The Marketing Soft Opt-in – Pros and Cons

January 2025

Consent vs the Soft Opt-in Exemption

Consent is not always needed to send marketing emails (or text messages) to UK consumers. There’s an exemption for electronic marketing messages, which providing you can meet specific criteria allows businesses to provide people with an ‘opt-out’ instead. This is commonly (and rather ambiguously) known as the ‘soft opt-in’.

It has recently been confirmed the UK Data (Use & Access) Bill is set to pave the way to extend the use of the soft opt-in to charities. So I’ve taken a look at the advantages and disadvantages of adopting this approach. But first a little explainer of the rules…

The soft opt-in criteria

The exemption to consent under the Privacy and Electronic Communications Regulations (PECR) can currently be relied upon to send electronic marketing (e.g. emails and texts) if ALL of the following conditions are met:

A person’s contact details are collected during the course of a sale, or negotiations for a sale, of a product or service;
An opportunity to refuse or opt-out of the marketing is given at the point of collection, and in every subsequent communication;
You only send marketing about your own similar products and services (not those of a third party).

Just a quick note: the rules on consent and the soft opt-in exemption apply to electronic marketing to ‘individual subscribers’ i.e. people’s personal email addresses. They don’t apply to emails to business contacts. See UK email marketing rules and ICO guidance on marketing to business contacts

Plans to permit charity use of the soft opt-in

The current strict criteria, in particular needing to collect a person’s contact details in the context of a sale (or negotiations for a sale), has meant charities have to date been very restricted in its use. For example, only being able to use the soft opt-in if they have a commercial arm such as an online shop, but not for gathering data via non-commercial activities.

However an amendment has been made to the DUA Bill, which is set to allow charities to send electronic marketing messages, where ALL of the following conditions are met:

The sole purpose of the direct marketing is for the charity’s charitable purpose(s)
Contact details were collected when the individual a) expressed an interest in the charity’s purpose(s) or b) offered or provided support to further the charity’s purpose(s).
An opportunity to refuse or opt-out of the marketing is given at the point of collection, and in every subsequent communication.

Just to be clear this is not UK law yet – the DUA Bill is currently working its way through Parliament.

Weighing up the pros and cons of the soft opt-in

It isn’t necessarily a straight-forward step to switch from using consent and here are some some areas to consider (and there may well be others).

Back in 2017, DPN commissioned independent research into consumer attitudes when presented with a statement inviting them to opt-in (consent) or to opt-out to marketing (i.e. the soft opt-in). While this was some time ago, we believe our findings still have value and have referenced them where relevant.

More people to market to?

Collecting someone’s consent to send them marketing, obtaining a clear unambiguous tick (or check in a box) is undoubtedly a clear indication they would like to hear from you in future. However, asking people to take a positive action is recognised as negatively impacting on the volume of people you can communicate with. Hence why many commercial organisations adopt the soft opt-in (an ‘opt-out’) approach, whenever they are permitted.

It’s worth bearing in mind if people didn’t really want to hear from you by email or text, i.e. they ‘missed’ the opt-out box, they could be more likely to quickly unsubscribe. Which neatly brings me onto…

Potential for opt-out confusion

Relying on the soft opt-in means you can provide people with the ability to opt-out at the time they provide their contact details. This immediately raises a consideration: have people become expectant of being asked opt-in? If they have, there could be adverse consequences of switching to an opt-out.

For example, if you switch:

Will people accidentally tick the box, thinking they are opting in, but in effect be opting out?
Conversely, will people who don’t want to receive marketing, fail to tick the opt-out box (assuming it’s an opt-in) and inadvertently be saying ‘yes that’s okay’?

Our research showed when people were presented with an opt-out box, it lead to confusion about whether to tick it, or not. Our findings showed, even in a test environment, people had a tendency not to read statements carefully.

Attitudes to opt-out

Our research also showed when asked for their opinions, a significant majority disliked being presented with an opt-out. Some people viewed it as misleading or an attempt to try and ‘trick’ people into receiving marketing. There was a much more positive reaction to opt-in statements. Here’s just an illustration of the type of comments people gave in reaction to an opt-out box:

“This is a way of fooling the user to not tick the boxes and get loads of junk sent to them”
“Everyone knows doing it this way is to catch stupid people out.”

