Brand collaborations: marketing and data considerations following fashion month

Following fashion month, many brands and labels will be looking to market their brand collaborations as a means of attracting a broader customer base. Highlights will include collaborations between Erdem x Barbour and Mulberry x Stefan Cooke, and a highly anticipated augmented reality experience created by Vogue x Snapchat set to feature six of the world's leading fashion brands, including Dior and Stella McCartney.

When it comes to directly marketing the fruits of these collaborations, however, regulation in the UK is a complex and challenging area.

Many collaborating brands, fashion or otherwise, will ideally want to take advantage of these partnerships by promoting them as widely as possible. Whilst there are a couple of ways of doing this, there are several legal aspects to consider with each method.

The "soft opt-in"  

In most cases, under the Privacy and Electronic Communications Regulations 2003 (PECR), brands must not send electronic marketing communications to individuals in their personal capacity, unless the individual has specifically consented to receive such emails (with separate consents being required for other types of marketing).

Consent must be freely given, and brands must make their request for consent clear (e.g., as to the type of communication being used such as email or text) and prominent, away from other forms of consent, such as general terms and conditions.

One limited exception to this rule under PECR is the so called 'soft opt-in' approach. Where a brand has obtained contact details through a sale or a negotiation for a sale, e.g., from an online order, and the individual was given a clear option to opt-out of receiving marketing communications when their details were collected, a brand may continue to send direct marketing that offers the same or similar products and services to the ones purchased/negotiated for.

However, an option to opt-out of further marketing messages must also be provided in every subsequent communication. It is also important to note that it is only the company that collected the relevant contact details that may use those details to market under the soft opt-in. This means that, in our example, H&M would not be able to send the customer details collected via the soft opt-in to Disney to add to their own marketing database.

Another element of this rule that can be difficult for collaborating brands to navigate is the offering of 'similar products.' For example, H&M's communications to existing subscribers offering Disney 100 x H&M products would be permitted because those subscribers would reasonably expect to receive emails about clothing items made in connection with H&M.

By contrast, if, H&M were to send a separate email offering ticket deals to Disneyland Paris in connection to their clothing collaboration, a customer would be unlikely to expect to receive this email based on their previous interactions with H&M. This would likely fall foul of PECR, even if the email were to contain H&M branding.

Sharing customer databases

As well as leveraging their existing customer databases using the method discussed above, many collaborating brands will want to access each other's customer databases to reach a wider audience when sending marketing communications. These brands must be aware of the potential data protection issues that may arise when sharing their customer databases.

A brand receiving marketing databases from third parties must be sure about the quality and integrity of the data included within it. Effectively, this means that companies need to be sure that (a) the data was collected in compliance with data protection legislation; and (b) the appropriate consents were collected to allow that database to be shared, and for the company receiving it to be able to legally market to the people whose details are included within it.

Appropriate checks should be carried out, such as asking for the source of the data, the party who collected it and the lawful basis of obtaining that data. Where relevant, records of consent should also be sought to understand what individuals were told at the time of collection, when and how they consented to the data sharing (if at all). Contractual protections should also be sought with the relevant collaboration partners, in order to ensure an additional layer of defence should anything go wrong once a database is shared.

Under Article 14 of the UK GDPR, you must give privacy information to individuals whose data has been shared with you indirectly “…within a reasonable period after obtaining the personal data, but at the latest within one month…”. Therefore, a brand that has received personal customer data from another brand will need to provide this information to customers shortly after receiving it. The UK GDPR specifies the information that must be included in such notices, including company contact details and purposes of processing.

Where both brands have influence over and choose how personal data is processed, they may be deemed joint controllers of the data under data protection legislation and will need to take certain measures as a result. A joint controller arrangement might be found where both brands set up an online platform to sell their items, and each were jointly making decisions and deriving benefit from the data being processed e.g., customer data provided to the platform to carry out orders.

Another example might be where two brands use a shared subscriber email list to run a prize draw to win a limited collaboration item. As well as complying with the standard obligations of a controller under data protection law, joint controllers must have a transparent arrangement setting out roles and responsibilities for each controller and this should be shared with the privacy information given to individuals. It will be essential for these brands to seek the appropriate legal guidance in this situation as both will be liable for any damage caused by processing the data unlawfully.

Brand collaboration agreements

As briefly mentioned above, brands entering into these collaboration arrangements should ensure that they include appropriate data sharing provisions in their brand collaboration agreements.

The provisions that should be included will depend on the data protection roles of the parties under the collaboration arrangement (i.e. independent controllers, joint controllers, controller – processor). Where the parties share personal data in their capacity as independent controllers under such arrangements, there is no obligation under UK data protection laws to include data sharing provisions in the agreement.

However, we suspect many brands will choose to do so to ensure there are contractual boundaries as to how the parties can process personal data shared under the arrangement, and we have set out below some of the provision's brands may wish to include in their agreements in such circumstances.

• A provision setting out the data protection roles of parties.
• An obligation on each party to only use the shared personal data for specific purposes and maintain a lawful basis for the processing.
• Standards that should be met when processing the shared personal data.
• A data specification setting out the types of data to be shared between parties.
• An obligation on each party to assist the other in complying with its obligations under UK data protection laws, including in respect of data subject rights requests.

Brand collaborations are a valued and well-developed marketing strategy which can lead to big wins for businesses that carry out campaigns successfully. It makes sense to ensure that the data compliance standards, essential when brands share information, are met.

Get in touch

Speak to us about putting the right measures in place, and how to have constructive conversations with your existing and future collaboration partners about how you deal with your valuable data.

For more on the power of brand collaborations read our report or visit our dedicated website page.