This is part one of a three part series looking at the laws relating to digital and social media marketing. The focus will be on the UK (elements of which will be similar to other European countries): if you are from another part of the world then use this as a guide for future consideration.
There eight elements I will be considering in the series, not all of which relate to specific statutory powers:
- Copyright, Designs and Patents Act 1988
- Data Protection Act 1998.
- Privacy and Electronic Communications Regulations (EC Directive) Regulations 2003.
- The Companies (Trading Disclosures) Regulations 2008.
- Electronic Communications Act 2000.
- Social Media and the law.
- Committees of Advertising Practice (CAP).
In part one I will be providing an overview to the Copyright, Designs and Patents Act 1988, the Data Protection Act 1998 and finally the Privacy and Electronic Communications Regulations (EC Directive) Regulations 2003.
Copyright, Designs and Patents Act 1988.
I have already written a detail article relating to intellectual property and copyrights (you can find it here). I do however want to cover some of the basics again because as a digital and/or social media marketer, you need to be aware of certain points before creating or commissioning a piece of work. Remember, it is the artist(s) or designer(s) that holds the copyright for anything they produce. You need to ensure that there is an explicit statement regarding copyright ownership in all contracts of employment and business contracts: this should minimise your risk should any disputes arise.
There is a ‘Fair Use’ section in the copyright act which places limitations and exceptions on an owner’s copyright in the form of commentary, news reporting, teaching, archiving, academic research, and search engines. In terms of how long they last, the 1988 Copyright, Designs and Patents Act states the duration of copyright is as follows;
- For literary, dramatic, musical or artistic works 70 years.
- Sound Recordings 50 years.
- Films 70 years.
- Typographical arrangement of published editions 25 years.
- Broadcasts and cable programmes 50 years.
- Crown Copyright, 125 years.
- Parliamentary Copyright 50 years.
Data Protection Act 1998.
The Data Protection Act 1998 is the UK’s interpretation of the EU’s Data Protection Directive (also known as Directive 95/46/EC) which is designed to protect the privacy and protection of all personal data collected for or about citizens of the EU. It relates to the processing, using, or exchanging such data. As a digital or social media marketer, if you manage any sort of personal information (even through a third party) then you must comply with the following eight principles:
- Information must be fairly and lawfully processed.
- Information must be processed for specified purposes.
- Information must be adequate, relevant and not excessive.
- Information must be accurate and up-to-date.
- Information must be not kept for longer than is necessary.
- Information must be processed in line with individuals’ rights.
- Information must be secure.
- Information must be not transferred outside the European Economic Area without adequate protection.
The section relating to the management of personal information via a third party is a bit grey: social media platforms like Facebook, Twitter and Instagram etc are channels managed through US organisations, they privacy laws are different. As of yet, I am unaware of any case law relating to breaches of the act: this is important because strictly speaking, you are still processing, using and exchanging data through these medium. When it comes to specific commissioned services like web hosting or email marketing you must ensure that your chosen contractor adheres to the principles highlighted above or you will risk breaching the act.
The Data Protection Act provides individuals with important rights, including the right to find out what personal information is held about them. More specifically, individuals have a right to know what information organisations hold about them on a computer or in certain filing systems. Individuals can submit a ‘Subject Access Request’ to see or have a copy of this information. Individuals also have the right to object to their personal information being used to target them with unwanted marketing. The Data Protection Act must not be considered in isolation, you should also refer to the Privacy and Electronic Communications Regulations: the next section gives you a brief overview of this regulation.
Privacy and Electronic Communications Regulations (EC Directive) Regulations 2003 (PECR).
The PECR is a parallel statute to the data protection act. It covers 4 key areas:
- Marketing by any/digital electronic means.
- Security of public electronic communications services.
- Privacy of customers using communications networks.
The key points are as follows: when you send marketing emails to an individual you must not conceal your identity; you must give a valid address for opt-out requests (or an opt-out link); you cannot send electronic messages unless they have your prior consent to do so; you must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent can be implied, but must be knowingly given.
As long as you do this the first time you set cookies, you do not have to repeat it every time the same person visits your website. However, bear in mind that devices may be used by different people. If there is likely to be more than one user, you may want to consider repeating this process at suitable intervals.
The ‘cookie law’ is an EU directive, so organisations outside of this geographical area do not have to apply (although if they are specifically targeting individuals from the EU, or any specific country within it then they should): this is another grey area where there is no case law giving specific direction.
So, what happens if there is a breach or complaint? Well, in the UK, it is the Information Commissioner’s Office (ICO) who will make a judgement as to whether it is ‘likely’ or ‘unlikely’ that the Data Protection Act and PECR has been compromised. Their actions include criminal prosecutions, non-criminal enforcements and/or specific data audits. The Information Commissioner can also serve a monetary penalty notice imposing a fine of up to £500,000. It is thus worth making sure that you consider these regulations when developing a business or charity.
That concludes part 1, next week I should provide you with an overview of the Companies (Trading Disclosures) Regulations 2008, Electronic Communications Act 2000 and points to consider when developing a social media plan.
We at Strategic Planet are not lawyers, when embarking on an exercise involving any of the above we recommend that you take qualified legal advice.
Or join my community: