UK email marketing rules

September 2023

Is email marketing putting your business as risk?

Hardly a month goes by without an announcement from the UK’s Information Commissioner’s Office of another business being fined for falling foul of the email & SMS marketing rules.

It continues to surprise me some marketing and communications teams haven’t heard of the Privacy and Electronic Communications Regulations. They’ve been around since 2003 (far longer than GDPR) so businesses really have no excuse. Of course, there will always be some who want to try and get away with it.

Under PECR there are specific rules for direct marketing by telephone, email and SMS, plus rules for cookies and similar technologies.

Here I’m going to focus on email marketing. The same rules apply to SMS and to other ‘electronically stored’ marketing messages, including picture or video messages, voicemail, in-app messages and personal messaging on social media.

Consent for business-to-consumer (B2C) marketing emails

Unless using the exemption below, you must collect consent before you send email marketing to what are termed individual subscribers. This definition covers people who personally subscribe to their email service provider. For example people who give you their personal gmail, hotmail or btinternet email address.

Soft opt-in exemption for business-to-consumer (B2C) marketing emails

There’s an exemption to consent for B2C email marketing, commonly known as the soft opt-in. This can only be used if the following criteria are met:

  • The individual’s contact details are collected during the course of a sale (or negotiations of a sale) of a product or service
  • An opportunity to refuse or opt-out of the marketing is given at the point of collection and in every subsequent communication AND
  • You only send marketing about your own similar products and services.

See PECR Regulation 22 and the ICO Guidance on Electronic Mail

Marketing emails to business contacts (B2B)

The rules on consent and the soft opt-in exemption do not apply to what are termed corporate subscribers. A corporate subscriber is described by the ICO as any corporate body (an entity with a separate legal status) with its own phone number or internet connection.

For example, my work email address has the domain <name>@dpnetwork.org.uk. DPN Associates pays for this service, not me as an individual. Businesses don’t legally need consent to contact me at my DPN business email address. To quote the ICO on this:

“The PECR rule on direct marketing by electronic mail does not apply to corporate subscribers. For example, this means you can send B2B direct marketing emails or texts to any corporate body. You do not need their consent under PECR to send such messages.”

A couple of key points to bear in mind:

  • A named business contact will still fall under the definition of personal data. Therefore B2B marketing to named individuals must comply with UK GDPR.
  • Sole traders and some partnerships technically fall under the definition of individual subscribers, where consent or the soft-opt-in exemption would be required.

The right to object

Everyone has the absolute right to object to direct marketing. This applies to both B2C and B2B marketing communications. Marketing emails should always have an unsubscribe link or clear instructions how to opt-out. Businesses also need to make sure everyone who has opted-out of emails is not included again.

Global email marketing

If you’re a UK-based company sending marketing emails outside the UK, you’ll need to check the rules in the destination country. The rules in the recipients’ country will apply. The rules in Germany, for example, are stricter than they are in the UK. Rules differ across Europe and the rest of the world for B2C and B2B email marketing.

What about UK GDPR?

Once you’ve got the PECR rules straight, you need to also consider what’s necessary to comply with UK GDPR. For example you should be transparent about your activities, fulfil the right to be informed, the right to object to direct marketing and so on. You also need to identify a lawful basis for your marketing activities and meet the requirements of this lawful basis.

Consent

If you’re relying on consent under PECR, the ICO tells us consent must meet UK GDPR’s standards. In other words, consent should be ‘freely given, specific, informed and unambiguous’ and must be given by the individual with a ‘clear affirmative action’.

One of the big changes under GDPR was the consent requirement became far stricter. It’s worth double-checking you’re meeting them. Consent – are you getting it right?

Legitimate Interests

If you don’t have to rely on consent, your other option is legitimate interests. There is a handy table in the ICO’s legitimate interests’ guidance under Can we use legitimate interests for our marketing activities?, which sets out when consent is required and when legitimate interests may be appropriate.

It shouldn’t be a throwaway decision to rely on legitimate interests. GDPR requires you to carefully balance the legitimate interests of your business with the ‘rights and freedoms’ of the people you’re going to market to.

You need to take care to make sure the rights of those whose data you’re collecting are not undermined by your business legitimate interests. We’d advise completing a Legitimate Interests Assessment (known as a balancing test) and keeping a record of this.

Other areas to be mindful of

  • Disguising a marketing message as a service message. Businesses will often need to send service messages by email for administrative or customer services purposes. These can be sent to everyone provided they only contain essential factual information for your customer. Such as confirming an order, confirming a delivery date/time, and so on. However, if there’s any promotional content, for example an upsell or cross-sell message, they will be deemed to be direct marketing messages and then PECR will apply. See Marketing and Service Messages
  • Asking for permission to send marketing by email is deemed to be a marketing message in itself. So you can’t email people (‘individual subscribers’) to ask them to consent to marketing.
  • ‘Hosted’ emails; this is where you use another organisation to promote your products or services to their database. This could cause a problem if you are judged to be the ‘instigator’ of these emails, especially in a B2C context, and valid ‘named’ consent wasn’t collected, i.e. your business wasn’t named when the other organisation collected consent.

The above are all areas the ICO has taken action in the past.

On the face of it, email marketing rules might seem a minefield of terms; consent, soft opt-ins, opt-outs, legitimate interests, sole traders and corporate subscribers.

But once the rules are embedded into marketing teams’ heads and ways of working, it can make life easier and reduce the chances of unknowingly violating them and risking a fine.

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

ICO issues fine for invalid marketing consent

April 2023

How do we make sure the consent we collect is compliant?

