The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECRs) are probably not the most widely known piece of legislation, but they are important when it comes to marketing – and everyone who hates spam text messages, telephone calls and E-mails would probably benefit from knowing about them! The Regulations implement a piece of EU law into domestic law (for those that are interested the relevant EU law is Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)) and are concerned with when and how organisations and individuals (which for ease of reference will simply be referred to as ‘organisations’ throughout) can market directly to individuals via electronic means. Direct marketing means any form of advertising or marketing which is targeted at a specific individual.
The rules are really very simple, but are regularly not complied with by companies large and small. The general rule is that unless you have the consent of the individual (and that consent should be freely given and informed) then you cannot market directly to individuals via E-mail, text message, telephone call or any other electronic means. This post will focus on electronic mail only (such as text messages and E-mail).
What does not qualify as consent for the purposes of the PECRs?
Consent isn’t specifically defined within the PECRs; however, the Regulations provide that where a term is not defined within either the PECRs or the Data Protection Act 1998 (DPA), the term should be given the definition ascribed to it in the Directive. The Directive, in turn, directs us to another EU Directive (95/46/EC – the Directive upon which the DPA is based) where the definition is given as:
any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.
It is very clear. Consent must be:
- Freely given
- Specific
- Informed
When it comes to gaining consent, different companies do it in different ways, most of which do not in any way come close to satisfying those three basic requirements. One way, which I have encountered recently, is to simply build it into their Privacy Policy and/or Terms and Conditions that you consent. That’s probably the most blatant and flagrant way of breaching the PECRs you can get. The consent is neither freely given nor informed. While such organisations might give an option to opt out at a later date, that is insufficient to comply with the Regulations. Consent isn’t consent unless there is an option not to consent. Refusing should also be free (except for the cost of transmitting the refusal). In other words, an individual cannot be charged a fee for refusing (or withdrawing) consent to direct marketing by electronic mail, but if there is a cost to transmitting it (e.g. the cost of a text message or a stamp) then that cost is legitimate.
Another common occurrence is for organisations to have an ‘opt-out’ box requiring the individual to tick in order to say that they don’t consent. This is nothing more than another form of presumed consent, which clearly doesn’t comply with the requirements of the PECRs. So far as electronic mail is concerned, the only option is a clear decision to opt-in.
Some organisations will have the opt-in box and will have helpfully already ticked it, meaning that individuals need to un-tick it to withhold their consent to direct marketing by electronic mail. Again, this is not compliant with the Regulations. Giving consent is a positive action: if the registration, order form, enquiry form, questionnaire etc. goes away with a pre-ticked marketing box still ticked, then it is unclear whether the individual has given their consent to the direct marketing or whether they simply haven’t (for whatever reason) un-ticked the box.
All is not lost though if details have been obtained by stealth. There ought to be a way of withdrawing consent contained in every text message or E-mail that is received (a requirement of the PECRs). However, there is another useful right open to individuals. That right is contained in section 11(1) of the DPA which states:
An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.
Simply put, individuals can send a letter or an E-mail or some other form of written notice to the organisation in question requiring them to stop sending direct marketing. This covers all forms of direct marketing and would include text messages, E-mails, letters, phone calls and such like. The organisation then has to stop direct marketing within “a reasonable time” – the Information Commissioner gives guidance which states that for direct marketing by electronic means organisations should comply within 28 days, and for postal marketing the guidance is 6 weeks. These notices are legally enforceable and it is possible to go to Court if an organisation doesn’t comply – alternatively the Information Commissioner can become involved as there will be breaches of the Data Protection Principles if such a notice is not complied with.
This is just a very basic overview of the requirements of the PECRs; the Information Commissioner has produced a more in-depth guide to Direct Marketing [pdf] which covers everything in more detail. I was prompted to write this blog post based on the sheer number of flagrant breaches of the PECRs that there are. These breaches are by big names. Major political parties, FTSE 100 companies and major household brands are failing to act in accordance with a basic requirement: that before they can bombard individuals with direct marketing they have to obtain the freely given and informed consent of the individual.