Your views on UK data regime reform proposals

September 2021

DPN Survey on the UK Government’s data regime reform consultation

We’d love to hear your views on the proposals for reforming the data regime in the UK post-Brexit.

The consultation can be found here and we’ve published our 12 highlights. Proposals include changes to UK GDPR and the Privacy and Electronic Communications Regulations (PECR).

The DPN will be responding to the consultation and will publish the results of this survey in due course. This survey will close on 21st October.



Direct marketing: household names fined for breaking the rules

September 2021

What did We Buy Any Car, Saga and Sports Direct get wrong?

The ICO has announced a series of fines for companies which have contravened the direct marketing rules under the Privacy and Electronic Communications Regulations (PECR).

Fines amounting to £495,000 have been issued to Sports Direct, We Buy Any Car, Saga Personal Finance and Saga Services.

Contraventions include not being able to evidence valid consent, not abiding by the conditions of the ‘soft-opt in’ exemption, and emails sent via affiliates without valid consent.

In the ICO blog announcing the fines, their Head of Investigations commented:

“These companies should have known better. Today’s fines show the ICO will tackle unsolicited marketing, irrespective of whether the messages have been orchestrated by a small business or organisation, or a leading household name. The law remains the same and we hope today’s action sends out a deterrent message that members of the public must have their choices and privacy respected.”

It’s worth noting the Government’s data regime reform consultation proposes increasing the maximum fines under PECR to be in line with GDPR. So in future we could see much higher sums being levied for breaking the rules.

We Buy Any Car

Key finding: failure to meet all ‘soft opt-in’ conditions

We Buy Any Car (WBAC) has been fined £200,000 for sending 191.4 million marketing messages and 3.6 million SMS messages in contravention of the PECR rules.

WBAC came to the attention of the ICO due to complaints received directly to their online reporting tool. Between October 2019 and January 2020, the Regulator received 10 complaints from individuals, and a further two complaints from the same individual.

Much of the investigation focuses on email communications which were sent after people had requested a valuation. People can use the WBAC website to input details about their vehicles to get a valuation.

WBAC claimed it relied on the ‘soft opt-in’ exemption for such messages and said people would anticipate further email communications as part of what was described as ‘journey emails’.

The ICO found while people were informed about these communications, they were not given an opportunity to opt-out at the point their details were collected. This is one of the key conditions businesses have to meet when relying on the soft opt-in exemption.

This sends a clear message to other businesses to assess whether they are taking any risks when relying on the ‘soft opt-in’. Are you meeting these core conditions?

  • The contact details are collected during the course of a sale, or negotiations for a sale, of a product or service
  • An opportunity to refuse or opt-out of the marketing is given at the point of collection, and in every subsequent communication
  • You only send marketing about your own similar products and services

Saga

Key finding: inadequate consent obtained for marketing by affiliates/partners

Saga Services Limited (SSL) has been fined £150,000 for sending more than 128 million emails in contravention of the PECR rules. Saga Personal Finance (SPF) has been fined £75,000 for sending 28 million emails.

These cases focus on the potential risks when using partners or affiliates to send marketing on your behalf. Both SSL and SPF paid partners and affiliates to send promotional emails on their behalf for lead generation purposes.

The companies were relying on ‘indirect consent’. In other words they hadn’t collected people’s details directly from them, and were using other parties’ lists to promote their services.

The enforcement notice points to the ICO’s direct marketing guidance which states:

“organisations need to be aware that indirect consent will not be enough for texts, emails or automated calls. This is because the rules on electronic marketing are stricter, to reflect the more intrusive nature of electronic messages.”

The guidance goes on to say ‘indirect consent’ may be valid, but only if it is clear and specific enough. Providing an individual with a long, seemingly exhaustive list of categories of organisations that may send marketing communications to them is not likely to be sufficient.

In summary, it was found that SSL and SPF were the instigators of these email communications, and the ‘consent’ collected by affiliates and partners was not sufficient.

There is a lesson here for all organisations using marketing affiliates and partners: conduct due diligence. You can’t simply accept claims by those sending emails on your behalf that they have a ‘fully consented list’.

Sports Direct

Key finding: inability to produce evidence of marketing permissions

Sports Direct has been fined £70,000 for sending 2.5 million email messages without valid consent.

The company came to the ICO’s attention after the regulator received 12 complaints via its online reporting tool.

This case focuses on a ‘re-engagement’ campaign whereby Sports Direct had identified an ‘aged dataset’ to send communications to. These were described as records which had not unsubscribed – “a category of data that showed as being opted in to receive email marketing but had not received any marketing emails”.

Sports Direct informed the ICO it was either relying on the ‘soft opt-in’ or ‘consent’ to contact this ‘aged dataset’.

However, during the ICO investigations Sports Direct could not provide sufficient evidence it had valid permission to contact people.

In one case Sports Direct couldn’t identify a lawful basis, because the customer in question had asked for their details to be erased, so they had no record at all.

This ruling acts as a reminder to all organisations to keep adequate records, and specifically highlights the risks of emailing customers you haven’t been in contact with for some time.

It also confirms that, even if someone submits an erasure request, you should keep minimised but detailed enough records for a suitable period of time so you can adequately respond to any subsequent complaints.

Full details of the above enforcement action can be found on the ICO website.

UK data regime change consultation: 12 highlights

September 2021

The Government’s consultation on UK data protection reform contains a number of sensible proposals to ease the burden on business. There are also a few surprises likely to raise eyebrows in Brussels. The headlines are:

  • The UK is not about to become the ‘Wild West’ for data, as some may have feared
  • Changes to both UK GDPR and the UK’s Privacy and Electronic Communications Regulations (PECR) look likely
  • A probable relaxation of several areas of UK GDPR, with a focus on outcomes rather than prescribed processes
  • Plans to increase fines under PECR to match those under GDPR, a clear warning to those flagrantly disregarding marketing rules
  • The consultation is a ‘direction of travel’ – nothing’s carved in stone. It’s business as usual for now

The Government’s overall aim is to drive economic growth and innovation and strengthen public trust in use of data.

The way they want to achieve this is to alleviate some of the more prescriptive GDPR obligations on business, whilst retaining a robust data protection regime built largely on existing laws.

This approach is in keeping with the UK’s common law tradition, also used in Australia, New Zealand, Jamaica, Pakistan and Singapore (to name a few), as opposed to the statute law system used across Europe. Common law is viewed by its proponents as more flexible. It’s also why legal proceedings tend to move more quickly in UK courts than those in the EU.

It’s clear the UK Government hopes any changes will be compatible with EU equivalency, enabling the UK to retain adequacy.

Data regime proposals 12 highlights

1. Accountability & Privacy Management Programmes (PMPs)

Changes to the accountability framework are proposed, with businesses expected to have a Privacy Management Programme in place. This approach to accountability is long-established in countries such as Australia, Canada and Singapore.

It’s argued this would allow organisations to implement a risk-based privacy programme based on the volume and sensitivity of personal data they handle, and the types of activities they’re involved in.

By doing this, the proposal seeks to do away with some of the accountability obligations under the current UK GDPR, which may be considered to be more burdensome.

Organisations will still need to know where their data is, what it’s used for, apply lawful bases, implement robust security measures, manage suppliers, assess privacy risks and fulfil privacy rights. But there could be more flexibility and control over how you achieve this.

This doesn’t mean ripping up all the hard work you’ve done to comply with GDPR.

When the dust has settled, many organisations may choose to stick with the tried and tested framework they’ve already established. Others may jump on the opportunity to adapt their approach.

And let’s not forget, UK businesses operating in Europe will still be governed by EU GDPR.

2. No mandatory Data Protection Officers

The consultation proposes removing the mandatory requirement to appoint a DPO.

Under GDPR, a DPO must be appointed by public authorities – and in the commercial sector – if organisations meet specific criteria. It also sets out requirements and responsibilities for the role.

It’s proposed the requirement for a DPO is replaced with a requirement to designate a suitable individual (or individuals) responsible for overseeing compliance. However, the new law wouldn’t lay down specific requirements & obligations for this role.

3. No mandatory requirement for Data Protection Impact Assessments

Currently, GDPR makes a DPIA mandatory for high-risk activities. It also sets out core elements such an assessment must include.

Furthermore, it requires supervisory authorities to establish a list of processing operations which definitely require a DPIA. This led authorities, including the UK’s ICO, to dutifully publish lists of where DPIAs would be considered mandatory, as well as best practice.

The Government is proposing removing this mandatory requirement, although this won’t mean throwing out screening questionnaires and DPIA templates, which are often very useful.

The onus would be on organisations to take a proportionate and risk-based decision on when they consider it appropriate to carry out impact assessments and how they go about this.

4. More flexible record keeping

Completing and maintaining up-to-date records, known as Records of Processing Activities (RoPA) has been one of the more onerous aspects of GDPR.

Again, current law and guidance is prescriptive about record keeping requirements – although small and medium sized organisations (with fewer than 250 employees) are exempt from this.

It’s proposed a more flexible model for record keeping is introduced.

Maintaining a central record of what personal data you hold, what it’s used for, where it’s stored and who it’s shared with is a sensible and valuable asset for any organisation. Many feel such records are vital to effective data risk management.

So again, you don’t need to rip up your current RoPA, but you may soon be allowed to adapt your record keeping to suit your business and perhaps make your records easier to maintain.

5. Data breach notification threshold changes

It’s clear GDPR has led to data protection authorities being inundated with data breach reports. The ICO, for one, has highlighted a substantial amount of over-reporting.

This isn’t surprising when there’s a legal obligation for organisations to report a personal data breach if it is likely to represent a ‘risk’ to individuals.

It’s proposed organisations would only need to report a personal data breach where the risk to the individual is ‘material’. The ICO would be encouraged to produce clear guidance and examples of what would be ‘non-material’ risk, and what would or would not be considered a reportable breach.

6. Data Subject Access Requests changes

The stated purpose of a subject access request is to give individuals access to a copy of their personal data so they can ‘be aware and verify the lawfulness of processing’ (although many organisations might question if this is why some submit requests).

The consultation recognises the burden that responding to DSARs places on organisations, especially smaller businesses which often lack the resources to handle them.

The possibility of charging a nominal fee could be reintroduced. It’s also proposed the threshold for judging when a request may be vexatious / manifestly unfounded is amended.

7. Cookies

Headlines surrounding UK data reform usually focus on ending the barrage of cookie pop-ups. The consultation proposes two main options:

  • Permitting organisations to use analytics cookies and similar technologies without the user’s consent. In other words, treating them in the same way as ‘strictly necessary’ cookies. It’s worth noting that this proposal is included in the most recent EU ePrivacy draft. (It’s accepted further safeguards would be required to ensure this had a negligible impact on user privacy and any risk of harm. It would also not absolve organisations from providing clear and comprehensive information about cookies and similar technologies).
  • Permitting organisations to store information on, or collect information from, a user’s device without their consent for other limited purposes. An example given is that this could include processing necessary for the legitimate interests of controllers where the impact on privacy is likely to be minimal.

The Government says it is keen to hear feedback on the most appropriate approach.

8. Legitimate Interests

There’s a proposal to create an exhaustive list of legitimate interests which organisations could rely on without needing to conduct the balancing test, i.e. no Legitimate Interest Assessment (LIA) required.

The following are some of the examples given:

  • ensuring bias monitoring, detection and correction in AI systems
  • statutory public communications and public health & safety messages by non-public bodies
  • network security
  • internal research and development projects

Where an activity is not on the list, we’re assuming assessments using the current 3-step test would still be needed.

9. Extended use of the ‘soft opt-in’

PECR currently permits email and SMS marketing messages where consent has been given, or for existing customers only, when the soft opt-in requirements are met.

This exemption to consent for existing customers is only currently available to commercial organisations. It’s proposed this could be extended to other organisations such as political parties and charities.

This could be great news for charities, but could it lead to a deluge of unwanted messages from political parties?

10. Research purposes

The Government wants to simplify the use of personal data for research, with a specific focus on scientific research.

Considerations include establishing new lawful grounds for research (subject to ‘suitable safeguards’) and incorporating a clear definition of ‘scientific research’.

11. Artificial intelligence

It’s proposed certain automated decision-making should be permitted without human oversight.

GDPR prohibits this unless necessary for a contract with an individual, authorised by law or based on explicit consent. The consultation suggests Article 22 is scrapped.

The aim is to ‘deliver more agile, effective and efficient public services and further strengthen the UK’s position as a science and technology superpower’.

It’s hoped this can be achieved by developing a safe regulatory space for responsible AI development, testing and training which allows greater freedom to experiment.

In the consultation press release, an AI partnership between Moorfields Eye Hospital and the University College London Institute of Ophthalmology is highlighted. Researchers have trained machine-learning technology to identify signs of eye disease, which is more successful than relying on clinicians alone.

This is cited as a clear example of the type of data use which should be encouraged, not hindered by law.

12. Reform of the ICO

The Government wants to assert greater control over the UK’s data protection regulator, the Information Commissioner’s Office.

They propose to introduce a new, statutory framework to set out the ICO’s strategic objectives and duties and a power for the Secretary of State for DCMS to prepare a statement of strategic priorities to inform how the ICO sets its own regulatory priorities.

This would bring the ICO into line with other UK regulators such as Ofcom, Ofwat and Ofgem.

The proposals also include introducing a new overarching objective for the ICO, in addition to its other functions, tasks and duties, with two key elements:

  • Upholding data rights and safeguarding personal data from misuse
  • Encouraging trustworthy and responsible data use, to uphold the public’s trust and confidence in use of personal data


Yes, a shake-up of UK data laws and enforcement is on the horizon, but the final outcome remains unknown, and a healthy debate will surely follow.

The consultation closes on 19th November 2021, and there will undoubtedly be some time before any changes become law.

For the time being it’s business as usual, but this document gives us a clear idea of what the future might look like.

Meanwhile, the EU will be keeping a very close eye on developments, and it’s possible the UK could be deemed to be going a step too far – it’s easy to see EC adequacy decisions being held over the UK Government like the Sword of Damocles.

The UK Government’s objective is to give organisations more control and flexibility around data protection management within a less burdensome regime, which supports the data economy and drives innovation.

In some ways, it could even be seen as a move towards giving organisations who don’t take data protection seriously more rope to hang themselves with.

The full consultation document is worth a read and can be found HERE.

Simon Blanchard, Phil Donn & Julia Porter – September 2021

ICO says most public sector messages are not direct marketing

August 2021

One of the unwelcome side effects of the pandemic has been the proliferation of bogus emails and texts trying to illegally elicit personal data from us.

I speak with my elderly mother almost daily, repeating the same lines; ‘don’t click on the link’, ‘don’t respond if someone is asking you to enter your details’, ‘hang up’, ‘delete it’, ‘you haven’t ordered a package, please ignore it’.

However, we’ve also all received other communications which I feel have been largely helpful. Messages such as pandemic update emails from our local councils, notifications about vaccines from our GPs, and text messages about the NHS app.

But would some of these be regarded as direct marketing messages? Did some contravene the rules under PECR (the Privacy and Electronic Communications Regulations)?

Possibly, perhaps in some cases definitely (under existing guidance). But does it matter? Surely, there’s an argument to say some communications may not be strictly necessary but are informative and useful, and don’t unduly impact on our privacy.

This is clearly an area the ICO felt needed addressing. The Regulator has issued new guidance, which appears to alter the long-standing interpretation of direct marketing.

What does the new guidance say?

The ICO says public sector organisations can send ‘promotional’ messages which would not be classed as direct marketing, if they are necessary for a public task or function.

This is significant. ‘Promotional’ messages have always been considered as ‘direct marketing’ before, regardless of whether they are sent by commercial companies, not-for-profits or the public sector.

It also means, in the eyes of the Regulator, such public sector ‘promotional’ emails, SMS messages and telephone calls do not fall within the scope of the UK’s Privacy and Electronic Communications Regulations (PECR).

In a blog announcing the new guidance the ICO states:

“Any sector or type of organisation is capable of engaging in direct marketing. However the majority of messages that public authorities send to individuals are unlikely to constitute direct marketing.”

Anthony Luhman, ICO Director, goes on to say:

“Our new guidance will help you understand how to send promotional messages in compliance with the law. Done properly the public should have trust and confidence in promotional messaging from the public sector.”

As said, until now any ‘promotional’ message was considered direct marketing. So this new guidance raises some questions:

  • Has the long-standing interpretation of the definition of direct marketing been changed?
  • Is this a sensible new interpretation?
  • Will this open the floodgates to us being spammed by public authorities?

What is the definition of ‘direct marketing’?

The definition is broad. Under section 122(5) of the DPA 2018 the term ‘direct marketing’ means “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”.

A definition which also applies for PECR.

What exactly is meant by ‘advertising or marketing material’ is not clarified in the DPA 2018 or PECR, but the long-standing interpretation of this has been that it is not limited to commercial marketing and includes any material which promotes ‘aims and ideals’.

This interpretation is clear in the ICO’s Direct Marketing Guidance and more recently in the draft Direct Marketing Code, published in January 2020, which says of direct marketing:

“It is interpreted widely and covers any advertising or marketing material, not just commercial marketing. For example it includes the promotion of aims and ideals as well as advertising goods or services. This wide interpretation acknowledges that unwanted, and in some cases nuisance, direct marketing is not always limited to commercial marketing.”

When is a promotional public sector message not direct marketing?

In a nutshell, the new guidance states:

  • If you’re a public authority and your promotional messages are necessary for your public task or function, these messages are not direct marketing
  • If your messages by telephone, text or SMS are not direct marketing, you don’t need to comply with PECR. (But you still need to comply with UK GDPR).

The ICO is now drawing a distinction between promotional messages necessary to fulfil a public task or function, as opposed to messages from public authorities promoting services which a user pays for (such as leisure facilities) or fundraising activities. The latter would still be considered direct marketing.

The new guidance provides the following interpretation:

“In many cases public sector promotions to individuals are unlikely to count as direct marketing. This is because promotional messages that are necessary for your task or functions do not constitute direct marketing. We do not consider public functions specified by law to count as an organisation’s aims or ideals.”

This is in marked contrast to the wording of the draft Direct Marketing Code which says:

“If, as a public body, you use marketing or advertising methods to promote your interests, you must comply with the direct marketing rules.”

What types of messages are direct marketing and which aren’t?

The following examples are given of the types of promotional content a public authority might communicate which would NOT constitute direct marketing:

  • new public services
  • online portals
  • helplines
  • guidance resources

The ICO says promotional messages likely to be classed as direct marketing include:

  • fundraising; or
  • advertising services offered on a quasi-commercial basis or for which there is a charge (unless these are service messages as part of the service to the individual)

How do you decide if messages are necessary for public task or function?

The ICO says it accepts all public authorities will have what it describes as ‘incidental powers’ to promote their services and engage with the public. It therefore says it is not necessary for a public authority to identify an ‘explicit statutory function’ to engage with promotional activity which is deemed ‘necessary’ for a task or function.

However, the ICO does stipulate you can’t just say a direct marketing message is no longer direct marketing because the lawful basis has been stated as public task.

Nor can you just decree a promotional message is ‘in the public interest’; this won’t automatically mean it isn’t direct marketing.

What the Regulator expects is for public authorities to identify a relevant task or function for the communication they wish to send.

There’s a risk here the ICO has not been clear enough. This could cause confusion and I suspect plenty of deliberation over which messages are or are not direct marketing.


It’s made clear that even if you determine certain promotional messages are not direct marketing, this doesn’t mean you can ignore other basic data protection principles.

You still need to make sure people know what you are doing with their personal data, and this must be within their reasonable expectations.

In other words, public authorities must make it clear to people they intend to send promotional messages which are necessary for a public task or function, which may mean updating their privacy notices.

Right to object

People have an absolute right to object to direct marketing, but they also have a general right under data protection law to object to processing, which includes when organisations are relying on the lawful basis of public task. This is a right people should be made aware of.

The guidance makes it clear – if someone objects to a promotional message from a public authority, it will only be possible to continue sending messages if ‘compelling legitimate grounds’ to do so can be demonstrated.

The ICO makes the point it would be difficult to justify continuing to send unwanted promotional messages if this goes against someone’s wishes.

My advice would be to include a clear ability to opt-out on any promotional message; any message which isn’t an essential service message.

(Albeit, this could cause some configuration issues for public authorities who don’t have sophisticated systems which can distinguish between different types of messages and opt-outs).

Lawful basis for promotional non-marketing messages

The ICO points to two lawful bases under UK GDPR for sending promotional messages necessary for a public task or function, either public task or consent.

The guidance suggests that just because you can rely on public task doesn’t mean you shouldn’t consider consent, which may be considered appropriate for public trust reasons.

The ICO accepts that public authorities may be reluctant to rely on consent, due to a potential imbalance of power, but says it may be considered appropriate if the individual has a genuine free choice to give or refuse consent to promotional messages.

A change in interpretation

This new guidance certainly seems to represent a marked change in the ICO’s previous interpretation of direct marketing.

It’s interesting to note the following pertinent examples which are present in the draft Direct Marketing Code (which I suspect may be altered in the final version).


Scenario A

A GP sends the following text message to a patient: ‘Our records show you are due for x screening, please call the surgery on 12345678 to make an appointment.’

As this is neutrally worded and relates to the patient’s care it is not a direct marketing message but rather a service message.

Scenario B

A GP sends the following text message to a patient: ‘Our flu clinic is now open. If you would like a flu vaccination please call the surgery on 12345678 to make an appointment.’

This is more likely to be considered to be direct marketing because it does not relate to the patient’s specific care but rather to a general service that is available.

It seems to me that Scenario B, under the new guidance, could be classed as a promotional message, but NOT direct marketing.

(Personally, I would never have complained about Scenario B; it’s a helpful, informative message and hardly in the realms of untargeted nuisance spam).

The draft Code goes on to confirm the following would be direct marketing:

  • a GP sending text messages to patients inviting them to a healthy eating event;
  • a regulator sending out emails promoting its annual report launch;
  • a local authority sending out an e-newsletter update on the work they are doing; and
  • a government body sending personally addressed post promoting a health and safety campaign they are running.

The specific examples from the draft Code were used by people to question whether some of the messages they received during the pandemic contravened PECR.

Would these types of communications now no longer be direct marketing?

It would certainly seem like they aren’t if you go by the clear message from the ICO that ‘the majority of messages that public authorities send to individuals are unlikely to constitute direct marketing.’

Will the above examples disappear from the final Direct Marketing Code?

In summary

This new guidance is likely to be welcomed by some who have been frustrated, or indeed bewildered their communications could be considered direct marketing.

However, it could also muddy the waters. It leaves the public sector needing to clearly define different types of communications and make sure relevant teams are adequately briefed to understand the difference.

As I see it, there are three types of communication:

a) Service messages – essential messages relating to the provision of a service
b) Promotional messages for public task or function (which are highly likely to need an opt-out)
c) Direct marketing messages (must have an opt-out to honour the individual’s absolute right to object).

I just wonder whether the term ‘promotional messages’ could have been avoided in this guidance. I am not sure I have a satisfactory alternative, but perhaps something like ‘information messages’ – i.e. messages that are not essential service messages but provide helpful information.

I also wonder whether there could have been a carve out for important health-related messages, rather than applying this new interpretation to any ‘promotional’ message from any public authority.

Let’s hope the public sector now pays due care and attention to transparency, provides an opt-out to all but essential messages, and doesn’t abuse this new-found power to engage with us beyond what is actually necessary.


Need advice on complying with the direct marketing rules? Do your people need refresher training? Our experienced team can help you navigate GDPR, PECR and regulatory guidance. CONTACT US.


Marketing and the ‘soft opt-in’ – are you getting it right?

June 2021

The ICO has recently issued a £10,000 fine to a pizza company for sending ‘nuisance marketing messages’ to its customers.

Papa John’s claimed it was relying on the exemption to consent, known as the ‘soft opt-in’, but it was found to have not abided by the rules of this exemption.

So, what is the ‘soft opt-in’ and how can you use it, within its limitations, and not fall foul of the rules? What did Papa John’s get wrong?

What is the ‘soft opt-in’?

The laws governing electronic marketing are covered in the Privacy and Electronic Communications Regulations 2003 (PECR) and these govern email, SMS and telemarketing.

Under PECR you need to have consent to send email or SMS marketing messages to what are termed ‘individual subscribers’. These are people who personally subscribe to their email/SMS service provider (this is often referred to as B2C marketing).

But you don’t always legally need consent…

There’s an exemption under PECR for email or SMS marketing to existing customers. This is commonly known as the ‘soft opt-in’. An annoyingly ambiguous term as it permits the use of an ‘opt-out’ mechanism!

When relying on the ‘soft opt-in’ you need to be careful to make sure you follow the rules about when this exemption applies, which can be summarised as:

  • The contact details are collected during the course of a sale, or negotiations for a sale, of a product or service;
  • An opportunity to refuse or opt-out of the marketing is given at the point of collection, and in every subsequent communication;
  • You only send marketing about your own similar products and services; AND
  • You provide the ability to opt-out in every communication

For more information see PECR Regulation 22 and the ICO’s Guide to PECR.

It’s worth noting the rules on consent and the soft opt-in under PECR do not apply to ‘corporate subscribers’. A corporate subscriber is where the organisation (as opposed to the individual) has subscribed to the email/SMS service. (Commonly referred to as B2B marketing).

To quote the ICO on this, here’s an extract from the draft Direct Marketing Code of Practice:

“The PECR rules on marketing by electronic mail (e.g. email and text messages) do not apply to corporate subscribers. This means you can send B2B direct marketing emails or texts to any corporate body. However, you must still say who you are and give a valid address for the recipients to unsubscribe from your emails.”

You do, however, need to be mindful that sole traders and some partnerships fall under the definition of ‘individual subscribers’, so would fall under the consent / soft opt-in rules for B2C marketing.

What did Papa John’s get wrong?

The ICO says it received 15 complaints from Papa John’s customers about the unwanted marketing they were receiving by text and email. The Regulator points out, ‘the complaints noted the distress and annoyance the messages were causing’.

Subsequent ICO investigations found the pizza company sent more than 168,000 messages to its customers without valid consent.

Papa John’s claimed it was relying on the ‘soft opt in’ exemption in order to send these marketing messages. But the ICO ruled they were unable to rely on this exemption for customers who’d placed orders over the telephone, as people had not been given the opportunity to opt-out at this point. The ICO also makes the point that customers were not provided with a privacy notice.

Andy Curry, ICO Head of Investigations said:

“The law is clear and simple. When relying on the ‘soft opt in’ exemption companies must give customers a clear chance to opt-out of their marketing when they collect the customers’ details. Papa John’s telephone customers were not given the opportunity to refuse marketing at the point of contact, which has led to this fine.

“We will continue to take action against companies who may be gaining unfair advantage over those companies that adhere to the law and comply with electronic marketing law”.

The message is clear, you need to tell people you’d like to send them marketing and give them an opportunity to object when you collect customers’ details in order to rely on the ‘soft opt-in’. You can read more from the ICO about this case here.

This latest fine comes hot on the heels of action against another company for falling foul of PECR, a case which focused on the often fine line between a service message and a marketing one. I wrote about this here: Are your service messages actually direct marketing?

Both these fines act as warnings to organisations, and provide a good opportunity to review practices and check you aren’t taking any unnecessary risks.
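The soft opt-in conditions summarised above, the corporate-subscriber carve-out, and the Papa John’s failure (telephone customers never offered a chance to refuse) can all be expressed as a single send-time gate. The following is an added example written for this article, not code from the DPN, the ICO or any company named here; the record fields, the ‘service’/‘marketing’ split and the sample contacts are assumptions constructed for illustration.

```python
"""Send-time gate for email/SMS marketing under PECR Regulation 22.

Added example, not the page's or the ICO's code. Field names, the
"service"/"marketing" message kinds and all sample records are assumed
for illustration; the decision rules are the soft opt-in conditions
from the article.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, Tuple


@dataclass
class Contact:
    address: str                       # email address or mobile number
    subscriber_type: str               # "individual" (B2C, incl. sole traders) or "corporate" (B2B)
    consent_given: bool = False        # valid PECR consent on record
    objected: bool = False             # has opted out of / objected to direct marketing
    details_from_sale: bool = False    # details obtained during a sale or negotiations for one
    opt_out_offered: bool = False      # chance to refuse marketing given at the point of collection
    purchased_categories: FrozenSet[str] = field(default_factory=frozenset)  # e.g. {"pizza"}


@dataclass
class Message:
    kind: str                          # "service" (neutral, administrative) or "marketing"
    product_category: str = ""         # what the marketing promotes
    sender_identified: bool = True     # message says who you are
    unsubscribe_link: bool = True      # valid address/link to opt out in this message


def may_send(contact: Contact, message: Message) -> Tuple[bool, str]:
    """Return (allowed, reason). Marketing is blocked unless a lawful route exists."""
    if message.kind == "service":
        # Genuinely administrative messages sit outside the marketing rules. The
        # content must really be neutral: promotional content labelled "service"
        # is still direct marketing (the AMEX case).
        return True, "service message"

    # The right to object to direct marketing is absolute: it overrides consent,
    # the soft opt-in and the B2B position alike.
    if contact.objected:
        return False, "recipient has objected to direct marketing"

    # Every marketing message must identify the sender and carry an opt-out.
    if not (message.sender_identified and message.unsubscribe_link):
        return False, "message lacks sender identity or unsubscribe option"

    if contact.subscriber_type == "corporate":
        return True, "corporate subscriber (B2B): consent/soft opt-in rules do not apply"

    if contact.consent_given:
        return True, "valid consent on record"

    # Soft opt-in: every condition must hold, otherwise the exemption is unavailable.
    missing = []
    if not contact.details_from_sale:
        missing.append("details not collected during a sale or negotiations")
    if not contact.opt_out_offered:
        missing.append("no opportunity to opt out at point of collection")
    if message.product_category not in contact.purchased_categories:
        missing.append("not a similar product or service")
    if missing:
        return False, "soft opt-in unavailable: " + "; ".join(missing)
    return True, "soft opt-in exemption"


# Constructed sample records (not real customers).
PHONE_ORDER_CUSTOMER = Contact("07700 900001", "individual", details_from_sale=True,
                               opt_out_offered=False, purchased_categories=frozenset({"pizza"}))
WEB_ORDER_CUSTOMER = Contact("web@example.com", "individual", details_from_sale=True,
                             opt_out_offered=True, purchased_categories=frozenset({"pizza"}))
SOLE_TRADER = Contact("plumber@example.com", "individual")
CORPORATE_BUYER = Contact("buyer@corp.example", "corporate")
OPTED_OUT = Contact("done@example.com", "individual", consent_given=True, objected=True)

PIZZA_OFFER = Message("marketing", "pizza")

if __name__ == "__main__":
    for name, contact in [("phone order", PHONE_ORDER_CUSTOMER), ("web order", WEB_ORDER_CUSTOMER),
                          ("sole trader", SOLE_TRADER), ("corporate", CORPORATE_BUYER),
                          ("opted out", OPTED_OUT)]:
        print(f"{name:12s} -> {may_send(contact, PIZZA_OFFER)}")
```

The gate is deliberately deny-by-default for individual subscribers: a contact reaches the soft opt-in branch only when there is no objection and no consent, and then every condition has to be present. Running it over the sample records shows the telephone-order customer being blocked for exactly the reason the ICO gave, while the sole trader is treated as an individual subscriber despite being a business.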


Struggling with data protection? Ease the strain with our no-nonsense advice and support via our flexible Privacy Manager Service. Find out how our experienced team can help you. CONTACT US.


Are your service messages actually direct marketing?

Navigating the line between service messages and marketing messages can be tricky, as American Express has just discovered.

The ICO has fined AMEX for a contravention under the Privacy and Electronic Communications Regulations (PECR), and this is not the first time the regulator’s spotlight has shone on this area.

Others have been sanctioned before for sending ‘service’ messages that are found to fall under the definition of direct marketing, to customers who’ve opted out of marketing.

It’s important to point out we all have feet of clay; I’m sure many other organisations are shimmying along this regulatory tightrope. Some consciously pushing the boundaries, others inadvertently breaking the rules.

And just to be clear, in this case the ICO found AMEX hadn’t deliberately flouted the rules but did find them to be negligent.

With that in mind, what did AMEX do? How can you avoid making the same mistake?

The ruling in a nutshell

An ICO investigation found AMEX had sent marketing emails to people who’d not given their consent or who’d opted out. More than four million messages were sent over the course of a year (June 2018 – May 2019).

The key here is AMEX’s decision to internally classify these emails as ‘service’ messages, which is why customers who’d opted out / objected to marketing still received them.

The ICO disagreed and determined these were direct marketing, and marketing opt-outs should have been applied.

What was the content of the emails?

During the investigation AMEX provided the ICO with a number of different types of emails which they classed as ‘service’ messages.

The nature of these emails ranged from encouraging people to download the AMEX app, to how to make the most of an AMEX card, rewards and offers, how to earn more rewards by referring friends, getting an improved rate on cashback, and so on.

Why were they internally classed as ‘service’ messages?

In its defence AMEX said the emails were an integral part of the service they provide to AMEX customers. Their argument was that a crucial aspect of being an AMEX customer was taking advantage of member benefits. They said this was cited by customers as one of the primary reasons for having an AMEX card.

AMEX therefore determined these messages were necessary and “required to be sent based on legal and contractual requirements”.

They said the aim of the communications was to reinforce messages, to make sure customers were clear on how their benefits worked. They also said they wanted to make sure card members got value for money and “avoided any disappointment or detriment”.

In short, you might argue AMEX decided to fix the line between service and marketing messaging too far in the direction of marketing. The ICO certainly thought so.

I’m sure AMEX won’t be alone in having taken this approach.

The ICO’s conclusion

The regulator assessed the content of the emails and found the following:

  • The emails encouraged customers to use their AMEX credit cards to make purchases or, in specific cases, download an app
  • The emails were clearly of an advertising and promotional nature
  • None were “neutrally worded and purely administrative” in nature

Whatever their stated purpose internally, the ICO found the email content fell under the definition of direct marketing. The emails were aimed at encouraging customer actions from which AMEX would financially gain.

The Data Protection Act 2018 (“DPA 2018”) defines direct marketing as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. This definition also applies for the purposes of PECR.

These emails were sent to customers irrespective of whether they had given their consent to promotional emails (when they opened an account) or had subsequently opted-out of marketing emails.

The ICO ruled that as these were not essential service messages, AMEX could not rely on them being necessary for contractual requirements.

The penalty notice makes it clear:

There is no exemption under PECR Regulation 22 which allows organisations to send marketing emails they consider advantageous for subscribers where they have not received prior consent to do so. If there were, such an exemption would likely be relied on by all persons in breach of the PECR direct marketing rules.

In its findings the ICO says AMEX should have made sure its marketing operations complied with the relevant statutory regime, and that it was reasonable to suppose AMEX should have been aware of its responsibilities.

Who complained?

The penalty notice reveals AMEX received twenty-two complaints about ‘service’ emails during the period investigated. Five people complained directly to the ICO, some after initially raising their concerns with AMEX (but not all).

What struck me was the tiny percentage of complainants… especially when you consider AMEX sent out four million emails. (Admittedly this figure is likely to include repeated emails to the same individuals).

It starkly illustrates how only a few complaints can cause a world of pain. (There have been cases in the past based on a single complaint).

How was the fine determined?

For those wondering why this wasn’t an eye-watering multi-million pound fine, it should be remembered this was a contravention of PECR not GDPR. Under PECR, the maximum fine that can be levied is £500,000.

In determining whether to issue a monetary notice, the Commissioner judged that AMEX had access to sufficient financial resources to pay the proposed fine without causing it undue financial hardship.

The Commissioner considered a penalty sum of £90k was both reasonable and proportionate.

The penalty notice notes AMEX undertook its own independent internal review when the Commissioner began her investigation. AMEX stopped marketing to customers who had opted out of receiving direct marketing communications by email and has made changes to processes and procedures to ensure compliance with PECR.

Okay, so what IS a service message?

The ICO’s draft Direct Marketing Code of Practice sets out what would be considered a ‘service message’.

Essentially, it’s a communication sent to individuals for administrative or customer service reasons, which must be neutral in tone, purely providing important and necessary service information.

It must NOT include any advertising or promotional materials. The ICO says the key is in the ‘phrasing, tone and context’.

If a message is actively promoting or encouraging an individual to make use of a particular service, a special offer, or upgrade for example, then it is likely to be direct marketing.

And, if your email communications are likely to fall under the definition of direct marketing, you should be adhering to the email marketing rules under PECR.

If you’d like more detail see Understanding email marketing rules and the ICO Guide to PECR.

What lessons can be learnt?

This fine is a wake-up call for many organisations who’ve not clearly defined service versus marketing messages. And for those who are knowingly taking a risk? Watch out!

Do you have clear rules for your marketing and communications teams to follow? Do your people understand where to draw the line? Do you have an internal compliance review process for emails purported to be ‘service’ emails?

In AMEX’s case, the penalty notice reveals they did have an internal email communications policy with training in place. However, the ICO found they’d classified ‘service’ messages incorrectly.

I suspect this case will be of particular interest to businesses who’ve taken a decision to class customers as ‘members’ and taken the step of bundling promotional messages in as being necessary ‘service’ messages.

This case shows semantics aren’t good enough here; the ICO takes a strict interpretation and a handful of complaints can put you firmly in their crosshairs.

The key, for me, is AMEX sent emails which were not absolutely necessary, and AMEX customers who didn’t want to receive these had no way of objecting to them.

Let’s not forget the right to object to processing is a fundamental data protection right; you need a robust justification for refusing to fulfil this. (And the right to object to direct marketing is absolute).

Maybe if AMEX had been able to provide an opt-out from such comms, and given people a choice, some wouldn’t have felt the need to complain to the ICO.

There’s a clear message here to take your customers seriously: if they are complaining, they may have a point. You can read the full details in the ICO Penalty Notice.


Data protection team over-stretched or need some specialist support? Find out how we can help with no-nonsense practical privacy advice – Contact Us

Social media targeting: consent or legitimate interests?

April 2021

Social media marketing is well established and mainstream – lots of organisations carry out targeted advertising via various social media platforms.

But are we being open and upfront about it? Do our customers, or supporters, know enough about how we use their data on social media platforms?

From retargeting your own customers by uploading pseudonymised data to a social media platform, through to targeting ‘lookalikes’, there are a variety of options available.

Are there any compliance risks when we conduct these activities? Do people have enough control over the use of their data and the advertising they see? And to what degree are people even bothered by it?

What does the ICO think?

We began to get an insight into the ICO’s expectations when they published their draft Direct Marketing Code, back in January 2020.

Firstly, yes they are in scope:

Online behavioural advertising and some types of social media marketing are not classed as electronic mail under PECR but these are still direct marketing communications.

The ICO points out the need for transparency:

Individuals may not understand how non-traditional direct marketing technologies work. Therefore it is particularly important that you are clear and transparent about what you intend to do with their personal data.

Individuals are unlikely to understand how you target them with marketing on social media so you must be upfront about targeting individuals in this way.

You must be transparent and clearly inform individuals about this processing so that they fully understand you will use their personal data in this way. For example, that you will use their email addresses to match them on social media for the purposes of showing them direct marketing.

When using “list-based” tools (e.g. Facebook Custom Audiences or LinkedIn contact targeting), where you upload personal data you already have to the platform (e.g. list of email addresses) you must be transparent and clearly inform people about this processing.

The draft DM Code says:

You must be upfront about this processing. Individuals are unlikely to expect that this processing takes place, therefore you should not bury information about any list-based tools you use on social media within your privacy information.

It is likely that consent is the appropriate lawful basis for this processing as it is difficult to see how it would meet the three-part test of the legitimate interests basis. However you will still need to ensure you also meet transparency requirements.

If an individual has objected to you using their personal data for direct marketing purposes, you cannot use their data to target them on social media, including by using list-based tools.

So, the ICO says we need consent.

But actually many disagree with this rather draconian interpretation of the law. Remember this is still draft guidance and we don’t know if it will change or when the Code will be published.

(When finalised, as a Code of Practice it will replace and carry more weight than the existing Direct Marketing Guidance, which doesn’t really touch on social media marketing).

So, is Legitimate Interests out of the question?

Many organisations may be currently relying on Legitimate Interests, especially when using “list based tools”. It’s not been made clear why the ICO believes these tools would not meet the three-part test for Legitimate Interests.

In contrast, the European Data Protection Board (EDPB) suggests in its August 2020 social media guidelines that Legitimate Interests might be suitable for social media targeting:

Generally speaking, there are two legal bases which could theoretically justify the processing that supports the targeting of social media users: data subject’s consent (Article 6(1)(a) GDPR) or legitimate interests (Article 6(1)(f) GDPR). A controller must always consider what the appropriate legal basis is under the given circumstances.

The EDPB goes on to explain that three conditions for Legitimate Interests must be met:

(i) the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed
[i.e. the processing must be for a legitimate purpose]

(ii) the need to process personal data for the purposes of the legitimate interests pursued, and
[i.e. the processing must be necessary]

(iii) the condition that the fundamental rights and freedoms of the data subject whose data require protection do not take precedence.

The EDPB reminds us that, where a controller envisages relying on legitimate interests, the duties of transparency and the right to object require careful consideration in relation to (iii) above.

Therefore it is important to make sure your privacy notice is clear about the use of personal data for social media targeting.

The EDPB also reminds us that the CJEU has previously specified that, in a situation of joint controllership (as there might be between a controller and a social media platform):

It is necessary that each of those controllers should pursue a legitimate interest […] through those processing operations in order for those operations to be justified in respect of each of them.

Why would you want to be a trail blazer and limit the scale of your marketing activity by adopting a consent-based approach, when others don’t do it too?

John Mitchison is Director of Policy and Compliance at the Data and Marketing Association (DMA):

“The current compliance landscape can be very confusing for marketers, not least in the area of online advertising and social media.  We have a ‘draft’ version of the ICO’s Direct Marketing Code of Practice and guidance from the EU, of which the UK is no longer a part.

If a person has a first party relationship with a brand and a first party relationship with a social media platform it seems entirely reasonable for that person to see ads about the brand on the social site, and for this processing to be done under Legitimate Interest. 

Transparency and control are essential if you want to retain the trust with your customers; clearly explain what is going on in your privacy policy and allow people to opt out if they really want to.”

Consumer expectations

It can be argued people nowadays expect to see relevant advertising when they browse social media, and that ads which are relevant to their interests have got to be better than untargeted ads.

So is there really any harm in this type of targeted advertising?

It’s important to acknowledge there could be harm if data is used in intrusive, inappropriate or unlawful ways, especially where individuals may be minors or vulnerable people.

When data is used without the proper controls to protect people, such as offering dieting tablets to anorexics, targeting alcohol offers to alcoholics, or offering gambling services to problem gamblers – it is highly likely to be harmful.

This type of advertising is also regulated under the CAP code, so we’re not entirely reliant on data protection rules here.

But outside of these concerning situations, where targeted advertising is used for non-sensitive products and services, is this type of targeting likely to cause harm?

What user-controls are available within social media platforms?

Most social media platforms which carry advertising provide user controls on the advertising you are exposed to. For example, Facebook Ad Preferences enable users to:

  • see which advertisers are targeting you directly and hide ads if you wish
  • manage advertising topics and ‘see fewer’ if you wish
  • view data about your activity from ad partners
  • decide if you wish to share certain profile information (employer, job title, education & relationship status) for advertising purposes
  • edit your interests and other categories used by advertisers to reach you
  • find out who is targeting you via audience-based advertising and hide those ads if you want

What are the risks to advertisers?

At this point in time, the likelihood of enforcement action by the ICO regarding social media targeting (for non-sensitive products & services) appears rather low. But of course this could change.

It’s certainly wise to keep a close eye out for customer / supporter complaints which might arise from social media targeting, as if these are not handled properly, people could escalate their concerns to the ICO.

At the end of the day the key is making sure you are open and upfront about how you use people’s personal information. Take a risk-based judgement call on the right lawful basis for your business and try to avoid any unwelcome surprises!


If you’d like any advice or support regarding social media marketing, or any other use of data, please get in touch – Contact Us 

Minimise your data with maximum permissions

March 2021

Deliver successful marketing campaigns without hoarding data

This might seem like a contradiction in terms. How can you minimise the volumes of data you keep whilst also maintaining good levels of marketing permissions?

The answer, of course, is to only keep the data you need. Less is more. I’ll say that again – less is more. However, the challenge for many marketers is to understand which data to discard and which data to keep.

Figuring out which data is needed takes time and effort, and draws on some old-fashioned skills we learnt in the pre-internet era to maintain data accuracy and assess which variables/values actually drive a sale.

Before the ubiquitous email, which appears to cost nothing, we used to make some very difficult decisions about who to contact because each contact cost a fortune. Now is the time to re-discover some of those skills and cut down on those emails and digital ads, whilst rebuilding trust with prospects and customers.

1. Data accuracy

Arguably the most boring job for any marketer is to keep their customer and prospect data up to date and accurate.

Questions to consider:

  • How many records hold inaccurate data?
  • Are they worth keeping?
  • How recently did that prospect engage with you?
  • Will they ever engage again?
  • Are the marketing permissions up to date and valid?

Like de-cluttering your house, it’s difficult to throw away data but keeping data for too long can attract large fines and a bad reputation.

2. Effective retention policies

If you understand the patterns of purchase and sale you’ll have a good idea of when people who are customers are no longer engaged and either need to be refreshed or removed.

Asking if people want to be removed from a database after a long period of inactivity is a good idea. Why keep people on a list who don’t want to hear from you?

Questions to ask:

  • Have you reviewed your retention policy and refreshed permissions?
  • Do you have a regular routine in place to identify and update permissions once they reach their retention policy limit?
  • Do you regularly review the responses you generate from the older data sets?
  • Based on your findings, should you adjust the retention policy periods?
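The retention routine described in this section (refresh permissions when they age, remove contacts after sustained inactivity, and review response rates from older data) can be run as a simple sweep over the marketing list. The block below is an added example, not code from the DPN or any vendor; the record layout, the 12-month refresh and 24-month removal thresholds, and the sample records are assumptions chosen for illustration and should be replaced with your own retention policy periods.

```python
"""Retention sweep for a marketing list.

Added example, not the page's own code. The Record fields, the REFRESH_AFTER
and REMOVE_AFTER thresholds and the sample data are all assumed values.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

REFRESH_AFTER = timedelta(days=365)   # assumed: re-ask for permission after 12 months
REMOVE_AFTER = timedelta(days=730)    # assumed: remove after 24 months without any engagement


@dataclass(frozen=True)
class Record:
    contact_id: str
    permission_valid: bool            # opt-in / soft opt-in still on record
    permission_date: date             # when permission was last captured or refreshed
    last_engaged: Optional[date]      # last open, click or purchase; None = never
    responded_last_campaign: bool     # did they respond to the most recent campaign


def triage(rec: Record, today: date) -> str:
    """Decide what to do with one record: keep, refresh, remove or suppress."""
    if not rec.permission_valid:
        # No permission: keep only a suppression entry so the contact is not re-added.
        return "suppress"
    last_touch = rec.last_engaged or rec.permission_date
    if today - last_touch > REMOVE_AFTER:
        return "remove"
    if today - rec.permission_date > REFRESH_AFTER:
        return "refresh"               # ask whether they still want to hear from you
    return "keep"


def sweep(records: Iterable[Record], today: date) -> Dict[str, List[str]]:
    """Group contact ids by the action the retention policy requires."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for rec in records:
        buckets[triage(rec, today)].append(rec.contact_id)
    return dict(buckets)


def response_rate_by_age(records: Iterable[Record], today: date,
                         bucket_days: int = 365) -> Dict[int, float]:
    """Response rate of the last campaign per permission-age bucket (whole years).

    Falling rates in the older buckets are the evidence for shortening the
    retention period.
    """
    hits: Dict[int, int] = defaultdict(int)
    totals: Dict[int, int] = defaultdict(int)
    for rec in records:
        if not rec.permission_valid:
            continue
        age = (today - rec.permission_date).days // bucket_days
        totals[age] += 1
        hits[age] += int(rec.responded_last_campaign)
    return {age: hits[age] / totals[age] for age in totals}


# Constructed sample list (not real contacts).
TODAY = date(2021, 3, 1)
SAMPLE = [
    Record("c1", True, date(2020, 9, 1), date(2021, 2, 1), True),    # recent, engaged
    Record("c2", True, date(2019, 6, 1), date(2020, 12, 1), False),  # engaged, permission stale
    Record("c3", True, date(2018, 1, 1), None, False),               # never engaged, very old
    Record("c4", False, date(2020, 5, 1), date(2021, 1, 1), True),   # permission withdrawn
    Record("c5", True, date(2020, 1, 1), date(2021, 1, 15), True),   # engaged, permission stale
]

if __name__ == "__main__":
    print(sweep(SAMPLE, TODAY))
    print(response_rate_by_age(SAMPLE, TODAY))
```

The sweep never deletes a withdrawn-permission contact outright; a suppression entry is what stops the same address coming back in through a later data import. The cohort function is what answers the third question in the list above: if the one-year-old and older buckets respond noticeably less than fresh permissions, the retention periods are too generous.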

3. Reduce the collection of data points

If I provide a phone number when I place an order, what happens to that data?

Unless it’s for a carrier I’ll always provide an inaccurate number. It makes more sense to explain exactly why you need every single data point and provide a “what’s in it for me” reason why this data should be collected. The completion rate will be greater with more accurate information.

Questions to ask:

  • Do you have a clear plan for how every single data point is used?
  • Have you communicated that intention clearly?
  • Have you explained clearly the “what’s in it for me”?
  • Which data can be discarded?

4. Special category data

Special category data can be explicitly collected or inferred from the combination of other data sets. This is a particular challenge in Adtech where the quantity of data collected through third party cookies is, frankly, mind blowing.

If you’re able to establish sexuality from which websites someone uses, this potentially becomes special category data. Keeping any special category data presents an additional risk and should be carefully considered, whilst consent for marketing needs to be sought under any circumstance. If in doubt, get rid of it.

Questions to consider:

  • Do you really need to know anything sensitive about your prospects and customers?
  • What difference will knowing the information make to your ability to sell your products and services?

5. Preference centres

The notion you should give your customers and prospects the choice to manage their preferences in an open and transparent way is at the heart of data protection legislation.

There are technology solutions from a wide variety of providers to create preference centres for cookies, as well as managing marketing preferences for emails, direct mail and so on.

Presenting this information in an easy-to-understand format can feel like a formidable challenge and there’s sometimes the temptation to hide it or just not bother to explain clearly enough.

Not explaining or hiding information is never a great idea, as there is a direct link between openness and transparency and trust.

“Doing the right thing” and building trust is a No 1 priority for many brands and they see it reaps dividends in greater loyalty and repeat purchase.

Not only that, but the aforementioned technology solutions have relatively inexpensive options for smaller or medium-sized businesses. Cost should not be an impediment.

Questions to consider:

  • Are all your marketing and cookie preferences managed centrally?
  • Do you know what all the cookies on your website do?
  • Do you know what happens to the data that is captured by third party Adtech providers?
  • Have you completed a DPIA for Adtech activity?
  • Do you have a compliant cookie notice and preference centre with the permissions options applied correctly?

6. Understanding the ROI of your campaigns

Being able to analyse the customer/prospect journey from first point of data capture through to a final sale is the holy grail. An apparently cost-efficient lead at the front end may not translate into high margin sales in the end.

Equally, being able to understand what influences a purchasing decision and what environment is most successful will allow you to filter your marketing effort against fewer key variables.

As the ICO clearly stated in their review of RTB, the sheer volume of data in use by Adtech providers feels disproportionate to the outcome.

Questions to ask:

  • Can you calculate an end-to-end ROI on customer transactions?
  • Do you know which variables will influence purchase more than anything else?
  • Have you done some modelling of your own customer data to create anonymised look-alike segments to be used with contextual advertising?

7. How do you move on from third-party cookies?

As we know, Google will stop supporting third party cookies in 2022. This places an immediate pressure on advertisers to focus on their own first party data.

Immediate questions to ask:

  • Do we have any first party data?
  • How else do we add to what we already know?
  • Can we ask our customers to share more data? What interests them, what content do they consume, how do they shop?

If we’re able to create segments from our own data, the opportunity to use that information to create anonymised look-alikes will improve targeting efficiency. We are seeing a proliferation of providers who use different variables to target customers, without needing large quantities of cookie data, and this trend is set to grow.

If you understand your data well and create meaningful segments for targeting from first party data, which has been volunteered by customers, marketing teams will be in a strong position to deliver more with less.


Data protection team over-stretched? Find out how we can help with our flexible no-nonsense Privacy Manager Service.