The ICO has issued a £130,000 fine to a company which operated five recruitment websites. Join the Triboo (JTT) was found to have failed to collect valid consent for email marketing communications and in the words of the regulator, ‘bombarded people with spam emails’.

What did JTT get wrong?

It was ruled there was a failure to meet the requirements for consent to be a ‘freely given, specific, informed and unambiguous’ indication of someone’s wishes. Statements used to collect ‘consent’ were judged to neither be informed, nor specific.

One ‘consent’ statement used stated ‘I agree to marketing activity’. Perhaps unsurprisingly, this was judged as not clearly telling people what types of communications subscribers could expect to receive, by what means, or from whom. The privacy policy stated marketing might be carried out on behalf of ‘third parties’ who operate in ‘any business sector’.

Another statement referred to emails on behalf of ‘selected companies’ and contained broad categories including ‘general’.

Again, the ICO rule this could not be considered specific or informed and jobseekers using JTT operated websites weren’t given enough information to understand what they were consenting to.

Do we have to name third parties which rely on the consent we collect for them?

Interesting, the enforcement notice in this case does not specifically spell out that third parties relying on consent must be named. It states:

Consent is required to be “specific” as to the type of marketing communication to be received, and the organisation, or specific type of organisation, that will be sending it.

It’s not clear if the use of the term ‘specific type of organisation’ marks a shift in the Regulator’s stance to date, that named consent is always required. The ICO’s consent guidance states; ‘Name any third party controllers who will rely on the consent’.

What does valid consent look like?

The ICO’s guidance on consent sets out its expectations of what constitutes valid consent. To summarise:

  • A consent request must be prominent and separate from terms & conditions
  • People must take a positive action to opt in
  • Pre-ticked boxes must not be used
  • Clear and plain language must be used
  • It should be clear what we will use the data collected for
  • Any other organisation relying on consent must be named
  • People should be told, when they give their consent, they can withdraw it at any time
  • Consent shouldn’t be a precondition of a service

Here at the DPN we use the following statement to collect consent for our email newsletter. We’re pretty confident we’ve followed the ICO’s checklist.

SIGN UP FOR OUR NEWSLETTER
DPN updates direct to your inbox. Get insight, free resources, events & services from DPN Associates (publishers of DPN). All our emails have an opt-out. For more information see our Privacy Statement.

A box is provided to enter an email address and a positive action is taken when clicking the ‘Subscribe’ button.

Is consent always needed for email marketing?

The short answer is no. There’s an exemption to consent for business-to-consumer email marketing known as the soft opt-in, which can be legally used if specific conditions are met. This exemption was not applicable in the JTT case.

Email marketing by a business to it’s business contacts is also permitted without consent (provided the requirements for a legitimate interest are met).

When not relying on consent, the lawful basis for processing data for marketing purposes under UK GDPR will be legitimate interests.

The rules for direct marketing by electronic means are governed by the Privacy and Electronic Communications Regulations (PECR). When PECR tells us we need consent, this consent must meet the UK GDPR standard. The ICO has recently updated its direct marketing guidance.

Quick takeaways

  • Be clear about what you’re asking people to consent to – what type of marketing can they expect to receive?
  • Tell people which media communications channel you will use. If you’re going to send people marketing by email, make this clear.

For more detail see the ICO enforcement notice.

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

ICO direct marketing guidance for email and other electronic mail

October 2022

The rules and regulatory expectations spelt out

The ICO has published guidance specifically outlining the rules for direct marketing using electronic mail. The guidance clarifies the position the regulator takes on consent, the soft opt-in, refer-a-friend campaigns, hosted emails, using bought-in lists and more.

The guidance specifically focuses on direct marketing by electronic mail to individuals (‘individual subscribers’). The term ‘electronic mail’ covers email, text, picture, video, voicemail, and in-app messages, as well as sending people direct private messages via social media.

The rules for sending direct marketing by electronic mail are covered by the UK’s Privacy and Electronic Communications Regulations (PECR). We’re also reminded to comply with UK GDPR if we’re handling personal data.

This summary covers the core rules under PECR, as set out in the guidance, picks up on specific areas where the ICO has clarified its position and includes an occasional soupçon from me.

Where italics are used, this is text lifted from the guidance itself – so the regulator’s words not mine.

A. Core direct marketing rules and definitions

Options for electronic direct marketing messages

PECR says you can only send direct marketing by electronic mail if:

  • You have consent; or
  • you can meet all of the requirements of the ‘soft opt-in’.

I’d just stress, this means the consent of the individuals the message is target to.

Importantly it’s made clear these rules only apply to what are termed ‘individual subscribers’. It says, you can send electronic mail marketing to a corporate subscriber without needing to comply with the above requirements.

The following definitions are given:

  • Corporate subscribers are corporate bodies with separate legal status (eg companies, limited liability partnerships, Scottish partnerships).
  • Individual subscribers are people but also include some types of businesses (eg sole traders and some types of partnerships).

Another way to put this is individual subscribers are people who’ve signed up to the email service provider themselves.

I’d also just add, where you don’t have consent for business-to-business marketing – marketing to corporate subscribers – you’d be relying on Legitimate Interests under UK GDPR. Legitimate Interests is subject to a balancing test, so it’s wise to conduct a written assessment (Legitimate Interests Assessment).

What constitutes direct marketing?

The Data Protection Act 2018 defines direct marketing as: “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. A definition which applies under PECR too.

It’s a broad definition and covers any advertising, marketing or promotion of products and services. It also includes promoting aims and ideals, so covers fundraising and campaigning.

