This has been a busy month for the Information Commissioner’s Office (ICO): the G7 data protection and privacy authorities’ meeting; a proposed new Information Commissioner; the end of the transitional period for the Children’s Code; proposed reforms of the ICO itself in the Department for Digital, Culture, Media and Sport consultation; and enforcement action totalling £495,000 for unsolicited marketing emails or texts, to name but a few!

Several companies found themselves on the wrong side of the law as they did not have permission to send “millions of frustrating and intrusive” marketing emails and texts. Members of the public complained and the ICO opened investigations that ultimately led to enforcement action and in each case a monetary penalty or fine.

Timing of the opt-out

Looking at each case in turn, we start with a vehicle purchasing and wholesale company, well known for offering to “buy any car” and providing a free valuation on submission of your personal details and car registration. The company fell foul of the direct marketing rules, namely Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), when it continued to send emails and texts after the initial response to a valuation was sent. Despite the company arguing that the subsequent emails and texts were “service” in nature, the ICO found that the subsequent emails/texts not only promoted the services of the company but also contained marketing information, and the company did not have consent to send such messages. The figures are staggering – the company sent 191.4 million marketing emails in the space of a year and 3.6 million marketing text messages to individuals “without fully satisfying the requirements of the soft opt in”. The ICO found that while customers were informed of future ways to opt out, at the point of collection of their details the “opportunity to actually object to marketing messages is presented only after provision of the vehicle valuation. Individuals have no opportunity to refuse marketing when initially inputting their details.” The ICO found that this was in contravention of Regulation 22(3)(c) in relation to the timing of the opt-out. This “serious contravention” landed the company with a £200,000 fine.

Instigating the transmission of direct marketing messages

Next, two companies in a group, catering for the older members amongst us, were fined £150,000 and £75,000 respectively for “instigating more than 157 million emails between them.” Again we are looking at Regulation 22 of PECR, although in this instance the direct marketing emails were sent to subscribers on behalf of the companies by the companies’ partner and affiliates. The ICO found the companies had “instigated the transmission of the direct marketing messages” for which they did not have valid consent and therefore they had failed to comply with Regulation 22 of PECR. While the partner and affiliates “sent” the offending communications, the communications included content drafted by the companies and therefore the ICO found that “without [the companies’] involvement and positive encouragement, those communications would not have been sent.”

The companies argued they had relied on “indirect consent” for the purposes of these emails, that is, the situation where an intended recipient tells one organisation that they consent to receiving marketing from other organisations. However, the ICO’s direct marketing guidance states “organisations need to be aware that indirect consent will not be enough for texts, emails or automated calls. This is because the rules on electronic marketing are stricter, to reflect the more intrusive nature of electronic messages.” Further, the guidance makes it clear that for indirect consent to be valid it must be clear and specific enough – no “long, seemingly exhaustive list(s) of categories of organisations”; freely given – if a condition of subscribing to a service is consenting to marketing, the “organisation will have to demonstrate how the consent can be said to have been given freely”; specific – both as to the type of marketing communication and to the type of organisation that will be sending it; and informed – language used should be “clear, easy to understand, and not hidden away in a privacy policy or small print”. The ICO specifically went on to say “(c)onsent will not be valid if individuals are asked to agree to receive marketing from ‘similar organisations’, ‘partners’, ‘selected third parties’ or other similar generic description.” On the evidence presented, the ICO found the companies did not have the necessary valid consent, and therefore, due to the serious contravention, the result was a combined fine of £225,000 for the group.

It is also worth noting that signing a contract using language to indicate that partners are “instigators of the marketing” does not get you off the hook with PECR. If you take this approach, and do minimal due diligence, you increase the risk that your partner could send unsolicited marketing communications resulting in complaints, which ultimately could result in regulatory action and a fine. The ICO is quite clear in these notices that this is the case.

Soft opt-in

Finally, a sports retailer, the important Christmas and January sales period, a re-engagement campaign with over 2.5 million unsolicited emails sent to subscribers and, you guessed it, a contravention of Regulation 22 of PECR resulting in a £70,000 fine. The emails were sent as part of a “re-engagement campaign”, and the ICO found that they “contained direct marketing material for which subscribers had not provided valid consent.” The retailer was unable to provide evidence of consent for the emails over the relevant period as it was no longer able to “retrieve the distribution list used in the Christmas 2019 Email Campaign”. In light of this, the ICO was not satisfied that the soft opt-in exception provided for in Regulation 22(3) of PECR could be relied upon. Again, the ICO highlighted language used in the retailer’s privacy policy, which has now been amended, but at the pertinent time read as follows:

“You acknowledge that you do not object to us and third parties identified below, including our Third Party Advertisers, using your personal information for any of the purposes outlined in this privacy policy and you confirm that you do not and will not consider any of these purposes as a breach of any of your rights under the Privacy and Electronic Communications (EC Directive) Regulations 2003”. 

The retailer relied on this language even though the campaign in question was to re-engage with subscribers with whom “it had not connected for some time”. The retailer did not seek advice from the ICO or a legal advisor in relation to the basis on which it “proposed to send its unsolicited direct marketing to an aged dataset”. Unsurprisingly, the ICO decided to issue a monetary penalty, and identified the retailer’s “failure to maintain satisfactory internal consent records” as an aggravating factor. However, this needs to be balanced with the mitigating factors the retailer put in place: it undertook an exercise to reduce the amount of data in its database, reconsidered the frequency of emails sent to individuals, planned to introduce a new data cleansing system, and updated its privacy policy in line with the ICO guidance. That said, the retailer still faced a fine of £70,000 when all was said and done.

Conclusion

Although the companies in question will argue differently, these decisions do provide welcome clarity on the ICO’s view of certain common issues, such as service v marketing communications and what constitutes an “instigator” of a marketing communication for the purpose of PECR. Organisations should be reviewing their marketing comms and capture wording in light of these decisions (as well as ensuring appropriate records are kept of the relevant consents). To the extent organisations are relying on affiliate marketing strategies, appropriate due diligence needs to be carried out on those affiliate partners to ensure appropriate consents are obtained (simply having a warranty to such effect will not keep the regulator away).

These enforcement notices also bring the total number of fines to 18 so far this year, with a monetary total of £1.7 million. Bearing in mind maximum fines for PECR breaches are still capped at £500,000, this figure demonstrates that the ICO is keen to show its enforcement muscle, and marketers who sail close to the wind in terms of compliance should be reassessing their risk appetite in light of these decisions.