Richard Field (Partner and global co-lead for Privacy and Data Protection) and Koketso Mathebula (Associate) look at what are frequently misunderstood provisions of Guernsey law.

Legislation

Emarketing, SMS/MMS and telemarketing in Guernsey is principally governed by the Data Protection (Bailiwick of Guernsey) Law, 2017, as amended (‘the Data Protection Law’) and the European Communities (Implementation of Privacy Directive) (Guernsey) Ordinance, 2004 (as amended) (‘the Ordinance’). In addition, it is important to ensure that direct marketing activities comply with other privacy-related legislation. The Data Protection Law applies to the processing of personal data which is undertaken either wholly or partly by automated means and which forms part of a filing system. The processing must take place in the context of a controller or processor established in the Bailiwick or relate to the processing of Bailiwick residents’ personal data elsewhere, usually in relation to the offering of goods or services or monitoring behaviour. This is where direct marketing becomes particularly relevant.

It is also important to note that a data “controller” is a person who (either alone or jointly with others) determines the purpose(s) and the means for the processing of any personal data, and a “processor” is a person who processes personal data on behalf of a controller, i.e. does not determine the purpose(s) and means of processing. Notably, a processor can also be a controller if they make those determinations. An employee carrying out these functions on behalf of a controller is not considered a controller in their own right, merely by virtue of their employment. A data subject is an identified or identifiable individual to whom personal data relates (the Ordinance defines individuals to include sole traders and partnerships, i.e. unincorporated).

The Data Protection Law mandates that both controllers and processors must comply with the data protection principles: lawfulness, fairness, and transparency, purpose limitation, minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.

Regulatory authority guidance

Guernsey’s data protection regulator, the Office of the Data Protection Authority (‘ODPA’), issued a guidance note titled Direct Marketing – A Guide for Organisations (‘the Direct Marketing Guide’) on May 4, 2023, which was then updated on November 7, 2023, to help organisations understand their obligations and the rights of data subjects in relation to direct marketing.

Definitions

Direct marketing

Neither the Data Protection Law nor the Ordinance expressly define the term ‘direct marketing.’ However, the ODPA defines direct marketing as ‘the communication, by whatever means, of marketing material to specific individuals or organisations,’ a definition broadly aligned with that used in the UK’s Data Protection Act 2018 (‘the Data Protection Act’) (‘the communication [by whatever means] of advertising or marketing material which is directed to particular individuals’). Genuine market research and routine customer service messages do not constitute direct marketing so long as the message or survey does not include any significant promotional material intended to encourage customers to buy products or services or renew contracts.

Email

The Law does not define the term ‘electronic mail.’ However, the Ordinance defines electronic mail as ‘any text, voice, sound, or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service’. The scope of the legislation covers communications consisting not just of text, but images, audio, or a combination of those media.

Email marketing

While there is no direct legislative definition, the definitions of electronic mail and direct marketing referenced above can be adopted to understand the scope of email marketing under Guernsey law.

SMS/MMS

There is no legislative definition for SMS/MMS. However, the Ordinance specifically includes ‘short message service’ in its definition of electronic mail: ‘any text, voice, sound, or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service.’ As such, this is sufficiently wide to capture MMS sent over a public electronic communications network.

SMS/MMS Marketing

There is no specific legislative definition of this term in Guernsey law.

Marketing calls

There is no definition of marketing calls.

Consent

The Data Protection Law provides that ‘consent’ as a basis for lawful processing and defines it as any specific, informed, and unambiguous indication of a data subject’s wishes by means of a statement or by a clear affirmative action, which signifies agreement to the processing of personal data relating to the individual. It is not always necessary for an individual to signify agreement in writing, even though the Direct Marketing Guide provides that explicit consent must be recorded. Importantly, there must be some active communication between the parties; consent cannot be inferred by virtue of the individual simply failing to respond to a communication or failing to object.

Spam

There is no legislative definition of ‘spam’ in Guernsey law.

