Richard Field (Partner and global co-lead for Privacy and Data Protection) and Koketso Mathebula (Associate) look at what are frequently misunderstood provisions of Guernsey law.
Legislation
Emarketing, SMS/MMS and telemarketing in Guernsey are principally governed by the Data Protection (Bailiwick of Guernsey) Law, 2017, as amended (‘the Data Protection Law’) and the European Communities (Implementation of Privacy Directive) (Guernsey) Ordinance, 2004 (as amended) (‘the Ordinance’). In addition, it is important to ensure that direct marketing activities comply with other privacy-related legislation. The Data Protection Law applies to the processing of personal data which is undertaken either wholly or partly by automated means and which forms part of a filing system. The processing must take place in the context of a controller or processor established in the Bailiwick or relate to the processing of Bailiwick residents’ personal data elsewhere, usually in relation to the offering of goods or services or monitoring behaviour. This is where direct marketing becomes particularly relevant.
It is also important to note that a data “controller” is a person who (either alone or jointly with others) determines the purpose(s) and the means for the processing of any personal data, and a “processor” is a person who processes personal data on behalf of a controller, i.e. does not determine the purpose(s) and means of processing. Notably, a processor can also be a controller if they make those determinations. An employee carrying out these functions on behalf of a controller is not considered a controller in their own right, merely by virtue of their employment. A data subject is an identified or identifiable individual to whom personal data relates (the Ordinance defines individuals to include sole traders and partnerships, i.e. unincorporated).
The Data Protection Law mandates that both controllers and processors must comply with the data protection principles: lawfulness, fairness, and transparency, purpose limitation, minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.
Regulatory authority guidance
Guernsey’s data protection regulator, the Office of the Data Protection Authority (‘ODPA’), issued a guidance note titled Direct Marketing – A Guide for Organisations (‘the Direct Marketing Guide’) on May 4, 2023, which was then updated on November 7, 2023, to help organisations understand their obligations and the rights of data subjects in relation to direct marketing.
Definitions
Direct marketing
Neither the Data Protection Law nor the Ordinance expressly defines the term ‘direct marketing.’ However, the ODPA defines direct marketing as ‘the communication, by whatever means, of marketing material to specific individuals or organisations,’ a definition broadly aligned with that used in the UK’s Data Protection Act 2018 (‘the Data Protection Act’) (‘the communication [by whatever means] of advertising or marketing material which is directed to particular individuals’). Genuine market research and routine customer service messages do not constitute direct marketing so long as the message or survey does not include any significant promotional material intended to encourage customers to buy products or services or renew contracts.
The Law does not define the term ‘electronic mail.’ However, the Ordinance defines electronic mail as ‘any text, voice, sound, or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service’. The scope of the legislation covers communications consisting not just of text, but images, audio, or a combination of those media.
Email marketing
While there is no direct legislative definition, the definitions of electronic mail and direct marketing referenced above can be adopted to understand the scope of email marketing under Guernsey law.
SMS/MMS
There is no legislative definition for SMS/MMS. However, the Ordinance specifically includes ‘short message service’ in its definition of electronic mail: ‘any text, voice, sound, or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service.’ As such, this is sufficiently wide to capture MMS sent over a public electronic communications network.
SMS/MMS Marketing
There is no specific legislative definition of this term in Guernsey law.
Marketing calls
There is no definition of marketing calls.
Consent
The Data Protection Law provides for ‘consent’ as a basis for lawful processing and defines it as any specific, informed, and unambiguous indication of a data subject’s wishes by means of a statement or by a clear affirmative action, which signifies agreement to the processing of personal data relating to the individual. It is not always necessary for an individual to signify agreement in writing, even though the Direct Marketing Guide provides that explicit consent must be recorded. Importantly, there must be some active communication between the parties; consent cannot be inferred by virtue of the individual simply failing to respond to a communication or failing to object.
Spam
There is no legislative definition of ‘spam’ in Guernsey law.