Could it be simpler to take an opt-out approach for ALL channels?

At the moment, organisations are presented with a dilemma if they collect consent for email (and/or text) marketing, but rely on legitimate interests for post and telemarking. Giving people a statement which mixes opt-ins and opt-outs really does create a muddle for people.

We’ve noticed the way some charities have got round this is to state they will communicate by post and telephone, and then provide people with contact details for how to change their preferences (i.e. if they want to object).

A potential advantage of being able to provide an opt-out for email (and/or text) marketing messages is it could create the ability to provide more clarity and transparency. For example, statements could be amended to provide clear opt-outs for all channels.

Can your CRM handle a switch from consent?

If you’re considering switching to the soft-opt-in, be mindful this could present a technical challenge. You’ll need to be able to clearly distinguish on your database between:

those who previously provided their consent
those who were asked for consent but declined – or have subsequently opted-out, and
moving forward, those who were given a soft opt-in statement and have simply not opted out.

Some CRM systems may not have more than two statuses for each marketing channel.  In addition, when you gather new data via the soft opt-in (opt-out), you’ll need to make sure it’s mapped correctly to your CRM.

Legitimate interests, transparency & privacy notices

Relying on the soft opt-in (an ‘opt-out’) means the lawful basis for processing under UK GDPR will not be consent, it will be legitimate interests. Therefore it would be wise to conduct and document a Legitimate Interests Assessment (LIA). You’ll also need to make sure relevant privacy notices are updated to reflect this, clearly calling out where marketing is carried out based on legitimate interests.

At DPN we wholly support the planned changes in the DUA Bill to level the playing field between commercial businesses and charities. Giving charities a choice to rely on the soft opt-in exemption, should they wish to. However, we’d just caution the switch from consent shouldn’t be taken lightly. In my opinion, any change to using an opt-out will need to be made very clear to people.

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

UK email marketing rules

January 2025

Is email marketing putting your business as risk?

Hardly a month goes by without an announcement from the UK’s Information Commissioner’s Office of another business being fined for falling foul of the email & SMS marketing rules.

It continues to surprise me some marketing and communications teams haven’t heard of the Privacy and Electronic Communications Regulations. They’ve been around since 2003 (far longer than GDPR) so businesses really have no excuse. Of course, there will always be some who want to try and get away with it.

Under PECR there are specific rules for direct marketing by telephone, email and SMS, plus rules for cookies and similar technologies.

Here I’m going to focus on email marketing. The same rules apply to SMS and to other ‘electronically stored’ marketing messages, including picture or video messages, voicemail, in-app messages and personal messaging on social media.

Consent for business-to-consumer (B2C) marketing emails

Unless using the exemption below, you must collect consent before you send email marketing to what are termed individual subscribers. This definition covers people who personally subscribe to their email service provider. For example people who give you their personal gmail, hotmail or btinternet email address.

Soft opt-in exemption for business-to-consumer (B2C) marketing emails

There’s an exemption to consent for B2C email marketing, commonly known as the soft opt-in. This can only be used if the following criteria are met:

  • The individual’s contact details are collected during the course of a sale (or negotiations of a sale) of a product or service
  • An opportunity to refuse or opt-out of the marketing is given at the point of collection and in every subsequent communication AND
  • You only send marketing about your own similar products and services.

See PECR Regulation 22 and the ICO Guidance on Electronic Mail

This strict criteria means the ability for charities to rely this exemption is very limited. However, the UK Data (Use & Access) Bill which is currently progressing through Parliament looks set to change this: Soft opt-in set to be extended to charities.

Marketing emails to business contacts (B2B)

The rules on consent and the soft opt-in exemption do not apply to what are termed corporate subscribers. A corporate subscriber is described by the ICO as any corporate body (an entity with a separate legal status) with its own phone number or internet connection.

For example, my work email address has the domain <name>@dpnetwork.org.uk. DPN Associates pays for this service, not me as an individual. Businesses don’t legally need consent to contact me at my DPN business email address. To quote the ICO on this:

“The PECR rule on direct marketing by electronic mail does not apply to corporate subscribers. For example, this means you can send B2B direct marketing emails or texts to any corporate body. You do not need their consent under PECR to send such messages.”