This latest guidance says; The definition doesn’t cover online advertising (eg advertisements placed on websites). It also doesn’t cover some types of direct marketing using social media (eg advertising messages shown on news feeds). This is even when organisations target these advertisements to a particular user of the site or platform.”

We’d point out targeted online advertising would fall under PECR rules where your using cookies and similar technologies.

For more information see: What is direct marketing?

Service messages

Messages sent for purely administrative or necessary customer service purposes are not considered direct marketing. However, if such messages include any promotional content, they’ll be considered direct marketing.

The ICO regularly issues fines where organisations have intentionally, or unintentionally, disguised marketing messages as service ones. An area I’ve written about before; Another ICO fine for a ‘service’ email deemed to be marketing.

Organisations have even been fined for sending messages asking people (who haven’t given permission or who’ve opted out) to confirm their marketing preferences. This in itself is judged to be direct marketing.

Solicited messages

If a customer specifically asks for information about your products and services, responding with the information requested will be considered a solicited message and won’t fall under the definition of direct marketing.

B. What constitutes valid consent?

There are specific requirements which the ICO says must be met for consent to be valid.

  • you must give people a free choice to consent so that they can refuse without detriment and you must keep the consent separate from other things, such as terms and conditions (‘freely given’);
  • you must make it clear that the consent covers your electronic mail marketing messages and you must give your name in the consent request (‘specific and informed’);
  • you must have no doubt that they are consenting to your electronic mail marketing messages (unambiguous indication); and
  • they must take a positive action to consent, so you must not use pre-ticked opt-in boxes, silence or inactivity as an indicator of consent (clear affirmative action).

You should keep a record of the consent (e.g. who, when, how) so that you can demonstrate that it is valid. People can also withdraw consent and you must make it easy for people to do this.

For more information see: How do we use consent?

At DPN we’d recommend any permission statement also includes a clear link to your privacy notice. This is so you can be confident you meet UK GDPR requirements to provide privacy information when personal data is collected.

C. Using the soft opt-in

The guidance reiterates all of the following conditions must be met to compliantly rely on this exemption to consent.

  • You want to send marketing by electronic mail to individual subscribers (includes sole traders and some types of partnerships).
  • You collected their contact details directly from them
  • You collected their details during a sale, or negotiations for a sale, or your products and services
  • You want to use their details to send them marketing about your similar products and services
  • You gave them a clear, simple way to opt-out, or say no to your marketing, when you collected their details
  • You give them a clear, simple way to opt-out, or change their mind about your marketing, in each message you send.

Just to be very clear on the fifth point, you must tell people you want to send them marketing, and give them the ability to say no.

What constitutes a ‘sale’?

Currently, the soft opt-in under PECR specifically uses the word “sale” and refers to “products and services”. The ICO says this means the soft opt-in doesn’t apply to details collected where there’s no sale (or such a negotiation), or where there are no products or services involved.

For “negotiations for a sale” to be triggered the ICO says the customer must actively express an interest in buying your products or services. Examples given include:

  • A request for a quote
  • Specifically asking for more details about what you offer
  • Signing up for a free trial

The ICO says: The communication from the person must involve buying products or services. It’s not enough for someone to send any type of query.

What about other companies in the same group?

The ICO considers use of the soft opt-in to be only available to the same entity or single organisation that originally collected the contact details. It says this means it won’t apply to other companies within the same group as the collecting organisation.

Charities and the soft opt-in

The way it’s worded in PECR means the soft opt-in only currently applies to commercial marketing of products and services. The ICO says this does not apply to the promotion of aims and ideals, for example campaigning or fundraising.

However, it could potentially apply to any commercial services or products offered. For example, if a charity has an online shop, they could use the soft opt-in to send direct marketing emails about the shop’s products, assuming all other conditions are met. In other words, the marketing could only be about products, not fundraising.

Under UK Government plans to reform data protection law and PECR it’s been proposed the soft opt-in should be extended to cover charities and political campaigning. (At time of writing, with the current political turmoil, the future direction of the Data Protection and Digital Information Bill is not known).

For more information see: How do we use soft opt-in?

An important point to highlight here, if you’re using the soft opt-in, you’ll be relying on Legitimate Interests as your lawful basis to process personal data for this activity under UK GDPR. This would therefore be subject to a balancing test – a Legitimate Interests Assessment. This is covered in the guidance under: What else do we need to consider?

D. Hosted email campaigns

The guidance doesn’t use the term ‘hosted’ email campaigns, but mentions how both the sender and the instigator of direct marketing by electronic mail will be responsible for complying with PECR.

It says you’re likely to be instigating if you; encourage, incite, incentivise or ask someone else to send electronic mail containing your direct marketing message.

We can take from this that if you ask another company to send your marketing messages to their customers, or you send a third-party’s marketing to your customers, the rules under PECR will apply.

The ICO doesn’t spell it out, but it’s clear it would not be possible to meet the conditions of the soft- in, and therefore consent would be required.

For more information see: Who is responsible?

It’s not unusual for companies to include an element of third-party marketing within their email campaigns, where this is perhaps not the main purpose. For example a travel company might include details of hire car companies within its own marketing messages.

The ICO has previously issued a fine to the Brexit Leave Campaign for including a promotion for an insurance company. In this case the promotion was totally unrelated to the content people might have expected to receive.

Where third-party content is incidental and relevant to the product or service, people are less likely to complain. Some companies may choose to take a risk-based approach here, balancing their commercial imperatives with the arguably lower likelihood of regulator enforcement action. A stand-alone message about a third party’s products and services would carry greater risks.

