UK Data Reform – key changes ahead

March 2025

What data protection teams need to know

Plans to reform the UK’s data laws are making speedy progress through Parliament, with the Data (Use & Access) Bill expected to be passed in April or May.

When enacted, the new law will usher in significant amendments to the Data Protection Act 2018, UK GDPR and the Privacy & Electronic Communications Regulations (PECR), as well as measures which go beyond the realms of data protection and ePrivacy.

Controversial plans to amend UK GDPR’s accountability obligations, led by the previous Conservative Government, are not included. So, requirements in relation to Data Protection Officers, Data Protection Impact Assessments and Records of Processing Activities remain the same.

Some new provisions are likely to make data protection compliance efforts slightly easier, although others will impose increased obligations. Here’s our summary of some key changes ahead, with the caveat there’s still time for further amendments.

Individual privacy rights

New right to complain

People will have the right to raise complaints related to use of their personal data. This will require controllers to make sure they have clear procedures to facilitate complaints, for instance, by providing a complaint form. Complaints will require a response within 30 days. Alongside this, organisations may also be obligated to notify the ICO of the number of privacy-related complaints they receive during a specified time period.

In practice this means individuals will first have to seek a resolution directly with an organisation, before escalation to the regulator. This is aimed in part at reducing the volume of complaints the ICO receives.

Some sectors, such as financial services and those who receive FOI requests, will already have complaints procedures in place to meet other legal obligations. For others, these procedures will need to be established.

It’s likely privacy notices will need to be updated to reflect this change. If notification to the ICO of complaint volumes is required, this raises questions about how complaints are categorised and what additional records organisations will be required to keep.

Timescales and seeking clarification

Amendments will clarify the time period for compliance with privacy rights requests. The clock does not start until the organisation is satisfied the requester is who they say they are (i.e. proof of identity has been received). If an organisation reasonably requests further information to clarify a request, the timescale for responding can be paused (i.e. the ‘clock stops’) until this information is provided. These changes are unlikely to have much operational impact, as they simply provide statutory footing to existing ICO guidance on this subject.

Reasonable and proportionate searches

It’s confirmed organisations should conduct a “reasonable and proportionate” search for personal data in responding to Data Subject Access Requests (DSAR). Again, this gives current ICO guidance a statutory footing, and may prove helpful for organisations handling particularly demanding requests.

Court procedures

Where there’s a legal dispute over the information provided (or not provided) in response to a DSAR, a court will be able to request organisations make such information available for the court to inspect and assess. This means organisations will need to make sure they clearly document non-disclosure decisions, including their justifications. This is something we’d strongly advise doing already.

Right to be informed

The obligation to provide privacy information to individuals (i.e. under Articles 13 and 14 of UK GDPR) will not apply if providing this information “is impossible or would involve disproportionate effort”. This is most likely to be particularly relevant where organisations have gathered personal data indirectly, i.e. not directly from the individuals. This was a point of contention in the Experian vs ICO case, where Experian argued it would be disproportionate effort to notify and provide privacy information to the millions of people whose data they process from the Edited Electoral Roll.

Legitimate Interests

Direct marketing

Legitimate interests will be confirmed in law as an acceptable lawful basis where necessary for direct marketing purposes. While there are concerns in some quarters this will lead to more ‘spam’ marketing, I’d stress the direct marketing rules under PECR will still apply, so legitimate interests will remain an option only when the law doesn’t require consent.

Recognised legitimate interests

The concept of ‘recognised legitimate interests’ is to be introduced, whereby organisations will not need to conduct a balancing test (i.e. a Legitimate Interests Assessment) when relying on this lawful basis for certain purposes. The list of recognised legitimate interests includes the following (and may be expanded):

  • Disclosures to public bodies, where it is asserted personal data is necessary to fulfil a public function.
  • Disclosures for national or public security or defence purposes, or emergencies.
  • Disclosures for the prevention or detection of crime, and safeguarding vulnerable individuals.

International Data Transfers

There are amendments to risk assessment requirements for international data transfers. Currently, where there’s no ‘adequacy’ decision for the destination country, organisations need to undertake a Transfer Risk Assessment. Moving forward, organisations transferring data overseas will need to “reasonably and proportionately” consider if the data protection standards in the destination country will be materially lower than those in the UK. This gives potential room to streamline assessment procedures, especially to reduce the burden for low-risk transfers.

Reforms to UK data laws will be scrutinised by the EU Commission when it reviews its adequacy decisions for the UK. These currently allow for the free flow of personal data between the EEA and UK, without the need for additional risk assessments or safeguard measures. The EC review of these decisions was due in June this year, but this has been delayed until December. The general consensus is there’s hopefully nothing considered too radical to scare the horses and UK adequacy will be renewed. Nonetheless, this is one to watch.

Special Category Data

A mechanism is included allowing for future introduction of newly defined special categories of personal data. An example given is ‘neurodata’, which is information gathered from the human brain and/or from the nervous system. As the requirements for processing special category data are restricted under UK GDPR, introducing new types has the potential to lead to significant implications in some sectors.

Automated decision-making

A noteworthy amendment is to be made to Article 22 of UK GDPR which currently places strict restrictions on automated decision-making (including profiling) which results in legal or similar significant effects. This will be relaxed, only applying to automated decisions using special category data. With any other personal data, there will be a requirement to put in place certain safeguards, such as giving individuals the ability to contest decisions and requiring human intervention.

This change will give organisations more flexibility to make automated decisions using ‘normal’ personal data, for example when utilising AI systems. However, there are concerns it could have a negative impact on people’s rights. This also represents a marked distinction between the UK and the EU approaches, which may be a key consideration in the EU’s review of UK adequacy.

Steve Wood, Founder of PrivacyX Consulting and former UK Deputy Information Commissioner says: “This creates a real importance on the Code that will be produced by the ICO, covering how the safeguards should be applied in practice. A current priority for the ICO is use of AI in recruitment and this is an emerging area of risk, including the use of AI in fire and hire decisions in the gig economy. Time will tell whether it was premature to remove the precautionary approach of Article 22 when the implications of using AI for automated decision making are still being assessed.”

‘High risk’ AI decisions

People will have the right to request information where a decision is either solely, or in part, based on automated processing including AI and machine learning, and has a legal or similar significant effect on them. Controllers will be required to provide an explanation of the criteria used to reach the decision along with a description of the key factors (or features) which most significantly influenced the decision. Individuals will be able to request human review or details of how to appeal the decision.

Data protection by design to protect children

Amendments to existing law make specific reference to additional protections for children (anyone under the age of 18). When assessing appropriate ‘technical and organisational’ measures in relation to online services likely to be accessed by children, organisations will be legally obliged to take account of how children can best be protected, confirm that children merit additional protection, and have different needs at different ages and stages of development. Such measures strengthen the need to adhere to the UK Children’s Code.

Charities and the marketing ‘soft opt-in’

The use of the ‘soft opt-in’ exemption to consent for electronic marketing is to be extended to charities. This means charities will be able to provide people with an ‘opt-out’ mechanism rather than an ‘opt-in’ to marketing emails (and/or SMS), as long as the following conditions are met:

  • The sole purpose of the direct marketing is for the charity’s own charitable purpose(s).
  • Contact details were collected when the individual:
    a) expressed an interest in the charity’s purpose(s); or
    b) offered or provided support to further the charity’s purpose(s).
  • An opportunity to refuse/opt-out is given at the point of collection, and in every subsequent communication.

We’ve written about the pros and cons of switching to the ‘soft opt-in’ here.

PECR Fines

Fines for infringements of the Privacy & Electronic Communications Regulations, which govern direct marketing and cookies, are set to significantly increase. Currently the maximum fine under PECR is capped at £500k, but the limits will be brought in line with the much more substantial fines which can be levied under UK GDPR. Reckless disregard for marketing and cookie rules is about to get more costly.

Spam emails and texts

What constitutes ‘spam’ is to be extended to include emails and text messages which are sent, but not received by anyone. This will mean the regulator will be able to consider much larger volumes in any enforcement action, which may result in much higher fines – SPAMMERS BEWARE!

Cookies & similar technologies

Exemptions are set to be introduced from the requirement to collect consent for certain types of cookies and similar technologies, as long as a clear opportunity to opt-out is provided. This will be permitted for purposes such as website analytics and optimising content. I envisage much reconfiguring of the array of website consent management platforms which have been implemented in recent years. But remember, targeting/advertising cookies (including social media targeting pixels) will still need consent.

Alongside these changes the ICO is reviewing PECR consent requirements to “enable a shift towards privacy-preserving advertising models”. This autumn a statement is expected identifying ‘low-risk’ advertising activities which in the ICO’s view are unlikely to cause harm or trigger enforcement action. You can read more about this in the ICO’s package of measures to drive economic growth.

Research

Purpose limitation and provision of privacy information

Currently, UK GDPR makes it tricky to reuse personal data for new purposes, yet research projects can often move into areas which weren’t anticipated when data was originally collected. A new exemption is to be introduced in relation to the provision of privacy information. Amendments are also set to be made to the purpose limitation principle, so that further processing for ‘RAS purposes’ is treated as compatible with the original purpose. Both these changes are subject to ‘appropriate safeguards’. (‘RAS purposes’ covers processing for scientific and historic research, archiving in the public interest, and statistical purposes.)

Scientific research

The definition of ‘scientific research’ is to be clarified and will explicitly state research can be a commercial or non-commercial activity. Consent for scientific research is to be adapted, in part driven by a desire to make it easier for personal data collected for specific research to be reused for other scientific research purposes.

Commenting on these changes Ellie Blore, Data Protection Officer at Best Companies says: “The aims are to provide greater flexibility for commercial research and innovation. It expands the definition of ‘Scientific Research’ to include certain privately funded and commercial research activities, meaning that some private AI training and research will now be classified under Scientific Research. Furthermore, secondary processing of data for Scientific Research and Development purposes will be considered compatible with the original purpose of data collection, provided the appropriate safeguards are in place. There are exemptions added here, and this will undoubtedly be an area to watch as the Secretary of State will have the power to further vary those safeguards.”

Smart data schemes

Provisions are being introduced to support the growth of new ‘smart data schemes’. The right to portability under UK GDPR currently allows individuals to obtain and reuse their personal data. Moving forward, this will be expanded to allow consumers to request their data is directly shared with authorised and regulated third parties. This will be underpinned by a framework with data security at its core. It’s hoped this will allow for the growth of smart data schemes, enabling data sharing in areas such as energy, telecoms, mortgages and insurance.

Healthcare information

Ever been to hospital and found your GP has no record of your treatment, or the hospital can’t access your GP’s notes? The government is hoping data reform will pave the way for a more consistent approach to information standards and technology infrastructure, so systems can ‘talk’ to each other. For example, allowing hospitals, GP surgeries, social care services, and ambulance services to have real-time access to information such as patient appointments, tests, and pre-existing conditions.

Department Board Appointments

A new measure is to be introduced requiring digital leaders to be represented at executive level within Government departments and other bodies, such as NHS Trusts. At least one of the following roles will need to be appointed to a departmental board or equivalent body: a Chief Information Officer, Chief Technology Officer, Chief Digital Information Officer, Service Transformation Leader or other equivalent role.

Digital verification services

The aim is to create a framework for trusted digital verification services, moving the country away from paper-based and in-person tasks. For example, proposals allow for digital verification services aimed at simplifying processes such as registering births and deaths, starting a new job and renting a home.

New Information Commission

The Information Commissioner’s Office is set to be replaced by an Information Commission. This is to be structured in a similar way to the FCA, OFCOM and the CMA, as a body corporate with an appointed Chief Executive. There’s also provision for the Government to have considerable influence over the operations of the new Commission.

In summary, reform of UK data law has its critics. Among other matters they fear a watering down of people’s rights and an increased ability for personal data to be shared, perhaps recklessly, with and within the public sector. However, the changes are not overly radical, having varying degrees of impact depending on your sector and organisation’s core activities.

Chris Combemale, Director of Policy and Public Affairs at the Data & Marketing Association, welcomes the changes ahead: “The DMA strongly supports the DUA Bill and has worked tirelessly for almost five years to achieve reforms that balance innovation and privacy in accordance with the principles laid out in recital 4 of GDPR. We particularly welcome the greater certainty on the use of legitimate interests as a lawful basis for direct marketing, the extension of the email soft opt-in to charities, exemptions to consent for some types of cookies, greater clarity in Article 22 for automated decision making and the obligation for the ICO to consider innovation and competition alongside privacy.”

Privacy X Consulting’s Steve Wood doesn’t believe the impact will be hugely significant: “The DUA Bill represents an evolution of UK GDPR that should not drive many changes for multi-national companies’ DP governance, which is likely to remain focused around the EU GDPR standard. The more interesting opportunities may lie in the confidence that is provided to the take up of federated digital identity by the statutory underpinning for the Trust Framework and opportunities for data intermediary businesses in relation to the Smart Data provisions.”

UPCOMING ONLINE EVENT – UNWRAPPING UK DATA REFORM

Join a great line-up of speakers on 29 April who’ll be discussing the changes under the DUA Bill and taking your questions.

Right to object to advertising

March 2025

Landmark privacy case shines light on ‘direct marketing’

Meta has agreed to stop targeting a UK human rights campaigner with personalised adverts in a settlement which could set a precedent for millions of social media users, and raise alarm bells for other businesses which offer targeted advertising solutions.

Tanya O’Carroll launched a lawsuit claiming Meta was breaching UK GDPR by not upholding her right to object to being targeted with online adverts. She argued ads served to her on Facebook met the definition of direct marketing, and that under data protection law she has an absolute right to object to direct marketing and associated profiling. This stance was supported by the Information Commissioner’s Office (ICO) but disputed by Meta, which claimed its ‘personalised ads’ did not constitute direct marketing.

The definition of direct marketing in the Data Protection Act 2018 is: the communication (by whatever means) of advertising or marketing material which is directed to particular individuals. A key consideration is whether advertising or marketing is ‘directed’ to individuals, rather than indiscriminate advertising which is not individually targeted.

The case had been due to be heard in the High Court, but the settlement ends the legal action. Ms O’Carroll said: “In agreeing to conclude the case, Meta Platforms, Inc. has agreed that it will not display any direct marketing ads to me on Facebook, will not process my data for direct marketing purposes and will not undertake such processing (including any profiling) to the extent it is related to such direct marketing”.

In reaching a settlement Ms O’Carroll accepts this is not determined in law, as Meta has not accepted liability. However, she believes the support of the Information Commissioner’s Office (ICO) means “the writing is on the wall for Meta and its advertising-based business model.”

The ICO said: “Organisations must respect people’s choices about how their data is used. This means giving users a clear way to opt out of their data being used in this way.”

Meta said it “fundamentally” disagreed with O’Carroll’s claims and took its obligations under the UK GDPR seriously.

The fallout from this is Meta may now introduce a subscription service for UK users. Responding to the settlement Meta said: “Facebook and Instagram cost a significant amount of money to build and maintain, and these services are free for British consumers because of personalised advertising. Like many internet services, we are exploring the option of offering people based in the UK a subscription and will share further information in due course”.

An ad-free ‘paid for’ service is already offered in the EU after a European Court of Justice ruling in 2023. Meta may now shift to what is known as a ‘consent or pay’ model, whereby people either consent to being tracked for advertising purposes or pay to access an ad-free service.

We’ve seen a number of UK newspapers adopt this approach in recent months, which I’ve written about here. It’s controversial, and if Meta takes this step I anticipate more legal challenges to come.

The Marketing Soft Opt-in – Pros and Cons

January 2025

Consent vs the Soft Opt-in Exemption

Consent is not always needed to send marketing emails (or text messages) to UK consumers. There’s an exemption for electronic marketing messages which, provided you can meet specific criteria, allows businesses to offer people an ‘opt-out’ instead. This is commonly (and rather ambiguously) known as the ‘soft opt-in’.

It has recently been confirmed the UK Data (Use & Access) Bill is set to pave the way to extend the use of the soft opt-in to charities. So I’ve taken a look at the advantages and disadvantages of adopting this approach. But first a little explainer of the rules…

The soft opt-in criteria

The exemption to consent under the Privacy and Electronic Communications Regulations (PECR) can currently be relied upon to send electronic marketing (e.g. emails and texts) if ALL of the following conditions are met:

  • A person’s contact details are collected during the course of a sale, or negotiations for a sale, of a product or service;
  • An opportunity to refuse or opt-out of the marketing is given at the point of collection, and in every subsequent communication;
  • You only send marketing about your own similar products and services (not those of a third party).

Just a quick note: the rules on consent and the soft opt-in exemption apply to electronic marketing to ‘individual subscribers’, i.e. people’s personal email addresses. They don’t apply to emails to business contacts. See UK email marketing rules and the ICO guidance on marketing to business contacts.

Plans to permit charity use of the soft opt-in

The current strict criteria, in particular needing to collect a person’s contact details in the context of a sale (or negotiations for a sale), has meant charities have to date been very restricted in its use. For example, only being able to use the soft opt-in if they have a commercial arm such as an online shop, but not for gathering data via non-commercial activities.

However, an amendment has been made to the DUA Bill which is set to allow charities to send electronic marketing messages where ALL of the following conditions are met:

  • The sole purpose of the direct marketing is for the charity’s charitable purpose(s);
  • Contact details were collected when the individual a) expressed an interest in the charity’s purpose(s) or b) offered or provided support to further the charity’s purpose(s);
  • An opportunity to refuse or opt-out of the marketing is given at the point of collection, and in every subsequent communication.

Just to be clear this is not UK law yet – the DUA Bill is currently working its way through Parliament.

Weighing up the pros and cons of the soft opt-in

It isn’t necessarily a straightforward step to switch from using consent. Here are some areas to consider (and there may well be others).

Back in 2017, DPN commissioned independent research into consumer attitudes when presented with a statement inviting them to opt-in (consent) or to opt-out to marketing (i.e. the soft opt-in). While this was some time ago, we believe our findings still have value and have referenced them where relevant.

More people to market to?

Collecting someone’s consent to send them marketing, i.e. obtaining a clear and unambiguous tick in a box, is undoubtedly a clear indication they would like to hear from you in future. However, asking people to take a positive action is recognised as reducing the volume of people you can communicate with. This is why many commercial organisations adopt the soft opt-in (an ‘opt-out’) approach whenever they are permitted to.

It’s worth bearing in mind if people didn’t really want to hear from you by email or text, i.e. they ‘missed’ the opt-out box, they could be more likely to quickly unsubscribe. Which neatly brings me onto…

Potential for opt-out confusion

Relying on the soft opt-in means you can provide people with the ability to opt out at the time they provide their contact details. This immediately raises a consideration: have people come to expect to be asked to opt in? If they have, there could be adverse consequences to switching to an opt-out.

For example, if you switch:

  • Will people accidentally tick the box, thinking they are opting in, but in effect be opting out?
  • Conversely, will people who don’t want to receive marketing fail to tick the opt-out box (assuming it’s an opt-in) and inadvertently be saying ‘yes that’s okay’?

Our research showed when people were presented with an opt-out box, it led to confusion about whether to tick it or not. Our findings showed, even in a test environment, people had a tendency not to read statements carefully.

Attitudes to opt-out

Our research also showed when asked for their opinions, a significant majority disliked being presented with an opt-out. Some people viewed it as misleading or an attempt to try and ‘trick’ people into receiving marketing. There was a much more positive reaction to opt-in statements. Here’s just an illustration of the type of comments people gave in reaction to an opt-out box:

“This is a way of fooling the user to not tick the boxes and get loads of junk sent to them”
“Everyone knows doing it this way is to catch stupid people out.”

Could it be simpler to take an opt-out approach for ALL channels?

At the moment, organisations are presented with a dilemma if they collect consent for email (and/or text) marketing, but rely on legitimate interests for post and telemarketing. Giving people a statement which mixes opt-ins and opt-outs really does create a muddle for people.

We’ve noticed the way some charities have got round this is to state they will communicate by post and telephone, and then provide people with contact details for how to change their preferences (i.e. if they want to object).

A potential advantage of being able to provide an opt-out for email (and/or text) marketing messages is it could create the ability to provide more clarity and transparency. For example, statements could be amended to provide clear opt-outs for all channels.

Can your CRM handle a switch from consent?

If you’re considering switching to the soft opt-in, be mindful this could present a technical challenge. You’ll need to be able to clearly distinguish on your database between:

  • those who previously provided their consent;
  • those who were asked for consent but declined, or have subsequently opted out; and
  • moving forward, those who were given a soft opt-in statement and have simply not opted out.

Some CRM systems may not have more than two statuses for each marketing channel. In addition, when you gather new data via the soft opt-in (opt-out), you’ll need to make sure it’s mapped correctly to your CRM.
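To make the three-way distinction concrete, here is an added illustration of a per-channel permission model that a CRM would need to support. It is not DPN’s code nor any CRM product’s; the class and status names are assumptions for the example. It records consent, a declined consent, an objection and a soft opt-in as separate statuses (with the lawful basis each one implies), refuses to record a soft opt-in where no opt-out was offered or where the person has already refused, and shows a conservative mapping from a legacy yes/no flag onto the richer model.

```python
"""Marketing-permission model keeping more than two statuses per channel.

Added illustration, not code from DPN or any CRM product; the class and
status names are assumptions made for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class Channel(Enum):
    EMAIL = "email"
    SMS = "sms"


class Status(Enum):
    # A yes/no flag cannot tell the last three of these apart.
    NONE = "never asked"
    CONSENTED = "opted in (consent)"
    DECLINED = "asked for consent and declined"
    OBJECTED = "opted out / unsubscribed"
    SOFT_OPT_IN = "given an opt-out statement, did not object"


@dataclass
class PermissionRecord:
    status: Status
    lawful_basis: Optional[str]   # "consent", "legitimate_interests" or None
    source: str                   # form / campaign that produced the status
    recorded_at: datetime


@dataclass
class Contact:
    email: str
    current: dict = field(default_factory=dict)   # Channel -> PermissionRecord
    history: list = field(default_factory=list)   # every change, kept for audit

    def _set(self, channel: Channel, status: Status,
             basis: Optional[str], source: str) -> None:
        rec = PermissionRecord(status, basis, source, datetime.now(timezone.utc))
        self.current[channel] = rec
        self.history.append(rec)

    def record_consent(self, channel: Channel, source: str) -> None:
        self._set(channel, Status.CONSENTED, "consent", source)

    def record_declined(self, channel: Channel, source: str) -> None:
        self._set(channel, Status.DECLINED, None, source)

    def record_soft_opt_in(self, channel: Channel, source: str,
                           opt_out_offered: bool) -> None:
        """Record a soft opt-in. The exemption needs an opt-out at the point of
        collection, and a prior refusal is never overridden by a later opt-out
        statement, so both cases are rejected rather than stored."""
        if not opt_out_offered:
            raise ValueError("soft opt-in requires an opt-out at point of collection")
        prev = self.current.get(channel)
        if prev is not None and prev.status in (Status.OBJECTED, Status.DECLINED):
            raise ValueError("contact already refused marketing on this channel")
        self._set(channel, Status.SOFT_OPT_IN, "legitimate_interests", source)

    def record_objection(self, channel: Channel, source: str) -> None:
        # The right to object is absolute: it overrides every other status.
        self._set(channel, Status.OBJECTED, None, source)

    def may_send(self, channel: Channel) -> bool:
        rec = self.current.get(channel)
        return rec is not None and rec.status in (Status.CONSENTED, Status.SOFT_OPT_IN)


def migrate_legacy_flag(contact: Contact, channel: Channel,
                        flag: Optional[bool]) -> Status:
    """Map an old two-state CRM flag onto the richer model. True was a positive
    opt-in; False becomes DECLINED, never SOFT_OPT_IN, because the legacy record
    cannot prove an opt-out statement was ever shown; a missing flag stays NONE."""
    if flag is True:
        contact.record_consent(channel, "legacy_flag")
    elif flag is False:
        contact.record_declined(channel, "legacy_flag")
    else:
        contact._set(channel, Status.NONE, None, "legacy_flag")
    return contact.current[channel].status
```

The `history` list is what lets you answer a later question about why a given address was mailed; `may_send` only ever returns true for the two statuses that carry a lawful basis, so an objection recorded on any channel suppresses that channel regardless of what was stored before.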

Legitimate interests, transparency & privacy notices

Relying on the soft opt-in (an ‘opt-out’) means the lawful basis for processing under UK GDPR will not be consent, it will be legitimate interests. Therefore it would be wise to conduct and document a Legitimate Interests Assessment (LIA). You’ll also need to make sure relevant privacy notices are updated to reflect this, clearly calling out where marketing is carried out based on legitimate interests.

At DPN we wholly support the planned changes in the DUA Bill to level the playing field between commercial businesses and charities, giving charities the choice to rely on the soft opt-in exemption should they wish to. However, we’d just caution the switch from consent shouldn’t be taken lightly. In my opinion, any change to using an opt-out will need to be made very clear to people.

UK email marketing rules

January 2025

Is email marketing putting your business at risk?

Hardly a month goes by without an announcement from the UK’s Information Commissioner’s Office of another business being fined for falling foul of the email & SMS marketing rules.

It continues to surprise me some marketing and communications teams haven’t heard of the Privacy and Electronic Communications Regulations. They’ve been around since 2003 (far longer than GDPR) so businesses really have no excuse. Of course, there will always be some who want to try and get away with it.

Under PECR there are specific rules for direct marketing by telephone, email and SMS, plus rules for cookies and similar technologies.

Here I’m going to focus on email marketing. The same rules apply to SMS and to other ‘electronically stored’ marketing messages, including picture or video messages, voicemail, in-app messages and personal messaging on social media.

Consent for business-to-consumer (B2C) marketing emails

Unless using the exemption below, you must collect consent before you send email marketing to what are termed individual subscribers. This definition covers people who personally subscribe to their email service provider. For example people who give you their personal gmail, hotmail or btinternet email address.

Soft opt-in exemption for business-to-consumer (B2C) marketing emails

There’s an exemption to consent for B2C email marketing, commonly known as the soft opt-in. This can only be used if the following criteria are met:

  • The individual’s contact details are collected during the course of a sale (or negotiations of a sale) of a product or service
  • An opportunity to refuse or opt-out of the marketing is given at the point of collection and in every subsequent communication AND
  • You only send marketing about your own similar products and services.

See PECR Regulation 22 and the ICO Guidance on Electronic Mail.

These strict criteria mean the ability for charities to rely on this exemption is very limited. However, the UK Data (Use & Access) Bill which is currently progressing through Parliament looks set to change this: Soft opt-in set to be extended to charities.

Marketing emails to business contacts (B2B)

The rules on consent and the soft opt-in exemption do not apply to what are termed corporate subscribers. A corporate subscriber is described by the ICO as any corporate body (an entity with a separate legal status) with its own phone number or internet connection.

For example, my work email address has the domain <name>@dpnetwork.org.uk. DPN Associates pays for this service, not me as an individual. Businesses don’t legally need consent to contact me at my DPN business email address. To quote the ICO on this:

“The PECR rule on direct marketing by electronic mail does not apply to corporate subscribers. For example, this means you can send B2B direct marketing emails or texts to any corporate body. You do not need their consent under PECR to send such messages.”

A couple of key points to bear in mind:

  • A named business contact will still fall under the definition of personal data. Therefore B2B marketing to named individuals must comply with UK GDPR.
  • Sole traders and some partnerships technically fall under the definition of individual subscribers, where consent or the soft-opt-in exemption would be required.
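As an added illustration (not the ICO’s or DPN’s code), the following pre-send check encodes the B2C and B2B rules set out above: the absolute right to object comes first and applies to both, every message must carry an opt-out, corporate subscribers fall outside the PECR consent rule, and individual subscribers need either consent or all three soft opt-in conditions. The `Recipient` and `Campaign` fields are assumptions about what a sending system records at collection time; sole traders and partnerships are modelled simply by classifying them as individual subscribers.

```python
"""Pre-send check applying the PECR email marketing rules.

Added illustration, not code from the ICO or DPN; the Recipient and
Campaign fields are assumptions about what a sending system records.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Subscriber(Enum):
    INDIVIDUAL = "individual"   # personal address; also sole traders and some partnerships
    CORPORATE = "corporate"     # corporate body with its own phone number / connection


@dataclass
class Recipient:
    address: str
    kind: Subscriber
    consented: bool = False
    objected: bool = False
    # Facts captured when the address was collected; needed for the soft opt-in.
    collected_during_sale: bool = False
    opt_out_offered_at_collection: bool = False


@dataclass
class Campaign:
    own_similar_products: bool   # only the sender's own similar products/services
    has_unsubscribe: bool        # opt-out present in the message itself


def pecr_permits(r: Recipient, c: Campaign) -> Tuple[bool, str]:
    """Return (allowed, reason). Checks run from the rule that binds everyone
    (the right to object) down to the consent / exemption logic."""
    if r.objected:
        return False, "recipient has objected: applies to B2C and B2B alike"
    if not c.has_unsubscribe:
        return False, "message carries no opt-out"
    if r.kind is Subscriber.CORPORATE:
        # The PECR consent rule does not apply; UK GDPR (lawful basis,
        # transparency, right to object) still does.
        return True, "corporate subscriber"
    if r.consented:
        return True, "consent"
    soft_opt_in = (r.collected_during_sale
                   and r.opt_out_offered_at_collection
                   and c.own_similar_products)
    if soft_opt_in:
        return True, "soft opt-in exemption"
    return False, "individual subscriber with neither consent nor soft opt-in"


def build_send_list(recipients: List[Recipient], c: Campaign) -> List[str]:
    """Addresses the campaign may go to; everything else is suppressed."""
    return [r.address for r in recipients if pecr_permits(r, c)[0]]
```

Because the soft opt-in depends on what happened at collection, the check can only be as good as the `collected_during_sale` and `opt_out_offered_at_collection` facts stored with the address; if those were never captured, the function correctly falls through to “not permitted” rather than assuming the exemption.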

The right to object

Everyone has the absolute right to object to direct marketing. This applies to both B2C and B2B marketing communications. Marketing emails should always have an unsubscribe link or clear instructions on how to opt out. Businesses also need to make sure everyone who has opted out of emails is not included again.

Global email marketing

If you’re a UK-based company sending marketing emails outside the UK, you’ll need to check the rules in the destination country. The rules in the recipients’ country will apply. The rules in Germany, for example, are stricter than they are in the UK. Rules differ across Europe and the rest of the world for B2C and B2B email marketing.

What about UK GDPR?

Once you’ve got the PECR rules straight, you also need to consider what’s necessary to comply with UK GDPR. For example, you should be transparent about your activities, fulfil the right to be informed, the right to object to direct marketing and so on. You also need to identify a lawful basis for your marketing activities and meet the requirements of that lawful basis.

Consent

If you’re relying on consent under PECR, the ICO tells us consent must meet UK GDPR’s standards. In other words, consent should be ‘freely given, specific, informed and unambiguous’ and must be given by the individual with a ‘clear affirmative action’.

One of the big changes under GDPR was that the consent requirements became far stricter. It’s worth double-checking you’re meeting them. Consent – are you getting it right?

Legitimate Interests

If you don’t have to rely on consent, your other option is legitimate interests. There is a handy table in the ICO’s legitimate interests guidance under Can we use legitimate interests for our marketing activities?, which sets out when consent is required and when legitimate interests may be appropriate.

It shouldn’t be a throwaway decision to rely on legitimate interests. GDPR requires you to carefully balance the legitimate interests of your business with the ‘rights and freedoms’ of the people you’re going to market to.

You need to take care to make sure the rights of those whose data you’re collecting are not undermined by your business’s legitimate interests. We’d advise completing a Legitimate Interests Assessment (known as a balancing test) and keeping a record of it.

Other areas to be mindful of

  • Disguising a marketing message as a service message. Businesses will often need to send service messages by email for administrative or customer service purposes. These can be sent to everyone provided they only contain essential factual information for your customer, such as confirming an order or confirming a delivery date/time. However, if there’s any promotional content, for example an upsell or cross-sell message, the email will be deemed a direct marketing message and PECR will apply. See Marketing and Service Messages
  • Asking for permission to send marketing by email is deemed to be a marketing message in itself. So you can’t email people (‘individual subscribers’) to ask them to consent to marketing.
  • ‘Hosted’ emails; this is where you use another organisation to promote your products or services to their database. This could cause a problem if you are judged to be the ‘instigator’ of these emails, especially in a B2C context, and valid ‘named’ consent wasn’t collected, i.e. your business wasn’t named when the other organisation collected consent.

The above are all areas in which the ICO has taken action in the past.

On the face of it, email marketing rules might seem a minefield of terms: consent, soft opt-ins, opt-outs, legitimate interests, sole traders and corporate subscribers.

But once the rules are embedded into marketing teams’ heads and ways of working, it can make life easier and reduce the chances of unknowingly violating them and risking a fine.

Big change as marketing ‘soft opt-in’ set to be extended to charities

January 2025

In a hugely significant move the Government has adopted an amendment to the Data (Use and Access) Bill (DUA), which paves the way for charities to be able to benefit from the ‘soft opt-in’ exemption to consent for email and text marketing. This marks a clear move to level the playing field between charities and commercial businesses.

In December nineteen major UK charities joined the Data & Marketing Association (DMA) in urging the Government to make this change. The DMA estimates extending the soft opt-in to charities will increase annual donations in the UK by £290 million.

What is the soft opt-in?

There’s a common misconception that consent is always needed for email marketing to ‘individual subscribers’ (i.e. B2C – business to consumer marketing). There’s always been an exemption available to commercial businesses, commonly referred to as the ‘soft opt-in’. Under the Privacy and Electronic Communications Regulations (PECR) this can be relied upon for marketing emails and texts if ALL of the following conditions are met:

  • A person’s contact details are collected during the course of a sale, or negotiations for a sale, of a product or service;
  • An opportunity to refuse or opt-out of the marketing is given at the point of collection, and in every subsequent communication;
  • You only send marketing about your own similar products and services (not those of a third party).

These strict criteria, in particular the first point, have meant charities have been very restricted and have only technically been able to use this exemption in a commercial context, for example when someone purchased a product from an online charity shop. Charities have not been permitted to use supporter data gathered via the soft opt-in for fundraising purposes.

However, the DUA Bill has now been amended to include a section on ‘Use of electronic mail for direct marketing by charities’. This states:

A charity may send or instigate the sending of electronic mail for the purposes of direct marketing where—

(a) the sole purpose of the direct marketing is to further one or more of the charity’s charitable purposes;
(b) the charity obtained the contact details of the recipient of the electronic mail in the course of the recipient—

(i) expressing an interest in one or more of the purposes that were the charity’s charitable purposes at that time; or
(ii) offering or providing support to further one or more of those purposes; and

(c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of their contact details for the purposes of direct marketing by the charity, at the time that the details were initially collected, and, where the recipient did not initially refuse the use of the details, at the time of each subsequent communication.

What do charities need to consider?

The Bill is still progressing through Parliament, so it’s not law yet. But once passed it will give charities a choice: stick with consent, or start collecting new data using the soft opt-in.

Of course, the pros and cons will need to be weighed up. This will raise some important questions, including (but not limited to):

  • Will your CRM system be able to store multiple permission statuses for legacy data alongside new data gathered under the soft opt-in?
  • Will supporters find it confusing if you suddenly switch?
  • Will people tick a box, thinking they’re opting in, when actually they’ll be opting out?

We’ve written more about this here: The marketing soft opt-in – pros and cons

It has always felt unbalanced that the commercial sector has been able to benefit from this exemption to consent, but charities have not. Here at DPN we’re delighted the lobbying of the DMA and the charities has paid off.

Cookie reprimand and more ICO investigations

September 2024

How to get to grips with your cookies and similar technologies

Following warnings issued to companies operating some of the UK’s most popular websites in relation to their use of advertising cookies, the ICO has issued a reprimand to a leading betting website. It’s also announced an investigation into a company which has failed to take action to meet cookie compliance requirements.

Bonne Terre Ltd, trading as Sky Betting and Gaming, received a reprimand for ‘unlawfully processing people’s data through advertising cookies without their consent’. Third-party tracking technologies including cookies were dropped by the SkyBet website onto users’ devices, which collected personal data (e.g. device ID and unique identifiers).

While the site had a cookie notification (pop-up) and a consent management platform (CMP), the ICO investigation found certain cookies were dropped onto user devices before visitors interacted with the CMP. This meant visitors’ personal information was being processed and made available to AdTech vendors without the visitors’ knowledge or prior consent.

In my experience this is an area organisations often get wrong: cookies and other trackers being deployed onto user devices immediately, regardless of the CMP.

The ICO also looked into whether Sky Betting and Gaming were deliberately misusing people’s personal information to target vulnerable gamblers, but found no evidence of deliberate misuse. As a result of the ICO investigation, Sky Betting and Gaming made changes in March 2023 to make sure people could reject all advertising cookies before their personal information was shared down the AdTech supply chain.

Along with this reprimand the ICO has announced it will be investigating a gossip website: Tattle Life. Despite receiving an ICO warning, Tattle Life is said to have failed to engage.

What is the ICO’s key concern?

The ICO is focusing on meeting the requirement to give users a fair choice over whether they are tracked for advertising purposes. Along with not dropping non-essential cookies on a user’s device automatically regardless of whether they have given their consent, the ICO stresses organisations must make it as easy for users to ‘reject all’ as it is to ‘accept all’. To be clear, websites can still display adverts when users reject tracking, just not ones which are tailored to the person’s browsing habits.

Our 5 steps for compliant cookies

So, how can we make sure we’re following the rules when we deploy cookies and other similar technologies? Here are some straightforward steps to take:

1. Audit: Do a cookie audit. If you don’t know what cookies your website is using you can’t even start to be compliant. Run a diagnostic scan to discover exactly what cookies and similar technologies are currently deployed on your website(s). Establish what they are being used for, which are provided by third party providers and which involve the sharing of data with the third party (for example Google, Meta, etc).

2. Spring clean: Get rid of the cookies you no longer need. This might sound obvious, but you’d be surprised how often we find long-forgotten cookies lurking on websites, serving no purpose yet still needlessly sharing data with third parties! You might need to check with your colleagues which are still used.

3. Categorise: Categorise your cookies – what are they used for?

  • Strictly necessary (essential) cookies – these are vital for the website to operate. For example, a cookie which helps keep the website secure, or a cookie which allows items to be added to a cart in an online store.
  • Analytics/Statistics/Performance cookies – for example, cookies which allow you to monitor and improve the site performance.
  • Functional cookies – cookies which enable a site to remember user preferences and settings, to enhance their experience on your website.
  • Advertising/Targeting cookies – allowing visitors to be followed from one website to another so tailored advertising can be displayed, or to target the most relevant advertising on your own website.

4. Collect consent: The law tells us you need to collect consent for all cookies and similar technologies which are not ‘strictly necessary’ before those cookies are dropped onto the user’s device. To achieve this, you may wish to select a specialist Consent Management Platform to handle notifications and consents for you, as a website ‘plug-in’.

There are many CMPs on the market, some of which are free. Beware that not all of them meet the UK/EU cookie requirements, so care is required when selecting the right one. If you use sub-domains on your website, deploy a high number of cookies or want to exercise some creativity with how it looks, you’re likely to need a paid solution.

5. Notify website users: Provide a clear notification about the cookies and similar technologies you deploy. This should include:

  • the cookies you intend to use;
  • the purposes they will be used for;
  • any third parties who may also process information stored in or accessed from the user’s device; and
  • the duration of any cookies you wish to set.

There are two approaches to this. You can let the CMP handle both the notification (pop-up) and the provision of more detailed information about cookies, or you can use the CMP for the pop-up and provide a separate more detailed cookie notice.
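The five steps above describe an audit, a clean-out and a consent gate; the following is an added illustration of how those pieces fit together in a browser, not code from DPN, the ICO or any CMP vendor. The cookie inventory, the tag names and the ConsentGate API are assumptions made for this example. The first part classifies the cookies actually present against an inventory (steps 1 and 2) and reports any non-essential cookie found before the visitor has interacted with the CMP, which is exactly the finding in the Sky Betting and Gaming case. The second part holds non-essential tags back until a decision is reported, with ‘reject all’ taking exactly as many calls as ‘accept all’.

```javascript
// Added illustration, not code from DPN or the ICO. Tag names, the inventory
// and the ConsentGate API are assumptions made for this example.

const CATEGORIES = ["necessary", "analytics", "functional", "advertising"];

// Steps 1 and 2 (audit / spring clean): classify the cookies actually present
// against a maintained inventory so forgotten cookies stand out.
// `cookieString` is the "name=value; name2=value2" form a browser exposes as
// document.cookie; `inventory` maps cookie name -> { category, provider }.
function auditCookies(cookieString, inventory) {
  const result = { known: [], unknown: [] };
  for (const part of cookieString.split(";")) {
    const name = part.split("=")[0].trim();
    if (!name) continue;
    const entry = inventory[name];
    if (entry) result.known.push({ name, ...entry });
    else result.unknown.push(name);
  }
  return result;
}

// Any cookie present before the visitor has interacted with the CMP that is
// not strictly necessary is a violation. Unknown cookies are reported too,
// because nothing shows them to be exempt.
function preConsentViolations(cookieString, inventory) {
  const audit = auditCookies(cookieString, inventory);
  const nonEssential = audit.known
    .filter(c => c.category !== "necessary")
    .map(c => c.name);
  return nonEssential.concat(audit.unknown);
}

// Step 4 (collect consent): hold non-essential tags back until the CMP
// reports a decision. Strictly necessary tags load at once; nothing else does.
class ConsentGate {
  constructor() {
    this.consent = { necessary: true, analytics: false, functional: false, advertising: false };
    this.decided = false; // has the visitor made a choice yet?
    this.pending = [];    // tags waiting on consent
    this.loaded = [];     // names of tags that have actually been fired
  }

  // `load` is the callback that would inject the vendor script.
  register(name, category, load) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    const tag = { name, category, load };
    if (category === "necessary") this.fire(tag);
    else this.pending.push(tag);
  }

  fire(tag) {
    tag.load();
    this.loaded.push(tag.name);
  }

  // Apply the visitor's choice. Categories not listed stay refused. Tags
  // still refused remain pending so a later change of mind can load them.
  setConsent(choices) {
    this.decided = true;
    for (const c of CATEGORIES) {
      if (c !== "necessary") this.consent[c] = Boolean(choices[c]);
    }
    const stillPending = [];
    for (const tag of this.pending) {
      if (this.consent[tag.category]) this.fire(tag);
      else stillPending.push(tag);
    }
    this.pending = stillPending;
  }

  // "Reject all" is exactly as easy as "accept all": one call each.
  acceptAll() { this.setConsent({ analytics: true, functional: true, advertising: true }); }
  rejectAll() { this.setConsent({}); }
}

// Usage: a page wiring three tags behind the gate (constructed sample).
const gate = new ConsentGate();
gate.register("session-cookie", "necessary", () => {});
gate.register("analytics-vendor", "analytics", () => {});
gate.register("ad-pixel", "advertising", () => {});
// gate.loaded is now ["session-cookie"]; the other two wait for the CMP.
```

In a real deployment the `load` callbacks would insert the vendor `<script>` elements, and `preConsentViolations(document.cookie, inventory)` run on first paint is a cheap regression check that nothing has slipped in front of the gate.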

What are cookies and similar technologies?

Cookies are small pieces of information which are used when users visit websites. The user’s software (for example, their web browser) can store cookies and send them back to the website the next time they visit.

The cookie rules also apply to any other technology which stores or accesses information on a user’s device. For example, similar technologies could include web beacons, scripts, tracking pixels and plugins.

What the law says

Contrary to what we often read in the papers, GDPR does not give us the rules for cookies and similar technologies. In the UK the rules are set out in the Privacy and Electronic Communications Regulations (PECR) which are derived from the EU ePrivacy Directive. The specific requirements vary by country, so think about which countries your site users visit from. Many EU countries have their own rules, all based on the same EU Directive but in the real world they have their own nuances.

In simple terms, you can’t ‘drop’ a file on a user’s device or gain access to information stored on their device unless:

a) You have provided clear and comprehensive information about your purposes for doing this, and
b) You have collected the consent of the user.

There is an exemption for strictly necessary cookies only. The cookie rules apply regardless of whether you’re processing personal data or not, i.e. these rules also apply to the automated collection of anonymised data.

Some points worth noting from ICO guidance

  • Consent needs to meet the requirements under GDPR for it to be a specific, informed, indication of someone’s wishes given by a clear affirmative action.
  • You must inform users about what cookies you use and what they do before they give their consent.
  • Where third-party cookies are used, you must clearly and specifically name who these third parties are and what they will do with the information collected.
  • Users must be given control over non-essential cookies, and should be able to continue to use your website if they don’t give consent.

It’s worth noting the ICO has determined analytics cookies are NOT essential and require consent. However, this is not always the case in other European countries. For example, the French regulator CNIL does not mandate the collection of consent for analytics cookies. They consider these cookies can be used under Legitimate Interests, which means they still require websites to notify users and give them the opportunity to object (opt-out).

The future and alternative solutions for cookies

In both the UK and in the European Union there’s a concerted desire to simplify the rules and remove the necessity for everyone to be faced with a barrage of cookie pop-ups on every website they visit. As yet however, a suitable solution has not been agreed.

Instead of using third-party cookies to help target advertising, there are a growing number of contextual advertising solutions, which are less intrusive, and a growing interest in more privacy-friendly edge computing solutions.

However, there’s a sense these alternatives are not yet fully tried and tested. So we’ve seen a move by some organisations (particularly publishers) to a consent or pay model.

Solving the GDPR puzzle

September 2024

Winston Churchill famously described Russian foreign policy as, ‘a riddle wrapped in a mystery inside an enigma.’

I’m sure those entrusted with data protection for their organisation may harbour similar thoughts about GDPR! Especially small-to-medium sized businesses and start-ups.

As a piece of legislation, UK GDPR has lots of moving parts. As a consultant dedicated to helping organisations understand data protection, here’s my round up of things we at DPN find most commonly misconstrued.

UK GDPR & Data Protection Act 2018

The UK GDPR and the Data Protection Act 2018 are not the same thing.

UK GDPR was implemented in 2020 and largely mirrors its EU namesake. Post-Brexit, the UK flavour of GDPR was created to make it fit for purpose in a UK-specific context. For example, removing all the bits which referenced ‘member state law’.

The Data Protection Act 2018 supplements UK GDPR. For example, it provides more detailed provisions in relation to special category data, child consent, the public interest lawful basis and individual privacy rights exemptions.

The DPA 2018 also includes distinct provisions for processing by law enforcement and intelligence services.

The Privacy and Electronic Communications Regulations (PECR)

It’s PECR not UK GDPR which sets out the rules for direct marketing by electronic means, and for cookies and similar technologies.

PECR has been around since 2003, and is derived from the ePrivacy EU Directive 2002. In 2011 there was a significant update to this piece of legislation with the so called ‘cookie law’.

UK GDPR and PECR sit alongside each other. Organisations need to comply with both when personal data is collected and used for electronic marketing purposes, or collected and used via the deployment of cookies and similar technologies. UK GDPR, marketing & cookies

There’s further interplay, for example, when consent is required under PECR, the consent collected needs to meet the UK GDPR standard for valid consent. This means, to give one example, the required consent for non-essential cookies must be ‘freely given, specific, informed and unambiguous’ and must be given by a ‘clear affirmative action by the data subject’. Getting consent right

Controller and processor

UK GDPR tells us a controller means ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’.

For example, a sole trader, a charity, a limited company, a PLC or a local authority can be a controller. An individual within an organisation such as a CEO or Data Protection Officer (more on DPOs in a bit) is not a controller – a point some companies get wrong in their privacy notice and internal data protection policies.

A controller decides how personal data is collected and used, and the organisation’s senior management is accountable. Furthermore the controller decides which service providers (aka ‘suppliers’ / ‘vendors’) to use. Which brings me onto….

A processor – which means ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’.

Routinely processors will be companies which provide a service, and in providing this service handle their clients’ data. The key is the processor won’t use this client data for their own business purposes.

To give some common examples of processors – outsourced payroll provider, external cloud services, marketing platforms, communications providers, website hosts, IT support services, software and application providers, and so much more.

Some organisations which primarily act as a processor (service provider) may also act as a controller for certain activities, for example to handle their own employees’ personal data. Controller or Processor – what are we?

Controller, processor and ‘sub processor’ contracts

A key change ushered in by GDPR was the concept of processor liability flowing right down the data supply chain. The law decrees there must be a contractual agreement between a controller and a processor, and gives very specific requirements for what this should cover. These are often found in a Data Processing Agreement (DPA), which may be an appendix or addendum to an existing or new contract.

The law aims to make sure individuals’ rights are protected at all times as data flows down and back up the supply chain. As well as a contract between a controller and processor, the processor should have similar contractual terms flowing down to other processors they engage to deliver their services – commonly known as sub-processors. For example, the obligation to keep the controller’s personal data secure at all times. This is a point which often gets overlooked. Supplier contracts

International data transfers include granting ‘access to’ personal data

(aka ‘restricted transfers’ or ‘cross border transfers’)

An international data transfer refers to the act of sending or transferring personal data from one country to another. Crucially this includes when an organisation makes personal data available or accessible to another entity (‘third party’) located in another country. In other words, the personal data can be accessed from overseas.

To give a couple of examples;

⚑ Your UK-based organisation engages a website hosting service based in the United States, which also provides support services. Employees of this service provider can access your customer data on the back end of your website.

⚑ Your UK-based organisation provides a payroll service to clients, to provide this service you use a sub-contractor based in India. The sub-contractor can view your clients’ employee payment records.

In both of the above situations an international data transfer is taking place, and the law tells us specific safeguards are necessary. These rules exist because in the above two cases, customers and employees risk losing control of their personal data when it is ‘transferred’ outside the UK.

For more detail see our International Data Transfers Guide and the ICO International Data Transfer Guidance

Consent should not be your default lawful basis

(aka ‘legal grounds’)

Under UK GDPR there are six lawful bases for processing personal data. No single lawful basis is ‘better’ or more important than the others, and you must determine your lawful basis for each processing activity. Pick whichever one of the six is most appropriate to the activity.

Sometimes consent will be the most appropriate basis to rely on, but certainly not always and consent should only be used when you can give people a genuine choice. Quick guide to lawful bases

A privacy notice is simply a notification, not something people have to agree to

(aka ‘privacy policy’)

People have a fundamental right to be informed and one of the main ways organisations can meet this is by publishing a privacy notice. All businesses need an external facing privacy notice if they’re collecting and handling people’s personal information. And despite a common misconception, this doesn’t just relate to data gathered via a website.

A privacy notice is a notification about ALL the different ways in which you’ll handle people’s personal details (your processing of ‘personal data’). It’s a method of providing necessary and legally mandated information. Although often still referred to as a ‘privacy policy’ it isn’t really policy (it’s a notification only) and isn’t something people should have to confirm they agree to. Privacy Notices Quick Guide & ICO Right to be Informed Guidance 

Not every organisation must have a Data Protection Officer

Many small organisations, and many medium-sized businesses, don’t fall under the mandatory requirement to appoint a DPO. It’s only mandatory if your activities meet certain criteria:

✓ you’re a public authority or body (except for courts acting in their judicial capacity); or
✓ your core activities require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
✓ your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.

It can sometimes be difficult to assess whether your organisation falls under the mandatory requirement or not. And of course it’s perfectly acceptable to voluntarily appoint one – a good DPO can be a huge benefit. But if you don’t appoint a DPO you’ll still need someone (or a team) who have responsibility for data protection.

It is worth bearing in mind the role of a Data Protection Officer is clearly defined in law. UK GDPR sets out the position of a DPO, specific tasks they’re responsible for, and how the organisation has a duty to support the DPO to fulfil their responsibilities. DPO Myth Buster

Not all Personal Data Breaches need to be reported

You’ve accidentally sent an email to the wrong person. This included limited personal information about someone else. You’ve apologised. The person you accidentally sent it to is a trusted person and has confirmed it’s been deleted. It’s unlikely this type of minor breach needs to be reported to the ICO.

When a personal data breach has occurred (or is suspected), it’s important to quickly establish the likelihood and severity of risk and potential harms to those affected. You only need to report a breach to the ICO if you assess that the breach represents a risk to them. It can prove invaluable to have a clear methodology for assessing the risk posed. Data Breach Guide

The right of access (aka DSAR or SAR) is not a right to documentation

People have the right to submit a request to a controller asking for a copy of their personal data – a Data Subject Access Request. They can ask for ALL the personal data you hold about them. But this doesn’t mean the organisation is obliged to provide complete documents just because the individual’s name is referenced at some point. The same applies to emails. Requesters are not entitled to receive the full content of every email their name or email address appears in (unless all of the email content is personal data relating to them). DSAR Guide

Sensitive vs special category data

Certain types of personal data require higher levels of protection. Under the previous DPA 1998 the term ‘sensitive data’ was used, but under GDPR the revised term for this is ‘special categories of personal data’ commonly referred to as Special Category Data.

This includes (but isn’t limited to) racial or ethnic origin, biometrics, political opinions, sexual orientation and data concerning health or sex life. This doesn’t mean other types of data aren’t ‘sensitive’, and shouldn’t be handled securely – such as bank details, national insurance numbers, date of birth and so on.

It can be helpful to remember the root of special category data lies in human rights and data protection principles which emerged in Europe after World War Two – a war in which individuals were persecuted for their ethnic background, religious beliefs or indeed sexual orientation. Understanding and handling special category data

I’m going to finish off with another, but very different, quote. As Douglas Adams wrote in The Hitchhiker’s Guide to the Galaxy, ‘DON’T PANIC!’ There’s plenty of help available (this article, for starters 😉 ) and the ICO has published plenty of guidance, including a dedicated SME Hub.

Yet more CC email data breaches

Despite a stark warning from the Information Commissioner’s Office last year that a failure to correctly use the BCC field (Blind Carbon Copy) is one of the most common causes of breaches, the mistakes keep happening.

The ICO has recently fined and issued a reprimand to the Central YMCA for sending an email to individuals participating in a programme for people living with HIV. The CC field was used, thereby revealing the email addresses to all recipients. 166 recipients could be identified or potentially identified from this, and it could be inferred they were likely to be living with HIV.

Then we hear the Conservative party has reported a breach to the ICO, after hundreds of email addresses were visible to all recipients in an email communication promoting the party’s annual conference. Again a mistake in using CC rather than BCC. The latter would have kept email addresses private. And a mistake which has the potential to reveal people’s political affiliations.

Last year in response to the number of breaches of this nature, the ICO published specific email security guidance to try and help organisations make sure their email communications are more secure.

Such breaches can cause considerable distress and harm, especially if sensitive personal information is involved, or can be inferred from the context of the email. The Regulator provides the following suggestions:

  • Setting rules to provide alerts to warn employees when they use the CC field.
  • Setting a delay, to allow time for errors to be corrected before the email is sent.
  • Turning off the auto-complete function to prevent the system suggesting recipients’ email addresses.
  • Making sure staff are trained about security measures when sending bulk communications by email.
  • Using alternative more secure bulk email solutions.

The Central YMCA and Conservative Party are not the first to find themselves in the spotlight for incorrectly using CC. Sadly, I suspect they won’t be the last.

A couple of years ago, HIV Scotland was fined for failing to protect personal data. An email was sent to 105 members of HIV Scotland’s Community Action Network (CAN). Email addresses were visible to all recipients in the CC field. Although the email addresses themselves may be considered fairly innocuous, due to the nature of the email, the charity had inadvertently disclosed special category data. The ICO commented assumptions could be made about individuals’ HIV status or risk from the data disclosed. The ICO investigation found a number of shortcomings in the charity’s email procedures, including inadequate staff training and an inadequate data protection policy.

The message is simple: the BCC method of bulk email is open to human error, and not advisable when sending bulk emails to multiple recipients and/or if the email could reveal sensitive information.

Instead the advice is to use other secure means, such as bulk email services, which remove the chance of this mistake being made. The ICO says it would also expect businesses to have policies and training in relation to email communications. It’s also worth checking out the National Cyber Security Centre’s useful Email Security Checklist.
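Two of the measures above can be expressed as code rather than policy: the ICO’s suggestion of an alert whenever the CC field carries a bulk send, and the closing advice to send to recipients individually instead of relying on BCC. The following is an added illustration of both, not code from DPN, the ICO or any mail product. The draft message shape ({ to, cc, bcc, subject, body } with arrays of addresses), the sending domain and the threshold are assumptions made for this example. The check returns a verdict a mail client or gateway could use to show a warning or hold the message (the ‘delay’ suggestion); the splitter turns one draft into single-recipient drafts so the CC/BCC choice never arises.

```javascript
// Added illustration, not code from DPN or the ICO. The draft shape, the
// sending domain and the threshold are assumptions made for this example.

// More than this many external addresses visible in To/CC is treated as a
// bulk send that must not go out as-is.
const VISIBLE_EXTERNAL_LIMIT = 1;

function normalise(field) {
  return (field || []).map(a => a.trim().toLowerCase()).filter(Boolean);
}

function domainOf(address) {
  return address.split("@")[1] || "";
}

// Pre-send check: the "alert when the CC field is used" suggestion, applied at
// the point the mail client or gateway is about to send. Returns
// { allow, reason, visibleExternal } so the caller can raise an alert or park
// the message in a delay queue for the sender to correct.
function checkOutbound(draft, ownDomain) {
  const own = ownDomain.toLowerCase();
  const to = normalise(draft.to);
  const cc = normalise(draft.cc);
  const isExternal = a => domainOf(a) !== own;
  const visibleExternal = [...new Set([...to, ...cc])].filter(isExternal);
  if (visibleExternal.length > VISIBLE_EXTERNAL_LIMIT) {
    const where = cc.some(isExternal) ? "CC" : "To";
    return {
      allow: false,
      reason: `${visibleExternal.length} external addresses exposed in ${where}; send individually or via a bulk mail service`,
      visibleExternal,
    };
  }
  return { allow: true, reason: "ok", visibleExternal };
}

// The safer bulk pattern: one message per recipient, so no recipient can ever
// see another's address. Returns the single-recipient drafts for the mailer.
function splitPerRecipient(draft) {
  const everyone = [...new Set([
    ...normalise(draft.to), ...normalise(draft.cc), ...normalise(draft.bcc),
  ])];
  return everyone.map(addr => ({
    to: [addr], cc: [], bcc: [], subject: draft.subject, body: draft.body,
  }));
}

// Usage with a constructed draft (sample data, not from any real incident):
const draft = {
  to: ["programme@example.org"],
  cc: ["alice@mail.test", "bob@mail.test", "carol@mail.test"],
  bcc: [],
  subject: "Programme update",
  body: "...",
};
const verdict = checkOutbound(draft, "example.org");
// verdict.allow is false; splitPerRecipient(draft) yields four single-recipient drafts
```

The threshold of one visible external address is deliberately strict: a genuine two-way conversation with one outside party passes, while anything resembling a distribution list is stopped before the addresses leave the organisation.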