At Stint, we often send direct marketing and other communications to our business users and Stint students – this includes communications via emails, phone calls, text messages, social media and other forms of electronic messages. In doing so, we ensure that we comply with applicable laws, including the Data Protection Act 2018 (the DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the PECR), as well as follow guidance from the Information Commissioner’s Office (the ICO).
This Direct Marketing Policy is aimed at ensuring that everyone at Stint complies with applicable laws, it is therefore essential that you read, understand and apply this policy. Note that failure to comply with the law could result in Stint being fined by the ICO, and risks damaging Stint’s reputation. If you have any questions or comments, please do not hesitate to contact our Data Protection Officer (DPO) at dataprotection@stint.co.
The DPA and the PECR both restrict the way we can carry out unsolicited direct marketing – i.e. marketing that has not been specifically asked for.
Direct Marketing is defined as “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”.
As per our Privacy Policy, we must comply with the principles set out in the DPA; we must:
If an individual requests that we stop (or not begin) sending them direct marketing, we must do so within a reasonable period. It is good practice to send an acknowledgement email so that the individual is reassured we are processing their request.
You must never sell our marketing lists.
There are specific rules about what marketing communications (of all sorts) should contain – we must ensure that we always provide the following information to the individuals:
If we are making marketing calls, we must ensure our number is displayed – i.e. do not call in private mode.
There is no restriction on sending solicited marketing – i.e. marketing material that was specifically requested by an individual. For example, if a potential business user requests a quote, sending the quote is solicited marketing – anything further is unsolicited.
Similarly, if a business user opts in for direct marketing about our services (i.e. tick a box to be provided with marketing emails), any marketing emails will be specifically requested – but if you send them a quote that they did not ask for, then it would be considered unsolicited marketing.
As explained in our Privacy Policy, consent must be knowingly and freely given, and must be clear and specific. In the context of direct marketing:
The individuals must understand what they are consenting to, so it is very important to be clear when communicating with individuals about their marketing preferences. For example, if you are on a call with an individual, and you ask if they would be happy to be contacted by third parties for marketing purposes, you must tell them who these third parties are, in a clear way.
Do not assume that individuals have consented to direct marketing – e.g. if they do not respond to an agreement. Consent requires positive action to be taken, such as ticking a box, orally approve, or subscribing to a service clearly setting out that doing so would lead to marketing communications (which are relevant to the services). Note that pre-ticked boxes are not allowed under the GDPR.
The ICO considers opt-in consent best practice. We will regularly evaluate whether we wish to move to marketing opt-ins, as opposed to our current model of soft opt-in.
We must keep a record of consents given by individuals where we rely on consent to process personal data – so that we can show our compliance in the event of a complaint to the ICO.
If we send marketing to a third party’s mailing list (e.g. bought-in marketing list from a broker), and rely on their obtention of consent, we must ensure that our communications clearly name that third party.
Note that the third party will have to ensure that they have provided enough information to the customers so that the latter would have anticipated that their details would be passed onto us – and that they were expecting communications from us.
Please contact the DPO, at dataprotection@stint.co before buying or receiving a marketing list from a third party.
We are allowed to make live unsolicited marketing calls provided that the number is not registered with the Telephone Preference Service (see https://www.tpsonline.org.uk/) – unless the individual has specifically agreed to being called by us.
If we intend on making marketing calls to our business users or Stint students, we should ensure that they clearly understand that we will use their phone number to make marketing calls. We do not currently call our business users or Stint students for marketing purposes. If we intend on doing so, we will have to ensure this is clearly set out in our privacy policy – and if possible, seek consent to do so.
Note that specific consent is required to make automated calls (i.e. calls made by an automated dialling system which plays a recorded message). Therefore, we cannot make automated calls to individuals who have not specifically agreed to receiving automated calls.
The general rule is that organisations can only send marketing texts or emails (or social networking messages) to individuals who have specifically consented to it.
There is an exception to the above requirement for consent; organisations can send marketing texts or emails to existing customers – this is known as soft opt-in - and it is on this basis that Stint currently sends marketing communications. We do not rely on consent per se, but rely on our legitimate interest. We carried out a legitimate interest assessment (LIA) regarding our use of soft opt-in, which is appended to this direct marketing policy.
However, soft opt-in is only allowed if:
We can only rely on soft opt-in where we are the organisation that collected the individual’s contact details – we cannot rely on soft opt-in if we obtained a marketing list from a third party (as it requires specific consent – see paragraph 6).
The DPA gives individuals the right to object to their processing of their personal data at any time.
We must make it easy for people to unsubscribe – e.g. by adding a link at the end of every marketing email communications, or by allowing them to respond “STOP” without extra cost (other than the cost of a text message) to any marketing text messages.
Once someone has expressed their wish not to receive marketing emails, we must comply – this overrides any consent or soft opt-in relied on. Their details should be removed from marketing lists as soon as possible – however, we should not delete their details entirely otherwise we cannot ensure that we will not contact them again by mistake. Instead, they should be added to a “suppression list” so that we do not accidentally email them.
We can send a follow up message immediately after someone has opted-out to confirm that they have been unsubscribed – and provide them with information as to how to re-subscribe should they wish to do so. However, this should not be used to send further marketing communications.