Emails requesting consent to future marketing are a data protection breach
22 May 2017
Emails requesting consent to future marketing are a breach of The Privacy and Electronic Communication Regulations 2003 (“PECR”)
by the Commercial team at Kerman & Co LLP, 200 Strand, London
Two companies, UK independent airline FlyBe and car manufacturer Honda Motor Europe Limited, received significant fines from the Information Commissioner’s Office (“ICO”) last month in relation to thousands of unauthorised emails sent to current and former customers. The relevant emails (3.3m from FlyBe and 289,000 from Honda) were sent to customers to ask them to update their marketing preferences or amend any out-of-date information held about them.
Both companies believed (incorrectly) that the emails did not amount to “marketing” under the PECR, but instead were merely “customer service” emails aimed at helping the company comply with UK and EU data protection laws.
FlyBe directed their emails to customers who had previously withdrawn their consent to receiving marketing emails from them. In Honda’s case, they could not provide evidence that customers had ever consented to receive such an email. As a result of this miscalculation, FlyBe was fined £70,000; Honda £13,000. A summary of the decisions can be found on the ICO’s website here.
What is “marketing”?
Direct marketing consists of communications used by senders to sell goods or services. Although typically sent by email, these can also include marketing over the phone or by post, and the term can also apply to the promotion of an organisation’s aims and ideals (such as appeals for charity funding or political party support).
What is the current position?
The PECRs sit alongside the UK Data Protection Act 1998 (“DPA”), giving specific privacy rights to individuals in relation to unsolicited e-communications (marketing calls, texts, emails, cookies, etc.). The DPA is the underpinning legislation that applies to any organisation that processes personal data, based on eight principles of ‘good’ information handling.
The PECRs are clear on the position relating to email marketing: marketing emails cannot be sent unless the sender (data controller/processor) has:
the consent of the recipient (data subject); and/or
obtained the recipient’s details from a previous sale of a product or service, and the marketing is related to similar products or services they wish to offer (a “soft” opt-in).
Even where the data controller holds valid consent from the data subject when sending an email, they must still give data subjects the option to withdraw that consent at any time (“opt-out”), particularly in cases of soft opt-in (acceptance by conduct).
The current position is clearly stated, and now reinforced by these recent ICO decisions: contacting data subjects for any reason still amounts to “marketing” under the PECRs and, without the right consent in place, will breach both the DPA and the PECRs. Companies must ensure they have the appropriate internal mechanisms and monitoring procedures in place to ensure data subjects who have opted out do not receive unwanted emails.
How can consent be validly obtained?
For consent to be valid, it must be freely given by the data subject, and related to specific types of communication. To dismiss some common myths that exist in this area:
data controllers cannot infer consent from a data subject who does not respond when asked (i.e. where the data subject does not say that they do not want to receive direct marketing);
consent is not valid if it is given because it was conditional on receiving a product or service previously paid for (e.g. data subjects must opt-in before using a website);
consent that is obtained through complex “opt-out” wording on a website (often containing double negatives, e.g. “do not tick here if you do not wish to receive...”) is unlikely to be valid; and
failure to tick an opt-out box, or unticking an opt-in box already selected by default, is also unlikely to provide valid consent.
Data controllers must remember that data subjects have the right, at any time, to ask them to cease, or not to begin, processing their data for direct marketing purposes, by any means (email, phone, text, mail). Once consent is withdrawn, it can only be re-obtained through the free will of the data subject (i.e. visiting the website of their own volition, or purchasing another product or service from the data controller), not as a result of a prompt by the data controller (as was the case with Honda and FlyBe).
What can we learn?
Companies that process, use and store personal data must be aware that the ICO can take a range of actions to change the behaviour of both individuals and organisations. This includes criminal prosecution, audits, monetary penalties (up to £500,000) and a range of enforcement actions requiring specific action to be taken or internal procedures to be implemented. The listed actions are not mutually exclusive.
To stay on the right side of the DPA and the PECRs, a number of useful guidelines for businesses to initially follow include:
prepare clear and comprehensive privacy policies that are well publicised and easily located by data subjects;
keep and maintain accurate records of opt-ins and opt-outs, such as by having separate databases that are reviewed regularly;
review current practices and opportunities given to data subjects to opt-in and opt-out (as appropriate); and
place a clear statement prominently on all marketing communications that contains the valid identity of the sender and valid contact details for data subjects to get in touch should they have a query, or wish to opt-out.
Data controllers must be mindful of the impending changes to the consent thresholds, processing mechanisms and application of data protection law due to arrive from May next year (2018). For further explanation of these upcoming changes, and guidance on how best to prepare, please refer to our other article here.
If you are interested in the contents of this article, or would like to get ahead on how the changing rules may affect you or your approach to marketing and use of customer personal data, please feel free to get in touch with your usual contact at Kerman & Co., who will be happy to explain the implications to you, or direct you to someone able to assist.
The contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute, legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article.