A couple of key points to bear in mind:

  • A named business contact will still fall under the definition of personal data. Therefore B2B marketing to named individuals must comply with UK GDPR.
  • Sole traders and some partnerships technically fall under the definition of individual subscribers, where consent or the soft-opt-in exemption would be required.

The right to object

Everyone has the absolute right to object to direct marketing. This applies to both B2C and B2B marketing communications. Marketing emails should always have an unsubscribe link or clear instructions how to opt-out. Businesses also need to make sure everyone who has opted-out of emails is not included again.

Global email marketing

If you’re a UK-based company sending marketing emails outside the UK, you’ll need to check the rules in the destination country. The rules in the recipients’ country will apply. The rules in Germany, for example, are stricter than they are in the UK. Rules differ across Europe and the rest of the world for B2C and B2B email marketing.

What about UK GDPR?

Once you’ve got the PECR rules straight, you need to also consider what’s necessary to comply with UK GDPR. For example you should be transparent about your activities, fulfil the right to be informed, the right to object to direct marketing and so on. You also need to identify a lawful basis for your marketing activities and meet the requirements of this lawful basis.

Consent

If you’re relying on consent under PECR, the ICO tells us consent must meet UK GDPR’s standards. In other words, consent should be ‘freely given, specific, informed and unambiguous’ and must be given by the individual with a ‘clear affirmative action’.

One of the big changes under GDPR was the consent requirement became far stricter. It’s worth double-checking you’re meeting them. Consent – are you getting it right?

Legitimate Interests

If you don’t have to rely on consent, your other option is legitimate interests. There is a handy table in the ICO’s legitimate interests’ guidance under Can we use legitimate interests for our marketing activities?, which sets out when consent is required and when legitimate interests may be appropriate.

It shouldn’t be a throwaway decision to rely on legitimate interests. GDPR requires you to carefully balance the legitimate interests of your business with the ‘rights and freedoms’ of the people you’re going to market to.

You need to take care to make sure the rights of those whose data you’re collecting are not undermined by your business legitimate interests. We’d advise completing a Legitimate Interests Assessment (known as a balancing test) and keeping a record of this.

Other areas to be mindful of

  • Disguising a marketing message as a service message. Businesses will often need to send service messages by email for administrative or customer services purposes. These can be sent to everyone provided they only contain essential factual information for your customer. Such as confirming an order, confirming a delivery date/time, and so on. However, if there’s any promotional content, for example an upsell or cross-sell message, they will be deemed to be direct marketing messages and then PECR will apply. See Marketing and Service Messages
  • Asking for permission to send marketing by email is deemed to be a marketing message in itself. So you can’t email people (‘individual subscribers’) to ask them to consent to marketing.
  • ‘Hosted’ emails; this is where you use another organisation to promote your products or services to their database. This could cause a problem if you are judged to be the ‘instigator’ of these emails, especially in a B2C context, and valid ‘named’ consent wasn’t collected, i.e. your business wasn’t named when the other organisation collected consent.

The above are all areas the ICO has taken action in the past.

On the face of it, email marketing rules might seem a minefield of terms; consent, soft opt-ins, opt-outs, legitimate interests, sole traders and corporate subscribers.

But once the rules are embedded into marketing teams’ heads and ways of working, it can make life easier and reduce the chances of unknowingly violating them and risking a fine.

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Big change as marketing ‘soft opt-in’ set to be extended to charities

January 2025

In a hugely significant move the Government has adopted an amendment to the Data (Use and Access) Bill (DUA), which paves the way for charities to be able to benefit from the ‘soft opt in’ exemption to consent for email and text marketing. This marks a clear move to level the playing field between charities and commercial businesses.

In December nineteen major UK charities joined the Data & Marketing Association (DMA) in urging the Government to make this change. The DMA estimates extending the soft opt-in to charities will increase annual donations in the UK by £290 million.

What is the soft opt-in?

