Yet more CC email data breaches

May 2024

Despite a stark warning from the Information Commissioner’s Office last year that a failure to correctly use the BCC field (Blind Carbon Copy) is one of the most common cause of breaches – the mistakes keep happening.

The ICO has recently fined and issued a reprimand to the Central YMCA for sending an email to individuals participating in a programme for people living with HIV. The CC field was used, thereby revealing the email addresses to all recipients. 166 recipients could be identified or potentially identified from this, and it could be inferred they were likely to be living with HIV.

Then we hear the Conservative party has reported a breach to the ICO, after hundreds of email addresses were visible to all recipients in an email communication promoting the party’s annual conference. Again a mistake in using CC rather than BCC. The latter would have kept email addresses private. And a mistake which has the potential to reveal people’s political affiliations.

Last year in response to the number of breaches of this nature, the ICO published specific email security guidance to try and help organisations make sure their email communications are more secure.

Such breaches can cause considerable distress and harm, especially if sensitive personal information is involved, or can be inferred from the context of the email. The Regulator provides the following suggestions:

  • Setting rules to provide alerts to warn employees when they us the CC field.
  • Setting a delay, to allow time for errors to be corrected before the email is sent.
  • Turning off the auto-complete function to prevent the system suggesting recipients’ email addresses.
  • Making sure staff are trained about security measures when sending bulk communications by email
  • Using alternative more secure bulk email solutions.

The Central YMCA and Conservative Party are not the first to find themselves in the spotlight for incorrectly using CC. Sadly, I suspect they won’t be the last.

A couple of years ago, HIV Scotland was fined for failing to protect personal data. An email was sent to 105 members of HIV Scotland’s Community Action Network (CAN). Email addresses were visible to all recipients in the CC field. Although the email addresses themselves may be considered fairly innocuous, due to the nature of the email, the charity had inadvertently disclosed special category data. The ICO commented assumptions could be made about individuals’ HIV status or risk from the data disclosed. The ICO investigation found a number of shortcomings in the charity’s email procedures, including inadequate staff training and an inadequate data protection policy.

The message is simple: the BCC method of bulk email is open to human error, and not advisable when sending bulk emails to multiple recipients and/or if the email could reveal sensitive information.

Instead the advice is to use other secure means, such as bulk email services. This would prevent the chance of mistakes being made. The ICO says it would also expect businesses have policies and training in relation to email communications. It’s also worth checking out the National Cyber Security Centre’s useful Email Security Checklist.

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Quick Guide to UK GDPR, Marketing and Cookies

January 2024

How UK GDPR and PECR go hand-in-hand

Most have heard of GDPR. However, data protection law existed way before this new kid arrived on the block in 2018. And let’s not forget in the UK, GDPR has an equally important cousin called PECR.

The UK’s Privacy and Electronic Communications Regulations (PECR) have been around since 2003 before the days of smartphones and apps. Organisations need to consider both UK GDPR and PECR when it comes to marketing and cookies.

Why marketers need to pay attention

There are more fines issued by the Information Commissioner’s Office (ICO) for falling foul of the PECR marketing rules than there are under UK GDPR. Under UK data reform plans, the amount the Regulator can fine under PECR could be set to increase substantially to a maximum of around £17 million. Currently the maximum fine under PECR is £500k. So it’s worth taking notice.

This is a quick overview, and we’d encourage you to check the ICO’s detailed marketing guidance and cookie guidance.

What’s the difference between UK GDPR and PECR?

In a nutshell…

UK GDPR

✓ Tells us how we should handle personal data – information which could directly or indirectly identify someone.
✓ Sets out requirements organisations need to meet and their obligations.
✓ Provides us with seven core data protection principles which need to be considered whenever we handle personal data for any purpose, including marketing.
✓ Defines the legal standard for consent, which is relevant for direct marketing
✓ Gives people privacy rights, including an absolute right to object to direct marketing.

One of the principles is that processing of personal data must be lawful, fair and transparent. This includes making sure we have a lawful basis for our activities.

PECR

✓ Sets out specific rules for marketing to UK citizens, for example by emails , text messages or conducting telemarketing calls to UK citizens.
✓ Sets out specific rules when using cookies and similar technologies (such as scripts, tracking pixels and plugins).

PECR is derived from an EU directive, and EU countries have their own equivalent regulation which, whilst covering similar areas, may have different requirements, when marketing to their citizens.

We’ve written about the specific rules for email marketing and telemarketing here:
UK email marketing rules
UK telemarketing rules
The ‘soft opt-in’ – are you getting it right

How do UK GDPR and PECR work together?

Direct marketing

Marketers need to consider the core principles of UK GDPR when handling people’s personal information. Furthermore, they need to have a lawful basis for each data activity. Of the six lawful bases, two are appropriate for direct marketing activities; Consent and Legitimate Interests.

Consent: PECR tells us, for certain electronic marketing activity, we have to get people’s prior consent. UK GDPR tells us the standards we need to meet for this consent to be valid. Consent – Getting it right

Legitimate interests: If the types of marketing we conduct don’t require consent under PECR , we may choose to request consent anyway, or we could rely on legitimate interests. For example, marketing to business contacts rather than consumers.

Under GDPR, we need to be sure to balance our legitimate interests with the rights and interests of the people whose personal information we are using – i.e. the people we want to market to. ICO Legitimate Interests Guidance 

What about cookies?

PECR requires opt-in consent for most cookies or similar tech, regardless of whether they collect personal data or not. And we’re told this consent must meet the UK GDPR standards.

In simple terms, the rules are:

✓ Notify new users your website/app users about your use of cookies or similar technologies and provide adequate transparent information about what purposes they are used for.
✓ Consent is required for use of cookies, except a narrow exclusion for those which are ‘strictly necessary’ (also known as ‘essential’ cookies).
✓ Users need to be able to give or decline consent before the cookies are dropped on their device and should be given options to manage their consents at any time (e.g. opt-out after initially giving consent).

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

PECR fine for invalid marketing consent

January 2024

What lessons can we learn from the HelloFresh case?

HelloFresh used a marketing consent statement with a clear opt-in box for customers to tick, but the ICO has ruled the wording of the statement did not meet the requirements for consent to be specific and informed. The regulator has issued a £140k fine.

Sometimes, the ICO issues fines under PECR based on only a handful of complaints, however in this case thousands of complaints were raised via the ICO spam reporting tool.

The online meal order business was found to have sent over 80 million marketing email and text messages between September 2021 to February 2022 without first collecting valid consent.

When relying on consent for direct marketing under PECR, consent must meet the UK GDPR requirements; a freely given, specific, informed and unambiguous indication for an individual’s wishes, given by a clear affirmative action.

What ‘consent’ statement was used?

The consent statement HelloFresh used at the time was as follows:

“Yes, I’d like to receive sample gifts (including alcohol) and other offers, competitions and news via email. By ticking this box I confirm I am over 18 years old”.

This was relied on to send marketing emails and texts to customers with an active or paused subscription, and to former customers who’d cancelled their subscription within the last 24 months, but had given their ‘consent’ for marketing.

Users were able to update their communications preferences via an app, but the settings did not allow users to set preferences individually by channel e.g. phone, text and/or email.

☛ Consent: Getting it Right

Key ICO findings

Two points were highlighted as being particularly relevant in this case:

  • for consent to be valid it is required to be “specific” as to the type of marketing communication to be received, and the organisation, or specific type of organisation, that will be sending it.
  • ‘consent will not be “informed” if individuals do not understand what they are consenting to. Organisations should therefore always ensure that the language used is clear, easy to understand, and not hidden away in a privacy policy or small print.

The ICO found HelloFresh’s statement did not satisfy the requirement for consent to be “specific” and “informed” because:

  • Consent for marketing was not clear, as it was bundled in with other aspects. It combined an age confirmation statement and consent to receive free samples with consent for marketing by email.
  • It failed to tell people about text messages and thereby failed to collect valid consent for marketing by text message.
  • Customers were not told they could receive direct marketing messages for up to 24 months after they’d cancelled their subscription.

Key takeaways (no fresh veg included I’m afraid)

✓ Collect consent separately for different aspects /activities – don’t bundle everything into the same tick box

In my opinion using; I’d like to receive sample gifts (including alcohol) and other offers, competitions and news via email would have been okay for email marketing.

The big problem was adding; By ticking this box I confirm I am over 18 years old. This clearly should have been separate, and the ICO found this was likely to ‘unfairly incentivise’ customers to agree.

✓ Collect consent separately for each marketing media channel you want to use for communications e.g. telephone, text and email

In my opinion, HelloFresh may have avoided regulatory scrutiny if the statement had at least mentioned ‘via email and text’. The safest approach (from a regulatory perspective) is to collect consent by channel. Also in our experience, people may want email, but not texts, so separating them can optimise email opt-in.

✓ Don’t assume you can continue sending marketing to people after they have cancelled a subscription with you

The last point is interesting and a little surprising. The ICO is indicating that even if a customer has consented to marketing when they take out a subscription, this may not be valid once the customer ends that subscription – unless people are made aware of this when they give their consent. I doubt this point would ever have been picked up if HelloFresh had clearly collected consent for marketing by text in the first place.

Picking through the detail of ICO fines under PECR is always worth doing. The findings can give a nudge to check you aren’t doing anything similar. The full details can be found in the ICO’s enforcement notice.

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

UK telemarketing rules

November 2023

How to avoid falling foul of the rules for marketing calls

Hardly a month goes by without the UK’s Information Commissioner’s Office (ICO) fining another company for breaking the telemarketing rules under the Privacy and Electronic Communications Regulations (PECR).

I’m sure all of us have been on the receiving end of a dodgy call. The favoured have you recently been involved in an accident? springs to mind.

Tackling nuisance calls is clearly a key priority for the Regulator, so how do bone fide businesses avoid being tarred with the same brush as the rogue operators?

