The UK Information Commissioner's Office has issued fines to two businesses for unlawfully sending emails to individuals to ask about their marketing preferences. These cases emphasise the fact that "marketing" in this context is a very broad concept, and is not limited to sales and promotional activities.
The EU General Data Protection Regulation ("GDPR"), which will be enforced from 25 May 2018, will have a significant effect on the ways in which businesses are lawfully able to collect, process and transfer personal data. One of the major impacts of the GDPR is that valid consent will become harder to obtain, and some forms of consent that are acceptable under existing laws will become invalid under the GDPR. It is essential for businesses that reach out to consumers electronically (e.g., via email or text message) to ensure that they have the correct systems in place, so that they can demonstrate to regulators that appropriate consents have been collected. Businesses should consider whether they have a strong audit trail evidencing each individual’s consent, bearing in mind that, under the GDPR, businesses are responsible for proving that they obtained valid consent.
In an effort to become GDPR compliant, some businesses have been trying to collect fresh consents from individuals. However, when reaching out to individuals to obtain such consents, businesses need to ensure that they comply with the rules regarding electronic direct marketing. "Businesses must understand they can’t break one law to get ready for another," said Steve Eckersley, the Information Commissioner's Office ("ICO") Head of Enforcement.
The ICO recently issued fines of £70,000 and £13,000 respectively to two large international businesses under section 55A of the Data Protection Act 1998. Both businesses sent large volumes of emails (289,790 and 3,333,940 messages respectively) asking individuals to clarify their marketing preferences. Sending such emails without first obtaining the consent of the affected individuals was deemed to be a breach of the Privacy and Electronic Communications Regulation 2003 ("PECR"). Regulation 22 of PECR requires UK businesses to obtain consent (or fall within a narrow exemption) before sending electronic communications to individuals for direct marketing purposes.
In the first case, the relevant business sent an email to individuals asking whether they would like to hear from the business in the future. The email was sent to individuals who were in the business' database, but for whom the business did not have records of marketing preferences. The business contended that these emails were not "marketing" emails, but "service" emails designed to ensure compliance with data protection principles relating to the retention of personal data and direct marketing.
In the second case, the relevant business sent emails asking individuals to confirm whether their details were correct. However, those emails were sent to some individuals who had previously opted out of receiving electronic communications from that business.
When questioned by the ICO, neither business was able to show that they had obtained the prior consent of the individuals to whom the emails had been sent.
The ICO's decision
In both cases, the ICO found that the businesses had contravened Regulation 22 of PECR by sending direct marketing messages without obtaining the required consents. The ICO's direct marketing guidance is clear that businesses cannot e-mail or text an individual to ask for consent to receive future marketing messages, and the ICO considered that these businesses had failed to adhere to that guidance. In the ICO's view, contacting an individual to request consent for direct marketing is, in and of itself, a communication sent for the ultimate purpose of direct marketing. Such communications are therefore subject to the same rules as any other form of electronic direct marketing.
Impact on businesses
UK businesses that engage in electronic direct marketing should note the following:
- Do not email individuals to ask whether they consent to receiving emails – Businesses cannot send emails (or texts) to individuals to confirm that those individuals consent to receiving electronic marketing communications. Such emails are in clear violation of Regulation 22 of PECR, as demonstrated by the ICO's decisions in these cases.
- "Marketing" is a very broad concept – The emails in these cases were not primarily promotional in nature. Their focus was not directly to promote products or services, but to confirm individuals' preferences. Nevertheless, the ICO concluded that the emails amounted to "marketing" for the purposes of PECR.
- Good intentions are not enough – The ICO acknowledged that neither business had intended to breach PECR, and concluded in both cases that the contravention that occurred was not deliberate. Both businesses were attempting to comply with what they saw as their legal obligation to obtain consent. Nevertheless, both businesses were found to be in breach, and were fined as a result.
- The (relatively low) fines are going to change – The ICO found the contraventions by both businesses to be at the "serious" end of the scale, based on the large number of emails that were sent without valid consent. However, the fines were still relatively low, given that the maximum fine that the ICO could have issued is £500,000. It should be noted that, with effect from 25 May 2018, the maximum fines increase significantly, to the greater of €20 million, or 4% of worldwide turnover.
- Fines are not the only concern – Cases such as these can attract negative press attention, with the clear potential for adverse PR impact for the businesses concerned. Monetary Penalty Notices setting out the names of the businesses, the breaches and the applicable fines are permanently displayed on the ICO's website. Moreover, sending potential customers marketing information that they have not consented to receive (or, in some cases, have opted out of receiving) is unlikely to improve a business' reputation. The cost of restoring a business' reputation following such incidents can be significant.
For any business looking to engage in electronic direct marketing, the best approach is to maintain clear and accurate records of what each individual has consented to, and when and how this consent was obtained, so that the business can demonstrate compliance in the event of a complaint.