UNIT 1.2. THE LEGAL AND REGULATORY ASPECTS OF DIGITAL MARKETING IN THE UK

For many international brands, the UK is a key strategic market within EMEA in which to establish a presence and take market share. In particular, launching in the UK is a natural progression for businesses wanting to bridge the gap between Europe and the US. Digital marketing campaigns often form an important part of the endeavour to take share in the new market, but, as with all territories, it’s important to know the legal issues involved in doing this. “There are several areas of law which businesses should think about. Key legal points to consider are general rules regarding misleading advertising and ‘unfair commercial practices’ as well as specific rules on comparative advertising,”

2.1 The effect of legal and regulatory requirements on digital marketing.

How is digital advertising regulated in the UK? 

Digital advertising in the UK is regulated by a combination of legislative rules (such as the Data Protection Act 2018, which implements the EU’s General Data Protection Regulation (GDPR) into UK law, or the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011) and self-regulatory rules such as the Committee of Advertising Practice (CAP) UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing, also known as the CAP Code. Self-regulation and good practice supplement legislation and fill the gaps where the law does not or cannot reach, offering an easier way of resolving disputes and adapting guidelines to new technologies and business models.

Misleading and unfair marketing

“When it comes to rules of misleading and unfair marketing, there are two sets of regulations,” explains the lawyer who specialises in technology, media and advertising work. “One covers misleading B2B marketing, whereas the other one covers unfair commercial practices in a B2C context. Regarding misleading B2B marketing, it states that advertising to another business is banned if it deceives a trader and affects its economic behaviour, such as buying from the misleading advertiser rather than its competitors. In determining whether an advertisement or campaign falls foul of this regulation, a very wide range of things can be taken into account.  This includes the characteristics of the advertised products or services, such as their quality, availability, nature, uses and price; and also covers the conditions of supply, eg time-limited discounts.”

Hamish notes that the attributes of the advertising business are also relevant, eg claims about where the product was made, ownership of intellectual property in the product, the identity of the advertising business, or any misleading claims about membership of any trade association. “Stepping back from the detail, it is clear that these regulations require advertisers to be very careful about claims about the product itself, or the basis on which it can be purchased or consumed,” he adds.

The regulations covering “unfair commercial practices” in a B2C context apply to all advertising to consumers. Like the B2B regulations, the concept of what is an unfair practice is fundamentally an economic test: does the practice materially distort the economic behaviour of the average consumer, or is it likely to do so? “Basically, a practice is unfair if it causes a consumer to make a different decision,” Hamish says. “An unfair practice is most likely to be a misleading statement or, equally common, misleading by omission. It’s very important to be aware of this because a misleading omission will breach the regulations in just the same way.”

There are numerous other specific laws in the UK, such as defamation laws and trademark laws. But the other main area for digital advertisers in the UK to be particularly aware of is the CAP Code. “The CAP Code is a code of practice published by the Advertising Standards Authority. It’s an independent and highly respected advertising organisation. It receives and adjudicates on numerous complaints received from members of the public over marketing campaigns in the UK. It publishes the results of its decisions, and generally, an adverse ruling will create negative publicity for the advertiser,” explains Hamish.

Stories of misleading marketing.

Activia yoghurt

Dannon’s popular Activia brand yoghurt lured consumers into paying more for its purported nutritional benefits — when it was actually pretty much the same as every other kind of yoghurt.

Falsely touting the “clinically” and “scientifically” proven nutritional benefits of the product, Dannon even got a famous spokesperson, Jamie Lee Curtis, for the supposed digestion-regulator. But after a while, some customers didn’t buy it.

A class action settlement last year forced Dannon to pay up to £45 million in damages to the consumers that filed the lawsuit and others who said they’d been bamboozled. The company also had to limit its health claims on its products strictly to factual ones.

Tesco was criticised for an ad in response to the horse-meat scandal, which suggested the problem affected “the whole food industry.”

In 2013, UK supermarket chain Tesco was criticised after it ran a “misleading” ad campaign in the wake of its horse meat scandal, according to The Telegraph.

The supermarket had been caught selling beef contaminated with horse meat in some of its burgers and ready meals.

In an attempt to recover from the PR disaster, Tesco ran a two-page spread in national newspapers with the headline “What burgers have taught us.”

In the ad, Tesco was criticised for implying that the whole meat industry was implicated in the horse meat fiasco, which was untrue. The UK advertising regulator ASA banned the campaign.

Nearly £300 million ($432 million) was wiped off the value of Tesco following the horse meat scandal, according to The Guardian.

