Direct Marketing Policy

ACME Vape Limited plus all associated companies (hereinafter referred to as the “Company”) uses email, SMS, e-marketing, e-marketing via a marketing system, direct mail and telephone to send out marketing information to certain individuals. As we have obligations under the Privacy and Electronic Communications Regulations 2003 (PECR), the Company is required to comply with certain rules regarding using and sending direct marketing. The Company understands its obligations under the PECR and ensures that we have adequate and effective policies, procedures, and controls in place to meet our marketing responsibilities.

Purpose

The purpose of this policy is to ensure that the Company and its employees meet legal, statutory and regulatory obligations under the PECR with regard to direct marketing. This policy sets out our obligations, objectives and the controls for meeting the marketing rules. The aim of this policy is to inform the Company’s processes for compliance and to provide employees with information and support regarding the direct marketing requirements.

Scope

This policy applies to all staff within the Company (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in the UK or overseas). Adherence to this policy is mandatory.

What is Direct Marketing?

The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act 2018 and the UK GDPR and set the rules and privacy rights for electronic communications. There are specific rules on marketing that cover all forms of advertising or promotional material that are directed to particular individuals. The PECR marketing rules apply to information sent via phone, fax, email, text or any other type of electronic message or mail. There are different rules for calls, faxes, and electronic mail.

The PECR and Data Protection

The PECR works in conjunction with the UK GDPR and has been amended to sit alongside the Regulation, including utilising the UK GDPR’s definition of consent. As direct marketing most often includes processing personal data, the Company recognises its obligation to comply with both the PECR and the UK GDPR.

The UK GDPR states that ‘where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing’.

Recipients of such information can also exercise their GDPR right to object to processing for direct marketing purposes. Where the Company receives a request in any format that objects to the processing of personal data for direct marketing, we follow our data protection procedures to ensure that the personal data shall no longer be processed for such purposes.

Whilst we recognise that UK GDPR states that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest, we ensure that all recipients are provided with the option to unsubscribe or opt-out at any time.

Objectives

As the Company sends direct marketing to individuals, we comply with the relevant rules and requirements set by the PECR and UK GDPR. We also follow the Information Commissioner's guidance on direct marketing to inform our policies, procedures and employee knowledge.

As the PECR requires businesses using direct marketing to provide certain information to individuals and comply with specific rules, we have set the below objectives to ensure compliance with the requirements.

To comply with the PECR direct marketing rules, the Company: -

  • Has the below policies and procedures in place: -
  • Uses a direct marketing checklist to ensure compliance with the PECR rules
  • Can demonstrate that consent has been obtained for direct marketing
  • Ensures that consent requests are clear and transparent, use plain language and avoid any illegible terms or jargon
  • Provides individuals with the right to withdraw consent and/or opt-out of marketing at any time
  • Provides simple options for withdrawing consent or opting out of marketing
  • Ensures that all marketing materials and communications contain options for unsubscribing
  • Provides a link to our Privacy Policy so that individuals can see how their personal data is processed and obtain information about their rights
  • Only makes automated marketing calls if we have consent
  • Retains a ‘do not contact’ list of anyone who opts out or unsubscribes from our electronic mail and we use this list to screen electronic marketing mail to exclude anyone who has asked us not to send it
  • Verifies that all direct marketing mediums contain the relevant information required by the PECR
  • Specifies the methods of communication used for direct marketing (i.e., email, text, phone, call, post)
  • Ensures that when sending direct marketing by post, email, or fax, we include our company name, address, and telephone number in the content

Procedures and Guidance

The Company understands that it has specific obligations under the PECR in terms of direct marketing and has robust policies, procedures, controls, and training programs in place to adhere to these. The Company operates a top-down approach where all employees are aware of, and responsible for complying with the rules and guidance.

Where we provide specific information to individuals about marketing and their rights, we ensure that such information is easily accessible, clear, and concise.