There’s a common misconception consent is always needed for email marketing to ‘individual subscribers’ (i.e. B2C – business to consumer marketing). There’s always been an exemption available to commercial businesses, commonly referred to as the ‘soft opt-in’. Under the Privacy and Electronic Communications Regulations (PECR) this can be relied upon for marketing emails and texts if ALL of the following conditions are met:

A person’s contact details are collected during the course of a sale, or negotiations for a sale, of a product or service;
An opportunity to refuse or opt-out of the marketing is given at the point of collection, and in every subsequent communication;
You only send marketing about your own similar products and services (not those of a third party)

This strict criteria, in particular the first point, has meant charities have been very restricted and have only technically been able to use this exemption in a commercial context. For example, when someone purchased a product from an online charity shop. But charities have not been permitted to use supporter data gathered via the soft opt-in for fundraising purposes.

However, the DUA Bill has now been amended to include a section on ‘Use of electronic mail for direct marketing by charities’. This states:

A charity may send or instigate the sending of electronic mail for the purposes of direct marketing where—

(a) the sole purpose of the direct marketing is to further one or more of the charity’s charitable purposes;
(b) the charity obtained the contact details of the recipient of the electronic mail in the course of the recipient—

(i) expressing an interest in one or more of the purposes that were the charity’s charitable purposes at that time; or
(ii) offering or providing support to further one or more of those purposes; and

(c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of their contact details for the purposes of direct marketing by the charity, at the time that the details were initially collected, and, where the recipient did not initially refuse the use of the details, at the time of each subsequent communication.

What do charities need to consider?

The Bill is still progressing through Parliament, so it’s not law yet. But once passed it will give charities a choice; stick with consent or start collecting new data using the soft opt-in.

Of course, the pros and cons, will need to be weighed up. This will raise some important questions, including (but not limited to):

Will your CRM system be able to store multiple permission statuses for legacy data alongside new data gathered under the soft opt-in?
Will supporters find it confusing if you suddenly switch?
Will people tick a box, thinking they’re opting in, when actually they’ll be opting out?

We’ve written more about this here: The marketing soft opt-in – pros and cons

It has always felt unbalanced that the commercial sector has been able to benefit from this exemption to consent, but charities have not been able to. Here are DPN we’re delighted the lobbying of the DMA and Charities has paid off.

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Cookie reprimand and more ICO investigations

September 2024

How to get to grips with your cookies and similar technologies

Following warnings issued to companies operating some of the UK’s most popular websites in relation to their use of advertising cookies, the ICO has issued a reprimand to a leading betting website. It’s also announced an investigation into a company which has failed to take action to meet cookie compliance requirements.

Bonne Terre Ltd, training as Sky Betting and Gaming, received a reprimand for ‘unlawfully processing people’s data through advertising cookies without their consent’. Third-party tracking technologies including cookies were dropped by the SkyBet website onto use devices, which collected personal data (e.g. device id and unique identifiers).

While the site had a cookie notification (pop-up) and a consent management platform (CMP), the ICO investigation found certain cookies were dropped onto user devices before visitors interacted with the CMP. This meant visitors’ personal information was being processed and made available to AdTech vendors without the visitors’ knowledge or prior consent.

In my experience this is often an area organisations often get wrong; cookies and other trackers being deployed onto user devices immediately, regardless of the CMP.

The ICO also looked into whether Sky Betting and Gaming were deliberately misusing people’s personal information to target vulnerable gamblers, but found no evidence of deliberate misuse. As a result of the ICO investigation, Sky Betting and Gaming made changes in March 2023 to make sure people could reject all advertising cookies before their personal information was shared down the AdTech supply chain.

Along with this reprimand the ICO has announced it will be investigating a gossip website; Tattle Life. Despite receiving an ICO warning, Tattle Life is said to have failed to engage.

What is the ICO’s key concern

The ICO is focusing on meeting the requirement to give users a fair choice over whether they are tracked for advertising purposes. Along with not dropping non-essential cookies on a user’s device automatically regardless of whether they have given their consent, the ICO stresses organisations must make it as easy for users to ‘reject all’ as it is to ‘accept all’.  To be clear, websites can still display adverts when users reject tracking, just not ones which are tailored to the person’s browsing habits.

Our 5 steps for compliant cookies

So, how can we make sure we’re following the rules when we deploy cookies and other similar technologies? Here are some straight-forward steps to take:

1. Audit: Do a cookie audit. If you don’t know what cookies your website is using you can’t even start to be compliant. Run a diagnostic scan to discover exactly what cookies and similar technologies are currently deployed on your website(s). Establish what they are being used for, which are provided by third party providers and which involve the sharing of data with the third party (for example Google, Meta, etc).

