Direct marketing: household names fined for breaking the rules

September 2021

What did We Buy Any Car, Saga and Sports Direct get wrong?

The ICO has announced a series of fines for companies which have contravened the direct marketing rules under the Privacy and Electronic Communications Regulations (PECR).

Fines amounting to £495,000 have been issued to Sports Direct, We Buy Any Car, Saga Personal Finance and Saga Services.

Contraventions include not being able to evidence valid consent, not abiding by the conditions of the ‘soft-opt in’ exemption, and emails sent via affiliates without valid consent.

In the ICO blog announcing the fines, their Head of Investigations commented:

“These companies should have known better. Today’s fines show the ICO will tackle unsolicited marketing, irrespective of whether the messages have been orchestrated by a small business or organisation, or a leading household name. The law remains the same and we hope today’s action sends out a deterrent message that members of the public must have their choices and privacy respected.”

It’s worth noting the Government’s data regime reform consultation proposes increasing the maximum fines under PECR to be in line with GDPR. So in future we could see much higher sums being levied for breaking the rules.

We Buy Any Car

Key finding: failure to meet all ‘soft opt-in’ conditions

We Buy Any Car (WBAC) has been fined £200,000 for sending 191.4 million marketing messages and 3.6 million SMS messages in contravention of the PECR rules.

WBAC came to the attention of the ICO due to complaints received directly to their online reporting tool. Between October 2019 and January 2020, the Regulator received 10 complaints from individuals, and a further two complaints from the same individual.

Much of the investigation focuses on email communications which were sent after people had requested a valuation. People can use the WBAC website to input details about their vehicles to get a valuation.

WBAC claimed it relied on the ‘soft opt-in’ exemption for such messages and said people would anticipate further email communications as part of what was described as ‘journey emails’.

The ICO found while people were informed about these communications, they were not given an opportunity to opt-out at the point their details were collected. This is one of the key conditions businesses have to meet when relying on the soft opt-in exemption.

A clear message to other businesses to assess whether they are taking any risks when relying on the ‘soft opt-in’.  Are you meeting these core conditions?

  • The contact details are collected during the course of a sale, or negotiations for a sale, of a product or service
  • An opportunity to refuse or opt-out of the marketing is given at the point of collection, and in every subsequent communication
  • You only send marketing about your own similar products and services

Saga

Key finding: inadequate consent obtain for marketing by affiliates/partners

Saga Services Limited (SSL) has been fine £150,00 for sending more than 128 million emails in contravention of the PECR rules. Saga Personal Finance (SPF) has been fined £75,000 for sending 28 million emails.

These cases focus on the potential risks when using partners or affiliates to send marketing on your behalf. Both SSL and SPF paid partners and affiliates to send promotional emails on their behalf for lead generation purposes.

The companies were relying on ‘indirect consent’. In other words they hadn’t collected people’s details directly from them, and were using other parties’ lists to promote their services.

The enforcement notice points to the ICO’s direct marketing guidance which states:

“organisations need to be aware that indirect consent will not be enough for texts, emails or automated calls. This is because the rules on electronic marketing are stricter, to reflect the more intrusive nature of electronic messages.”

The guidance goes on to say ‘indirect consent’ may be valid, but only if it is clear and specific enough. Providing an individual with a long, seemingly exhaustive list of categories of organisations that may send marketing communications to them is not likely to be sufficient.

In summary, it was found that SSL and SPF were the instigators of these email communications, and the ‘consent’ collected by affiliates and partners was not sufficient.

A lesson here for all organisations using marketing affiliates and partners, to conduct due diligence. You can’t just simply accept claims by those sending emails on your behalf that they have a ‘fully consented list’.

Sports Direct

Key finding: inability to produce evidence of marketing permissions

Sports direct has been fined £70,000 for sending 2.5 million email messages without valid consent.

The company came to the ICO’s attention after the regulator received 12 complaints via is online reporting tool.

This case focuses on a ‘re-engagement’ campaign whereby Sports Direct had identified an ‘aged dataset’ to send communications to. These were described as records which had not unsubscribed – “a category of data that showed as being opted in to receive email marketing but had not received any marketing emails”.

Sports Direct informed the ICO it was either relying on the ‘soft opt-in’ or ‘consent’ to contact this ‘aged dataset’.

However, during the ICO investigations Sports Direct could not provide sufficient evidence it had valid permission to contact people.

In one case Sports Direct couldn’t identify a lawful basis, because the customer in question had asked for their details to be erased, so they had no record at all.

This ruling acts as reminder to all organisations to keep adequate records and specifically highlights the risks of emailing customers who you haven’t been in contact with for some time.