We’d stress here we do not know what stance the ICO would take should a complaint arise about a campaign which included some relevant and useful content promoting a third party.

E. Using bought-in lists

The message is clear – in order to use bought-in lists for electronic mail marketing to individual subscribers, the ICO says people must have given their consent to receive such marketing from your organisation. The ICO’s separate consent guidance states; Name any third party controllers who will rely on the consent.

For more information see: Can we use bought-in lists?

F. Viral marketing and refer-a-friend

The ICO says you must comply with the PECR rules if you engage in viral marketing, ‘refer a friend’ or ‘tell a friend campaigns. It’s stated: This applies even if you don’t send the messages yourself, but instead instigate the sending or forwarding of these messages.

For the Regulator to consider you the ‘instigator’, just encouraging someone to send or forward the message is enough.

Essentially the ICO says encouraging customers to forward your emails or texts is a non-starter. You don’t have consent from the recipients, and you can’t rely on the soft opt-in.

However, the ICO says you can take steps to avoid being an instigator, such as:

  • Don’t create pre-populated emails for marketing which customers can send their friends and family
  • Avoid actively encouraging customers to forward on an email or text. (If they do it without being encouraged to, the PECR rules wouldn’t apply).

An example is given of a customer logging into their account which includes information about a rewards scheme for friends and family. This explains, if friends or family input the customer’s unique code when signing up to the company’s services, the customer will get a discount on their bill. The ICO says this approach would be okay.

The guidance doesn’t cover viral marketing via social media. We’re presuming the rules would only apply if you sent this as a private message encouraging people to forward it, as opposed to posting something let’s say on a forum.

For more information see: Can we ask people to send our electronic mail marketing?

G. Using publicly available contact details

The ICO says it’s unlikely you can use contact details sourced indirectly from social media accounts, websites or other online or offline sources for electronic marketing. The reason being you can’t comply with PECR as you won’t have their consent and can’t rely on the soft opt-in.

The guidance makes it clear, an exception would be where this is business contact details, where the requirement for consent or soft opt-in doesn’t apply. (We take this to mean ‘corporate subscribers’).

For more information see: Can we use publicly available contact details to send marketing by electronic mail?

The above is a summary of the guidance and we’d encourage you to read the full guidance, or at least any areas specifically relevant to your organisation. In saying this, I’d recommend not taking aspects of the guidance in isolation. If you’re relying on consent, read the ICO’s consent guidance. If you are relying on soft opt-in read guidance on legitimate interests.

I’d also highly recommend making sure you have tailored marketing guidance (or a policy) for employees (and/or your marketing agency). Training for specific teams is also likely to improve awareness and knowledge. A great way to prevent unnecessary mistakes.

Relevant teams should understand the rules and your internal approach. It’s clear in recent PECR fines the ICO sometimes discovers there is insufficient guidance given to staff.

Alongside this guidance on electronic marketing mail, the ICO has also published guidance on live telemarketing.

I think we can take from these specific pieces of guidance the Direct Marketing Code of Practice has been pushed further into the long grass. The draft consultation published back in 2020 is clearly on the backburner, perhaps until there’s a clearer picture of what is, or isn’t happening, with UK data reform?

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Is your marketing profiling lawful, fair and transparent?

October 2022

ICO fines catalogue retailer £1.35 million for ‘invisible processing’

Many companies want to know their customers better. This is not a bad thing. Information gathered about people is regularly used for a variety of activities including improving products and services, personalisation or making sure marketing campaigns are better targeted.

However, the significant fine dished out to catalogue retailer Easylife highlights why companies need to be transparent about what they do, have a robust lawful basis, be careful about making assumptions about people and take special care with special category data.

It also shows how profiling is not limited to the realms of online tracking and the adtech ecosystem, it can be a simpler activity.

What did the catalogue retailer do?

Easylife had what were termed ‘trigger products’ in its Health Club catalogue. If a customer purchased a certain product, it triggered a marketing call to the individual to try and sell other related products. This was done using a third-party call centre.

Using previous transactions to tailor future marketing is not an unusual marketing tactic, often referred to as ‘NBA – Next Best Action’. The key in this case is Easylife inferred customers were likely to have certain health conditions based on their purchase of trigger products.

For example, if a customer bought a product which could be associated with arthritis, this triggered a telemarketing call to try and sell other products popular with arthritis sufferers – such as glucosamine and bio-magnetic joint patches.

Data relating to medical conditions, whether provided by the individual or inferred from other data, is classified as special category data under data protection law and handling this type of data requires special conditions to be met.

The ICO’s ruling

To summarise the ICO’s enforcement notice Easylife was found have failed to:

  • have a valid lawful basis for processing
  • meet the need to have an additional condition for processing special category data
  • be transparent about its profiling of customers

It was found to have conducted ‘invisible processing’ of 145,000 customers.

There were no complaints raised about this activity; it only came to light due to a separate ICO investigation into contraventions of the telemarketing rules. The ICO says it wasn’t surprised no one had complained, as people just wouldn’t have been aware this profiling was happening, due to the lack of transparency.

It just goes to show ICO fines don’t always arise as a result of individuals raising complaints.

Key findings

Easylife argued it was just processing transactional data. The ICO ruled when this transactional data was used to influence its telemarketing decisions, it constituted profiling.

The ICO said while data on customer purchases constituted personal data, when this was used to make inferences about health conditions, this became the processing of special category data. The ICO said this was regardless of the statistical confidence Easylife had in the profiling it had conducted.