The Company sends direct marketing in the form of: -

  • Email
  • Text or SMS
  • E-marketing via a CRM or marketing system
  • Direct mail

The Company has no current intention of sending direct marketing via telemarketing, automated phone calls or fax. However, if it wishes to do so in the future, this policy will apply.

We use a Direct Marketing Notice to provide additional information to individuals about the type of direct marketing we will/would like to send to them. This notice is easily accessible, and a link to it is provided: -

  • In the footer of our website or app
  • On the menu bar of our website or app
  • On the checkout page of our website or app
  • On the subscription page of our website or app
  • Within the text asking for consent to send direct marketing
  • In the footer of all emails related to direct marketing
  • At the end of text messages related to direct marketing

The Company only sends direct marketing or asks for consent to send marketing to certain individuals. The individuals that we send direct marketing to are detailed in our Direct Marketing Notice and include: -

  • Customers of the Company
  • Individuals making a purchase from us
  • Individuals subscribing to a service we provide or a site we host
  • Those who attended an event or webinar organised or hosted by the Company
  • Individuals who download or access information via our website
  • Individuals who contact us to request information about our products or services

Telephone Marketing

Live Telephone Calls

As the Company may make calls in relation to direct marketing in the future, we have an obligation to comply with Sections 19 and 21 of the PECR. The Company will use the Telephone Preference Service (TPS) and the Corporate Telephone Preference Service (CTPS) to screen all telephone numbers related to direct marketing. We will also retain our own ‘do not contact’ list for individual and corporate subscribers who have opted out of direct marketing via the telephone.

The only exception to calling a number that is registered on the TPS or CTPS is where we have obtained consent to make contact by phone for marketing purposes. We have strict consent mechanisms in place to obtain consent by an affirmative action and to demonstrate that consent was provided knowingly.

For all calls made in relation to direct marketing or where any form of marketing will be mentioned or offered, the Company always advises who we are and our purpose for calling, and provides a contact address or freephone number where requested. Our telephone number is always displayed to the person receiving the call.

Employee calls are monitored and reviewed monthly to ensure compliance and staff are also provided with scripts of the information that must be relayed during the call.

Automated Telephone Calls

Where the Company uses an automated dialling system to deliver direct marketing messages by recorded message, we only do so with the explicit consent of the person being called. This consent specifies that direct marketing will be made by an automated calling system and is separate and in addition to any consent obtained for live calls.

All automated messages that fall under the PECR rules for direct marketing are reviewed by the Head of Marketing prior to being used and are kept under regular review. Automated messages are only approved where they meet the PECR rules, including providing our company name, address and/or a freephone telephone number.

Our telephone number is always displayed or made available to the person receiving the call.

Fax Marketing

As the Company may send marketing information via facsimile machine (fax), we have an obligation to comply with Section 20 of the PECR. The Company will use the Fax Preference Service (FPS) to screen all fax numbers prior to their use for direct marketing. We also retain our own 'do not contact' list for fax numbers where an individual or corporate subscriber has requested that we do not contact them via fax.

The only exception to using a fax number for marketing that is registered with the FPS is where we have obtained consent to use the fax number for marketing purposes. We have strict consent mechanisms in place to obtain consent by an affirmative action and to demonstrate that consent was willingly provided. In any fax message used to send marketing information, we provide written details of our company name, address and/or a freephone telephone number. All fax messages used for direct marketing are reviewed by the Head of Marketing prior to being implemented and are kept under regular review.

Electronic Mail Marketing

For the purposes of this policy and our compliance with the PECR, we define electronic mail marketing as 'any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service'.

We use electronic mail for direct marketing in the form of: -

  • Emails
  • Texts
  • Picture messages
  • Video messages
  • Voicemails
  • Direct messages via social media
  • Online marketing
  • Any similar message that is stored electronically.

We only send electronic mail marketing where we either have consent from the individual to do so or where they are an existing customer who has used our products or services previously. Such customers are provided with an easy way to opt out of receiving such information, both when we first obtain their details and in all subsequent messages.

