17.

(1) In communicating with a data subject on direct marketing, a data controller or data processor shall include a statement which is prominently displayed, or otherwise draws the attention of the data subject to the fact that the data subject may make an opt out request.

(2) A data controller or data processor may, in complying with an opt out requirement—

1. (a)  clearly indicate, in each direct marketing message, that a data subject may opt out of receiving future messages by replying with a single word instruction in the subject line;
2. (b)  ensure that a link is prominently located in the email, which takes a data subject to a subscription control centre;
3. (c)  clearly indicate that a data subject may opt out of future direct marketing by replying to a direct marketing text message with a single word instruction;
4. (d)  inform the recipient of a direct marketing phone call that they can verbally opt out from any future calls; and
5. (e)  include instructions on how to opt out from future direct marketing, in each message.

(3) A data controller or a data processor may use an opt out mechanism that provides a data subject with the opportunity to indicate their direct marketing communication preferences, including the extent to which they wish to opt out.

(4) Despite sub-regulation (3), a data controller or data processor shall provide a data subject with an option to opt out of all future direct marketing communications as one of outlined preferences.