Easylife claimed it was relying on the lawful basis of Legitimate Interests. However, the Legitimate Interests Assessment (LIA) the company provided to the ICO during its investigation actually related to a previous activity, in which health related data wasn’t used.

When processing special category data organisations need to make sure they not only have a lawful basis, but also comply with Article 9 of UK GDPR.

The ICO advised the appropriate basis for handling this special category data was with the explicit consent of customers. In other words legitimate interests was not an appropriate basis to use.

Easylife was found to have no lawful basis, nor a condition under Article 9.

It was ruled there was a lack of transparency; customers hadn’t been informed profiling was taking place. Easylife’s privacy notice was found to have a ‘small section’ which stated how personal data would be used. This included the following:

*Keep you informed about the status of your orders and provide updates or information about associated products or additional products, services, or promotions that might be of interest to you.
*Improve and develop the products or services we offer by analysing your information.

This was ruled inadequate and Easylife was found to have failed to give enough information about the purposes for processing and the lawful bases for processing.

The ICO’s enforcement notice points out it would have expected a Data Protection Impact Assessment to have been conducted for for the profiling of special category data. This had not been done.

The Data Processing Agreement between Easylife and its processor; the third-party call centre, was also scrutinised. While it covered key requirements such as confidentiality, security, sub-contracting and termination, it failed to indicate the types of personal data being handled.

Commenting on the fine, John Edwards, UK Information Commissioner, said:

“Easylife was making assumptions about people’s medical condition based on their purchase history without their knowledge, and then peddled them a health product – that is not allowed.

The invisible use of people’s data meant that people could not understand how their data was being used and, ultimately, were not able to exercise their privacy and data protection rights. The lack of transparency, combined with the intrusive nature of the profiling, has resulted in a serious breach of people’s information rights.”

Alongside the £1.35 million fine, Easylife’s been fined a further £130,000 under PECR for making intrusive telemarketing calls to individuals registered on the Telephone Preference Service. Currently the maximum fine for contravening the marketing rules under PECR is £500,000, much lower than potential fines under DPA 2018/UK GDPR.

Update March 2023: The ICO announces reduction in GDPR fine from £1.35 million to £250,000.

6 key takeaways

1. If you are profiling your customers, try to make sure this is based on facts. Making the type of assumptions Easylife was making will always carry risks.

2. Be sure to be transparent about your activities. This doesn’t mean you have to use the precise term ‘profiling’ in your privacy notice, but the ways in which you use personal information should be clear.

3. Make sure your clearly state the lawful bases you rely upon in your privacy notice. It can be helpful and clear to link lawful bases to specific business activities.

4. If you’re processing special category data, collected directly or inferred from other data, make sure you can meet a condition under Article 9. For marketing activities the only option is explicit consent.

5. If you’re conducting profiling using special category data, carry out a DPIA.

6. Always remember the marketing rules under PECR for whatever marketing channel you’re using. For telemarketing, if you don’t have the consent of individuals, be sure to screen lists against the TPS.

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Consumers increasingly comfortable sharing data

March 2022

Trust and transparency remain fundamental drivers

In the modern data-driven economy, businesses need people to share their data. Marketers need to understand what makes their audience tick and be willing to share.

But how important is trust in the data exchange? How do attitudes to data sharing differ across international borders and between age groups?

New research shows people increasingly understand the benefits of sharing their data; a clear value-exchange has never been more important. Younger people are shown to have less privacy concerns than older generations.

These are just some of the findings of the ‘Global Data Privacy: What the Consumer Really Thinks 2022’ research report. The report represents 28 marketing associations whose reach stretches to more than half the world’s population – including the UK Data &  Marketing Association (DMA). The latest findings build on previous studies, giving us trends useful over the past decade.

Here are some key points from the global and UK-specific reports.

Rise of the ‘unconcerned’

The research categorises people into three groups:

  • Data unconcerned – people who have little or no concerns about their data privacy. The UK report shows a notable rise in this group, almost doubling over the past decade from 16% in 2012 to 31% in the latest study. So nearly a third of consumers are not unduly concerned about their privacy.
  • Data pragmatists – people who are happy to share data with businesses as long as there’s a “clear benefit in doing so”. This group still makes up the largest group of consumers, but has declined in the past decade from 53% to 46%.
  • Data fundamentalists – People who are unwilling or highly cautious about sharing their personal information. This group is in decline reducing in the past decade from 31%  to 23%.

The chart below illustrates UK trends over the last 10 years:

Data unconcerned

Younger people are most comfortable sharing their data

Growing numbers of consumers claim to feel more comfortable with the idea of exchanging personal information with companies, although there’s a significant variation across age groups.

Younger people (18-44) are most likely to feel comfortable sharing data. However those aged 55+ have actually become less comfortable sharing data.

Trust and transparency remain fundamental

Trust in an organisation remains the most important factor driving consumer willingness to share personal information. This comes significantly above factors such as product/service benefits, price and value perceptions.

The chart below shows UK trends for the factors driving consumers to share their data:

Trust remains vital

Consumers continue to seek transparency. Today, 77% of global consumers claim that transparency around how their data is collected and used is important to them.

Industry is still seen to benefit more than consumers from the data economy

The majority of consumers globally see data exchange as essential for the running of society. Over half (53%) of consumers across all markets agreed ‘the exchange of personal information is essential for the smooth running of modern society’.

However, consumers globally continue to believe that industry benefits more than they do from data sharing, despite a small shift towards greater value being perceived by consumers. On average (across the 10 trended markets) 71% of consumers believe that ‘industry benefits more from data sharing’. In general, younger people tend to be more likely to understand and recognise the benefits from sharing their data.