It also confirms that, even if someone submits an erasure request, you should keep minimised but detailed enough records for a suitable period of time so you can adequately respond to any subsequent complaints.

Full details of the above enforcement action can be found on the ICO website.

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

ICO says most public sector messages are not direct marketing

August 2021

One of the unwelcome side effects of the pandemic has been the proliferation of bogus emails and texts trying to illegally elicit personal data from us.

I speak with my elderly mother almost daily, repeating the same lines; ‘don’t click on the link’, ‘don’t respond if someone is asking you to enter your details’, ‘hang up’, ‘delete it’, ‘you haven’t ordered a package, please ignore it’.

However, we’ve also all received other communications which I feel have been largely helpful. Messages such as pandemic update emails from our local councils, notifications about vaccines from our GPs, and text messages about the NHS app.

But would some of these be regarded as direct marketing messages? Did some contravene the rules under PECR (the Privacy and Electronic Communications Regulations)?

Possibly, perhaps in some cases definitely (under existing guidance). But does it matter? Surely, there’s an argument to say some communications may not be strictly necessary but are informative and useful, and don’t unduly impact on our privacy.

This is clearly an area the ICO felt needed addressing. The Regulator has issued new guidance, which appears to alter the long-standing interpretation of direct marketing.

What does the new guidance say?

The ICO says public sector organisations can send ‘promotional’ messages which would not be classed as direct marketing, if they are necessary for a public task or function.

This is significant. ‘Promotional’ messages have always been considered as ‘direct marketing’ before, regardless of whether they are sent by commercial companies, not-for-profits or the public sector.

It also means, in the eyes of the Regulator, such public sector ‘promotional’ emails, SMS messages and telephone calls do not fall within the scope of the UK’s Privacy and Electronic Communications Regulations (PECR).

In a blog announcing the new guidance the ICO states:

“Any sector or type of organisation is capable of engaging in direct marketing. However the majority of messages that public authorities send to individuals are unlikely to constitute direct marketing.”

Anthony Luhman, ICO Director, goes on to say:

“Our new guidance will help you understand how to send promotional messages in compliance with the law. Done properly the public should have trust and confidence in promotional messaging from the public sector.”

As said, until now any ‘promotional’ message was considered direct marketing. So this new guidance raises some questions:

  • Has the long-standing interpretation of the definition of direct marketing been changed?
  • Is this a sensible new interpretation?
  • Will this open the floodgates to us being spammed by public authorities?

What is the definition of ‘direct marketing’?

The definition is broad. Under section 122(5) of the DPA 2018 the term ‘direct marketing’ means “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”.

A definition which also applies for PECR.

What exactly is meant by ‘advertising or marketing material’ is not clarified in the DPA 2018 or PECR, but the long-standing interpretation of this has been that it is not limited to commercial marketing and includes any material which promotes ‘aims and ideals’.

This interpretation is clear in the ICO’s Direct Marketing Guidance and more recently in the draft Direct Marketing Code, published in January 2020, which says of directly marketing;:

“It is interpreted widely and covers any advertising or marketing material, not just commercial marketing. For example it includes the promotion of aims and ideals as well as advertising goods or services. This wide interpretation acknowledges that unwanted, and in some cases nuisance, direct marketing is not always limited to commercial marketing.”

When is a promotional public sector message not direct marketing?

In a nutshell, the new guidance states;

  • If you’re a public authority and your promotional messages are necessary for your public task or function, these messages are not direct marketing
  • If your messages by telephone, text or SMS are not direct marketing, you don’t need to comply with PECR. (But you still need to comply with UK GDPR).

The ICO is now drawing a distinction between promotional messages necessary to fulfil a public task or function, as opposed to messages from public authorities promoting services which a user pays for (such as leisure facilities) or fundraising activities. The latter would still be considered direct marketing.

The new guidance provides the following interpretation;

“In many cases public sector promotions to individuals are unlikely to count as direct marketing. This is because promotional messages that are necessary for your task or functions do not constitute direct marketing. We do not consider public functions specified by law to count as an organisation’s aims or ideals.”

This is in marked contrast to the wording of the draft Direct Marketing Code which says:

‘If, as a public body, you use marketing or advertising methods to promote your interests, you must comply with the direct marketing rules.”

What types of messages are direct marketing and which aren’t?

The following examples are given of the types of promotional content a public authority might communicate which would NOT constitute direct marketing;

  • new public services
  • online portals
  • helplines
  • guidance resources

The ICO says promotional messages likely to be classed as direct marketing include:

  • fundraising; or
  • advertising services offered on a quasi-commercial basis or for which there is a charge (unless these are service messages as part of the service to the individual)

How do you decide if messages are necessary for public task or function?