Do your due diligence

Thankfully, there are defences available if a business has made an honest marketing mistake. “For B2B transactions, a business can escape liability if it can show that it has generally taken all reasonable precautions and due diligence to avoid being misleading and that the specific misleading advertising was due to a mistake or due to an error made by someone else (or some other cause beyond its control),” says Hamish. He advises businesses to have a system of ‘checks and balances’ in place to ensure compliance with these regulations. If the worst happens, they can demonstrate that they have indeed taken all reasonable precautions and acted with due diligence.

In a similar fashion, the B2C regulation against unfair commercial practices contains two important safeguards which responsible businesses can rely on. “A business will only be in breach of the general prohibition on ‘unfair commercial practices’ if it has contravened the requirements of ‘professional diligence’. In practice, if you can show it has been undertaking the proper checks and measures internally and acting responsibly and in good faith in its marketing and promotional practices, you should be able to show it has acted with ‘professional diligence’”, Hamish explains. For the specific offences of misleading practices, aggressive practices and the list of banned practices, the business can rely on the same ‘due diligence’ defence as in the B2B regulations.

Banned practices in B2C advertising:

  • False endorsement: falsely claiming endorsement or approval by a public body.
  • Goods not available: advertising goods/services for sale where there are grounds to believe they won’t be available at advertised quantities or prices.
  • Time-limited offers: falsely stating goods/services will only be available on particular terms for a limited time in order to elicit an immediate buying decision.
  • Advertorials: promoting goods/services in a paid-for editorial in the media without making it clear it is paid for.
  • Misleading as to origin: promoting goods/services similar to a competitor’s so as to deliberately mislead consumers that the product is made by the competitor.
  • ‘Free’ offers: describing goods/services as ‘free’, ‘without charge’ etc, where in fact the consumer has to pay something. Unavoidable cost of responding, collection or delivery is disregarded for these purposes.
  • Suggesting prizes can be won: creating a false impression that the consumer has won, or will win, a prize or equivalent benefit, when there is no such prize or benefit or when the consumer would have to incur costs in order to claim the prize or benefit.

Reference:

https://www.iabuk.com/policy/digital-policy-guide

https://www.penningtons.co.uk/news-publications/latest-news/2016/the-legal-aspects-of-digital-marketing-in-the-uk/

2.2 Explain how legal issues affect digital marketing.

Legal considerations in digital marketing

There are a number of regulations that relate specifically to digital marketing. You need to keep abreast of developments in this area to ensure that you are complying with the various rules.

A post scriptum on ‘Brexit’

“UK law will likely need to remain consistent with the vast majority of EU laws, at least as they currently stand. One possible option would involve the UK joining the European Economic Area, along with Norway, Iceland, and Liechtenstein. Parallels with Norway, which as an EEA member is required to comply with the great majority of EU laws, are hard to ignore.  On a more pragmatic level, the current legal regime has been in force for almost a decade and works well in my opinion. One must also bear in mind the likely timescale for the UK to exit the EU – at least two years and quite possibly longer. Throughout this time the UK laws will need to remain fully consistent with the position throughout the rest of the EU.”

Email and SMS marketing – regulations

There are rules covering marketing emails and SMS messages to individuals.

The Privacy and Electronic Communications Regulations introduced an opt-in consent procedure for commercial emails – which means you can only target people who have agreed to be contacted.

The rules only apply to new customers. You can continue marketing to existing customers provided they can opt out of future messages and the marketing messages cover similar products and services.

You must also clearly mark your emails with your contact details and include a valid return email address.

Your website and social media

All websites should carry your company’s registered address and company (or charity) registration number. Consider including usage terms and conditions and a disclaimer for your website:

  • sample website usage terms and conditions
  • sample website disclaimer

You should be aware of legal implications and best practice when using social media.

Using cookies

Cookies are text files that are stored on a user’s computer when they visit a website that uses them. Thereafter, the cookie sends information back to the website and can be used to monitor browsing preferences of users, eg types of goods searched for, pages visited and length of dwell time on each page.

Businesses must tell visitors to their website that they use cookies and obtain their consent. You must also tell your site users how you use cookies.  See using cookies and the law.

While marketing has existed since the start of commercial trading, it has become more and more of a grey area for businesses in recent times. Questions that have been raised include the blurred line between data collection and the invasion of privacy as well as the grey area between attracting consumers and deceptive advertisement. Businesses must be careful to tread on the right side of the line between legal and illegal. This article will outline some of the common ethical and legal issues in marketing.