2. Spring clean: Get rid of the cookies you no longer need. This might sound obvious, but you’d be surprised how often we find long-forgotten cookies lurking on websites, serving no purpose yet still needlessly sharing data with third parties! You might need to check with your colleagues which are still used.

3. Categorise: Categorise your cookies – what are they used for?

  • Strictly necessary (essential) cookies – these are vital for the website to operate. For example, a cookie which helps keep the website secure, or a cookie which allows items to be added to a cart in an online store.
  • Analytics/Statistics/Performance cookies – for example, cookies which allow you to monitor and improve the site performance.
  • Functional cookies – cookies which enable a site to remember user preferences and settings, to enhance their experience on your website.
  • Advertising/Targeting cookies – allowing visitors to be followed from one website to another so tailored advertising can be displayed, or to target the most relevant advertising on your own website.

4. Collect consent: The law tells us you need to collect consent for all cookies and similar technologies which are not ‘strictly necessary’ before cookies are dropped onto the users device. To achieve this, you may wish to select a specialist Consent Management Platform to handle notifications and consents for you, as a website ‘plug in’.

There are many CMPs on the market, some of which are free. Beware that not all of them meet the UK/EU cookie requirements, so care is required when selecting the right one. If you use sub-domains on your website, deploy a high number of cookies or you want to exercise some creativity with how it looks, your likely to need a paid solution.

5. Notify website users: Provide a clear notification about the cookies and similar technologies you deploy. This should include:

  • the cookies you intend to use;
  • the purposes they will be used for
  • any third parties who may also process information stored in or accessed from the user’s device; and
  • the duration of any cookies you wish to set.

There are two approaches to this. You can let the CMP handle both the notification (pop-up) and the provision of more detailed information about cookies, or you can use the CMP for the pop-up and provide a separate more detailed cookie notice.

What are cookies and similar technologies?

Cookies are small pieces of information, which are used when users visit websites. The user’s software (for example, their web browser) can store cookies and send them back to the website the next time they visits.

The cookie rules also apply to any other technologies which stores or accesses information on a user’s device. For example, similar technologies could include, web beacons, scripts, tracking pixels and plugins.

What the law says

Contrary to what we often read in the papers, GDPR does not give us the rules for cookies and similar technologies. In the UK the rules are set out in the Privacy and Electronic Communications Regulations (PECR) which are derived from the EU ePrivacy Directive. The specific requirements vary by country, so think about which countries your site users visit from. Many EU countries have their own rules, all based on the same EU Directive but in the real world they have their own nuances.

In simple terms, you can’t ‘drop’ a file on a user’s device or gain access to information stored on their device unless:

a) You have provided clear and comprehensive information about your purposes for doing this, and
b) You have collected the consent of the user.

There is an exemption for strictly necessary cookies only. The cookie rules apply regardless of whether you’re processing personal data or not, i.e. these rule also apply to the automated collection of anonymised data.

Some points worth noting from ICO guidance

  • Consent needs to meet the requirements under GDPR for it to be a specific, informed, indication of someone’s wishes given by a clear affirmative action.
  • You must inform users about what cookies you use and what they do before they give their consent.
  • Where third-party cookies are used, you must clearly and specifically name who these third parties are and what they will do with the information collected.
  • Users must be given control over non-essential cookies, and should be able to continue to use your website if they don’t give consent.

It’s worth noting the ICO has determined analytics cookies are NOT essential and require consent. However, this is not always the case in other European countries. For example, the French regulator CNIL does not mandate the collection of consent for analytics cookies. They consider these cookies can be used under Legitimate Interests, which means they still require websites to notify users and give them the opportunity to object (opt-out).

The future and alternative solutions for cookies

In both the UK and in the European Union there’s a concerted desire to simplify the rules and remove the necessity for everyone to be faced with a barrage of cookie pop-ups on every website they visit. As yet however, a suitable solution has not been agreed.

Instead of using third-party cookies to help target advertising, there are a growing number of contextual advertising solutions, which are less intrusive, and a growing interest in more privacy friend Edge Computing Solutions.