Consent Requirements

B2C

Emarketing and SMS/MMS Marketing

The data subject must have consented to the sending of direct marketing unless the sender is relying on ‘soft opt-in’ (discussed below). In any case, the individual must be given a simple method to opt out of receipt of future marketing communications. As noted above, consent is only legally valid where it satisfies the following conditions:

  • it is clearly demonstrable that the individual has given the consent, i.e. written email, text, etc.;
  • the individual has freely given the consent, i.e., it is not based on misleading information, misrepresentation, duress, etc. by the sender;
  • prior to consenting, the individual is informed that they have a right to withdraw the consent at any time;
  • if the consent is given in writing in the context of other matters, the request for consent must be clearly distinguishable from other matters (i.e. the request for consent must not be conflated with other matters); and
  • the request for consent must be communicated in a manner that is intelligible, easily accessible, and with clear and plain language.

Direct marketing by means of an email and/or SMS/MMS is prohibited outright unless the individual has previously consented to such communications. The sender may send or instigate such emails for the purpose of direct marketing where:

  • the sender obtained the contact details of the recipient in the course of the sale or negotiations for the sale of a product or service to that recipient;
  • direct marketing is in respect of that person’s similar products and services only; and
  • the recipient has been afforded a simple means of refusing or opting out of the use of their contact details for the purpose of direct marketing at the time the details were initially collected and did not initially refuse such use.

The sender of an email for purposes of direct marketing is prohibited from disguising or concealing their identity and must provide the individual with valid contact details or some other means to optout of the direct marketing communication.

Telemarketing

There is no provision that the customer must have consented to the telemarketing, except in the case of recorded calls where specific consent is required. However, the ODPA forewarns that the business must provide the individual the ability to opt-out. Other precautionary measures to observe include:

  • screening against the UK’s Telephone Preference Service (see below) and against the business’s own suppression lists before making calls;
  • ensuring the business displays their telephone number; and clearly identifying who is calling and, if requested, furnishing contact addresses and/or freephone numbers to individuals.

Otherwise, the processing of personal data must comply with the provisions of the Data Protection Law.

B2B

Emarketing and SMS/MMS Marketing

Whilst there is no outright prohibition of direct marketing to entities, it is important to understand that any communication that involves the processing of data subjects’ personal data (via email or SMS/MMS in this context) must nevertheless comply with the Data Protection Law and, in particular, the data protection principles set out above.

To the extent that the business is a sole trader or partnership, then they are considered individuals under the Ordinance. Insofar as individuals employed by entities are sent direct marketing communications, then the extent to which their email address is freely available on the internet will impact the approach. It is broadly acceptable for direct marketing relating to goods and services relating to the business of the entity in question to be sent to individuals working there, provided they are given the ability to easily opt out of such communications going forward.

Where the business is not processing any personal data (i.e. a generic company email address is the addressee), marketing emails can be sent.

Telemarketing

There are no specific provisions regulating consent for businesses. However, the ODPA advises that the business being marketed to must have given the caller specific consent to make marketing calls about claims management services. Specific consent of the individual receiving the call is also required for recorded calls. Otherwise, the telemarketer must adopt the same precautionary measure set out above, with the necessary amendments in relation to the UK’s Corporate Telephone Preference Service (see below).

Social media marketing

Social media marketing involving the processing of personal data can be complicated and will often require a fact-specific assessment to be carried out, depending on factors including the media used and the method of communication. The individual must have given the sender consent to send the marketing material unless the sender is relying on soft opt-in. In this case, the principles above and the requirements set out below shall apply. The individual must be given a simple way to opt out of future marketing communications. Otherwise, the processing of personal data must always comply with the Data Protection Law.

Complications arise where one is dealing with joint controllers or the use of third-party targeting tools that rely on data transfers or data sharing to achieve the direct marketing objective.

Viral marketing

This is not expressly regulated, like most jurisdictions. The nature of this marketing relies on the organic behaviour of the social media community in posting or sharing products or services with their followers or general audience. However, the principles set out in the Data Protection Law and the Ordinance still apply, requiring an analysis of the media, the nature of the communication, and the individuals’ ability to opt-out.

Exceptions: Emarketing and SMS/MMS Marketing

Like most jurisdictions, neither the Data Protection Law nor the Ordinance use or define the term soft opt-in, but it is usually used to describe the exception in law to the email/SMS/MMS consent requirements. Soft opt-in refers to when an individual buys something from a business, directly provides their details (name and contact details), and does not opt out of marketing messages. The business therefore assumes that the individual is probably happy to receive direct marketing about similar products or services, even if they have not specifically consented.