6-point telemarketing guide

1. Service vs marketing calls

The definition of direct marketing covers any advertising or promotional material directed at particular individuals. Routine customer service calls don’t count as direct marketing.

But if you’re treating a call as a service call (and not applying the marketing rules under PECR) you need to be careful the script / call guide and what your call handlers say in practice doesn’t stray into the realms of trying to get customers to buy extra products, services or to upgrade or renew contracts.

A Trade Union was fined in 2021 for not screening numbers against the TPS. The Union didn’t believe its calls were direct marketing, but the ICO judged they were. Just because you believe you’re acting in good faith doesn’t mean you are. Marketing messages and service messages

2. Consent or Legitimate Interests?

Telephone numbers which can directly or indirectly identify an individual are personal data and fall under the scope of UK GDPR. For example, when using someone’s personal or work mobile, direct line business number or home landline you’ll need to comply with both UK GDPR and PECR.

You’ll need to decide whether to rely on consent or legitimate interests as your lawful basis under UK GDPR to make telemarketing calls to people. In brief:

  • Consent: make sure this meets the requirement to be a specific, informed, unambiguous indication of someone’s wishes made with a positive action (e.g. an opt-in). Keep records of consent (including, if relevant the script used) and make sure withdrawing consent is as easy as it is to give it. Consent – getting it right
  • Legitimate Interests: conduct a Legitimate Interests Assessment (LIA), keep a record of this assessment and be sure to provide people with a way to opt-out of future calls. Legitimate interests – is it legit? 

3. Live marketing calls to individuals

Below are the key rules to follow:

  • Don’t make marketing calls to anyone who’s told you they don’t want to hear from you. Keep a suppression file of all objections to telemarketing, and screen your campaigns against this internal ‘do not call list’.
  • Don’t make marketing calls to anyone registered with the Telephone Preference Service, unless you’ve collected consent to call them.
  • Say who’s calling – i.e. clearly state the name of your organisation.
  • Always display your number (or an alternative contact number).
  • Provide an address or freephone contact number if asked.
  • Make it easy to opt-out of further calls.

4. Remember sector specific rules

Stricter rules apply if you’re making calls about claims management or pension schemes. For claims management services you must have consent. For calls about pension schemes, you must have consent unless:

  • You are a trustee/manager of a pension scheme; or
  • A firm authorised by the Financial Conduct Authority; or
  • Your relationship with the individual meets strict criteria.

5. Automated calls

When using automated dialling systems which play a recorded message the rules are very strict. You must have:

  • Specific consent from individuals indicating they’re okay to receive automated calls; and
  • Calls must include your organisation’s name and contact address or freephone number; and
  • You must display your number (or alternative contact number).

In practice, these consent rules make genuine compliant automated calls very difficult.

6.  Marketing/sales calls to business numbers

The rules under the UK’s PECR are the same for calling businesses as they are for individuals.

  • You can call any business that has specifically consented to your calls. Or, and most commonly…
  • You can make live calls to any business number which is not registered with the TPS or the Corporate Telephone Preference Service (CTPS). But only if they haven’t objected to your calls and you’re not calling about claims management services.

The reason screening against both TPS and CTPS is necessary (if you don’t have consent), is sole traders and some partnerships may have registered with the TPS.

Applicable laws for telemarketing

PECR gives us the rules for telemarketing calls in the UK and the ICO has published telemarketing guidance. As well as complying with PECR you should comply with UK GDPR for your handling of personal data.

The rules differ in other countries, so check local laws if your telemarketing extends to calling people in other territories. Many countries have a ‘do not call’ register similar to the Telephone Preference Service.

There are also specific rules under PECR for email marketing messages, see UK email marketing rules.

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Marketing messages and service messages

September 2023

How to avoid falling foul of the PECR rules

Many businesses need to send important or essential messages to their customers by email or SMS, or may telephone them. But if the content of these messages strays into becoming promotional in nature, the marketing rules under the UK’s Privacy and Electronic Communications Regulations (PECR) will apply.

The Information Commissioner’s Office has issued a number of fines over the years where marketing messages have been ‘disguised’ as service messages. I’ve included a few examples below.

The risk for businesses is it can take just one, or a handful of complaints to cause a problem.

What’s a service message?

Essentially, a service message is a communication sent to individuals purely for administrative or customer service reasons. Such messages must be neutral in tone, providing just important and necessary information.

The ICO tells us these must not include any advertising or promotional materials and that the key is in the ‘phrasing, tone and context’.

Pure services messages can be sent to everyone provided they only contain essential factual information for your customer. Some examples would include:

  • confirming an order/purchase
  • confirming a delivery date/time
  • providing necessary event information when someone has purchased a ticket (free or paid for)
  • notifying people you require certain information to comply with the law, for example, an airline requesting passport information before an overseas flight
  • informing service users about essential changes, for example, telling leisure centre members the swimming pool has been unexpectedly closed
  • communication changes to the terms and conditions of a contract or agreement the individual has with you, or material changes to privacy information

What’s a marketing message?

