Commonplace direct marketing practices have been under scrutiny by the Information Commissioner’s Office (“ICO”) for some time, with a focus on so-called nuisance calls and texts. However, a flurry of recent cases involving enforcement action by the ICO have wider implications for all businesses and organisations conducting electronic direct marketing, such as by email and text.
In this context, the ICO has imposed substantial fines on Help Direct UK Limited (“Help Direct”) & Oxygen Ltd (“Oxygen”), and Pharmacy2U Ltd (“Pharmacy2U”), for their respective breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), and the Data Protection Act 1998 (“DPA”). The ICO’s approach to PECR compliance has also just been upheld by the First Tier Tribunal (“Tribunal”), when Optical Express (Westfield) Limited (“OE”) failed to win their appeal to overturn the ICO’s enforcement notice to stop their non-PECR-compliant text-marketing.
The cases are relevant to those buying in marketing lists, looking to sell or rent customer data lists, and all those who send electronic marketing outside the narrow boundaries of the direct soft opt-in. Those affected should re-evaluate their direct marketing practices to ensure they do not breach the DPA and PECR in the same way, or otherwise risk the wrath and fining power of the ICO and damage to hard-won reputation.
Consent to direct marketing by third parties
The OE case focused on the nature of fair notice and consent in respect of direct marketing and the party to whom consent to must be given. In seven months, over 4,600 people reported OE to the mobile telephone networks’ Spam Reporting Service, complaining that they had not given their consent to the company to use their details for text marketing. The ICO ordered the company to stop non-compliant marketing by an enforcement notice. OE appealed the decision to the Tribunal on the basis that it had sufficient proof of consent.
In rejecting the appeal, the Tribunal emphasised that there is no difference between the requirements for a PECR consent, compared to a DPA consent. The burden of proof to show that the consent had been obtained rested with OE. Even though OE had purchased prospect details on a “consented” basis, in this case, that was insufficient for valid consent to direct marketing by OE. To be valid, the individual would need to understand who would be carrying out direct marketing to it and for what, to give the necessary consent to such marketing by that sender.
OE could not produce any direct evidence of any consents to it for the text marketing concerned. OE had acquired many numbers from a travel company, in respect of customers who had completed a holiday survey. The travel company told customers that their details might be shared with unspecified third parties for marketing purposes and there was a tick box to opt in but the details did not specify that this marketing may be in respect of laser eye surgery, and that parties such as OE may contact them accordingly by text. The Tribunal said that this did not constitute valid consent and OE had acted in breach of PECR.
The ICO has also just fined Help Direct £200,000 for sending unsolicited marketing texts without the necessary consents; and Oxygen £120,000 for making unsolicited automated marketing calls without consent, both in breach of PECR.
Fair and lawful sale or rental of customer data for marketing
The business entered into a list management arrangement and as a result rented specific customer lists to various buyers. In one case to an Australian lottery company that targeted males over 70 years old. The lottery company intended to contact the Pharmacy2U customers as recipients “specially selected” to “win millions of dollars”. In another case, details of “active donor” customers were sold to a UK charity for them to send letters requesting donations.
The ICO investigation found that Pharmacy2U had not informed its customers that it intended to sell their details to third parties, and that this sale would not be within the customers’ reasonable expectations, this was unfair under the DPA. Further, the ICO found that the customers had not given their consent for their personal data to be sold on, as there was insufficient detail provided to generate a valid consent to onward sale, so there was no lawful ground for the sale of the details to third parties. The ICO found that Pharmacy2U had processed customers’ data in breach of the DPA requirement to process personal data fairly and lawfully, and fined them £130,000, the first fine for a breach of this type.
The ICO is clearly keen to publicise its views on what amounts to compliant electronic marketing and in the Help Direct case noted “The sending of unsolicited text messages is a matter of significant public concern…This is an opportunity for businesses to ensure that they are only sending unsolicited direct marketing text messages in compliance with PECR.”
As we have seen, the ICO is willing and able to issue fines for breaches of the DPA and PECR. PECR compliance is increasingly important, as legal changes this year removed the need to show 'serious harm' before a fine of up to £0.5 million can be imposed for breach.
These cases are likely to be seen by many as a shift in respect of the ICO’s requirements about the level of information which must be provided in a fair notice and what details are needed to ensure a consent is valid for direct marketing and sales purposes. The decisions are timely alongside the ICO’s recent survey to evaluate its current direct marketing guidance. It is likely that these regulatory expectations will be specified in the anticipated revisions to the ICO’s direct marketing guide and its privacy notices code of practice.
The changes may also be seen as a step closer to anticipated more onerous compliance requirements in the proposed General Data Protection Regulation (where enforcement sanctions are likely also to increase, with fines potentially being up to 2-5% of an organisation’s global annual turnover).
As a result of these cases, businesses will need to think carefully when planning marketing initiatives, obtaining marketing lists from third parties and selling personal data. In particular, businesses harvesting contact lists acquired from third parties for marketing purposes must carefully consider whether they now have valid consents to send marketing communications to such contacts. When purchasing data for direct marketing initiatives, businesses will also need to undertake appropriate due diligence into apparent marketing consents, or may find they have purchased details which cannot lawfully be used.