The Information Commissioner’s Office (ICO) has served a timely reminder that when it comes to sending out electronic marketing (e.g. emails) it is important to consider whether the recipients of that marketing have previously notified you that they consent to receiving these communications from you. In this regard, emails which ask whether someone wants to receive marketing emails in the future themselves count as marketing emails and should not be sent without the appropriate consent.
This is particularly important to bear in mind at a time when many organisations are looking to “clean up” their marketing lists in time for the General Data Protection Regulation (GDPR) to come into force in May 2018. As the ICO said, “Businesses must understand they can’t break one law to get ready for another”.
In recent months, we have seen the ICO fine Flybe, Honda Europe, and Morrisons £70,000, £13,000, and £10,500 respectively for breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
While these fines are rather modest given the size of the companies in question, and especially given the egregious behaviour of Flybe, they may well be setting a trend that will continue as the GDPR comes into force and the ICO gets the power to fine a company €20 million or 4% of worldwide turnover (whichever is higher) for breaches of data protection legislation. The maximum fine at present is £500,000.
The acts which led to these ICO fines were in each case the contacting of large numbers of people from the companies’ customer databases (sending 3.3 million, 300,000, and 130,000 emails respectively) asking them to consent to future marketing. In Flybe’s case, some of the people they sent the emails to had specifically opted out of marketing communications, and in Morrisons’ case, all of them had.
Honda’s defence was that these emails were not themselves marketing, but were instead customer service emails to allow them to comply with the Data Protection Act 1998 (DPA), which requires that “Personal data shall be accurate and, where necessary, kept up to date.” (DPA 1998, Schedule 1, Principle 4), and to ready themselves for the introduction of the GDPR. However, they could not produce evidence that their customers had given consent to this sort of communication, so the ICO found them to be in breach of PECR.
PECR makes it much more difficult to send unsolicited electronic marketing and represents a considerably more prescriptive regime than that of the DPA. PECR does not, however, apply to non-electronic marketing (e.g. physical post) or marketing to legal persons (such as companies or LLPs). It also only applies to unsolicited communications, that is, communications people have not asked to receive. In those circumstances you revert to the standards of the DPA and so, for example, those engaging in non-electronic marketing are able to rely on the marketing being in their legitimate interests rather than solely on the consent of the proposed recipients. This will remain the case after the introduction of the GDPR, but it will become more difficult to show that the necessary consent has been obtained, and therefore legitimate interest is likely to become all the more important.
Regulation 22(2) of the Privacy and Electronic Communications (EC Directive) Regulations 2003 states the following:
Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.
There is a very specific carve-out in Regulation 22(3):
A person may send or instigate the sending of electronic mail for the purposes of direct marketing where:
- that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;
- the direct marketing is in respect of that person’s similar products and services only; and
- the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.
To comply with Regulation 22, the consent must be “knowingly and freely given, clear and specific”. It was the ‘specificity’ that tripped up Honda, as the ICO said that their customers had not given consent to the sort of marketing in question.
- Where PECR applies
The easiest way to prove that you have received consent, as recommended by the ICO guidance on Direct Marketing [https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf], is to have the customer tick an opt-in box on your website. As the ICO says, there must be a:
“Communication or positive action by which the individual clearly and knowingly indicates their agreement. This might involve clicking an icon, sending an email, subscribing to a service, or providing oral confirmation.”
As Flybe, Honda and Morrisons found to their cost, the ICO guidance goes on to say:
“Note that organisations cannot email or text an individual to ask for consent to future marketing messages. That email or text is in itself sent for the purpose of direct marketing, and so is subject to the same rules as marketing texts and emails. And calls asking for consent are subject to the same rules as other marketing calls.”
In order to ensure that they do not fall into the same trap as Flybe, Honda and Morrisons, organisations should keep a database of those individuals, sole traders and partnerships whose data they hold and who have consented to receiving unsolicited direct marketing. Such a database needs to record who has consented to what, how and when, and should be maintained accurately and kept up to date, bearing in mind that consent is unlikely to last forever. Unsolicited electronic marketing should then only be sent to those people whom the organisation is confident, and can prove, have previously notified them that they consent to receiving these communications.
- Where PECR does not apply
For companies and LLPs who do not fall within PECR, it is also likely to be good practice to maintain a similar database recording what data has been collected, for what purposes and on what basis that processing can take place. Note that when the GDPR comes into force, the standard for consent will be higher (a freely given, specific, informed and unambiguous indication of his or her wishes is required and, for example, any kind of implicit or opt-out consent will for the most part not be sufficient). Therefore organisations will need to make sure that their databases only contain the information of people who have provided valid consent under the new regime, or satisfy themselves that they are covered by legitimate interest or some other ground which allows processing. Given that the GDPR will be implemented in less than a year, this will be a mammoth undertaking for many organisations.
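As an added example (not the article’s own, nor the ICO’s), here is a minimal consent ledger in Python of the kind recommended above for both the PECR and non-PECR cases: it records who consented to what, how and when, and gates an unsolicited marketing email on the Regulation 22 tests, including the specificity point that caught Honda out. Field names, the two-year consent horizon and the sample records are assumptions.

```python
# Added example, not the article's own: a consent ledger recording who consented
# to what, how and when, with a gate applying the PECR Regulation 22 tests.
# Field names, the two-year consent horizon and the sample records are assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

@dataclass
class Consent:
    channel: str               # medium covered, e.g. "email"
    purpose: str               # what was agreed to; specificity is what caught Honda out
    method: str                # how it was given, e.g. "opt-in box", "oral confirmation"
    given_on: date
    withdrawn_on: Optional[date] = None

@dataclass
class Recipient:
    address: str
    legal_person: bool = False           # company or LLP: Reg 22 does not apply
    opted_out: bool = False              # has refused marketing (the Morrisons pattern)
    consents: list = field(default_factory=list)
    # Reg 22(3) soft opt-in: all three conditions must hold
    details_from_sale: bool = False
    similar_products_only: bool = False
    refusal_offered_each_time: bool = False

CONSENT_HORIZON = timedelta(days=730)    # assumption: consent treated as stale after 2 years

def marketing_email_decision(r: Recipient, purpose: str, today: date) -> str:
    """Decide whether one unsolicited direct-marketing email may be sent to r."""
    if r.legal_person:
        return "outside-pecr"            # fall back to a DPA/GDPR basis, e.g. legitimate interest
    if r.opted_out:
        return "refuse: opted out"
    for c in r.consents:
        specific = c.channel == "email" and c.purpose == purpose
        live = c.withdrawn_on is None and today - c.given_on <= CONSENT_HORIZON
        if specific and live:
            return f"send: consent via {c.method} on {c.given_on.isoformat()}"
    if r.details_from_sale and r.similar_products_only and r.refusal_offered_each_time:
        return "send: Reg 22(3) soft opt-in"
    return "refuse: no prior consent"    # a consent-request email is itself marketing

# Constructed sample ledger mirroring the cases discussed in the post.
TODAY = date(2017, 7, 1)
LEDGER = {
    "opted_in": Recipient("a@example.com", consents=[Consent("email", "marketing", "opt-in box", date(2016, 9, 3))]),
    "morrisons": Recipient("b@example.com", opted_out=True),
    "honda": Recipient("c@example.com", consents=[Consent("email", "customer service", "account form", date(2017, 1, 5))]),
    "soft_opt_in": Recipient("d@example.com", details_from_sale=True, similar_products_only=True, refusal_offered_each_time=True),
    "company": Recipient("sales@acme-llp.example", legal_person=True),
}
```

Running `marketing_email_decision(LEDGER["honda"], "marketing", TODAY)` refuses the send because the only recorded consent is for customer service, not marketing, while the same record permits a customer-service email.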
The team at Edwin Coe would be happy to advise on any concerns that you may have with regards to the data that you currently store or may store in the future.
Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.