If a message is actively promoting or encouraging an individual to make use of a particular service, a special offer, or upgrade for example, then it is likely to be direct marketing. This would include where part but not all of the message, or phone call, is of a promotional nature.

The Data Protection Act 2018 defines direct marketing as: the communication (by whatever means) of advertising or marketing material which is directed to particular individuals. A definition which applies under PECR.

It’s a broad definition and covers any advertising, marketing or promotion of products and services directed targeted at a specific individual or individuals. It also includes promoting aims and ideals, so covers fundraising and campaigning.

Regulatory communications

Some businesses, for example in the financial sector, will be required by a statutory regulator such as the Financial Conduct Authority to make people aware of specific information.

The ICO has published direct marketing and regulatory communications guidance. Again it depends on the context and tone of the message, but some examples are provided of messages which are unlikely to count as direct marketing.

  • give advance warning of changes to terms, conditions or tariffs
  • explain about statutory complaint or compensation schemes
  • warn about fraud and how to report it
  • remind people of how to get in touch if they are struggling with payments
  • provide offers of support for those customers most at risk of harm.

Where businesses have got it wrong

Navigating the line between service messages and marketing messages can be tricky, as the following companies discovered.

We all have feet of clay; I’m sure many other organisations are shimmying along this regulatory tightrope. Some consciously pushing the boundaries, others inadvertently breaking the rules.

American Express

In 2021 AMEX was fined £90,000 for sending 4 million emails, which were judged to fall under the definition of direct marketing, to customers who’d not given their consent or who’d opted out of marketing.

The nature of these emails ranged from encouraging people to download the AMEX app, to how to make the most of an AMEX card, rewards and offers, how to earn more rewards by referring friends, getting an improved rate on cashback, and so on.

The key here is AMEX’s decision to internally classify these emails as ‘service’ messages, which is why customers who’d opted out / objected to marketing still received them. The ICO disagreed and determined these were direct marketing, and marketing opt-outs should have been applied.

And just to be clear, in this case the ICO found AMEX hadn’t deliberately flouted the rules but did find them to be negligent.

In its defence AMEX said the emails were an integral part of the service they provide to AMEX customers. Their argument was that a crucial aspect of being an AMEX customer was taking advantage of member benefits. They said this was cited by customers as one of the primary reasons for having an AMEX card. AMEX therefore determined these messages were necessary and “required to be sent based on legal and contractual requirements”.

The ICO however assessed the content of the emails and found the following:

  • The emails encouraged customers to use their AMEX credit cards to make purchases or, in specific cases, download an app
  • The emails were clearly of an advertising and promotional nature
  • None were “neutrally worded and purely administrative”

Whatever their stated purpose internally, the ICO found the email content fell under the definition of direct marketing. The emails were aimed at encouraging customer actions from which AMEX would financially gain.

The penalty notice reveals AMEX received twenty-two complaints about ‘service’ emails during the period investigated. Five people complained directly to the ICO, some after initially raising their concerns with AMEX (but not all). It’s also worth noting some people complained because AMEX refused to let them opt-out because they viewed the messages as service ones not requiring an opt-out capability.

What struck me was the tiny percentage of complainants, especially when you consider AMEX sent out four million emails. (Admittedly this figure is likely to include repeated emails to the same individuals).

It starkly illustrates how only a few complaints can cause a world of pain. (There have been cases in the past based on a single complaint).

Halfords

In 2022 the ICO fined Halfords £30,000 for sending half a million emails without consent. This case shows how just one complaint directly to the ICO triggered unwelcome scrutiny.

Halfords sent an email campaign to customers letting them know about a Government ‘Fix your Bike’ scheme during the Covid pandemic, whereby cyclists could take advantage of a voucher towards repairs. A voucher which could be used with any of a list of approved repairers or mechanics.

This was sent to customers who had opted out of marketing in the past and the email contained a disclaimer stating; This is a service message and does not affect your marketing opt-in status. The email didn’t include an unsubscribe link.

In exchanges with the ICO, Halfords claimed they were acting in the public interest to support a Government scheme in a one-off campaign during the pandemic. Halfords also pointed to the fact that 3,700 people took up the opportunity to claim the voucher, and only received seven complaints themselves from almost half a million ‘service’ messages.

However the ICO said the content of the email promoted Halfords, and was therefore a marketing message.

  • It was found to imply a connection between Halfords and the scheme, emphasising the service provided by Halfords.
  • People were told to “Visit halfords.com to find out more now”. The regulator said this not only signposted individuals to the company’s website but included ‘a sense of urgency in the messaging, which is a typical marketing strategy.’

The enforcement notice reveals how much information companies need to provide when they end up on the ICO’s radar.

  • A lack of clarity was initially provided surrounding the numbers of emails delivered/received
  • No policies and procedures existed to guide staff in respect of PECR

It goes to show it’s all very well to have a Data Protection Policy, but having specific marketing guidelines shouldn’t be overlooked.

What lessons can we learn?

It pays to carefully scrutinise any service messages which may be in danger of crossing the line. Give your staff clear policies/guides on the marketing rules and your internal approach.