Marketing information sent by email or text clearly displays our: -

  • Full identity (including any trading names)
  • Our trading address and registered office
  • Our company number (if applicable)
  • Any registration number (i.e., ICO register number, FCA authorisation etc)
  • A hyperlink and/or details on how to unsubscribe

We retain an electronic list of subscribers who have opted out of receiving electronic mail marketing.

Consent

As per our obligations under the Regulations, we usually require an individual’s consent to send direct marketing. In such cases, we never send any information that has not been requested or consented to being received. We have controls and tools in place that provide simple options for withdrawing consent or opting out of marketing at any time.

Data processed for any purpose requiring consent is only retained for as long as it is necessary and is subject to the retention and erasure rules set out in the UK GDPR and our Data Protection and Data Retention Policies. Our Data Protection Policy details the consent mechanisms that we have in place to comply with the PECR and UK GDPR.

Legitimate Interests

In some instances, the Company sends marketing information to individuals where it has been identified as being beneficial or of interest to them. In these instances, we rely on the legitimate interests legal basis under the UK GDPR for processing.

We ensure that such information is always relevant to the customer and is non-intrusive. We also ensure that customers have the option to opt out or unsubscribe at any time.

Where we choose to rely on legitimate interests for processing personal data in relation to direct marketing, we have first verified that: -

  • the information being sent is relevant and beneficial to the customer
  • we have weighed their interests against our own
  • there is little to no risk posed to the individuals’ personal data or rights
  • the method used to send any direct marketing and the content is non-intrusive
  • the material being sent is something a customer would usually expect to receive
  • we have provided visible, easy to use and access options for opting out or unsubscribing.

Third Party Processors

The Company uses a third-party service provider to carry out direct marketing by email/telephone/fax/text. We understand that under the PECR, both parties are responsible for complying with the regulations, but as the initial instigator of any marketing communication, the Company is liable for overall compliance.

We carry out extensive due diligence on all suppliers and third parties prior to forming a business relationship with them and carry out regular audits and reviews of the business, services and activities. We have Service Level Agreements and written contracts in place with all service providers that set out our obligations and the provider's responsibilities and duties.

Audits and Monitoring

This policy and procedure document details the controls and measures used by the Company to comply with the PECR and any associated data protection rules. It is to be read in conjunction with our other UK GDPR and PECR policies.

To ensure continued compliance with the Regulations and to review internal policies and processes, the Company uses a dedicated Compliance Monitoring & Audit Policy & Procedure, with a view to ensuring that measures and controls are in place to protect subscribers and users, along with their information, at all times.

The Head of Marketing has overall responsibility for assessing, testing, reviewing and improving the processes, measures and controls in place and reporting improvement action plans to the Board/Directors/Owner and Senior Management Team where applicable.

The aim of internal PECR audits is to: -

  • Ensure that the appropriate policies and procedures are in place.
  • Verify that those policies and procedures are being followed.
  • Test the adequacy and effectiveness of the measures and controls in place.
  • Detect breaches or potential breaches of compliance.
  • Identify risks and assess the mitigating actions in place to minimise such risks.
  • Recommend solutions and mitigating actions for improvements where applicable.
  • Monitor compliance with the PECR and UK GDPR and demonstrate best practice.

Training

Through our strong commitment and robust controls, we ensure that all staff understand, have access to and can easily interpret the PECR and that they have ongoing training, support and assessments to ensure and demonstrate their knowledge, competence and adequacy for the role. Our Induction Policies detail how new and existing employees are trained, assessed and supported and include: -

  • Assessment Tests
  • Coaching & Mentoring
  • 1:1 Support Sessions
  • Scripts and Reminder Aids
  • Access to the PECR and UK GDPR policies, procedures, checklists and supporting documents

Responsibilities

The Company ensures that compliance with the PECR is the responsibility of all employees and provides ongoing support and training to this end. Overall responsibility for PECR compliance has been assigned to the Data Protection Officer, whose role it is to identify and mitigate any risks to the protection of personal data or the privacy rights of users and subscribers.