Data Collection and the Invasion of Privacy

Data collection is often considered the first, and most significant, stage of marketing. Extensive data allows businesses to choose the most optimal marketing techniques for their consumer base. In fact, companies such as Google and Facebook primarily rely on tracking a user’s web history to generate returns.

However, while lawmakers are yet to decide on a legal position, individuals are pushing for tougher privacy laws. For example, in a recent survey of 11,000 people, almost 70% said they would gladly use a “do not track” feature on search engines if available. Companies such as Facebook have also received backlash over privacy issues. As such, businesses need to become more conscious of the privacy of consumers when collecting data.

Distribution of Data

Delivery channels such as telemarketing, door to door sales and unsolicited emails are some of the most controversial areas of marketing.

Sometimes the law in different countries specifies time frames in which telemarketing and door to door sales are allowed. For instance, a salesperson may only approach you between 9 am and 6 pm on weekdays and between 9 am and 5 pm on Saturdays. Further, “do not knock” stickers and a “do not call” register must be obeyed by marketers. While these protections are in place, legal and ethical issues arise because the majority of consumers are either unaware of such protections or cannot be bothered to report petty offences. As a result, marketers often get away with illegal and unethical behaviour.

More specifically, in Australia, email anti-spam laws require that a business has the receiver’s consent and that the email identifies the sender and contains an unsubscribe facility. The grey area involves the definition of consent. For example, finding a consumer or another business on a shared directory does not constitute consent. Consent must be expressly stated or inferred from situations such as an existing business relationship.

Misleading Claims

Misleading claims in advertising may involve claims about the quality of the product, the availability of a service and any exclusions on a good. As examples, marketing techniques such as pictures of planes for a road transportation company, or fine print that may contradict the overall message of the advertisement, are misleading and illegal. Companies such as Harvey Norman and Specsavers have been found liable for misleading claims in the past.

However, problems arise because it is extremely difficult to claim for misleading advertisement. For instance, to challenge a claim that a product was “50% off from before”, a consumer must have evidence of the before and after prices.

Reference:

https://www.nibusinessinfo.co.uk/content/legal-considerations-digital-marketing

https://www.b2bmarketing.net/en-gb/resources/blog/ethical-and-legal-issues-marketing

2.3 Explain how organisations ensure digital marketing activities are compliant with legal and regulatory requirements.

‘Data protection’ can be an intimidating phrase for a small business owner, conjuring images of wordy, hard-to-understand legislation.

And so business owners think the law is limited to digital businesses or corporations which use information as a commodity, such as data analytics or major supermarkets.

While we don’t want to scaremonger, don’t be fooled into thinking it doesn’t apply to you.

  • Data protection applies to virtually every business, including sole traders
  • Customer information – names, addresses, photographs, card details and phone numbers – are all subject to the law on data protection
  • Failing to obey data regulations could lead to fines of up to £500,000 or even prison

Essentially, if you run any kind of business with customers, from a retail or logistics business to a day nursery, it’s likely you will store other people’s personal information in some way and therefore have to comply with the legal requirements for storing business information. It is essential to ensure this information is protected and as secure as possible.

Data protection is governed by a law called the Data Protection Act 1998, which contains all your obligations as a business. It is vitally important to obey data protection regulations, as the Information Commissioner’s Office (ICO), the body which is responsible for enforcing the Act, has significant powers to crack down on non-compliance.

With the threat of major fines or prison, data protection is clearly no joke, so it pays for you and your business to be informed.

The Data Protection Act is a long piece of legislation and contains so you could be forgiven for wondering where to start with it as a business.

Never fear, though; we have put together a list of frequently asked questions about data protection along with answers that should cover all you need to know about your obligations as a business.

What is the Data Protection Act?

The Data Protection Act 1998 is the piece of legislation that governs how personal information is used by organisations, businesses or the government. If you store or process personal data in certain ways, the Act considers you a ‘data controller’, which means you must register with the Information Commissioner’s Office and abide by strict guidelines when using personal data.

What type of business does the Data Protection Act affect?

The Data Protection Act is really wide-ranging. It is not limited to a specific kind of business or even business in general – even private individuals can be bound by its regulations if they use data in certain ways.

So a retail business that stores customer addresses as part of a loyalty scheme would need to adhere to the Data Protection Act rules, as well as a day nursery that keeps records of the children in its care – to give just two examples.

The Act only applies if you put or intend to put this information on a computer in some way, though – so if you’re one of the very few businesses that don’t use a computer to store information, then it won’t apply to you.

How do you register with the Information Commissioner’s Office as a ‘data controller’?