These cases and others before it, show the ICO takes a strict interpretation and a handful of complaints can put you firmly in their sights.

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

ICO issues fine for invalid marketing consent

April 2023

How do we make sure the consent we collect is compliant?

The ICO has issued a £130,000 fine to a company which operated five recruitment websites. Join the Triboo (JTT) was found to have failed to collect valid consent for email marketing communications and in the words of the regulator, ‘bombarded people with spam emails’.

What did JTT get wrong?

It was ruled there was a failure to meet the requirements for consent to be a ‘freely given, specific, informed and unambiguous’ indication of someone’s wishes. Statements used to collect ‘consent’ were judged to neither be informed, nor specific.

One ‘consent’ statement used stated ‘I agree to marketing activity’. Perhaps unsurprisingly, this was judged as not clearly telling people what types of communications subscribers could expect to receive, by what means, or from whom. The privacy policy stated marketing might be carried out on behalf of ‘third parties’ who operate in ‘any business sector’.

Another statement referred to emails on behalf of ‘selected companies’ and contained broad categories including ‘general’.

Again, the ICO rule this could not be considered specific or informed and jobseekers using JTT operated websites weren’t given enough information to understand what they were consenting to.

Do we have to name third parties which rely on the consent we collect for them?

Interesting, the enforcement notice in this case does not specifically spell out that third parties relying on consent must be named. It states:

Consent is required to be “specific” as to the type of marketing communication to be received, and the organisation, or specific type of organisation, that will be sending it.

It’s not clear if the use of the term ‘specific type of organisation’ marks a shift in the Regulator’s stance to date, that named consent is always required. The ICO’s consent guidance states; ‘Name any third party controllers who will rely on the consent’.

What does valid consent look like?

The ICO’s guidance on consent sets out its expectations of what constitutes valid consent. To summarise:

  • A consent request must be prominent and separate from terms & conditions
  • People must take a positive action to opt in
  • Pre-ticked boxes must not be used
  • Clear and plain language must be used
  • It should be clear what we will use the data collected for
  • Any other organisation relying on consent must be named
  • People should be told, when they give their consent, they can withdraw it at any time
  • Consent shouldn’t be a precondition of a service

Here at the DPN we use the following statement to collect consent for our email newsletter. We’re pretty confident we’ve followed the ICO’s checklist.

SIGN UP FOR OUR NEWSLETTER
DPN updates direct to your inbox. Get insight, free resources, events & services from DPN Associates (publishers of DPN). All our emails have an opt-out. For more information see our Privacy Statement.

A box is provided to enter an email address and a positive action is taken when clicking the ‘Subscribe’ button.

Is consent always needed for email marketing?

The short answer is no. There’s an exemption to consent for business-to-consumer email marketing known as the soft opt-in, which can be legally used if specific conditions are met. This exemption was not applicable in the JTT case.

Email marketing by a business to it’s business contacts is also permitted without consent (provided the requirements for a legitimate interest are met).

When not relying on consent, the lawful basis for processing data for marketing purposes under UK GDPR will be legitimate interests.

The rules for direct marketing by electronic means are governed by the Privacy and Electronic Communications Regulations (PECR). When PECR tells us we need consent, this consent must meet the UK GDPR standard. The ICO has recently updated its direct marketing guidance.

Quick takeaways

  • Be clear about what you’re asking people to consent to – what type of marketing can they expect to receive?
  • Tell people which media communications channel you will use. If you’re going to send people marketing by email, make this clear.

For more detail see the ICO enforcement notice.

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

ICO direct marketing guidance for email and other electronic mail

October 2022

The rules and regulatory expectations spelt out

The ICO has published guidance specifically outlining the rules for direct marketing using electronic mail. The guidance clarifies the position the regulator takes on consent, the soft opt-in, refer-a-friend campaigns, hosted emails, using bought-in lists and more.

The guidance specifically focuses on direct marketing by electronic mail to individuals (‘individual subscribers’). The term ‘electronic mail’ covers email, text, picture, video, voicemail, and in-app messages, as well as sending people direct private messages via social media.

The rules for sending direct marketing by electronic mail are covered by the UK’s Privacy and Electronic Communications Regulations (PECR). We’re also reminded to comply with UK GDPR if we’re handling personal data.

This summary covers the core rules under PECR, as set out in the guidance, picks up on specific areas where the ICO has clarified its position and includes an occasional soupçon from me.

Where italics are used, this is text lifted from the guidance itself – so the regulator’s words not mine.

A. Core direct marketing rules and definitions

Options for electronic direct marketing messages

PECR says you can only send direct marketing by electronic mail if:

  • You have consent; or
  • you can meet all of the requirements of the ‘soft opt-in’.

I’d just stress, this means the consent of the individuals the message is target to.

Importantly it’s made clear these rules only apply to what are termed ‘individual subscribers’. It says, you can send electronic mail marketing to a corporate subscriber without needing to comply with the above requirements.