However, there’s a sense these alternatives are not yet fully tried and tested. So we’ve seen a move by some organisations (particularly publishers) to a consent or pay model.

After a successful career in publishing Simon moved into data protection consultancy in 2015. Simon advises businesses of all sizes across a wide range of sectors. He held the role of Director of Information Governance at Royal Mail Group in the run up to GDPR enforcement. He regularly delivers data protection courses for clients and the Institute of Data & Marketing (IDM).

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Yet more CC email data breaches

May 2024

Despite a stark warning from the Information Commissioner’s Office last year that a failure to correctly use the BCC field (Blind Carbon Copy) is one of the most common cause of breaches – the mistakes keep happening.

The ICO has recently fined and issued a reprimand to the Central YMCA for sending an email to individuals participating in a programme for people living with HIV. The CC field was used, thereby revealing the email addresses to all recipients. 166 recipients could be identified or potentially identified from this, and it could be inferred they were likely to be living with HIV.

Then we hear the Conservative party has reported a breach to the ICO, after hundreds of email addresses were visible to all recipients in an email communication promoting the party’s annual conference. Again a mistake in using CC rather than BCC. The latter would have kept email addresses private. And a mistake which has the potential to reveal people’s political affiliations.

Last year in response to the number of breaches of this nature, the ICO published specific email security guidance to try and help organisations make sure their email communications are more secure.

Such breaches can cause considerable distress and harm, especially if sensitive personal information is involved, or can be inferred from the context of the email. The Regulator provides the following suggestions:

  • Setting rules to provide alerts to warn employees when they us the CC field.
  • Setting a delay, to allow time for errors to be corrected before the email is sent.
  • Turning off the auto-complete function to prevent the system suggesting recipients’ email addresses.
  • Making sure staff are trained about security measures when sending bulk communications by email
  • Using alternative more secure bulk email solutions.

The Central YMCA and Conservative Party are not the first to find themselves in the spotlight for incorrectly using CC. Sadly, I suspect they won’t be the last.

A couple of years ago, HIV Scotland was fined for failing to protect personal data. An email was sent to 105 members of HIV Scotland’s Community Action Network (CAN). Email addresses were visible to all recipients in the CC field. Although the email addresses themselves may be considered fairly innocuous, due to the nature of the email, the charity had inadvertently disclosed special category data. The ICO commented assumptions could be made about individuals’ HIV status or risk from the data disclosed. The ICO investigation found a number of shortcomings in the charity’s email procedures, including inadequate staff training and an inadequate data protection policy.

The message is simple: the BCC method of bulk email is open to human error, and not advisable when sending bulk emails to multiple recipients and/or if the email could reveal sensitive information.

Instead the advice is to use other secure means, such as bulk email services. This would prevent the chance of mistakes being made. The ICO says it would also expect businesses have policies and training in relation to email communications. It’s also worth checking out the National Cyber Security Centre’s useful Email Security Checklist.

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Quick Guide to UK GDPR, Marketing and Cookies

January 2024

How UK GDPR and PECR go hand-in-hand

Most have heard of GDPR. However, data protection law existed way before this new kid arrived on the block in 2018. And let’s not forget in the UK, GDPR has an equally important cousin called PECR.

The UK’s Privacy and Electronic Communications Regulations (PECR) have been around since 2003 before the days of smartphones and apps. Organisations need to consider both UK GDPR and PECR when it comes to marketing and cookies.

Why marketers need to pay attention

There are more fines issued by the Information Commissioner’s Office (ICO) for falling foul of the PECR marketing rules than there are under UK GDPR. Under UK data reform plans, the amount the Regulator can fine under PECR could be set to increase substantially to a maximum of around £17 million. Currently the maximum fine under PECR is £500k. So it’s worth taking notice.

This is a quick overview, and we’d encourage you to check the ICO’s detailed marketing guidance and cookie guidance.

What’s the difference between UK GDPR and PECR?

In a nutshell…

UK GDPR

✓ Tells us how we should handle personal data – information which could directly or indirectly identify someone.
✓ Sets out requirements organisations need to meet and their obligations.
✓ Provides us with seven core data protection principles which need to be considered whenever we handle personal data for any purpose, including marketing.
✓ Defines the legal standard for consent, which is relevant for direct marketing
✓ Gives people privacy rights, including an absolute right to object to direct marketing.