The ICO’s registration page can be found here. It takes around 15 minutes to complete and needs completing in one sitting.

You will then be asked for payment – for the majority of businesses this will be an annual charge of £35. This only goes up to £500 if you are a large business with a turnover of more than £25.9m and 249 members of staff or more.

Who is exempt from the Data Protection Act?

However, there are a number of important exceptions to this rule.

You don’t need to register if you’re using data for purely domestic or private purposes, such as keeping an address book or a phone contacts list of your friends and family. The Data Protection Act isn’t for people uploading their holiday snaps to Facebook. It’s also not for you if:

  • Your business stores personal information for internal day-to-day business activity, such as staff payroll
  • Your business uses personal information for advertising, marketing and PR activity in relation to your own business – providing you have obtained this personal information legally and consent has been given
  • You run a small not-for-profit organisation – like a club, voluntary organisation or small charity – and you use the data only in connection with running the organisation

If you’re still not sure whether you need to register, a self-assessment guide explaining whether or not you need to register is on the Information Commissioner’s website, which asks you a number of simple yes/no questions – it shouldn’t take more than five minutes to complete.

It is vitally important that you find out whether you need to register as soon as you can, as failing to register is a criminal offence.

What happens after I’ve registered?

After registration, your business appears on a publicly-searchable database of data controllers on the ICO website, meaning consumers can see the nature of your business and what you intend to use personal data for.

As a registered data controller, whenever you store or use personal information you must abide by a set of eight principles, outlined in the Data Protection Act. This might seem like a lot to take in at first, but the principles have been drafted to stop companies misusing data for harmful or malicious purposes, and are intended to speak for themselves.

Generally, if you are open with customers about what data you are taking and what you will use it for, and you use the information you collect only for those purposes, it is rare you will fall foul of the Act’s principles.

What do I need to do to comply with the Data Protection Act?

In order to stay within the law once you’ve registered, you need to comply with the eight principles for the storage and use of data outlined in the Data Protection Act.

Below you will find the eight principles, with links to ICO guidance on each. Again, they are intended to be self-explanatory, but we have put together tips to make sure you understand and stay within each one where there are hidden nuances.

1. Data Protection Officer
Appoint a Data Protection Officer (DPO) responsible for monitoring internal compliance of GDPR within your organisation. The DPO will then be the figurehead of GDPR and can keep data protection high on the agenda. They can ensure that GDPR compliance is not only achieved but then maintained. In most cases an internal employee (who is appropriately trained/informed) should be fine: but if you are processing personal data on a large scale then you could also consider outsourcing this role.

2. Data Audit
Conduct a personal data audit of all data currently being processed. For each item of data consider:

  • What are you using the data for?
  • Where is the data being stored?
  • Do you still need the data?

If data is being processed on your behalf by third-party data processors (for example Google, MailChimp, Salesforce etc) you need to check that they are GDPR-compliant. In the case of US companies, they should also be US Privacy Shield compliant; the US Privacy Shield framework protects the flow of personal data between the EU and the US. Most third-party data processors are becoming GDPR-compliant if they are not already, but should you find that this will not be the case by the May 2018 deadline, you should make plans to replace them with a compliant provider.

3. Website updates
One of the main ways of obtaining marketing data is via a website and it is, therefore, this aspect that needs particular attention before May 2018. The following checklist was outlined in our email and here we add a bit more flesh to the bones so that you can appreciate exactly what actions you need to take:

1. Update your privacy policy to give more explanation about your data retention periods
You need to state how you use data – including which other databases and systems it goes to – how long you will keep it for, and explain how people can complain to the ICO if the need arises.

2. Have procedures in place to correct or delete personal data
The easiest way for people to do this is electronically, but you need to ensure that once it is changed or deleted on one platform that these changes then transfer over to every other place it is stored. You need to make this process as easy as possible for the data subject and it also needs to be free of charge.

3. The ability for your website to easily transfer data into a different system
You need to provide the facility for data subjects to move, copy or transfer their personal data from your system to another in a safe and secure way, for example by downloading their data or transactions with you in an easily portable format.

4. Consent can’t come from a tick box, it needs to be clearly explained and accepted
The aim of this provision is to ensure that consent must be freely given, specific, informed and unambiguous. It will also prevent automated decision-making such as profiling. Specific consent needs to be given for specific products and services, and your website may, therefore, need to build in additional consent points along the online customer journey.

5. Data breaches need to be reported
Better still, they need to be prevented. You will need to ensure that your website’s security is regularly checked and updated to avoid breaches. If a significant data breach does happen, in which data getting into the wrong hands could result in risk to individuals, you need to notify the ICO.