As a result, many businesses resort to soft opt-in as an alternative to actively seeking consent from existing customers. However, businesses must comply with all of the requirements set out below to rely on this option:

  • the business must have obtained the contact details directly from the individual to whom they wish to send the marketing emails;
  • the contact details were obtained during the course of a sale, or negotiations of a sale (regardless of the success of the transaction), of a product or service;
  • the business is marketing similar products or services, for example, this is not a general marketing opportunity or to market products or services from other companies;
  • the business must have provided the individual with an opportunity or a simple method to opt out when collecting the details; and
  • the business must provide the individual with an opportunity or a simple method to opt out of receipt of subsequent emails.

Exceptions: Telemarketing

It is important to note that ‘soft opt-in’ does not apply to telemarketing. Soft opt-in refers to when an individual buys something from a business, directly provides their details (names and contact details) and does not opt out of marketing messages. The business therefore assumes that the individual is probably happy to receive direct marketing about similar products or services, even if they have not specifically consented.

Marketing Lists

Though there is no prohibition on businesses having internal lists of customers for marketing purposes, the disclosure, sharing, and/or sale of personal data without the consent of the individual in contravention of the Data Protection Law is an offence. The business must have the necessary consent from the individual and the processing of personal data must always comply with the Data Protection Law. Businesses cannot rely on soft opt-in in this regard.

To the extent that the business will use third-party service providers and/or transfer data either intragroup or to other jurisdictions, it is important to make individuals aware of such transfers. Personal data should only be processed for the purposes for which it has been collected, and these purposes should be notified to the individual on or before collection (or as soon as practicable afterward). If a third-party processor is retained to undertake processing functions on behalf of the business (controller), a contract must be put in place between the controller and the processor to ensure that similar data processing standards are upheld throughout the supply chain.

It is important to address data transfers of personal information here because of the ease at which personal information can easily leave the Bailiwick. Guernsey’s status as an “adequate” jurisdiction means that international transfers to authorised jurisdictions are permitted, including to the EU, Jersey, the UK, and other adequate jurisdictions. Transfers to other jurisdictions are permitted, but only to the extent that contracts or other similar recognised mechanisms are put in place to safeguard personal data and ensure an adequate and equivalent level of protection. Contracts must be put in place to control data transfers with third-party processors or between members of the same group of companies. The Data Protection Law also sets out several exemptions from the transfer restriction, for example where the individual’s consent has been obtained, if the transfer is in the public interest, or if the ODPA has authorised the transfer. It is common for businesses to use the EU’s Standard Contractual Clauses (‘SCCs’), data transfer agreements, the EU-U.S. Data Privacy Framework (for US transfers), or Binding Corporate Rules (‘BCRs’) for this purpose. Please note that for transfers from Guernsey relying on the SCCs, the ODPA requires that the Guernsey Addendum be appended to the SCCs.

This is relevant because of the ease at which personal data is processed between companies and across jurisdictions. Therefore, it is important for the business marketing its goods and services and agents doing so on their behalf to ensure that personal data is being processed in accordance with the Data Protection Law.

National Opt-Out List

Guernsey does not have its own opt-out list for email, telemarketing or SMS/MMS.

However, if a customer has listed their details in the UK’s Mailing Preference Service and/or the UK’s Telephone Preference Service (both personal and corporate numbers can be registered), the ODPA would likely form the view that direct marketing by email, telephone or SMS/MMS are equally unacceptable to such customers.

In addition, the business should keep its own record of customers who have opted out of receiving direct marketing communications (suppression lists).

Penalties

If an individual requires a business to cease sending direct marketing material, the business must do so within one month, or two months in exceptional cases. Failure to comply with this request is a breach of the Data Protection Law, which might attract the following penalties:

  • on summary conviction, imprisonment for a term not exceeding 12 months, or a fine not exceeding £10,000 (level 5 on the uniform scale), or both; and
  • on conviction on indictment, imprisonment for a term not exceeding two years or a fine(unlimited), or both.