The following definitions are given:

  • Corporate subscribers are corporate bodies with separate legal status (eg companies, limited liability partnerships, Scottish partnerships).
  • Individual subscribers are people but also include some types of businesses (eg sole traders and some types of partnerships).

Another way to put this is individual subscribers are people who’ve signed up to the email service provider themselves.

I’d also just add, where you don’t have consent for business-to-business marketing – marketing to corporate subscribers – you’d be relying on Legitimate Interests under UK GDPR. Legitimate Interests is subject to a balancing test, so it’s wise to conduct a written assessment (Legitimate Interests Assessment).

What constitutes direct marketing?

The Data Protection Act 2018 defines direct marketing as: “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. A definition which applies under PECR too.

It’s a broad definition and covers any advertising, marketing or promotion of products and services. It also includes promoting aims and ideals, so covers fundraising and campaigning.

This latest guidance says; The definition doesn’t cover online advertising (eg advertisements placed on websites). It also doesn’t cover some types of direct marketing using social media (eg advertising messages shown on news feeds). This is even when organisations target these advertisements to a particular user of the site or platform.”

We’d point out targeted online advertising would fall under PECR rules where your using cookies and similar technologies.

For more information see: What is direct marketing?

Service messages

Messages sent for purely administrative or necessary customer service purposes are not considered direct marketing. However, if such messages include any promotional content, they’ll be considered direct marketing.

The ICO regularly issues fines where organisations have intentionally, or unintentionally, disguised marketing messages as service ones. An area I’ve written about before; Another ICO fine for a ‘service’ email deemed to be marketing.

Organisations have even been fined for sending messages asking people (who haven’t given permission or who’ve opted out) to confirm their marketing preferences. This in itself is judged to be direct marketing.

Solicited messages

If a customer specifically asks for information about your products and services, responding with the information requested will be considered a solicited message and won’t fall under the definition of direct marketing.

B. What constitutes valid consent?

There are specific requirements which the ICO says must be met for consent to be valid.

  • you must give people a free choice to consent so that they can refuse without detriment and you must keep the consent separate from other things, such as terms and conditions (‘freely given’);
  • you must make it clear that the consent covers your electronic mail marketing messages and you must give your name in the consent request (‘specific and informed’);
  • you must have no doubt that they are consenting to your electronic mail marketing messages (unambiguous indication); and
  • they must take a positive action to consent, so you must not use pre-ticked opt-in boxes, silence or inactivity as an indicator of consent (clear affirmative action).

You should keep a record of the consent (e.g. who, when, how) so that you can demonstrate that it is valid. People can also withdraw consent and you must make it easy for people to do this.

For more information see: How do we use consent?

At DPN we’d recommend any permission statement also includes a clear link to your privacy notice. This is so you can be confident you meet UK GDPR requirements to provide privacy information when personal data is collected.

C. Using the soft opt-in

The guidance reiterates all of the following conditions must be met to compliantly rely on this exemption to consent.

  • You want to send marketing by electronic mail to individual subscribers (includes sole traders and some types of partnerships).
  • You collected their contact details directly from them
  • You collected their details during a sale, or negotiations for a sale, or your products and services
  • You want to use their details to send them marketing about your similar products and services
  • You gave them a clear, simple way to opt-out, or say no to your marketing, when you collected their details
  • You give them a clear, simple way to opt-out, or change their mind about your marketing, in each message you send.

Just to be very clear on the fifth point, you must tell people you want to send them marketing, and give them the ability to say no.

What constitutes a ‘sale’?

Currently, the soft opt-in under PECR specifically uses the word “sale” and refers to “products and services”. The ICO says this means the soft opt-in doesn’t apply to details collected where there’s no sale (or such a negotiation), or where there are no products or services involved.

For “negotiations for a sale” to be triggered the ICO says the customer must actively express an interest in buying your products or services. Examples given include:

  • A request for a quote
  • Specifically asking for more details about what you offer
  • Signing up for a free trial

The ICO says: The communication from the person must involve buying products or services. It’s not enough for someone to send any type of query.

What about other companies in the same group?

The ICO considers use of the soft opt-in to be only available to the same entity or single organisation that originally collected the contact details. It says this means it won’t apply to other companies within the same group as the collecting organisation.

Charities and the soft opt-in

The way it’s worded in PECR means the soft opt-in only currently applies to commercial marketing of products and services. The ICO says this does not apply to the promotion of aims and ideals, for example campaigning or fundraising.

However, it could potentially apply to any commercial services or products offered. For example, if a charity has an online shop, they could use the soft opt-in to send direct marketing emails about the shop’s products, assuming all other conditions are met. In other words, the marketing could only be about products, not fundraising.

Under UK Government plans to reform data protection law and PECR it’s been proposed the soft opt-in should be extended to cover charities and political campaigning. (At time of writing, with the current political turmoil, the future direction of the Data Protection and Digital Information Bill is not known).

For more information see: How do we use soft opt-in?

An important point to highlight here, if you’re using the soft opt-in, you’ll be relying on Legitimate Interests as your lawful basis to process personal data for this activity under UK GDPR. This would therefore be subject to a balancing test – a Legitimate Interests Assessment. This is covered in the guidance under: What else do we need to consider?