Consent Requirements
B2C
Emarketing and SMS/MMS Marketing
The data subject must have consented to the sending of direct marketing unless the sender is relying on ‘soft opt-in’ (discussed below). In any case, the individual must be given a simple method to opt out of receipt of future marketing communications. As noted above, consent is only legally valid where it satisfies the following conditions:
- it is clearly demonstrable that the individual has given the consent, i.e. written email, text, etc.;
- the individual has freely given the consent, i.e., it is not based on misleading information, misrepresentation, duress, etc. by the sender;
- prior to consenting, the individual is informed that they have a right to withdraw the consent at any time;
- if the consent is given in writing in the context of other matters, the request for consent must be clearly distinguishable from other matters (i.e. the request for consent must not be conflated with other matters); and
- the request for consent must be communicated in a manner that is intelligible, easily accessible, and with clear and plain language.
Direct marketing by means of an email and/or SMS/MMS is prohibited outright unless the individual has previously consented to such communications. The sender may send or instigate such emails for the purpose of direct marketing where:
- the sender obtained the contact details of the recipient in the course of the sale or negotiations for the sale of a product or service to that recipient;
- direct marketing is in respect of that person’s similar products and services only; and
- the recipient has been afforded a simple means of refusing or opting out of the use of their contact details for the purpose of direct marketing at the time the details were initially collected and did not initially refuse such use.
The sender of an email for purposes of direct marketing is prohibited from disguising or concealing their identity and must provide the individual with valid contact details or some other means to opt out of the direct marketing communication.
Telemarketing
There is no provision that the customer must have consented to the telemarketing, except in the case of recorded calls where specific consent is required. However, the ODPA forewarns that the business must provide the individual with the ability to opt out. Other precautionary measures to observe include:
- screening against the UK’s Telephone Preference Service (see below) and against the business’s own suppression lists before making calls;
- ensuring the business displays their telephone number; and
- clearly identifying who is calling and, if requested, furnishing contact addresses and/or freephone numbers to individuals.
Otherwise, the processing of personal data must comply with the provisions of the Data Protection Law.
B2B
Emarketing and SMS/MMS Marketing
Whilst there is no outright prohibition of direct marketing to entities, it is important to understand that any communication that involves the processing of data subjects’ personal data (via email or SMS/MMS in this context) must nevertheless comply with the Data Protection Law and, in particular, the data protection principles set out above.
To the extent that the business is a sole trader or partnership, then they are considered individuals under the Ordinance. Insofar as individuals employed by entities are sent direct marketing communications, then the extent to which their email address is freely available on the internet will impact the approach. It is broadly acceptable for direct marketing relating to goods and services relating to the business of the entity in question to be sent to individuals working there, provided they are given the ability to easily opt out of such communications going forward.
Where the business is not processing any personal data (i.e. a generic company email address is the addressee), marketing emails can be sent.
Telemarketing
There are no specific provisions regulating consent for businesses. However, the ODPA advises that the business being marketed to must have given the caller specific consent to make marketing calls about claims management services. Specific consent of the individual receiving the call is also required for recorded calls. Otherwise, the telemarketer must adopt the same precautionary measures set out above, with the necessary amendments in relation to the UK’s Corporate Telephone Preference Service (see below).
Social media marketing
Social media marketing involving the processing of personal data can be complicated and will often require a fact-specific assessment to be carried out, depending on factors including the media used and the method of communication. The individual must have given the sender consent to send the marketing material unless the sender is relying on soft opt-in. In this case, the principles above and the requirements set out below shall apply. The individual must be given a simple way to opt out of future marketing communications. Otherwise, the processing of personal data must always comply with the Data Protection Law.
Complications arise where one is dealing with joint controllers or the use of third-party targeting tools that rely on data transfers or data sharing to achieve the direct marketing objective.
Viral marketing
As in most jurisdictions, this is not expressly regulated. The nature of this marketing relies on the organic behaviour of the social media community in posting or sharing products or services with their followers or general audience. However, the principles set out in the Data Protection Law and the Ordinance still apply, requiring an analysis of the media, the nature of the communication, and the individuals’ ability to opt out.
Exceptions: Emarketing and SMS/MMS Marketing
As in most jurisdictions, neither the Data Protection Law nor the Ordinance uses or defines the term soft opt-in, but it is usually used to describe the exception in law to the email/SMS/MMS consent requirements. Soft opt-in refers to when an individual buys something from a business, directly provides their details (name and contact details), and does not opt out of marketing messages. The business therefore assumes that the individual is probably happy to receive direct marketing about similar products or services, even if they have not specifically consented.