Additional penalties may apply if the offense includes a breach of confidentiality, which attracts on summary conviction a fine not exceeding £10,000 (level 5 on the uniform scale), and on conviction on indictment, a fine (unlimited).

For more specific advice please contact Partner and data protection co-lead for Appleby Richard Field or Koketso Mathebula.

Locations

Guernsey

Services

Corporate, Dispute Resolution, Regulatory Advice

Sectors

Banking & Financial Services, Energy & Natural Resources, Insurance & Reinsurance, Privacy & Data Protection, Technology & Innovation, Transport & Logistics

Type

Insight

Key contacts

Richard Field

Partner: Guernsey

T +44 (0)1481 755 610
E Email Richard

Richard Sheldon

Managing Group Partner*: Guernsey

T +44 (0)1481 755 904
E Email Richard

Koketso Mathebula

Associate*: Guernsey

T +44 (0)1481 755 623
E Email Koketso

Claire Milne WS

Partner: Isle of Man

T +44 (0)1624 647 698
E Email Claire

Caren Pegg

Partner: Isle of Man

T +44 (0)1624 647 636
E Email Caren

Peter Colegate

Partner: Cayman Islands

T +1 345 814 2745 | +1 345 324 0504
E Email Peter

Katherine Garrood (née Johnson)

Counsel: Isle of Man

T +44 (0)1624 647 971
E Email Katherine

Share
Twitter LinkedIn Email Save as PDF
More Publications
30 Apr 2024

Secondary Pensions in Guernsey: Are you ready for it?

After several years of planning (and delays), The Secondary Pensions (Guernsey and Alderney) Law (La...

Richard Sheldon
James Gallimore
Lisa Upham
Richard Sheldon, James Gallimore, Lisa Upham
9 Apr 2024

The Global – your offshore corporate law questions answered: April 2024

The Global is a quarterly collection of corporate expert insights and analysis across Appleby's glob...

Lisa Upham, Vincent Chan, Judy Lee, Kelly Tang , Juliette Ally
22 Mar 2024

Trading Standards: Application to your business

The Trading Standards (Fair Trading) (Guernsey) Ordinance, 2023 (Ordinance) came into force last O...

Jeremy Berchem
Lisa Upham
Jeremy Berchem, Lisa Upham
19 Mar 2024

Guernsey retains its EU adequacy – as expected

The post-Brexit regulatory landscape continues to throw up challenges and jurisdictional arbitrage, ...

Richard Field
Koketso Mathebula
Richard Field, Koketso Mathebula
18 Mar 2024

Parental Bereavement Leave: Jersey to implement further family leave rights

The UK introduced “Jack’s law” in 2020. Jersey is now following the UK’s example, and as of ...

Richard Sheldon
Niall MacDonald
James Gallimore
Richard Sheldon, Niall MacDonald, James Gallimore
26 Jan 2024

Fund Finance Laws and Regulations 2024 – Guernsey

Guernsey is a leading funds domicile with a proven track record of more than 50 years as an internat...

Jeremy Berchem
Jeremy Berchem
10 Jan 2024

The Global – your offshore corporate law questions answered

The Global is Appleby’s quarterly collection of expert insights and analysis on the latest develop...

Matthew Carr, Richard Field, Lorinda Peasland, Andrew Weaver, Ida Nylund
22 Sep 2023

Discrimination law in Guernsey: The Same but Different

The Prevention of Discrimination (Guernsey) Ordinance 2022 (“Ordinance”) will come into force on...

Richard Sheldon
James Gallimore
Niall MacDonald
Richard Sheldon, James Gallimore, Niall MacDonald
22 Sep 2023

Financial platforms and intermediation

The Lending, Credit and Finance (Bailiwick of Guernsey) Law 2022, (LCF Law) came into effect 1 July ...

Jeremy Berchem
Richard Field
Lisa Upham
Jeremy Berchem, Richard Field, Lisa Upham
19 Sep 2023

Regulation of Financial Firm Business

The Lending, Credit and Finance (Bailiwick of Guernsey) Law 2022, (LCF Law) came into effect 1 July ...

Jeremy Berchem
Lisa Upham
Jeremy Berchem, Lisa Upham