Date:

Top tips for compliance on direct marketing in Ireland

Given the recent high fines imposed by the Information Commissioner’s Office (ICO) in the UK, it is worth getting up to speed on the relevant rules in the jurisdiction you are marketing into and we set out below a summary of some top tips to help you to comply with the Irish laws in relation to direct marketing and the use cookies.

In Ireland Data Protection law imposes strict obligations on the use of personal data for direct marketing. Direct marketing involves a person being targeted as an individual, and the marketer attempting to promote a product or service, or attempting to get the person to request additional information about a product or service. Under Irish law direct marketing is defined as“direct mailing other than direct mailing carried out in the course of political activities by a political party or its members, or a body established by or under statute or a candidate of election to or a holder of, elective political office”

Given the recent high fines imposed by the Information Commissioner’s Office (ICO) in the UK, it is worth getting up to speed on the relevant rules in the jurisdiction you are marketing into and we set out below a summary of some top tips to help you comply with the Irish laws in relation to direct marketing and the use of cookies:

Obtain consent

An individual must be given a right to refuse their personal data to be used for direct marketing purposes,  both at the time the data is collected (an "opt-out") and, in the case of direct marketing by electronic means, on every subsequent marketing message. The "opt-out" right must be free of charge. You must also make clear who you are and where you obtained the individual's personal data (where this is not obvious).

Provide choice

Customers should be given a choice as to whether or not they wish to receive direct mail. This information must be included on the website and at every point where data is captured on a website such as on log-in pages or online registration forms

Be careful when you have access to a customer’s email address and comply with the conditions

Where you have obtained contact details in the context of the sale of a product or service, you may only use these details for direct marketing by electronic mail if certain conditions are met. Also note that organisations must provide their commercial nature and identity on any communication sent and the recipient should understand how they can make a choice regarding whether they wish to continue to receive direct mailings.  

Pay attention to your cookies

The Office of the Data Protection Commissioner in Ireland (“ODPC”) accepts “consent by implication” in relation to cookie notification. This is not as strict as other European countries however it is good practice to make a clear unambiguous statement to the user that by continuing to use the site with their browser settings set to accept cookies the user is consenting to the use of cookies.

Consent must be informed and users should be given clear and comprehensive information which is prominently displayed and easily accessed.  A cookie policy should be separate from a privacy policy and easily understood to allow the user to make an informed choice  A user should understand the purposes for which cookies are used on the site, explain user consent and how a user can manage and disable the cookies.

Insert a tabulated explanation for Third Party Cookies

Where third party cookies are being used, it is not sufficient to simply refer the user to third party websites. In such situations or where there are many cookies being created or read by the site (or its partners) the DPC recommends the inclusion in the Cookies Statement of a tabulated explanation of all cookies with the following details:

  • Type
  • Name
  • A description of their purpose
  • Their expiry dates 
  • Links to advertising networks’ opt – out mechanism for third party cookies.

Enforcement lessons from across the water

It is worth considering the approach of the ICO across the water and how they approach the regulation of marketing calls, texts and emails. In a recent case the Commissioner was satisfied that a company had instigated the sending of automated marketing calls to subscribers without their prior consent. The Commissioner was also satisfied that the Company did not identify itself as the person who was sending or instigating the automated marketing calls or provide an address or a telephone number on which it could be reached free of  charge. The Company said the calls were made by a third party firm that had informed them their list was screened for consent. The company was hit with a £175,000 fine. By contrast in Ireland two companies were ordered to pay sums of money to charity in lieu of convictions after they were prosecuted for email marketing offences. It will be interesting to see what enforcement action would be taken in similar factual circumstances to the recent case in UK.

The ICO has recently published updated guidance (a key document in the UK) both as a guide to how organisations can make sure that marketing calls and texts are made in line with the law, and to inform the ICO’s enforcement activity. In view of the hefty fines recently imposed by the ICO it is worth a read. Helpfully the updated guidance gives more direction around third party consent which makes it clearer than ever that phrases like “are you happy to receive marketing from selected third parties” will rarely be likely to demonstrate the law is being followed.

For further information see www.ico.org.uk and www.dataprotection.ie

Author: Ursula Mulvaney, Regulatory Solicitor at DWF Dublin

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.