This suggests we still have a long way to go to truly enable consumers to fully realise the benefits from sharing their data, or they could see this as an unfair trade.

Importance of the data exchange

The findings once again illustrate the importance of the data exchange – the moment when businesses request or otherwise collect personal data from individuals. Whilst increasingly many consumers understand the intrinsic value of their data, they want easy access to clear information about how their data will be used and need to understand what product, service or value benefits they’ll get from sharing it.

The age profile of your customers is crucial here. It’s clear businesses need to work hard to win trust and provide clear information for older age groups.

Alex Hazell, Head of Privacy and Legal at Acxiom (the DMA’s UK research partner):

‘We must drive home the value exchange between brands and people – in other words, strive harder to help people understand what they receive in return for sharing their data. For marketers, we must continue to make that value clear, whether it’s in more straightforward scenarios like relevant discounts and offers, or in more complex processing such as cross domain personalised experiences that surprise and delight.’

Concerns about online privacy remain, although reduced

As the digital economy has expanded and matured, more and more consumers are engaging with online data exchange. The proportion of UK consumers who claim to have ‘high levels of concerns’ about online privacy has fallen to 69%.

Younger consumers want to support smaller businesses

The role data sharing can play in driving more competitive economies is a compelling reason for many UK consumers to share personal information. 52% of UK consumers stated they would be more likely to exchange personal data to provide a competitive advantage to smaller companies. This sentiment was most pronounced for the under 45s.

DMA Chief Executive, Chris Combemale gave a summary the UK findings:

‘Overall, concern with data privacy is in decline, while the levels of happiness with the amount of data shared and comfort with the notion of data exchange are on the rise. In addition, public awareness and understanding of the role that data exchange plays in the modern digital economy has increased dramatically since 2012.’

“As the UK’s digital economy, alongside digital markets around the world, continue to advance and mature, there has been an increase in public ease and engagement with data sharing and the digital world. Younger people are digital natives – this is reflected in both their willingness to share data and acceptance of its importance to modern society.”

The times they are a changin’

The research highlights some interesting trends. You can read more detail in the Global report or UK report.

While consumers may be increasingly comfortable with sharing their data, it’s clear they’re most likely to do this with brands they trust, who’ve been upfront and honest about how they handle personal information and clearly demonstrate the benefits of the data exchange.

After a successful career in publishing Simon moved into data protection consultancy in 2015. Simon advises businesses of all sizes across a wide range of sectors. He held the role of Director of Information Governance at Royal Mail Group in the run up to GDPR enforcement. He regularly delivers data protection courses for clients and the Institute of Data & Marketing (IDM).

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

ICO Opinion on Ad Tech – Old wine in a new bottle?

December 2021

Does the ICO Opinion piece tell us anything new?

The ICO has published an “Opinion” which can be interpreted as a shot across the bows for any Ad Tech company who is planning to launch their new targeting solutions for the post-third-party cookie world. 

If these companies thought new targeting solutions would get waved through because they don’t involve third-party cookies, it’s clear that Google’s difficulties with their Sandbox solution say otherwise. 

Google is currently knee-deep in discussions with both Competition and Marketing Authority (CMA) and ICO to come up with a targeting solution that is fair to consumers whilst also avoiding the accusation of being anti-competitive. 

In the ICO’s opinion piece they set out the clear parameters for developing these solutions in a privacy-friendly manner. You won’t be too surprised to hear all the usual concerns being re-heated in this discussion. To quote the ICO:

  1. Engineer data protection requirements by default into the design of the initiative
  2. Offer users the choice of receiving adverts without tracking, profiling, or targeting based on personal data. 
  3. Be transparent about how and why personal data is processed across the ecosystem and who is responsible for that processing
  4. Articulate the specific purposes for processing personal data and demonstrate how this is fair, lawful, and transparent
  5. Address existing privacy risks and mitigate any new privacy risks that the proposals introduce

This opinion piece is the latest publication from the ICO in a relatively long-running piece of work on the use of cookies and similar technologies for the processing of personal data in online advertising. In their original report in 2019, the ICO reported a wide range of concerns with the following which needed to be rectified:

  • Legal requirements on cookie use;
  • Lawfulness, fairness, and transparency;
  • Security;
  • Controllership arrangements;
  • Data retention;
  • Risk assessments; and
  • Application of data protection by design principles. 

You can read the back story here

The state of play in 2021

Since the ICO has started its investigations in 2019, the market has continued to develop new ways of targeting advertising that does not rely on third-party cookies. The net result is that the world has moved to a less intrusive way of tracking which has been welcomed by ICO. Some examples include: 

  • With Google Chrome’s announcement re: cookies, there is an expectation that third-party cookies will be phased out by end of 2022. 
  • There have been increases in the transparency of online tracking – notably Apple’s “App Tracking Transparency” ATT
  • There are new mechanisms being developed to help individuals indicate their privacy preferences simply and effectively
  • Browser developers are introducing tracking prevention in their software.  A notable example is the Google Privacy Sandbox which will enable targeting with alternative technologies.

How should we interpret this opinion piece?

A lot of what has been included is information from the 2019 reports. In effect, it’s a summary of previous activities plus additional material to bring you up to date. Although it is a rather long piece, there is some clear guidance for the way forward for developers of new solutions. 