The ICO says it accepts all public authorities will have what it describes as ‘incidental powers’ to promote their services and engage with the public.
It therefore says it is not necessary for a public authority to identify an ‘explicit statutory function’ to engage with promotional activity which is deemed ‘necessary’ for a task or function.

However, the ICO does stipulate you can’t just say a direct marketing message is no longer direct marketing because the lawful basis has been stated as public task.

Nor can you just decree a promotional message is ‘in the public interest’, this won’t automatically mean it isn’t direct marketing.

What the Regulator expects is for public authorities to identify a relevant task or function for the communication they wish to send.

There’s a risk here the ICO has not been clear enough. This could cause confusion and I suspect plenty of deliberation over which messages are or are not direct marketing.

Transparency

It’s made clear that even if you determine certain promotional messages are not direct marketing, this doesn’t mean you can ignore other basic data protection principles.

You still need to make sure people know what you are doing with their personal data, and this must be within their reasonable expectations.

In other words public authorities must make it clear to people they intend to send promotional messages which are necessary for a public task or function. Which may mean updating their privacy notices.

Right to object

People have an absolute right to object to direct marketing, but they also have a general right under data protection law to object to processing, which includes when organisations are relying on the lawful basis of public task. A right people should be made aware of.

The guidance makes it clear – if someone objects to a promotional message from a public authority, it will only be possible to continue sending messages if ‘compelling legitimate grounds’ to do so can be demonstrated.

The ICO makes the point it would be difficult to justify continuing to send unwanted promotional messages if this goes against someone’s wishes.

My advice would be to include a clear ability to opt-out on any promotional message; any message which isn’t an essential service message.

(Albeit, this could cause some configuration issues for public authorities who don’t have sophisticated systems which can distinguish between different types of messages and opt-outs).

Lawful basis for promotional non-marketing messages

The ICO points to two lawful bases under UK GDPR for sending promotional messages necessary for a public task or function, either public task or consent.

The guidance suggests just because you can rely on public task, doesn’t mean you shouldn’t consider consent, which may be considered appropriate for public trust reasons.

The ICO accepts that Public Authorities may be reluctant to rely on consent, due to a potential imbalance of power, but says it may be considered appropriate if the individual has a genuine free choice to give or refuse to consent to promotional messages.

A change in interpretation

This new guidance certainly seems to represent a marked change in the ICO’s previous interpretation of direct marketing.

It’s interesting to note the following pertinent examples which are present in the draft Direct Marketing Code (which I suspect may be altered in the final version).

Example

Scenario A
A GP sends the following text message to a patient: ‘Our records show you are due for x screening, please call the surgery on 12345678 to make an appointment.’
As this is neutrally worded and relates to the patient’s care it is not a direct marketing message but rather a service message.

Scenario B
A GP sends the following text message to a patient: ‘Our flu clinic is now open. If you would like a flu vaccination please call the surgery on 12345678 to make an appointment.’

This is more likely to be considered to be direct marketing because it does not relate to the patient’s specific care but rather to a general service that is available.

It seems to me Scenario B, under the new guidance could be classed as a promotional message, but NOT direct marketing.

(Personally, I would never have complained about Scenario B, it’s a helpful, informative message and hardly in the realms of the untargeted nuisance spam).

The draft Code goes on to confirm the following would be direct marketing;

  • a GP sending text messages to patients inviting them to healthy eating event;
  • a regulator sending out emails promoting its annual report launch;
  • a local authority sending out an e-newsletter update on the work they are doing; and
  • a government body sending personally addressed post promoting a health and safety campaign they are running.

The specific examples from the draft Code were used by people to question whether some of the messages they received during the pandemic contravened PECR.

Would these types of communications now no longer be direct marketing?

It would certainly seem like they aren’t if you go by the clear message from the ICO that; ‘the majority of messages that public authorities send to individuals are unlikely to constitute direct marketing.’

Will the above examples disappear from the final Direct Marketing Code?

In summary

This new guidance is likely to be welcomed by some who have been frustrated, or indeed bewildered their communications could be considered direct marketing.

However, it could also muddy the waters. It leaves the public sector needing to clearly define different types of communications and make sure relevant teams are adequately briefed to understand the difference.

As I see there are three types of communication:

a) Service messages – essential messages relating to the provision of a service
b) Promotional messages for public task or function (which are highly likely to need an opt-out)
c) Direct marketing messages (must have an opt-out to honour the individual’s absolute right to object).

