it clear that there are “details” to be read and then within the details you have made the position perfectly clear. But is this the right approach to take? We think not. Eventually Trading Standards will turn their attention onto bad marketing practice. Yet don’t forget that the regulations reference professional standards bodies. In this case it would be the DMA.  The question will then become how the DMA write their own regulations. Expect these to enable marketers to carry on pretty much as they are.