As a result, many businesses resort to soft opt-in as an alternative to actively seeking consent from existing customers. However, businesses must comply with all of the requirements set out below to rely on this option:
- the business must have obtained the contact details directly from the individual to whom they wish to send the marketing emails;
- the contact details were obtained during the course of a sale, or negotiations of a sale (regardless of the success of the transaction), of a product or service;
- the business is marketing similar products or services; for example, this is not a general marketing opportunity or an opportunity to market products or services from other companies;
- the business must have provided the individual with an opportunity or a simple method to opt out when collecting the details; and
- the business must provide the individual with an opportunity or a simple method to opt out of receipt of subsequent emails.
Exceptions: Telemarketing
It is important to note that ‘soft opt-in’ does not apply to telemarketing. Soft opt-in refers to when an individual buys something from a business, directly provides their details (names and contact details) and does not opt out of marketing messages. The business therefore assumes that the individual is probably happy to receive direct marketing about similar products or services, even if they have not specifically consented.
Marketing Lists
Though there is no prohibition on businesses having internal lists of customers for marketing purposes, the disclosure, sharing, and/or sale of personal data without the consent of the individual in contravention of the Data Protection Law is an offence. The business must have the necessary consent from the individual and the processing of personal data must always comply with the Data Protection Law. Businesses cannot rely on soft opt-in in this regard.
To the extent that the business will use third-party service providers and/or transfer data either intragroup or to other jurisdictions, it is important to make individuals aware of such transfers. Personal data should only be processed for the purposes for which it has been collected, and these purposes should be notified to the individual on or before collection (or as soon as practicable afterward). If a third-party processor is retained to undertake processing functions on behalf of the business (controller), a contract must be put in place between the controller and the processor to ensure that similar data processing standards are upheld throughout the supply chain.
It is important to address data transfers of personal information here because of the ease with which personal information can leave the Bailiwick. Guernsey’s status as an “adequate” jurisdiction means that international transfers to authorised jurisdictions are permitted, including to the EU, Jersey, the UK, and other adequate jurisdictions. Transfers to other jurisdictions are permitted, but only to the extent that contracts or other similar recognised mechanisms are put in place to safeguard personal data and ensure an adequate and equivalent level of protection. Contracts must be put in place to control data transfers with third-party processors or between members of the same group of companies. The Data Protection Law also sets out several exemptions from the transfer restriction, for example where the individual’s consent has been obtained, if the transfer is in the public interest, or if the ODPA has authorised the transfer. It is common for businesses to use the EU’s Standard Contractual Clauses (‘SCCs’), data transfer agreements, the EU-U.S. Data Privacy Framework (for US transfers), or Binding Corporate Rules (‘BCRs’) for this purpose. Please note that for transfers from Guernsey relying on the SCCs, the ODPA requires that the Guernsey Addendum be appended to the SCCs.
This is relevant because of the ease with which personal data is processed between companies and across jurisdictions. Therefore, it is important for the business marketing its goods and services and agents doing so on their behalf to ensure that personal data is being processed in accordance with the Data Protection Law.
National Opt-Out List
Guernsey does not have its own opt-out list for email, telemarketing or SMS/MMS.
However, if a customer has listed their details in the UK’s Mailing Preference Service and/or the UK’s Telephone Preference Service (both personal and corporate numbers can be registered), the ODPA would likely form the view that direct marketing by email, telephone or SMS/MMS is equally unacceptable to such customers.
In addition, the business should keep its own record of customers who have opted out of receiving direct marketing communications (suppression lists).
Penalties
If an individual requires a business to cease sending direct marketing material, the business must do so within one month, or two months in exceptional cases. Failure to comply with this request is a breach of the Data Protection Law, which might attract the following penalties:
- on summary conviction, imprisonment for a term not exceeding 12 months, or a fine not exceeding £10,000 (level 5 on the uniform scale), or both; and
- on conviction on indictment, imprisonment for a term not exceeding two years or a fine (unlimited), or both.
Additional penalties may apply if the offence includes a breach of confidentiality, which attracts on summary conviction a fine not exceeding £10,000 (level 5 on the uniform scale), and on conviction on indictment, a fine (unlimited).
For more specific advice please contact Partner and data protection co-lead for Appleby Richard Field or Koketso Mathebula.