6. Data protection by design – your websites need to lead with GDPR
“Data protection by design and by default” is an express legal requirement of GDPR. Every aspect of the collection of personal data via your website needs to reflect this so you will need to update your website accordingly. When developing new websites or online data collection mechanisms, think about data privacy right from the start rather than adding it in as an afterthought. This default also applies to reference to data subjects on social media: you need to assume that their required privacy settings will be the highest they can be.

Principles of data protection

There are eight principles of data protection and anyone processing personal data must comply with them. These state that:

  1. Data must be processed fairly and lawfully. In practice, this means you shouldn’t mislead, coerce, or bribe your customers into giving away their personal data. This condition requires you to be clear about what data you are collecting, why you are collecting it, and what it should be used for. Most businesses take care of this by making customers sign or tick what’s generally known as a ‘privacy notice’. The ICO has produced a helpful checklist on the Data Protection Act, specifically produced for small businesses, which contains guidance on how you can draft a privacy notice. The first principle also requires you to meet at least one of the ‘conditions for processing’ when using personal information in any way. If you have a good reason for using information it’s rare that this won’t be the case, but you should briefly read the principles on the ICO website to give yourself an overview all the same. More restrictive conditions also apply to ‘sensitive’ personal information, such as information on a person’s religious beliefs or sexual orientation.
  2. Data must only be obtained for specified and lawful purposes and processed in a manner which is compatible with those purposes. Essentially, it must be made clear to the user/customer/potential customer at the start what your business will be using the data for and why it is being collected. Any new purpose you use the data for should be broadly in line with the original purpose. So, for example, if you run a courier business, you shouldn’t start using your customers’ addresses to send them unsolicited marketing material.
  3. Data must be adequate, relevant and not excessive in relation to the purpose for which it is processed. Fairly self-explanatory, and can be followed easily by only taking the data you really need. You must be clear as to the type of information you wish to store on customers or potential customers and why, e.g. name, address, any personal details. This includes information taken electronically, e.g. from e-commerce transactions. Make sure that you take the data protection principles into account when storing customer data.
  4. Personal data shall be accurate, and where necessary, kept up-to-date. Again, this principle more or less speaks for itself.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. Be sure to securely delete/dispose of the data when you no longer need it.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act. Customers have a right to access a complete copy of the information you hold on them, under something known as a subject access request. Other rights they have include a right to stop your business doing anything that may cause them damage or distress, a right to stop you using their information for direct marketing, and a right to claim compensation caused by breaking Data Protection Act regulations.
  7. Appropriate technical and organisational security measures must be taken to prevent unauthorised or unlawful processing, accidental loss of or damage to personal data. You must keep any personal data you hold secure and it cannot be compromised, accidentally or deliberately. The Act says you should have security that is ‘appropriate’ to both the nature of the information and the harm that may result from its improper use. This doesn’t necessarily mean having state-of-the-art military-grade security software, but the measures you take should be in line with the risk to your company. It’s important to remember that the IT security solution you choose isn’t the end of the story, either. Just as important is which of your employees can access the information and what they can do with it. Keep as much data restricted as possible and only authorise the people you need to – don’t go giving the office intern access to your customers’ credit card details.
  8. Personal data shall not be transferred to a country or territory outside the EEA (European Economic Area) unless that country or territory ensures an adequate level of protection. This is particularly relevant if you are a hosting or cloud-based storage company, which may store large amounts of data overseas. You should keep personal details within Europe at all costs as the number of countries considered as having an ‘adequate’ level of protection is actually quite limited; the European Commission has listed only 10 countries, of which the USA is not one (although sending data to companies operating under the voluntary ‘Safe Harbor’ arrangement is considered acceptable).

2.4 What are the consequences of illegal marketing.

Illegal Marketing and advertising: the law

Regulations that affect advertising

Advertising to consumers

The Consumer Protection from Unfair Trading Regulations mean you cannot mislead or harass consumers by, for example:

  • including false or deceptive messages
  • leaving out important information
  • using aggressive sales techniques

Advertising to businesses

Advertising to businesses is covered by the Business Protection from Misleading Marketing Regulations. As well as being accurate and honest, you must not make misleading comparisons with competitors. That includes:

  • using a competitor’s logo or trademark, or something very similar
  • comparing your product with a competitor’s product that’s not the same

Penalties

If you break the regulations, you could be reported to a local Trading Standards office. You could be fined, prosecuted or imprisoned.

Reference: https://www.gov.uk/marketing-advertising-law/regulations-that-affect-advertising