One of the principles is that processing of personal data must be lawful, fair and transparent. This includes making sure we have a lawful basis for our activities.

PECR

✓ Sets out specific rules for marketing to UK citizens, for example by emails , text messages or conducting telemarketing calls to UK citizens.
✓ Sets out specific rules when using cookies and similar technologies (such as scripts, tracking pixels and plugins).

PECR is derived from an EU directive, and EU countries have their own equivalent regulation which, whilst covering similar areas, may have different requirements, when marketing to their citizens.

We’ve written about the specific rules for email marketing and telemarketing here:
UK email marketing rules
UK telemarketing rules
The ‘soft opt-in’ – are you getting it right

How do UK GDPR and PECR work together?

Direct marketing

Marketers need to consider the core principles of UK GDPR when handling people’s personal information. Furthermore, they need to have a lawful basis for each data activity. Of the six lawful bases, two are appropriate for direct marketing activities; Consent and Legitimate Interests.

Consent: PECR tells us, for certain electronic marketing activity, we have to get people’s prior consent. UK GDPR tells us the standards we need to meet for this consent to be valid. Consent – Getting it right

Legitimate interests: If the types of marketing we conduct don’t require consent under PECR , we may choose to request consent anyway, or we could rely on legitimate interests. For example, marketing to business contacts rather than consumers.

Under GDPR, we need to be sure to balance our legitimate interests with the rights and interests of the people whose personal information we are using – i.e. the people we want to market to. ICO Legitimate Interests Guidance 

What about cookies?

PECR requires opt-in consent for most cookies or similar tech, regardless of whether they collect personal data or not. And we’re told this consent must meet the UK GDPR standards.

In simple terms, the rules are:

✓ Notify new users your website/app users about your use of cookies or similar technologies and provide adequate transparent information about what purposes they are used for.
✓ Consent is required for use of cookies, except a narrow exclusion for those which are ‘strictly necessary’ (also known as ‘essential’ cookies).
✓ Users need to be able to give or decline consent before the cookies are dropped on their device and should be given options to manage their consents at any time (e.g. opt-out after initially giving consent).

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

PECR fine for invalid marketing consent

January 2024

What lessons can we learn from the HelloFresh case?

HelloFresh used a marketing consent statement with a clear opt-in box for customers to tick, but the ICO has ruled the wording of the statement did not meet the requirements for consent to be specific and informed. The regulator has issued a £140k fine.

Sometimes, the ICO issues fines under PECR based on only a handful of complaints, however in this case thousands of complaints were raised via the ICO spam reporting tool.

The online meal order business was found to have sent over 80 million marketing email and text messages between September 2021 to February 2022 without first collecting valid consent.

When relying on consent for direct marketing under PECR, consent must meet the UK GDPR requirements; a freely given, specific, informed and unambiguous indication for an individual’s wishes, given by a clear affirmative action.

What ‘consent’ statement was used?

The consent statement HelloFresh used at the time was as follows:

“Yes, I’d like to receive sample gifts (including alcohol) and other offers, competitions and news via email. By ticking this box I confirm I am over 18 years old”.

This was relied on to send marketing emails and texts to customers with an active or paused subscription, and to former customers who’d cancelled their subscription within the last 24 months, but had given their ‘consent’ for marketing.

Users were able to update their communications preferences via an app, but the settings did not allow users to set preferences individually by channel e.g. phone, text and/or email.

☛ Consent: Getting it Right

Key ICO findings

Two points were highlighted as being particularly relevant in this case:

  • for consent to be valid it is required to be “specific” as to the type of marketing communication to be received, and the organisation, or specific type of organisation, that will be sending it.
  • ‘consent will not be “informed” if individuals do not understand what they are consenting to. Organisations should therefore always ensure that the language used is clear, easy to understand, and not hidden away in a privacy policy or small print.

The ICO found HelloFresh’s statement did not satisfy the requirement for consent to be “specific” and “informed” because:

  • Consent for marketing was not clear, as it was bundled in with other aspects. It combined an age confirmation statement and consent to receive free samples with consent for marketing by email.
  • It failed to tell people about text messages and thereby failed to collect valid consent for marketing by text message.
  • Customers were not told they could receive direct marketing messages for up to 24 months after they’d cancelled their subscription.

