Shared & Halved – IHL series: Privacy issues in ending the lockdown & remote marketing

As part of our series of webinars to support in-house lawyers during the current pandemic, on 10 June 2020 we hosted a webinar focusing on how data protection and privacy laws affect what you can and can’t do when reopening your offices.

In the light of the explosion of online trading, we also looked at how you can finetune your direct marketing to make it compliant.

Introduction

The IHL series of our COVID-19 webinar programme covers bite-size topics designed for a half hour coffee break and focuses on practical tips for in-house lawyers.

Below are our key tips and takeaways:

Do temperature checks offer a ‘quick fix’ or ‘easy win’?

• While temperature checks can be defended from a legal and regulatory point of view in many jurisdictions (they are used extensively in Asia and increasingly in the US), and are becoming a de facto norm in many places, they are not easy to implement and typically don’t offer a quick fix
• Thermal cameras can be expensive. What’s more, businesses may have many buildings which increases the expense
• There are many practical limitations with thermal cameras and similar technology:
  • they don’t directly identity COVID-19
  • they only detect a fever and there could be another reason for the fever
  • certain patients may present with no fever

What are the data protection and privacy implications of using temperature checks?

• Some regulators such as the UK’s ICO are pragmatic, others less so. Regulators in Spain and Italy have taken a similar pragmatic approach to the UK, no doubt given the large amount of COVID-19 cases in those countries
• The key test is are you processing personal data? Some countries such as Germany take a broad view on what processing of personal data is in this context
• You need to make it clear that you are using temperature checking technology. Many businesses are focusing on employees at the moment, but some businesses are looking to set this up for visitors too. Bear in mind that the issues that arise in the context of visitors can be nuanced
• You may need to consult with works councils in some countries

What should businesses think about when using temperature checks?

• For global businesses it is tricky as laws are often piecemeal. Some businesses are trying to adopt a global approach, others are looking at regional solutions. Pilots are helping some businesses see how it can work in practice. There is no right or wrong answer as such as it depends on the business
• As an in-house lawyer you need to be involved in ‘Project Restart’ from day 1. Getting involved at the last minute can have difficult consequences
• Think about procurement if you outsource this activity. How long are you storing data for?
• Do (a) data protection impact assessment(s) (DPIA)
• Check whether any other industry or sector guidance is available
• In terms of the bigger picture, consider whether it should be mandatory for, say, employees to come back to work
• Check and update privacy notices. Do you need to have a physical notice? How do you deal with any rights to object? How do people queue in practice?
• Check to what extent you give the identities of employees who are ill, including the extent to which you can tell a line manager (in some countries you can’t do this such as France or Belgium)
• Check and update your records of processing activities
• Document everything!

What about the use of video calls?

• You can record calls but you must say that you are doing so. If someone isn’t comfortable with this they should leave the call or the call should stop
• When recording a call, what inferences can you make out and what information is given (on, ie, special categories of data)?
• Consider what are you showing in the background
• What are the cybersecurity implications of the software you are using?

And subject access requests?

• Subject access requests or DSARs are likely to increase (sadly) because of the rise in redundancies
• Look at your procedures and make sure that they are able to deal with such an increase
• Many regulators such as the UK’s ICO are willing to give a bit more lee-way in terms of any time limits

Where are we now in terms of direct marketing?

• The economic outlook is challenging and CRM marketing budgets are under close scrutiny. Every business wants ‘more bang from their marketing buck’. The upshot? Typically this has meant more data collection to be used for more direct marketing
• After COVID-19 there won’t be a ‘back to normal’. Marketeers are likely to focus on:
  • existing customers and lists
  • the need for metrics in showing success
  • campaigns with a quick impact

Where does direct marketing sit in terms of the background law?

• The law is fiendishly tricky in this area given the interplay between:
  • different laws (in the UK laws such as the GDPR and eprivacy laws regulate this area. In Europe there are different interpretations of the same laws and globally even more variety. There is little harmonisations in this area)
  • guidance from regulators
• This is a challenging area as it often isn’t possible to take a one-size-fits-all approach and campaigns need to be tailored to the countries in question
• Privacy rules are changing. We are also still waiting for the final version of the new Direct Marketing Code in the UK. The consultation on it ended on 4 March 2020. It is unknown when this will be issued. Belgium issued some guidance in January 2020
• Fines have been levied: recently we’ve seen a €100,000 in Finland and a business being fined €1,000 in Belgium for breach of direct marketing laws
• In the UK live calls require consent or verification against Telephone Preference Service (TPS) lists. Generally speaking, businesses should not send marketing emails or texts to individuals without their specific consent. There is a limited exception for own previous customers: the ‘soft opt-in’ (this is likely to continue under the new rules)
• Globally, there are multiple varieties of the ‘soft opt-in’ or local nuances such as times of day excluded from calls, whether an email is deemed available for marketing use or what counts as an individual as opposed to a business contact. Do you consider the law of the location of the marketer or the customer?

What practical tips are there so businesses can navigate this area?

• There are many more quick impact campaigns. In house lawyers should get involved in any direct marketing campaign as early as possible. The draft ICO guidance refers to ‘Planning your marketing: DP by design’. The later you get involved, the trickier it is to fix things
• Marketing teams will also be looking for ‘no waste’ campaigns. This is where you can show your value to the business. Ask, are you collecting and analysing just the data you need? Do asking those extra questions that people are tempted to ask add value or create unpleasant moments for the customer?
• Not every campaign has to involve emails or targeted channels at individuals. Can the same objectives be achieved by, eg, a poster campaign in certain key postcodes?
• Does social distancing mean more internet and social media use or at different times without working hours restrictions?
• Improving the relevancy of your website to current audience search terms also helps
• Don’t forget about data mapping and DPIAs! These are key documents for compliance. For marketing purposes, the data map helps with the questions: what have we got and what do we need? DPIAs can be mandatory in some circumstances, and the new Code looks to be making them even more likely
• From a non-legal point of view if images show people not socially distancing, see whether the marketing team has more appropriate ones. Nothing dates a campaign more at the moment

Service messages are common at the moment. Any tips?

• Take great care with service messages, they may get caught up in the law on direct marketing
• The ICO guidance says a service messages is ‘sent to an individual for administrative or customer service purposes’ where there is ‘no advertising or marketing occurring and no promotional material being transmitted’
• Common examples include reminding customers how to contact you in case of a problem or sharing your COVID-19 customer strategy
• A key factor is likely to be the ‘phrasing, tone and context’ which is also emphasised in the new Code. Adopt a neutral tone. General branding, logos or straplines in these messages do not count as marketing. Avoid though trying to also get customers to buy extra products or services or to renew contracts that are coming to an end
• The upshot is that many businesses are erring on the side of caution in their campaigns. In complying with privacy laws you will have better quality data to use