The Information Commissioner’s Office (ICO) has recently fined telecoms company EE Limited £100,000 for sending millions of unsolicited marketing messages to customers. While the ICO’s recent announcement of its intention to fine BA and Marriott record-breaking amounts for breaches of the GDPR has grabbed the headlines, it is important for businesses not to lose sight of their obligations under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and, importantly, the obligation not to send unsolicited electronic marketing messages without the appropriate consents. These obligations have been around for a number of years, but both their application and the fines that the ICO can levy for breaches have been considerably stiffened as a result of the GDPR.
Under Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), consent must be obtained prior to sending unsolicited electronic marketing communications (for example emails) unless specific criteria are fulfilled. PECR only applies to messages sent to certain people (for example individuals, sole traders and partnerships) and does not apply to messages sent to companies and LLPs.
EE argued that the messages were sent as service messages and were not marketing communications. However, due to the inclusion of direct marketing within these messages, the ICO held that the electronic marketing rules applied. Andy White, Director of Investigations for the ICO, stated that EE were only fined a fifth of the maximum £500,000 fine, largely due to the ICO’s belief that EE did not intentionally break the electronic marketing rules.
Methods of obtaining consent
Consent is essential when it comes to sending marketing texts and emails. The organisation sending the messages has to show that they had valid consent or they may be subject to enforcement action. This consent must generally be obtained at the point that the data was collected as attempts to obtain it afterwards are likely to be construed as unlawful marketing.
The GDPR, which came into force in May last year, has a similar definition to that contained in its predecessor, the Data Protection Act (DPA) 1998. However, it raises the bar for consent to be lawfully obtained and requires that consent must be in the form of an unambiguous affirmative action. In practical terms this requires a positive opt-in and cannot, for example, be implied from silence or inaction.
Organisations must, under the GDPR, be able to show that the consent was freely and knowingly given and are advised to keep records of what the individuals have consented to, as well as when and how this consent was acquired. This can then be used to support their case should a complaint be received by the ICO. Indirect consent (i.e. consent given to a third party) is unlikely to be sufficient unless it is specific enough to clearly apply to the organisation carrying out the marketing.
The simplest and clearest way of obtaining affirmative consent is through the use of opt-in tick boxes indicating the customer’s agreement to receive marketing information. However, it must be noted that pre-ticked opt-in boxes are not permissible under the GDPR as they do not require a positive opt-in.
There is an exception to the rule of obtaining specific consent, known as the ‘soft opt-in’, which permits organisations to send marketing messages if they fulfil the following three conditions:
- They have obtained the contact details in the course of a sale (or negotiations for a sale) of a product or service to that person;
- They are only marketing their own similar products or services; and
- They gave the person a simple opportunity to refuse or opt out of the marketing, both when first collecting the details and in every message after that.
The customers do not actually have to have bought something, but it is a requirement that ‘negotiations for sale’ must have taken place. Consequently, the ‘soft opt-in’ can only be applicable in specific conditions, and organisations frequently fail to fulfil the abovementioned criteria, resulting in fines being levied against them by the ICO. Recent examples include Telegraph Media Group Ltd, who received a £30,000 fine for sending marketing messages without consent, and Parklife Manchester Ltd, who were fined £70,000 for not obtaining consent prior to sending marketing text messages. Thus, the seriousness with which the ICO takes enforcement in this area is readily apparent.
When is it ‘direct marketing’?
The GDPR does not give a definition of direct marketing. The ICO therefore relies on the definition used in the DPA 1998, which defines ‘direct marketing’ in section 11(3) as: “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”. This means that, for example, if a telephone company contacts a customer for administration details but also mentions a new offer they have for unlimited 4G, this will be considered direct marketing even though the purpose of the call was for administration details. This definition also applies to PECR, with the key element of direct marketing being that the messages must be directed to a particular individual.
Moreover, it is important to note that the direct marketing rules are also applicable to not-for-profit organisations as they are not limited to the promotion of goods and services but also include advertising an organisation’s ideas and aims. This was demonstrated in the case of Scottish National Party v Information Commissioner in which it was confirmed that making campaign calls to Scottish voters in the general election without their consent amounted to a breach of PECR.
PECR and Brexit
PECR introduces into UK law the EU Directive on Privacy and Electronic Communications. The EU is currently in the process of replacing the current Electronic Privacy Regulation but it is yet to be finalised and this legislation has been delayed quite considerably. It is unlikely to come into effect until after Brexit (depending of course on when that happens). Therefore, whether or not it will be transposed into UK law is currently unclear.
The team at Edwin Coe would be happy to advise on any concerns that you may have with regard to the data that you currently store or may store in the future.
If you wish to discuss this topic further, please contact Nick Phillips – Partner or any member of the Edwin Coe Intellectual Property team.