D. Hosted email campaigns

The guidance doesn’t use the term ‘hosted’ email campaigns, but mentions how both the sender and the instigator of direct marketing by electronic mail will be responsible for complying with PECR.

It says you’re likely to be instigating if you; encourage, incite, incentivise or ask someone else to send electronic mail containing your direct marketing message.

We can take from this that if you ask another company to send your marketing messages to their customers, or you send a third-party’s marketing to your customers, the rules under PECR will apply.

The ICO doesn’t spell it out, but it’s clear it would not be possible to meet the conditions of the soft- in, and therefore consent would be required.

For more information see: Who is responsible?

It’s not unusual for companies to include an element of third-party marketing within their email campaigns, where this is perhaps not the main purpose. For example a travel company might include details of hire car companies within its own marketing messages.

The ICO has previously issued a fine to the Brexit Leave Campaign for including a promotion for an insurance company. In this case the promotion was totally unrelated to the content people might have expected to receive.

Where third-party content is incidental and relevant to the product or service, people are less likely to complain. Some companies may choose to take a risk-based approach here, balancing their commercial imperatives with the arguably lower likelihood of regulator enforcement action. A stand-alone message about a third party’s products and services would carry greater risks.

We’d stress here we do not know what stance the ICO would take should a complaint arise about a campaign which included some relevant and useful content promoting a third party.

E. Using bought-in lists

The message is clear – in order to use bought-in lists for electronic mail marketing to individual subscribers, the ICO says people must have given their consent to receive such marketing from your organisation. The ICO’s separate consent guidance states; Name any third party controllers who will rely on the consent.

For more information see: Can we use bought-in lists?

F. Viral marketing and refer-a-friend

The ICO says you must comply with the PECR rules if you engage in viral marketing, ‘refer a friend’ or ‘tell a friend campaigns. It’s stated: This applies even if you don’t send the messages yourself, but instead instigate the sending or forwarding of these messages.

For the Regulator to consider you the ‘instigator’, just encouraging someone to send or forward the message is enough.

Essentially the ICO says encouraging customers to forward your emails or texts is a non-starter. You don’t have consent from the recipients, and you can’t rely on the soft opt-in.

However, the ICO says you can take steps to avoid being an instigator, such as:

  • Don’t create pre-populated emails for marketing which customers can send their friends and family
  • Avoid actively encouraging customers to forward on an email or text. (If they do it without being encouraged to, the PECR rules wouldn’t apply).

An example is given of a customer logging into their account which includes information about a rewards scheme for friends and family. This explains, if friends or family input the customer’s unique code when signing up to the company’s services, the customer will get a discount on their bill. The ICO says this approach would be okay.

The guidance doesn’t cover viral marketing via social media. We’re presuming the rules would only apply if you sent this as a private message encouraging people to forward it, as opposed to posting something let’s say on a forum.

For more information see: Can we ask people to send our electronic mail marketing?

G. Using publicly available contact details

The ICO says it’s unlikely you can use contact details sourced indirectly from social media accounts, websites or other online or offline sources for electronic marketing. The reason being you can’t comply with PECR as you won’t have their consent and can’t rely on the soft opt-in.

The guidance makes it clear, an exception would be where this is business contact details, where the requirement for consent or soft opt-in doesn’t apply. (We take this to mean ‘corporate subscribers’).

For more information see: Can we use publicly available contact details to send marketing by electronic mail?

The above is a summary of the guidance and we’d encourage you to read the full guidance, or at least any areas specifically relevant to your organisation. In saying this, I’d recommend not taking aspects of the guidance in isolation. If you’re relying on consent, read the ICO’s consent guidance. If you are relying on soft opt-in read guidance on legitimate interests.

I’d also highly recommend making sure you have tailored marketing guidance (or a policy) for employees (and/or your marketing agency). Training for specific teams is also likely to improve awareness and knowledge. A great way to prevent unnecessary mistakes.

Relevant teams should understand the rules and your internal approach. It’s clear in recent PECR fines the ICO sometimes discovers there is insufficient guidance given to staff.

Alongside this guidance on electronic marketing mail, the ICO has also published guidance on live telemarketing.

I think we can take from these specific pieces of guidance the Direct Marketing Code of Practice has been pushed further into the long grass. The draft consultation published back in 2020 is clearly on the backburner, perhaps until there’s a clearer picture of what is, or isn’t happening, with UK data reform?

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Is your marketing profiling lawful, fair and transparent?

October 2022

ICO fines catalogue retailer £1.35 million for ‘invisible processing’

Many companies want to know their customers better. This is not a bad thing. Information gathered about people is regularly used for a variety of activities including improving products and services, personalisation or making sure marketing campaigns are better targeted.

However, the significant fine dished out to catalogue retailer Easylife highlights why companies need to be transparent about what they do, have a robust lawful basis, be careful about making assumptions about people and take special care with special category data.

It also shows how profiling is not limited to the realms of online tracking and the adtech ecosystem, it can be a simpler activity.