Furthermore, it is bluntly warning technology firms that they are in the ICO’s sights: 

“In general, the Commissioner’s view is that these developments are not yet sufficiently mature to assess in detail. They have not shown how they demonstrate participants’ compliance with the law, or how they result in better data protection outcomes compared to the existing ecosystem” Source: ICO

Data protection by design is paramount – no excuses for non-compliance this time

The ICO opinion clearly flags to developers that they will accept no excuses for developing non-compliant solutions. In the past, there have been difficulties because the Ad Tech solutions have been in place for some time with the data protection guidance being retrofitted to an existing ecosystem. 

With the demise of third-party cookies and the advent of a variety of new solutions, there can be no excuse for ensuring that privacy is engineered into the design of the solutions. 

It explicitly highlights the need to respect the interests, rights, and freedoms of individuals. Developers need to evidence that these considerations have been taken into account.  

Users must be given a real choice

In the first instance, users must be given the ability to receive adverts without tracking, profiling, or targeting based on personal data. There must be meaningful control and developers must demonstrate that there is user choice through the data lifecycle. 

Accountability – show your homework

There is an expectation that there will be transparency around how and why personal data is processed and who is responsible for that processing. In the current ecosystem, this is largely impossible to achieve and there is no transparency across the supply chain. 

Articulate the purpose of processing data

Each new solution should describe the purpose of processing personal data and demonstrate how this is fair, lawful, and transparent. Can suppliers assess the necessity and proportionality of this processing? The 2019 report highlighted that the processing appeared excessive relative to the outcomes achieved. How will processors change their ways? 

Addressing risk and reducing harm

As a start, it’s important to articulate the privacy risks, likely through a DPIA, but also explain how those risks will be mitigated. The previous ICO reports indicated their disappointment with the low volume of DPIAs produced by Ad Tech providers. This needed to change. 

To conclude with a useful developer checklist

The ICO provides a checklist of how to apply these principles in practice. You can probably jump to this section if you really want to know what is expected: 

  1. Demonstrate and explain the design choices.
  2. Be fair and transparent about the benefits.
  3. Minimise data collection and further processing.
  4. Protect users and give them meaningful control.
  5. Embed the principle of necessity and proportionality.
  6. Maintain lawfulness, risk assessments, and information rights.
  7. Consider the use of special category data.

The ICO is very clear that the industry must change. There is no appetite to approve solutions that fundamentally adopt the same flawed ways of working. There is also a clear acknowledgment that some solutions are potentially anti-competitive so a partnership with the CMA will continue. You have been warned!

Julia is an experienced data protection consultant and has been advising businesses since 2016. She regularly delivers GDPR training as well as developing bespoke GDPR guidance for our clients.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

How did a trade union fall foul of the marketing rules?

November 2021

Unite the Union has been fined £45K over its telemarketing practices

The Information Commissioner’s Office (‘ICO’) has issued a fine to Unite the Union for what it describes as a ‘serious contravention’ of the Privacy and Electronic Communications Regulations 2003 (commonly known as ‘PECR’).

This action follows 27 complaints from individuals who had registered with the Telephone Preference Service (TPS) but received calls from Unite regarding life insurance – services provided to Unite members by a third-party insurer.

Unite believed these calls did not fall within the scope of the direct marketing rules.

What is the Telephone Preference Service?

The Telephone Preference Service (TPS) is the UK’s official ‘Do Not Call’ register for landlines and mobile telephone numbers. It allows individuals and businesses to opt out of receiving unsolicited live sales and marketing calls.

There is also a register for businesses telephone numbers, called the Corporate Telephone Preference Service (CTPS).

What does PECR require?

Regulation 21 of PECR requires a business to have gained prior consent before making unsolicited telemarketing calls promoting a product or service to phone numbers registered with the Telephone Preference Service Ltd (TPS).

Therefore any telemarketing calls to TPS registered numbers without valid consent will contravene PECR requirements.

The ICO’s findings

The ICO asked Unite to provide evidence of consent for these marketing calls. But Unite argued these were not marketing calls and were to let members know about services and benefits they were entitled too.

In their view the calls were made in accordance with their internal ‘Rule Book’. This required Unite to “notify members of the services and benefits that fall within their union membership and any changes to those terms.”

The ICO rejected this and found Unite had contravened PECR on the basis that Unite’s own rules cannot override the statutory protection provided under PECR.

In conclusion, the ICO found that in the 12 months to 11th March 2020, Unite had used a public telecommunications service to make 57,665 unsolicited telemarketing calls to people whose telephone number was registered on TPS.

Whilst individuals were told how to opt-out, they were not provided with the option to give opt-in consent to specific means of communication (such as telemarketing calls) relating to specific types of services or benefits. The ICO also noted the insurance services promoted in the calls were provided by a third-party insurer.

The ICO found that the consent Unite relied on was insufficient, as it provided broad information to data subjects, rather than the specific detail required under Regulation 21 of PECR. They highlighted multiple violations of under Regulation 21 over the 12-month period, which resulted in 27 complaints.

Not deliberate

The ICO took the view Unite had not deliberately set out to contravene PECR. However the ICO’s enforcement notice states Unite was ‘negligent’ and failed to take reasonable steps to prevent the contravention.

The ICO also concluded Unite had access to sufficient financial resources to pay the fine without causing undue financial hardship and that it’s findings were not affected by the current COVID-19 pandemic.

What can we learn from this?

Controllers who conduct telemarketing either in-house or via a third party service provider (like Unite did) should remember that consent is required for any calls made to numbers registered on the TPS.

I would add that consent may not necessarily be required for telemarketing calls to individuals who have NOT registered for TPS or CTPS. Legitimate Interests may be used as an alternative lawful basis, provided the relevant conditions can be met. DPN would advise controllers who wish to consider this lawful basis to conduct a Legitimate Interest Assessment (LIA).

