Category: Direct Marketing

ColourCoat Ltd v Information Commissioner

Last week, the First-Tier Tribunal issued its decision in an appeal by ColourCoat Limited (“CCL”) against a Monetary Penalty Notice (“MPN”) issued by the Information Commissioner in respect of contraventions of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).

Since 2016, CCL has been installing, as a subcontractor, hydrophobic thermal coatings to combat damp and heat loss in residential properties. In 2019, CCL decided that it would start marketing directly to potential customers and bought lists of names and phone numbers for this purpose.

When calls from CCL were answered, the call operator introduced themselves as being from “Homes Advice Bureau”; the script that they followed had the call operators inform the recipient that they were following up on a Government initiative about loft or cavity wall insulation. The call recipient was informed that they qualified for a free “heat loss and moisture check” which would be carried out by “EcoSolve UK”. If the recipient expressed interest, CCL would thereafter inspect the property and attempt to sell installation services. By the end of October 2019, CCL’s turnover had increased seven-fold.

In February 2020, the Information Commissioner noted that their office had received a number of complaints about unsolicited direct marketing calls from a company calling themselves “Homes Advice Bureau”. CCL was identified by the Commissioner, using statutory powers, as the source of these calls. The Commissioner discovered that CCL had made almost 970,000 calls for the purpose of direct marketing between August 2019 and March 2020. Of these calls over 450,000 were made to numbers registered with either the Telephone Preference Service (TPS) or Corporate Telephone Preference Service (CTPS) and had been so registered for more than 28 days.

The Commissioner issued a Notice of Intent and a Preliminary Enforcement Notice in February 2021. After CCL had made representations through its solicitors, the Commissioner served a MPN (in the sum of £130,000) and Enforcement Notice on CCL on 16 June 2021. The Commissioner had found CCL in breach of Regulations 21(1)(a), 21(1)(b), 21(A1) and 24(1)(b) of PECR.

CCL did not dispute that it had breached Regs 21(1)(a) and (b); however, it did dispute the breaches of Regs 21(A1) and 24(1)(b) of PECR; it also appealed the amount of the MPN. However, the FTT held that CCL was in contravention of Regs 21(A1) and 24(1)(b).

In relation to Reg 21(A1), the FTT held that CCL had used mobile numbers from which it could not be identified and that at least one of the numbers used was registered to a pseudonym (“John Smith”).

In relation to Reg 24(1)(b) the FTT found that CCL had failed to provide call recipients with its name. The FTT said, at para 36, that “[w]hile a company can trade under a trading name, PECR requires anyone making unsolicited direct marketing calls to provide their name – in this case, the registered company name.” The FTT noted that the Commissioner had experienced difficulty in identifying CCL as the source of the calls and had only been able to do so by making use of their statutory powers; something that would have been “impossible for the call recipients” [para 36].

CCL had sought to argue that its contravention of Reg 21(1)(a) had been negligent; however, the FTT held that it was deliberate. Names would only go on CCL’s “Do Not Call” list if an individual was particularly forceful or insistent. CCL’s sole director confirmed in oral evidence to the FTT that a call recipient who had told CCL to “go away” would be called again in case they were just in a bad mood or in a rush. [para 39]

In relation to the contravention of Reg 21(1)(b), the FTT held that that was negligent. At paragraph 41 of its decision it states that CCL “knew or ought to have known that there was a risk that calls would be made to” TPS and CTPS registered numbers. The data list invoices received by CCL contained references to TPS and GDPR so although the company lacked actual knowledge of these matters, CCL “could have easily researched the relevant rules and put screening software in place.” [para 41].
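The FTT's point is that a caller who screens a purchased list against the TPS/CTPS registers and its own "do not call" list before dialling removes exactly the calls that founded the Reg 21(1)(b) contravention. The following is an added example of such a screening step, not code from the decision or from CCL: it suppresses numbers registered with the TPS/CTPS for more than the 28-day period the decision refers to and numbers a recipient has asked not to be called, and records why each suppression happened. The TPS register format, the phone numbers and the dates are all constructed for the example; the real TPS file is licensed and its layout is not described on the page.

```python
from datetime import date

# Constructed sample data (fictitious numbers, made up for this example).
# TPS_REGISTER maps a number to the date it was registered with the TPS/CTPS.
TPS_REGISTER = {
    "01632960001": date(2019, 1, 15),   # registered long before the campaign
    "01632960002": date(2019, 8, 25),   # registered only days before the call date
    "01632960004": date(2018, 6, 3),
}
# Numbers whose owners have asked not to be called again (internal list).
DO_NOT_CALL = {"01632960003"}
# A purchased call list, including a number written with the +44 prefix and a duplicate.
CALL_LIST = ["01632960001", "01632960002", "01632960003",
             "01632960004", "+44 1632 960005", "01632960005"]

# Registrations older than this many days must be screened out (per the decision).
TPS_GRACE_DAYS = 28


def normalise(number: str) -> str:
    """Reduce a UK number to a plain 0-prefixed digit string so lists can be compared."""
    digits = "".join(ch for ch in number if ch.isdigit() or ch == "+")
    if digits.startswith("+44"):
        digits = "0" + digits[3:]
    elif digits.startswith("44") and len(digits) == 12:
        digits = "0" + digits[2:]
    return digits


def screen_number(number, call_date, tps_register, do_not_call, grace_days=TPS_GRACE_DAYS):
    """Return (allowed, reason) for one number on a given call date.

    A number is suppressed if the recipient has asked not to be called, or if it
    has been on the TPS/CTPS register for more than grace_days before call_date.
    """
    n = normalise(number)
    if n in do_not_call:
        return False, "on internal do-not-call list"
    registered = tps_register.get(n)
    if registered is not None:
        age = (call_date - registered).days
        if age > grace_days:
            return False, f"TPS/CTPS registered {age} days before call date"
    return True, "ok"


def screen_call_list(numbers, call_date, tps_register, do_not_call):
    """Split a call list into numbers that may be dialled and suppressed (number, reason) pairs.

    Duplicates are collapsed after normalisation so a number written two ways is
    not dialled twice and cannot slip past the screen in one of its spellings.
    """
    allowed, suppressed, seen = [], [], set()
    for raw in numbers:
        n = normalise(raw)
        if n in seen:
            continue
        seen.add(n)
        ok, reason = screen_number(n, call_date, tps_register, do_not_call)
        (allowed if ok else suppressed).append(n if ok else (n, reason))
    return allowed, suppressed


def record_do_not_call(number, do_not_call):
    """Add a number to the internal list as soon as the recipient objects.

    The decision criticised a practice of only listing people who were 'forceful or
    insistent'; the conservative control is to list on the first objection.
    """
    do_not_call.add(normalise(number))
    return do_not_call


if __name__ == "__main__":
    allowed, suppressed = screen_call_list(CALL_LIST, date(2019, 9, 1), TPS_REGISTER, DO_NOT_CALL)
    print("allowed:", allowed)
    for number, reason in suppressed:
        print("suppressed:", number, "-", reason)
```

Run as written, the screen lets through the number registered only seven days earlier and the +44-prefixed number (once), and suppresses the two long-registered TPS numbers and the do-not-call number with a reason that can be kept as an audit record. A screening log of this kind is also the evidence a caller would need to show it took reasonable steps, which is the question the FTT was deciding.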

In relation to the amount of the MPN, the FTT held, at para 44, “that the Commissioner had taken a careful, detailed and reasonable approach to determining the amount of the penalty” and that it had done so in line with the principles that penalties should be effective, proportionate and dissuasive and whether a fair balance has been struck between means and ends. Furthermore, the decision was in line with the Commissioner’s Regulatory Action Policy and published guidance.

The FTT noted that CCL “had targeted older, and potentially more vulnerable, people and by using a “neutral” trading name and referring to a Government initiative, created the false impression that [CCL] was providing an official or Government authorised service.” [para 48] The FTT also held that during the period of the contraventions that CCL’s turnover had been high and that a “substantial proportion” was likely to have been derived from the marketing campaign. [para 50]

The appeal was dismissed.

The FTT makes some interesting comments in its decision in this appeal that ought to be kept in mind by people undertaking direct marketing and those advising them on the lawfulness and/or privacy aspects of direct marketing. If you’re using a trading name and it is not immediately obvious from that trading name who the actual caller (or instigator, if different) is then that is information that requires to be provided as part of the call.

The FTT also noted what was said by the Upper Tribunal in the Leave.EU appeals, that comparisons with other penalties issued by the Commissioner are not helpful in assessing whether another penalty is appropriate. While there are principles that underpin how the Commissioner (and FTT) will assess what is an appropriate level of penalty, what that is will vary depending on the facts of each case (although being wildly out of step with other penalties may be an indication that something has gone wrong, consideration would also need to be given to what material differences exist between each case).

Don’t throw stones in glass houses

Today the Scottish National Party (SNP) launched a brand new website with the aim of gauging public support for a second referendum on Scottish independence.  Of course Scotland had a referendum on this issue a little under two years ago where those who voted did so 55% – 45% in favour of Scotland remaining part of the United Kingdom.  In May the Scottish people went to the polls to elect the Scottish Parliament; the Scottish Conservative Party fought that election on a strong pro-union message and had its best electoral success in Scotland in many decades.  They pushed Scottish Labour (who the criticisms in this blog equally apply to) into third place to become the official opposition in the Scottish Parliament to the SNP Government (which, incidentally lost its overall majority and is governing, once again, as a minority government).

This afternoon I had a look at the SNP’s new website and immediately spotted some problems with it.  The National Survey website unsurprisingly has a survey for people to complete.  It asks a number of questions such as how people voted in the 2014 independence referendum and in June’s EU referendum.  It also asks for the name and postcode of the person completing the survey as well as whether or not they have children or grandchildren who are under the age of 18 years, all fields which are mandatory.  The website does have a data protection and privacy policy, which is very brief.  The following screenshot was taken from the National Survey website this afternoon:

[Screenshot: the National Survey website’s data protection and privacy policy]

The policy is extremely short, but the key aspect of the policy for the present purposes is “The SNP may…contact you about issues you may find of interest using any details you have supplied.  You can opt out of some or all contact by writing to us.”  I shall return to why this is the key aspect in a moment, but for now it’s on with the story.

The Scottish Conservative Party has apparently taken legal advice on the SNP’s National Survey website and written to both the Electoral Commission and the Information Commissioner; the former being irrelevant for present purposes.  The Scottish Conservatives state that they considered that the SNP’s website breaches the Data Protection Act 1998 (it does, but more on that in a moment).  However, while they are considering the SNP’s National Survey website they might wish to consider their own website.

Unlike the SNP’s National Survey website, the Scottish Conservatives website has a lengthy data protection and privacy policy, but I have taken a screenshot of the relevant bit:

[Screenshot: the relevant section of the Scottish Conservatives’ privacy policy]

The relevant part for present purposes is the bit that reads “[b]y entering your contact details you agree to receive communications from us, from which you can opt-out using the “unsubscribe” link in each email we send or using the contact details at the top of this privacy notice.”

There are problems with both the Privacy Notices above, and they are in fact the same problem.  I will come onto the breaches of the Data Protection Act 1998 in a moment; however, I initially want to discuss the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Both the above privacy notices envisage sending information to those who have provided their E-mail address about campaigns that the respective political parties are engaging in.  These E-mails will essentially be promoting the aims of the respective political party, either generally or in respect of a specific area of policy.  These E-mails will be sent directly to an individual; that makes them direct marketing communications.  The law is very strict on when it is legal to send such communications.  The relevant regulation is Regulation 22, which covers direct marketing by electronic mail.  Regulation 22(2) requires (except in a very limited set of circumstances, not relevant here) that individuals must give consent to receive such marketing.

The Scottish Conservatives’ privacy policy certainly seems to suggest that they have consent, but in reality they do not.  This is because consent is actually defined in the 1995 Data Protection Directive and that definition is applicable to the PECR; their privacy policy doesn’t meet that definition.  The definition of consent in the 1995 Data Protection Directive is to be found in Article 2 and is “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”  Consent achieved in the way the SNP and Scottish Conservatives have approached it is not “freely given specific and informed”.  Individuals have not positively expressed a desire to receive general communications about the party or its campaigns; they’ve simply filled in a survey expressing their views on the matters asked about in the survey.  In the case of the specific example of the SNP’s National Survey website the privacy policy isn’t visible at the time the personal data is collected; it cannot therefore be said to be an informed expression of the data subject’s wishes.  The Conservatives (both at a UK and Scottish level) have been guilty of this too.

Essentially what this means is that any E-mail communication sent by either the Scottish Conservatives or the SNP that amounts to direct marketing (which is likely to be every e-mail) in reliance upon the consent obtained through their respective privacy policies is unlawful.

Now, to the Data Protection Act issues.  A data controller (which any political party will be) must only process personal data fairly and lawfully (first data protection principle).  For the processing to be lawful a Schedule 2 condition must be satisfied (and in the case of sensitive personal data, a Schedule 3 condition as well).  One of the conditions in Schedules 2 and 3 is essentially processing to which the data subject has consented; however, neither the SNP nor the Scottish Conservatives can rely on consent because they simply do not have the data subject’s consent.  They wouldn’t be able to satisfy any of the other Schedule 2 or 3 conditions to legitimise their sending of direct marketing E-mail communications; they would therefore also breach the first data protection principle when sending those E-mails.

Collecting personal data is also a processing activity.  In the case of the SNP’s National Survey they are not collecting the personal data fairly.  While they do have their privacy policy (which is quite frankly a sorry excuse for one) it is not prominent on the actual survey itself; people are not told at the time their personal data is collected exactly how the SNP will make use of it.  You can navigate to the privacy policy from the survey page, but the link to the policy is in extremely small text at the very foot of the page (so much so that I initially had difficulty in locating its existence at all).

Turning once again to the Scottish Conservatives, they are currently running a petition on their website against having a second referendum on Scottish independence.  They continue to rely on implied consent for general communications about the Scottish Conservative Party and are arguably collecting personal data unfairly as well.  While the link to their data collection and use policy is clearer, it comes after the “sign up” button and still requires individuals to navigate away from the page that they are on in order to see exactly how their personal data is going to be used by the Scottish Conservatives.

One other issue with the SNP’s National Survey website relates to the third data protection principle which states that “Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.”  All of the fields are mandatory and it is unclear as to why information such as the number of children or grandchildren you have under the age of 18 or indeed what your name or E-mail has to do with gauging support for a second independence referendum.  This is simply an exercise in gathering personal data and that should be made clear from the website and the survey (otherwise it will only add to the breaches of the first data protection principle).  Those fields should, as a very minimum, be made optional.

To conclude, while the Scottish Conservatives have raised legitimate and valid criticisms of the SNP’s National Survey website, they would do well to remember that people in glass houses ought not to throw stones.


Data Protection and the #EUref

Data Protection is not an area that people generally get especially excited about, but the rights contained in the Data Protection Act 1998 (“the DPA”) are important.  They enable individuals to find out (mostly) what information companies and organisations hold about them, where they got it from, what they do with it, who they give it to and what it says.  It also enables people to take a degree of control over what companies and organisations do with that information; including the ability to prevent a company from using their information for marketing purposes, forcing them to correct inaccurate information and forcing them to stop “processing” their information where the processing causes substantial damage or distress that is unwarranted.

The DPA implements an EU Directive into domestic law.  Data Protection law in the UK has its roots in European law.  However, it’s not just the DPA that has its roots in European law; the connected Privacy and Electronic Communications Regulations 2003 (the full name of which is actually the Privacy and Electronic Communications (EC Directive) Regulations 2003) also implement European law into domestic law.  These Regulations relate to the use of personal data and are the regulatory regime that governs the use of electronic communications (such as E-mail, phone and text) to market directly to individuals.  These are the regulations which help deal with those annoying and unsolicited PPI and accident claims telephone calls.

In 2018 the Directive that underpins the DPA is being replaced with a new EU Regulation on Data Protection and the Directive underpinning the 2003 Regulations is currently being reviewed in light of the new EU Data Protection Regulation (the European Commission is consulting on this issue until 5 July 2016).

The DPA replaced the Data Protection Act 1984.  The 1984 Act was introduced to give protection to individuals in relation to the automatic processing of their personal data and was based upon the Council of Europe’s (the same Council of Europe behind the European Convention on Human Rights and Fundamental Freedoms) 1981 Convention for the protection of individuals with regard to automatic processing of personal data.

Now that there has been a brief account in respect of the history of Data Protection law in the United Kingdom, it is possible to thrust into the main purpose of this article; that is to consider Data Protection in the context of the EU Referendum.

If the UK votes to remain in the European Union then in May 2018 the United Kingdom will have to comply with the General Data Protection Regulation (which, being a Regulation, will have direct effect regardless as to whether the UK Parliament enacts a new Data Protection Act or not) together with the associated Directives; including whatever eventually replaces the 2002 e-Privacy Directive.  The associated Directives, together with some of the fudges in the new Regulation, will likely mean that there will be a new Data Protection Act to replace the current Act (probably towards the end of 2017).

If the UK votes to leave the European Union what happens is a bit more uncertain.  A vote to leave the EU will not mean that there is a complete end to the UK’s relationship with the EU, and that will have an impact on Data Protection.

The first thing to note is that a vote to leave will not mean an instantaneous split.  There currently isn’t really a process for an EU Member State to leave the Union so some time will be spent working out how that happens and there will inevitably be a time spent negotiating a new relationship with the EU; whether that is inside of or outside of the EEA.  It seems quite likely that we will still be in the EU come May 2018, which might mean that the GDPR will automatically apply – but that is entirely dependent upon what happens in terms of negotiations between the vote to leave and May 2018.

If the United Kingdom simply becomes part of the EEA then the result, insofar as Data Protection is concerned, will be identical to a vote to remain; the GDPR applies to the EEA countries (presently being Iceland, Liechtenstein and Norway) as well as to EU Member States.

If the United Kingdom leaves the EU and doesn’t join the EEA there will be a bit more freedom in respect of Data Protection.  However, the requirement for Data Controllers within EU Member States not to transfer personal data to a country outside of the EU/EEA, unless there is an adequate level of protection for personal data, will mean that we will continue to have some form of Data Protection law.

It is possible that the UK could meet the adequate level of protection requirement with rights that are substantially lower than those afforded by the GDPR (when it enters into force) and so the UK’s Data Protection law will not necessarily be all that similar to the GDPR – especially if the government of the day is one that favours light-touch regulation and a lack of “red tape”.  That means that even if the UK is forced to comply with the GDPR initially, Data Protection law in the UK could change dramatically to something that affords much less protection than the GDPR.  What the law will look like though will not only depend upon the ideals of the government of the day, but what they think would be politically acceptable; over the last 30 or so years people have become much more wary about what governments, public agencies and businesses do with their personal data; so while the political will might be to substantially lower the level of protection afforded to individuals’ personal data, the public will might not let them go quite as far as they wish!

In short, the future of Data Protection law in the UK will be very much influenced by the result of the Referendum and the eventual relationship with the EU in the event of a vote to leave.

Round-Up on DPA and PECR: September 2015

A new, trial feature on the blog in which I take a monthly look at the Monetary Penalty and Enforcement Notices issued by the ICO together with the formal undertakings also published.

September has seen the Information Commissioner issue two Monetary Penalty Notices in respect of breaches of PECR and publish three formal undertakings following breaches of the DPA.

General Dental Council

The General Dental Council (‘the GDC’), a statutory regulator, gave the Commissioner an undertaking to comply with the seventh Data Protection Principle.  This followed an incident in which fitness to practise allegations and a CD containing background information relative to the allegations were sent to the wrong practitioner.  An investigation by the GDC established that the error had occurred because the recipient had a similar name to the intended recipient.

The GDC had in place guidance on the processing of such information; this had not been followed by the employees who had arranged for this information to be sent out.  The GDC’s guidance and processes required that the CD on which the background information was sent was encrypted.  In this particular incident the CD was not encrypted.

The Commissioner established that while the GDC had in place sufficient policies and procedures, there was a lack of corporate refresher training in relation to data protection for those employees whose job roles entailed the processing of personal data.  The GDC had introduced induction training, but this was not rolled out to existing staff.  The GDC did have examples of where data protection training was being delivered; however, much of this was delivered on an ad hoc basis.

The Undertaking records a second incident where a patient’s dental records had gone missing.  The GDC’s investigation suggested that the records had never left their office, but had instead been securely destroyed.  However, the employee involved in this incident had not received induction data protection training.

Cold Call Elimination Ltd

The Commissioner served a Monetary Penalty Notice on Cold Call Elimination Ltd following breaches of PECR.  Somewhat ironically Cold Call Elimination Ltd was making unsolicited cold calls to sell a service and device to stop unsolicited cold calls.

The Commissioner wrote to the company following a number of complaints to the Commissioner and the Telephone Preference Service.  The Company provided an explanation and further explained that it would be putting in additional measures relating to unsolicited marketing calls.  The Commissioner placed the company on a period of monitoring for a period of 3 months, during which a large number of complaints continued to be received.

The Commissioner’s Office met with Cold Call Elimination Ltd to discuss its compliance with PECR following which a further period of monitoring took place.  During that second period of monitoring there was a drop in the number of complaints received, but the Commissioner described this as an insignificant drop.

The Commissioner had received 46 complaints directly from individuals who were subscribed to the Telephone Preference Service between 14 June 2013 and 31 March 2015.  The Telephone Preference Service had received 336 complaints over the same period.

The Commissioner determined that the company was in breach of Regulation 21 of PECR and subsequently issued a Monetary Penalty Notice in the amount of £75,000.

Martin & Company

Martin & Company, a firm of solicitors, gave the Commissioner an undertaking to comply with the seventh Data Protection Principle following an incident in which a DVD containing CCTV footage went missing.  The firm was acting for a criminal accused and the CCTV footage was released to them by the Crown Office and Procurator Fiscal Service (‘the COPFS’).  Martin & Company is based in Ayr and the DVD required to be collected from the COPFS office in Kilmarnock.  Martin & Company instructed a third party to collect the DVD from the COPFS.  The DVD went missing having been collected by the third party, but before reaching Martin & Company.

The Commissioner’s investigation found that there were some shortcomings in Martin & Company’s procedures.  In particular the Commissioner highlighted a lack of guidance to staff regarding the DPA as well as relevant training on the DPA.  The Commissioner also took the view that there was a lack of formal procedure for staff when arranging to have personal data collected from outside of the office environment.

FlyBe Limited

FlyBe Limited, an airline, gave the Commissioner an undertaking to comply with the seventh Data Protection Principle following an incident in which a temporary employee sent a scanned image of another individual’s passport to his personal E-mail address.  The incident occurred in the department responsible for processing airside clearance for other FlyBe staff.

The Commissioner investigated and discovered that FlyBe did not provide any training to its staff members who processed personal data, including the temporary employee who was involved in this particular incident.  The Commissioner also found that FlyBe’s data protection policy was inadequate and only provided limited information.

Home Energy & Lifestyle Management Ltd

The Commissioner served a Monetary Penalty Notice on Home Energy & Lifestyle Management Ltd following breaches of PECR.  Home Energy & Lifestyle Management Ltd engaged in a marketing campaign via automated recorded calls to 6 million people in relation to the ‘Green Deal’, a Government backed energy saving initiative.

The Commissioner wrote to the company having received a number of complaints about the calls being made.  The Company explained that it had now ceased the marketing campaign and that it had not realised that there were different rules in the Privacy and Electronic Communications Regulations for recorded calls as opposed to “live” calls.  The company also sought to explain the calls by attempting to lay the blame at the door of the third party company it had contracted to make the calls on its behalf.

The Commissioner’s office received 242 complaints concerning Home Energy & Lifestyle Management Ltd’s calls during a three month period of monitoring. The Commissioner decided that the company had breached Regulation 19 of PECR. The Commissioner also found that the company had breached Regulation 24 of PECR by not identifying the person who was sending the automated marketing calls, not providing the address of the person and not providing a telephone number on which the person responsible for making the calls can be reached free of charge.

The Commissioner issued a Monetary Penalty notice requiring the company to pay the sum of £200,000, the largest amount ever required for a breach of PECR. Press reports of the Monetary Penalty Notice have indicated that the company intends to appeal.

Comment

In respect of the three undertakings for breaches of the Data Protection Act 1998 it is clear that data controllers, even large organisations, are still failing in the basics by not having in place adequate policies and procedures covering data protection and failing to provide adequate induction and refresher training on data protection to those who handle personal data.  This is a regular feature in enforcement action taken by the Information Commissioner.  Having in place sufficient policies and procedures, as well as training and adequate checks to ensure compliance, will reduce the chances of experiencing a data breach in the first place.  Furthermore, it will undoubtedly serve to mitigate any enforcement action taken by the Commissioner should a data controller experience a breach.

The Monetary Penalty Notices issued this month highlight the importance of ensuring that organisations undertaking marketing by telephone have in place the appropriate consents and take sufficient steps to ensure that calls are not made to individuals who have registered with the Telephone Preference Service.  They also highlight the truth of the Latin maxim ignorantia legis neminem excusat – or ignorance of the law excuses no one. Following a change in the law, it is now much easier for the Commissioner to issue Monetary Penalty Notices in respect of breaches of PECR; it is therefore now much more likely that breaches of PECR will result in the Commissioner issuing Monetary Penalty Notices.

Consultation on PECR Monetary Penalty Notice Threshold: Initial Thought

Section 55A of the Data Protection Act 1998 (DPA) confers upon the Information Commissioner the power to issue a Monetary Penalty Notice (MPN) to Data Controllers for serious contraventions of the DPA.  This power is extended to cover contraventions of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECRs) by virtue of an amendment made to Regulation 31 of the PECRs.

The test for issuing a MPN for contraventions of either the DPA or the PECRs is as set out in Section 55A of the DPA and it requires a number of boxes to be ticked before the Commissioner can issue one:

  • That the Commissioner is satisfied that there has been a serious contravention of section 4(4) of the DPA (or a serious contravention of the PECRs)
  • The contravention was of a kind likely to cause substantial damage or substantial distress
  • and either the contravention was deliberate; or the data controller knew (or ought to have known) that there was a risk that the contravention would occur and that such a contravention was of a kind likely to cause substantial damage or substantial distress but failed to take reasonable steps to prevent it

It looks complicated, and to an extent it is.  However, what is clear from the way in which the statutory provisions have been drafted and from the binding interpretation given to them by the Upper Tribunal in The Information Commissioner v Niebel [pdf] is that the test is an almost impossibly high one to meet.

The Department of Culture Media and Sport (DCMS) has issued a consultation document seeking the views of those interested as to whether the threshold should be lowered (and to what) for the Commissioner to be able to issue a MPN in respect of breaches of the PECRs (the proposal would see the test remain as is in respect of contraventions of the DPA).

The consultation document makes three proposals:

  1. do nothing
  2. replace the requirement for the contravention to be of a kind likely to cause substantial damage or substantial distress with a requirement that the contravention is of a kind likely to cause annoyance, inconvenience or anxiety
  3. remove the requirement for the contravention to be of a kind likely to cause substantial damage or substantial distress altogether and replace it with nothing

The Commissioner favours the third option and the DCMS state in the consultation document that their provisional view is that the third option is their preference too.

I’ve given the consultation some consideration since its publication on Saturday and begun to formulate my response (it’s not a particularly lengthy consultation document and does present three clear and simple options).  What has struck me though is what is missing from option three.  The current test and the second option within the consultation document both include situations where the Data Controller ought to have known that there was a risk that the contravention would occur and that such a contravention was of a kind likely to cause substantial damage or substantial distress but failed to take reasonable steps to prevent it.  However, this appears to be missing from the third option as expressed within the consultation document.

This apparent omission concerns me.  It creates a defence where someone can demonstrate that they didn’t know that there was a risk the contravention would occur even when it is apparent to all and sundry that they really should have known there was a risk.  It basically excuses negligence.  It allows a completely unreasonable situation to avoid the regulatory sanction of a MPN.

This seems like a glaring omission to me and it’s something I’ll certainly be thinking about the possible ramifications of in more detail before submitting a response to the DCMS.  I thought it was an interesting point that was worth raising in a blog.

The DCMS consultation can be found here [pdf] and the deadline for responses to be received by the DCMS is 7 December 2014.

Direct Marketing by E-mail and Text: the need for consent

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECRs) are probably not the most widely known piece of legislation, but they are important when it comes to marketing – and everyone who hates spam text messages, telephone calls and E-mails would probably benefit from knowing about them!  The Regulations implement a piece of EU law into domestic law (for those that are interested the relevant EU law is Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)) and are concerned with when and how organisations and individuals (which for ease of reference will simply be referred to as ‘organisations’ throughout) can market directly to individuals via electronic means.  Direct marketing means any form of advertising or marketing which is targeted at a specific individual.

The rules are really very simple, but are regularly not complied with by companies large and small.  The general rule is that unless you have the consent of the individual (and that consent should be freely given and informed) then you cannot market directly to individuals via E-mail, text message, telephone call or any other electronic means.  This post will focus on electronic mail only (such as text messages and E-mail).

What does not qualify as consent for the purposes of the PECRs?  Consent isn’t specifically defined within the PECRs; however, the Regulations provide that where a term is not defined within either the PECRs or the Data Protection Act 1998 (DPA) the term should be given the definition ascribed to it in the Directive.  The Directive, in turn, directs us to another EU Directive (95/46/EC – the Directive upon which the DPA is based) where the definition is given as:

any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.

It is very clear.  Consent must be:

  • Freely given
  • Specific
  • Informed

When it comes to gaining consent different companies do it in different ways, most of which do not in any way come close to satisfying those three basic requirements.  One way, which I have encountered recently, is to simply build it into their Privacy Policy and/or Terms and Conditions that you consent.  That’s probably the most blatant and flagrant way of breaching the PECRs you can get.  The consent is neither freely given nor informed.  While such organisations might give an option to opt-out at a later date that is insufficient to comply with the Regulations.  Consent isn’t consent unless there is an option not to consent.  Refusing should also be free (except for the cost of transmitting the refusal).  In other words, an individual cannot be charged a fee for refusing (or withdrawing) consent to direct marketing by electronic mail, but if there is a cost to transmitting it (e.g. the cost of a text message or a stamp) then that cost is legitimate.

Another common occurrence is for organisations to have an ‘opt-out’ box requiring the individual to tick in order to say that they don’t consent.  This is nothing more than another form of presumed consent, which clearly doesn’t comply with the requirements of the PECRs.  So far as electronic mail is concerned, the only option is a clear decision to opt-in.

Some organisations will have the opt-in box and will have helpfully already ticked it, meaning that individuals need to un-tick it to withhold their consent to direct marketing by electronic mail.  Again, this is not compliant with the Regulations.  Giving consent is a positive action; if the registration, order form, enquiry form, questionnaire etc. goes away with a pre-ticked marketing box still ticked, then it is unclear whether the individual has given their consent to the direct marketing or whether they simply haven’t (for whatever reason) un-ticked the box.
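The three consent requirements quoted above and the capture patterns the post rejects (consent buried in terms, opt-out boxes, pre-ticked opt-in boxes) can be turned into a straightforward audit of stored consent records. The following is an added example, not code from the original post or from any regulator; the record fields, the sample subjects and the wording of the problem strings are assumptions made for illustration.

```python
from dataclasses import dataclass


# Illustrative consent record. The field names are an assumption for this
# example, not a schema taken from the post or from the Information Commissioner.
@dataclass
class ConsentRecord:
    subject: str
    purposes: tuple            # what the marketing is for, e.g. ("newsletter",)
    channels: tuple            # e.g. ("email", "sms")
    notice_shown: bool         # the individual was told what they were agreeing to
    bundled_in_terms: bool     # "consent" lives only in the T&Cs / privacy policy
    opt_out_model: bool        # a tick-to-refuse box rather than tick-to-agree
    box_default_ticked: bool   # the opt-in box was pre-ticked on the form
    box_ticked_at_submit: bool # state of the opt-in box when the form was sent
    refusal_possible: bool     # the form can be completed without agreeing
    refusal_fee_charged: bool  # a fee (beyond the cost of sending the refusal) for saying no


def consent_problems(rec: ConsentRecord) -> list:
    """Return the reasons this capture pattern is not valid PECR consent.

    An empty list means the record shows a freely given, specific, informed
    and positive opt-in; anything else is a reason not to send electronic
    mail marketing to the subject on the strength of this record.
    """
    problems = []
    # Freely given: a real choice, not buried in terms, not penalised.
    if rec.bundled_in_terms:
        problems.append("consent buried in T&Cs/privacy policy")
    if not rec.refusal_possible:
        problems.append("no option to refuse")
    if rec.refusal_fee_charged:
        problems.append("fee charged for refusing")
    # Specific: the purposes and channels were identified.
    if not rec.purposes or not rec.channels:
        problems.append("purposes or channels not specified")
    # Informed: the individual was actually told what they were agreeing to.
    if not rec.notice_shown:
        problems.append("no notice of what was being consented to")
    # Positive action: opt-in, not opt-out, not pre-ticked, and actually ticked.
    if rec.opt_out_model:
        problems.append("opt-out box treated as consent")
    elif rec.box_default_ticked:
        problems.append("pre-ticked opt-in box")
    elif not rec.box_ticked_at_submit:
        problems.append("opt-in box not ticked")
    return problems


def audit(records) -> dict:
    """Map each subject to the list of problems with their consent record."""
    return {r.subject: consent_problems(r) for r in records}


def marketable(records) -> list:
    """Subjects whose consent record passes every check."""
    return [s for s, p in audit(records).items() if not p]


# Constructed sample records covering the patterns described in the post.
SAMPLE = [
    ConsentRecord("a@example.com", ("newsletter",), ("email",), notice_shown=True,
                  bundled_in_terms=False, opt_out_model=False, box_default_ticked=False,
                  box_ticked_at_submit=True, refusal_possible=True, refusal_fee_charged=False),
    # Opt-in box pre-ticked and left ticked: not a positive action.
    ConsentRecord("b@example.com", ("newsletter",), ("email",), notice_shown=True,
                  bundled_in_terms=False, opt_out_model=False, box_default_ticked=True,
                  box_ticked_at_submit=True, refusal_possible=True, refusal_fee_charged=False),
    # Tick-to-refuse box that was not ticked: presumed consent.
    ConsentRecord("c@example.com", ("newsletter",), ("email", "sms"), notice_shown=True,
                  bundled_in_terms=False, opt_out_model=True, box_default_ticked=False,
                  box_ticked_at_submit=False, refusal_possible=True, refusal_fee_charged=False),
    # "Consent" written into the privacy policy, no purposes, no notice, no way to refuse.
    ConsentRecord("d@example.com", (), ("email",), notice_shown=False,
                  bundled_in_terms=True, opt_out_model=False, box_default_ticked=False,
                  box_ticked_at_submit=False, refusal_possible=False, refusal_fee_charged=False),
]

if __name__ == "__main__":
    for subject, problems in audit(SAMPLE).items():
        print(subject, "OK" if not problems else problems)
```

Only the first sample subject comes through clean; the other three fail for exactly the reasons the post gives, which is the point of keeping the checks separate rather than collapsing them into a single boolean.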

All is not lost though if details have been obtained by stealth.  There ought to be a way of withdrawing consent contained in every text message or E-mail that is received (a requirement of the PECRs).  However, there is another useful right open to individuals.  That right is contained in section 11(1) of the DPA which states:

An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.

Simply put, individuals can send a letter or an E-mail or some other form of written notice to the organisation in question requiring them to stop sending direct marketing.  This covers all forms of direct marketing and would include text messages, E-mails, letters, phone calls and such like.  The organisation then has to stop direct marketing within “a reasonable time” – the Information Commissioner gives guidance which states that for direct marketing by electronic means organisations should comply within 28 days, and for postal marketing the guidance is 6 weeks.  These notices are legally enforceable and it is possible to go to Court if an organisation doesn’t comply – alternatively the Information Commissioner can become involved as there will be breaches of the Data Protection Principles if such a notice is not complied with.
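On the organisation's side, a section 11 notice has to be matched against the marketing log so that nothing goes out after the reasonable period. The following is an added example, not code from the original post or from the Information Commissioner: it applies the 28-day and 6-week periods quoted above to a constructed list of sends and returns the ones that would be a breach. The channel names, the sample addresses and dates, and the decision to treat phone calls as "electronic" are assumptions made for this example.

```python
from datetime import date, timedelta

# Guidance periods quoted in the post: 28 days for marketing by electronic
# means, 6 weeks for post. Classifying phone calls as electronic is an
# assumption made here for the example.
REASONABLE_PERIOD = {
    "email": timedelta(days=28),
    "sms": timedelta(days=28),
    "phone": timedelta(days=28),
    "post": timedelta(weeks=6),
}


def compliance_deadline(notice_received: date, channel: str) -> date:
    """Last day on which marketing over `channel` may still go out after a
    written section 11 notice was received on `notice_received`."""
    return notice_received + REASONABLE_PERIOD[channel]


def flag_late_sends(notices: dict, sends: list) -> list:
    """Find marketing sent after the reasonable period has expired.

    notices: subject -> date the written section 11 notice was received.
    sends:   (date_sent, channel, subject) tuples from the marketing log.
    Returns the sends that went to a subject after the deadline for that
    channel, in log order; a subject with no notice on file is ignored.
    """
    late = []
    for sent_on, channel, subject in sends:
        if subject not in notices:
            continue
        if sent_on > compliance_deadline(notices[subject], channel):
            late.append((sent_on, channel, subject))
    return late


# Constructed sample data: two notices received on 1 October 2014 and a
# handful of sends on either side of the respective deadlines.
NOTICES = {
    "a@example.com": date(2014, 10, 1),
    "b@example.com": date(2014, 10, 1),
}
SENDS = [
    (date(2014, 10, 20), "email", "a@example.com"),  # day 19: within 28 days
    (date(2014, 10, 30), "email", "a@example.com"),  # day 29: late
    (date(2014, 11, 10), "post", "b@example.com"),   # day 40: within 6 weeks
    (date(2014, 11, 13), "post", "b@example.com"),   # day 43: late
    (date(2014, 12, 1), "sms", "c@example.com"),     # no notice on file: ignored
]

if __name__ == "__main__":
    for sent_on, channel, subject in flag_late_sends(NOTICES, SENDS):
        deadline = compliance_deadline(NOTICES[subject], channel)
        print(f"{subject}: {channel} sent {sent_on}, deadline was {deadline}")
```

The check is deliberately per-channel, because a single written notice covers every form of direct marketing but the guidance period differs between electronic and postal marketing.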

This is just a very basic overview of the requirements of the PECRs; the Information Commissioner has produced a more in-depth guide to Direct Marketing [pdf] which covers everything in more detail.  I was prompted to write this blog post based on the sheer number of flagrant breaches of the PECRs that there are.  These breaches are by big names.  Major political parties, FTSE 100 companies and major household brands are failing to act in accordance with a basic requirement: that before they can bombard individuals with direct marketing they have to obtain the freely given and informed consent of the individual.