SMS Bandit's Guide To Staying Legal
When marketing became popular in the late 1990s there have been two major pieces of legislation placed on companies wishing to use text marketing as a tool to generate business. These cover everything from compiling customer data through to their rights to receive your messages. Below is a guide plus links to legal websites which will ensure that your business stays in line with the law and remains morally and ethically responsible towards your customers.
1998 Data Protection Act
This act deals with the collection and storing of personal data. The laws are notoriously complex and as the date suggests came into force just before the explosion of SMS marketing. However it is very useful to know the main points of this act as it still applies today.
The Register of Data Controllers
Firstly, before you take any information from your customers you MUST join the Register of Data Controllers. This is a legal requirement of the 1998 Data Protection Act. You can register your organisation at the Information Controllers Office website.
1. Data should be lawfully collected and only processed in the following conditions:
- The person has given their full consent (defined as written or verbal consent where there is an “informed indication of their wishes by which the data subject signifies their agreement to personal data relating to them being processed.”
- It is necessary for the commencement of a contract
- It is required under legal obligation
- It is necessary for the vital interests of the customer
- It is necessary to carry out public functions
- To pursue the legitimate interests of the data collector or third party as long as it does not prejudice the customer
2. The reason behind collecting personal data has been made very clear to the subject. The use of the data must not stray from its original purposes as agreed with them.
3. Personal data must be relevant to the purpose of its collection and not too excessive. Unnecessary extra information may not be collected.
4. The data must be accurate and the person must be able to correct any mistakes.
5. The data must not be kept longer than necessary.
6. The data should be processed in relation to the rights of the customer.
7. Appropriate measures will be taken against organisations that wrongfully collect data, unlawfully process it or change it.
8. Personal data shall not be given to any country outside the EU, unless the country in question ensures an adequate level of protection of the data.
9. Customers can have access to information that an organisation holds about them.
Offences which may apply to small businesses
Contraventions of the Data Protection Act apply mainly to the unlawful use of personal data;
- If a third party can gain access to the data
- If data is gained by an organisation which is not registered with the ICO
Things your organisation needs to do:
- Join the Data Controller register https://ico.org.uk
- Design a data collection system which
- Outlines a clear purpose for your data collection
- Enable the customer to give their full consent
- Takes relevant data from your customer
- Has a method of taking data accurately
- Is a safe way of storing the information
- Includes a relevant way of processing the information for your business needs.he 1998 Data Protection Act in full is available here
The Privacy and Private Communications Regulations 2003
This EU directive is specifically aimed at businesses who wish to use communication by “electronic means” to customers. This includes marketing through email, fax or SMS as part of their business. A summary of the regulations are as follows:
1. Consent must be given by the customer in order to send them a marketing text message. This can be verbal, or in the form of a “tick box,” which clearly states that they are giving their consent to future marketing messages. A soft-opt in clause means that messages may be sent to a customer if:
The information was collected during sale or negotiation of a sale. The customer has at least expressed interest in your product, even if they have not bought it.
The content of your messages relate directly to a similar product or service The customer was given a chance to opt-out of marketing altogether.
2. The sender must clearly identify themselves.
3. The sender must give the customer a clear method of opting out of their marketing messages at any time.
4. This act distinguishes between solicited marketing messages, which are when the customer approaches your company for information and unsolicited messages, where you send the customer without them asking for it. You can send an unsolicited message, so long as you have their prior consent as mentioned above.
5. The sender has to obtain consent from the customer to pass their personal data onto another company or “third party.”
6. Business to business SMS marketing does not need prior consent, but must contain a way of opting out.
A breach of these guidelines can result in a fine of up to £5,000.
The full Act is available here