What did the catalogue retailer do?

Easylife had what were termed ‘trigger products’ in its Health Club catalogue. If a customer purchased a certain product, it triggered a marketing call to the individual to try and sell other related products. This was done using a third-party call centre.

Using previous transactions to tailor future marketing is not an unusual marketing tactic, often referred to as ‘NBA – Next Best Action’. The key in this case is Easylife inferred customers were likely to have certain health conditions based on their purchase of trigger products.

For example, if a customer bought a product which could be associated with arthritis, this triggered a telemarketing call to try and sell other products popular with arthritis sufferers – such as glucosamine and bio-magnetic joint patches.

Data relating to medical conditions, whether provided by the individual or inferred from other data, is classified as special category data under data protection law and handling this type of data requires special conditions to be met.

The ICO’s ruling

To summarise the ICO’s enforcement notice Easylife was found have failed to:

  • have a valid lawful basis for processing
  • meet the need to have an additional condition for processing special category data
  • be transparent about its profiling of customers

It was found to have conducted ‘invisible processing’ of 145,000 customers.

There were no complaints raised about this activity; it only came to light due to a separate ICO investigation into contraventions of the telemarketing rules. The ICO says it wasn’t surprised no one had complained, as people just wouldn’t have been aware this profiling was happening, due to the lack of transparency.

It just goes to show ICO fines don’t always arise as a result of individuals raising complaints.

Key findings

Easylife argued it was just processing transactional data. The ICO ruled when this transactional data was used to influence its telemarketing decisions, it constituted profiling.

The ICO said while data on customer purchases constituted personal data, when this was used to make inferences about health conditions, this became the processing of special category data. The ICO said this was regardless of the statistical confidence Easylife had in the profiling it had conducted.

Easylife claimed it was relying on the lawful basis of Legitimate Interests. However, the Legitimate Interests Assessment (LIA) the company provided to the ICO during its investigation actually related to a previous activity, in which health related data wasn’t used.

When processing special category data organisations need to make sure they not only have a lawful basis, but also comply with Article 9 of UK GDPR.

The ICO advised the appropriate basis for handling this special category data was with the explicit consent of customers. In other words legitimate interests was not an appropriate basis to use.

Easylife was found to have no lawful basis, nor a condition under Article 9.

It was ruled there was a lack of transparency; customers hadn’t been informed profiling was taking place. Easylife’s privacy notice was found to have a ‘small section’ which stated how personal data would be used. This included the following:

*Keep you informed about the status of your orders and provide updates or information about associated products or additional products, services, or promotions that might be of interest to you.
*Improve and develop the products or services we offer by analysing your information.

This was ruled inadequate and Easylife was found to have failed to give enough information about the purposes for processing and the lawful bases for processing.

The ICO’s enforcement notice points out it would have expected a Data Protection Impact Assessment to have been conducted for for the profiling of special category data. This had not been done.

The Data Processing Agreement between Easylife and its processor; the third-party call centre, was also scrutinised. While it covered key requirements such as confidentiality, security, sub-contracting and termination, it failed to indicate the types of personal data being handled.

Commenting on the fine, John Edwards, UK Information Commissioner, said:

“Easylife was making assumptions about people’s medical condition based on their purchase history without their knowledge, and then peddled them a health product – that is not allowed.

The invisible use of people’s data meant that people could not understand how their data was being used and, ultimately, were not able to exercise their privacy and data protection rights. The lack of transparency, combined with the intrusive nature of the profiling, has resulted in a serious breach of people’s information rights.”

Alongside the £1.35 million fine, Easylife’s been fined a further £130,000 under PECR for making intrusive telemarketing calls to individuals registered on the Telephone Preference Service. Currently the maximum fine for contravening the marketing rules under PECR is £500,000, much lower than potential fines under DPA 2018/UK GDPR.

Update March 2023: The ICO announces reduction in GDPR fine from £1.35 million to £250,000.

6 key takeaways

1. If you are profiling your customers, try to make sure this is based on facts. Making the type of assumptions Easylife was making will always carry risks.

2. Be sure to be transparent about your activities. This doesn’t mean you have to use the precise term ‘profiling’ in your privacy notice, but the ways in which you use personal information should be clear.

3. Make sure your clearly state the lawful bases you rely upon in your privacy notice. It can be helpful and clear to link lawful bases to specific business activities.

4. If you’re processing special category data, collected directly or inferred from other data, make sure you can meet a condition under Article 9. For marketing activities the only option is explicit consent.

5. If you’re conducting profiling using special category data, carry out a DPIA.

6. Always remember the marketing rules under PECR for whatever marketing channel you’re using. For telemarketing, if you don’t have the consent of individuals, be sure to screen lists against the TPS.

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

SIGN UP FOR OUR NEWSLETTER

Get DPN updates direct to your inbox. Insight, free resources, guides, events & services from DPN Associates (publishers of DPN). All our emails have an opt-out. For more information see our Privacy Statement.

  • This field is for validation purposes and should be left unchanged.