The ICO and FCA joint letter to UK Finance and the Building Societies Association
Following some confusion across the industry, the ICO, together with the FCA, have confirmed that firms can write to customers with regulator-required communications even where they have opted out of marketing. The joint statement – issued on 18 July – came following concerns from firms around UK data protection laws and their impact on communications with customers about better savings rates.
Regulatory communications are defined as those that contain “neutral, factual information.” In practice this means care should be taken when formulating the wording of the communication, to ensure that it only includes factual information about the interest rate and terms of the savings product the customer holds, and the interest rate and terms of any other available savings options.
The joint letter confirms that UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 do not prohibit these regulatory communications. In fact, the Consumer Duty requires firms to send customers information that they need to have to be able to meet their financial objectives, at the right time, and presented in a way they understand. In other words, the FCA is highlighting that a failure to send these communications where they apply to the customer would in fact be potentially more harmful to the customer. Firms that have customers who are on lower-rate savings accounts should be making those customers aware of products that might “better serve their financial objectives.”
Some firms might feel like they’re on shaky ground here. The importance of complying with UK GDPR has been made clear over the previous five years, and there are some well-publicised instances of the ICO having taken action against firms that breach the legislation. The line between telling a customer about a better savings rate and honouring an opt-out from marketing is a thin one, but the ICO’s published guidance on direct marketing and regulatory communications helps us to walk that line.
The Guidance makes clear that it is rare that regulatory communication messages would count as direct marketing, but that in some cases, they do. The ICO would use the “phrasing, tone and context of the regulatory communication message” to help determine whether it is direct marketing.
To stay on the right side of the law, the message should be neutral in tone, and should not contain any active promotion or encouragement for customers to take a specific action.
However, if the message actively promotes a product, for example through prominently highlighting the benefits and encouraging a particular course of action, then it would be likely to be counted as direct marketing.
This matters because if a communication is counted as direct marketing, then the right to object applies. If action isn’t taken in line with UK GDPR and the Data Protection Act 2018, then the firm could be held liable for failings on customers’ rights, and the marketing provisions of PECR might also apply.
Other important aspects to consider include necessity and proportionality:
Is the regulatory requirement identifiable, i.e. within CONC, or via PRIN 2A.5.3R or PRIN 2A.5.5R?
Is the method appropriate for the message? Will one message suffice, or is there a justification for sending more than one message?
Can you achieve the purpose via a less intrusive means?
We support firms with their data protection regimes in a number of ways. We offer Data Protection online training that interprets the requirements that all staff need to abide by in an easy-to-understand, relatable way. Priced at £20, the course is accessible at the user’s convenience and provides a certificate upon successful completion. We also offer a senior version, designed for those in senior management, available here.