The Information Commissioner’s Office (ICO) recently announced that it had issued a record £400,000 fine to Keurboom Communications Ltd for serious breaches of the Privacy and Electronic Communications Regulations 2003 (PECR). The case involved almost 100 million nuisance calls made between October 2014 and March 2016.
Not only does this decision highlight the risks of not adhering to the rules governing electronic communications with consumers but it acts as a timely reminder of the new e-Privacy Regulation (the draft Regulation) published by the European Commission in January 2017 which is intended to be brought in to replace the PECR in May 2018. One of the aims of the draft Regulation is to make providers of electronic communications services play a more central role in protecting their customers from security risks involved in using their services. As the draft Regulation is due to come in next year, businesses will therefore have to react quickly to implement any necessary changes once the final text is agreed.
- Scope: The draft Regulation’s broad definition of ‘electronic communications service’ will cover a wider range of marketing communications, including messages sent via e-commerce sites, in-app messages and ‘over-the-top’ communication services ie Skype and WhatsApp, in addition to mediums like text, phone and email. All communications must comply with the draft Regulation’s rules in relation to the processing, confidentiality, storage and erasure of electronic communications data.
The draft Regulation applies to any entity providing electronic communications services to end-users in the EU, whether or not that entity is based in the EU. It also proposes changes to the rules governing cookies, seeking to move away from obtaining users’ consent via website banners to obtaining consent through a user’s browser settings;
- Direct marketing: Under the PECR, retailers must obtain prior consent to all marketing communications (although the ‘soft opt-in’ remains for emails sent to existing customers in relation to similar products or services). However, the draft Regulation imposes a much higher standard of consent. As under the forthcoming General Data Protection Regulation (GDPR), consent must be freely given, specific, informed and unambiguous. Retailers will no longer be able to rely upon pre-ticked boxes or silence to establish consent. If you text or email an offer to customers and cannot demonstrate that you have obtained their valid prior consent, you leave yourself open to a fine. Customers must also be offered the means to withdraw their consent;
- Sanctions: There will be greatly increased fines. The ICO’s £400,000 fine in the Keurboom case was close to the current maximum permitted fine under the PECR of £500,000. Fines under the draft Regulation will mirror those under the GDPR, with maximum fines of the higher of €20 million or 4% of annual global turnover for the most serious breaches.
What this means for retailers
With less than a year to go before the proposed implementation date, retailers should be assessing the types of electronic marketing communications they send and how they obtain customer consent. This is likely to involve consideration of whether records being kept are sufficient to enable the organisation to demonstrate its compliance, as well as the review of contracts with any third party marketing providers.