I just wonder whether the term ‘promotional messages’ could have been avoided in this guidance. I am not sure I have a satisfactory alternative, but perhaps something like ‘information messages’ – i.e. messages that are not essential service messages but provide helpful information.

I also wonder whether there could have been a carve out for important health-related messages, rather than applying this new interpretation to any ‘promotional’ message from any public authority.

Let’s hope the public sector now pays due care and attention to transparency, provides an opt-out to all but essential messages, and doesn’t abuse this new-found power to engage with us beyond what is actually necessary.

 

 

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Marketing and the ‘soft opt-in’ – are you getting it right?

June 2021

The ICO has recently issued a £10,000 fine to a pizza company for sending ‘nuisance marketing messages’ to its customers.

Papa Johns claimed it was relying on the exemption to consent, known as the ‘soft opt-in’, but it was found to have not abided by the rules of this exemption.

So, what is the ‘soft opt-in’ and how can you use it, within its limitations, and not fall foul of the rules? What did Papa John’s get wrong?

What is the soft-opt-in?

The laws governing electronic marketing are covered in the UK’s Privacy and Electronic Communications Regulations (PECR) and these govern email, SMS and telemarketing.

Under PECR you need to have consent to send electronic marketing messages (e.g. email or SMS) to what are termed ‘individual subscribers’. These are people who personally subscribe to their email/SMS service provider (this is often referred to as B2C marketing).

But you don’t always legally need consent…

There’s an exemption under PECR for electronic marketing to existing customers. This is commonly known as the ‘soft opt-in’. An annoyingly ambiguous term as it permits the use of an ‘opt-out’ mechanism!

When relying on the ‘soft opt-in’ you need to be careful to make sure you follow the rules about when this exemption applies, which can be summarised as:

  • The contact details are collected during the course of a sale, or negotiations for a sale, of a product or service;
  • An opportunity to refuse or opt-out of the marketing is given at the point of collection, and in every subsequent communication;
  • You only send marketing about your own similar products and services; AND
  • You provide the ability to opt-out in every communication

For more information see PECR Regulation 22 and the ICO’s Guide to PECR.

It’s worth noting the rules on consent and the soft opt-in under PECR do not apply to ‘corporate subscribers’. A corporate subscriber is where the organisation (as opposed to the individual) has subscribed to the email/SMS service. (Commonly referred to as B2B marketing).

To quote the ICO on this, here’s an extract the draft Direct Marketing Code of Practice:

“The PECR rules on marketing by electronic mail (e.g. email and text messages) do not apply to corporate subscribers. This means you can send B2B direct marketing emails or texts to any corporate body. However, you must still say who you are and give a valid address for the recipients to unsubscribe from your emails.”

You do however need to be mindful sole traders and some partnerships fall under the definition of ‘individual subscribers’, so would fall under the consent / soft opt-in rules for B2C marketing.

What did Papa John’s get wrong?

The ICO says it received 15 complaints from Papa John’s customers about the unwanted marketing they were receiving by text and email. The Regulator points out, ‘the complaints noted the distress and annoyance the messages were causing’.

Subsequent ICO investigations found the pizza company sent more than 168,000 messages to its customers without valid consent.

Papa John’s claimed it was relying on the ‘soft opt in’ exemption in order to send these marketing messages. But the ICO ruled they were unable to rely on this exemption for customers who’d placed orders over the telephone, as people had not been given the opportunity to opt-out at this point. The ICO also makes the point that customers were not provided with a privacy notice.

Andy Curry, ICO Head of Investigations said:

“The law is clear and simple. When relying on the ‘soft opt in’ exemption companies must give customers a clear chance to opt-out of their marketing when they collect the customers details. Papa John’s telephone customers were not given the opportunity to refuse marketing at the point of contact, which has led to this fine.

“We will continue to take action against companies who may be gaining unfair advantage over those companies that adhere to the law and comply with electronic marketing law”.

The message is clear, you need to tell people you’d like to send them marketing and give them an opportunity to object when you collect customers’ details in order to rely on the ‘soft opt-in’. You can read more from the ICO about this case here.

This latest fine comes hot on the heels of action against another company for falling foul of PECR. A case which focused on the often fine line between a service message and a marketing one. I wrote about this here; Are your service message actually direct marketing?

Both these fines act as warnings to organisations, and provide a good opportunity to review practices and check you aren’t taken any unnecessary risks.

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

SIGN UP FOR OUR NEWSLETTER

Get DPN updates direct to your inbox. Insight, free resources, guides, events & services from DPN Associates (publishers of DPN). All our emails have an opt-out. For more information see our Privacy Statement.