Don't let cold calling get you into hot water

The ICO has fined a company £75,000 for unlawful marketing. Nothing particularly surprising there, as the ICO does it all the time, but this particular decision is an unusual one: it is a fine issued in respect of unlawful business-to-business telephone marketing.

(In addition to the fine, the ICO has also imposed an enforcement notice, the gist of which is "comply with the law".)

The rules for telephone marketing

In addition to "normal" GDPR rules, there is a specific set of rules relating to calls made for direct marketing purposes.

The relevant rules are:

(1) A person shall neither use, nor instigate the use of, a public electronic communications service for the purposes of making unsolicited calls for direct marketing purposes where—

(a) the called line is that of a subscriber who has previously notified the caller that such calls should not for the time being be made on that line; or

(b) the number allocated to a subscriber in respect of the called line is one listed in the register kept under regulation 26.

...

(4) Where a subscriber who has caused a number allocated to a line of his to be listed in the register kept under regulation 26 has notified a caller that he does not, for the time being, object to such calls being made on that line by that caller, such calls may be made by that caller on that line, notwithstanding that the number allocated to that line is listed in the said register.

There are specific, more onerous, rules around calls for direct marketing of claims management services and calls for direct marketing in relation to pension schemes.

The Telephone Preference Service register

The Telephone Preference Service runs the UK's "do not call" register. There is a "normal" opt-out list, and a corporate telephone preference service list.

If a phone number is on either list, Regulation 21(1) prohibits marketing calls to that number, unless the subscriber has notified the caller that they can make those calls.

Organisations can pay to subscribe to the TPS lists, to filter outbound call attempts against them, so that they do not call listed/registered numbers.

But...

... it's a business's phone number - it's not personal data!

The rules are under the ePrivacy framework, not the data protection framework, and it does not matter if the phone number is personal data or not.

If the phone number is personal data, then you would also need to consider the UK GDPR.

... the number is on their website!

That a phone number is on their website, on a business card or email signature, or on someone else's marketing list is irrelevant if it is on a TPS list, or if they have told you that they don't want marketing calls.

If it is on the list, you cannot make the call (lawfully) unless the subscriber has said that they do not object.

... we got someone else to make the call!

Regulation 21 covers both using a phone service for direct marketing calls and instigating the use of a service.

Getting someone else to make calls on your behalf does not remove your responsibility.

Actionable points

In addition to considering the UK GDPR implications if you are processing personal data, if you are going to make outbound marketing calls, you need to have specific measures in place.

Screening calls against the TPS lists

In this option, you would screen all outgoing calls against both TPS lists.

You can still call the number of someone on the TPS list if the subscriber has given you permission to call them anyway, but make sure that you can demonstrate this.

This option probably means you need to have a subscription to the TPS, or else use the services of an organisation which does.

If you rely on the services of a third party and they do not screen correctly, you could be fined by the ICO for the breach, so you will likely want to make sure your agreement with that third party contains appropriate obligations and liability provisions.

In addition to not calling numbers on the TPS lists unless you have permission, you must also not call the numbers of anyone who has told you that they do not want to receive calls to those numbers.

Not using the TPS lists

If, for whatever reason, you do not want to screen calls against the TPS lists, your options are limited.

In essence, you could only call numbers where the subscriber has specifically said that they want to receive calls from you (or, at least, do not object to it).

Aside: what about calls to number-independent interpersonal communications services (e.g. SIP URIs)?

I've focussed here on calls made to what most people would consider "phone numbers": numbers in the UK's national telephone numbering plan (NTNP).

But what about calls where an NTNP number is not the communications address? For example, calling someone via FaceTime Audio using an email address as the address, or a Skype username, or calling a SIP URI (whether the local part is exclusively numbers or not)?

The definition of "call" is:

a connection established by means of a telephone service available to the public allowing two-way communication in real time

In addition:

Any reference in these Regulations to a line shall, without prejudice to paragraph (3) [which has been deleted], be construed as including a reference to anything that performs the function of a line, and “connected”, in relation to a line, is to be construed accordingly.

In principle, it feels like the number-independent interpersonal communications services above should fall within the rules here. After all, the harm suffered is the same. Does anyone like cold calls, however they arrive?

Whether the ICO or a court would consider these to be "telephone services", or an IP data session carrying voice traffic to be a "line", remains, IMHO, unclear.