Membership organisations should recognise that they cannot override the requirements under PECR (or any other data protection law, for that matter) by adopting membership rules which are in conflict the protections the law provides to individuals.

Like any marketing activity involving personal data, care is required to make sure the relevant legal obligations and requirements are satisfied.

 

If you would like help to ensure your marketing is compliance, please Contact Us.

After a successful career in publishing Simon moved into data protection consultancy in 2015. Simon advises businesses of all sizes across a wide range of sectors. He held the role of Director of Information Governance at Royal Mail Group in the run up to GDPR enforcement. He regularly delivers data protection courses for clients and the Institute of Data & Marketing (IDM).

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

UK data reform: Direct Marketing

September 2021

What changes could be on the horizon for direct marketing?

The UK Government’s consultation on data regime reform mostly focuses on proposals to amend UK GDPR requirements, but it’s worth noting some changes for direct marketing could also be on the cards.

Changes which could be particularly significant for political parties and charities.

Marketing emails, SMS and calls are governed by the Privacy and Electronic Communications Regulations (PECR) and some tweaking of these rules is being proposed.

Furthermore, in what would be a substantial shift, political campaigning could no longer even be considered to be direct marketing.

So what’s be proposed?

Extending scope of the ‘soft opt-in’

PECR requires consent for email and SMS marketing to consumers, i.e. a positive action (such as a tick in a box) to say they’re happy to receive communications. However, commercial organisations can rely on an exemption to consent when it relates to existing customers.

This exemption, known as the ‘soft opt-in’, says email and SMS marketing messages are permitted without obtaining consent as long as the following conditions are met:

  • The contact details are collected during the course of a sale, or negotiations for a sale, of a product or service
  • An opportunity to refuse or opt-out of the marketing is given at the point of collection, and again in every subsequent communication
  • You only send marketing about your own similar products and services

At the moment not-for-profit organisations, such as political parties and charities, are not allowed to rely on this exemption and therefore must gain consent for email & SMS marketing. The Government is seeking views on whether this should be changed.

Clearly, this speaks to the difficulties organisations can face in trying to gain consent from people. The requirements necessary to make consent valid, were enhanced when GDPR came into force.

We all know from our own experience when buying products online that many commercial organisations rely on the ‘soft opt-in’, despite the Information Commissioner’s Office trying to push the message that consent is best.

To be fair, in research and testing we’ve conducted in the past, the general public perception is consent is much more open and honest. An opt-out can easily be missed and is often perceived as trying to trick people into being targeted with marketing.

But, I’m sure this move to extend permitted use of the ‘soft opt-in’ beyond the commercial uses would be very much welcomed by charities and political parties.

The big question though is will the public be happy with this move? A move which may also call into question the definition of ‘sale’ or ‘negotiations for a sale’. Would this only be permitted in certain situations where, for example, people had donated to a charity or political party or had purchased merchandise?

just to clarify the PECR rules on consent and the soft opt-in do not apply in the context of B2B marketing, where for example you are contacting individuals at their business email address. However, when relying on legitimate interests rather than consent you still need to fulfil transparency requirements and honour the right to object to direct marketing.

Removing political campaigning from ‘direct marketing’ rules

Another idea put forward in the consultation is to take things a step further for political parties…

Currently, political campaigning is included within the interpretation of the definition of direct marketing. The draft Direct Marketing Code states:

The DPA 2018 and PECR do not clarify what is meant by ‘advertising or marketing material’. However it is interpreted widely and covers any advertising or marketing material, not just commercial marketing. For example it includes the promotion of aims and ideals as well as advertising goods or services. This wide interpretation acknowledges that unwanted, and in some cases nuisance, direct marketing is not always limited to commercial marketing.

It’s pointed out in the Government’s consultation that case law has established communications from political parties which promote ‘aims and ideals’ should be classed as direct marketing and are therefore subject to the PECR rules.

The Government says this has never been debated in Parliament. I’d suggest this is just as well, as to my mind they’d have a skewed view!

The consultation is therefore being used to seek views on whether electronic communications from political parties and other political entities should be subject to the same direct marketing rules as other organisations and businesses.

Examples of ‘other political entities’ are given as ‘candidates and third-party campaign groups registered with the Electoral Commission’.

The Government believes relaxing the rules would give organisations more freedom to engage with prospective voters and this could lead to increased voter turnout.

However, it’s accepted people may not wish to receive electronic communications of this nature in the same way as not wanting to receive commercial marketing.

We’ll have to wait and see what views the consultation elicits on this.

Increased fines for breaking the marketing rules

The Government is proposing to raise fines under PECR, which are currently limited to a maximum of £500,000, to be in line with UK GDPR fines.

This would be a significant rise as the UK GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater – for contravening the rules.

I suspect this is an element of the reform which will go through – so a clear warning for nuisance spammers, who seem to be the most common recipients of fines under PECR at this time.

What next?

For the time being nothing is carved in stone, and it will be interesting to see how things develop after the consultation closes on 19th November.
What’s clear is this has probably put the long-awaited final version of the current draft Direct Marketing Code of Practice, published in January 2020, on ice for a little longer.

Your views

If you would like to share you views on the above proposed changes, and other proposals in the UK data reform consultation take part in our survey.  The DPN will be submitting a formal response to the consultation, and we’d appreciate your thoughts.

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

SIGN UP FOR OUR NEWSLETTER

Get DPN updates direct to your inbox. Insight, free resources, guides, events & services from DPN Associates (publishers of DPN). All our emails have an opt-out. For more information see our Privacy Statement.