Key takeaways (no fresh veg included I’m afraid)

✓ Collect consent separately for different aspects /activities – don’t bundle everything into the same tick box

In my opinion using; I’d like to receive sample gifts (including alcohol) and other offers, competitions and news via email would have been okay for email marketing.

The big problem was adding; By ticking this box I confirm I am over 18 years old. This clearly should have been separate, and the ICO found this was likely to ‘unfairly incentivise’ customers to agree.

✓ Collect consent separately for each marketing media channel you want to use for communications e.g. telephone, text and email

In my opinion, HelloFresh may have avoided regulatory scrutiny if the statement had at least mentioned ‘via email and text’. The safest approach (from a regulatory perspective) is to collect consent by channel. Also in our experience, people may want email, but not texts, so separating them can optimise email opt-in.

✓ Don’t assume you can continue sending marketing to people after they have cancelled a subscription with you

The last point is interesting and a little surprising. The ICO is indicating that even if a customer has consented to marketing when they take out a subscription, this may not be valid once the customer ends that subscription – unless people are made aware of this when they give their consent. I doubt this point would ever have been picked up if HelloFresh had clearly collected consent for marketing by text in the first place.

Picking through the detail of ICO fines under PECR is always worth doing. The findings can give a nudge to check you aren’t doing anything similar. The full details can be found in the ICO’s enforcement notice.

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Marketing messages and service messages

September 2023

How to avoid falling foul of the PECR rules

Many businesses need to send important or essential messages to their customers by email or SMS, or may telephone them. But if the content of these messages strays into becoming promotional in nature, the marketing rules under the UK’s Privacy and Electronic Communications Regulations (PECR) will apply.

The Information Commissioner’s Office has issued a number of fines over the years where marketing messages have been ‘disguised’ as service messages. I’ve included a few examples below.

The risk for businesses is it can take just one, or a handful of complaints to cause a problem.

What’s a service message?

Essentially, a service message is a communication sent to individuals purely for administrative or customer service reasons. Such messages must be neutral in tone, providing just important and necessary information.

The ICO tells us these must not include any advertising or promotional materials and that the key is in the ‘phrasing, tone and context’.

Pure services messages can be sent to everyone provided they only contain essential factual information for your customer. Some examples would include:

  • confirming an order/purchase
  • confirming a delivery date/time
  • providing necessary event information when someone has purchased a ticket (free or paid for)
  • notifying people you require certain information to comply with the law, for example, an airline requesting passport information before an overseas flight
  • informing service users about essential changes, for example, telling leisure centre members the swimming pool has been unexpectedly closed
  • communication changes to the terms and conditions of a contract or agreement the individual has with you, or material changes to privacy information

What’s a marketing message?

If a message is actively promoting or encouraging an individual to make use of a particular service, a special offer, or upgrade for example, then it is likely to be direct marketing. This would include where part but not all of the message, or phone call, is of a promotional nature.

The Data Protection Act 2018 defines direct marketing as: the communication (by whatever means) of advertising or marketing material which is directed to particular individuals. A definition which applies under PECR.

It’s a broad definition and covers any advertising, marketing or promotion of products and services directed targeted at a specific individual or individuals. It also includes promoting aims and ideals, so covers fundraising and campaigning.

Regulatory communications

Some businesses, for example in the financial sector, will be required by a statutory regulator such as the Financial Conduct Authority to make people aware of specific information.

The ICO has published direct marketing and regulatory communications guidance. Again it depends on the context and tone of the message, but some examples are provided of messages which are unlikely to count as direct marketing.

  • give advance warning of changes to terms, conditions or tariffs
  • explain about statutory complaint or compensation schemes
  • warn about fraud and how to report it
  • remind people of how to get in touch if they are struggling with payments
  • provide offers of support for those customers most at risk of harm.

Where businesses have got it wrong

Navigating the line between service messages and marketing messages can be tricky, as the following companies discovered.

We all have feet of clay; I’m sure many other organisations are shimmying along this regulatory tightrope. Some consciously pushing the boundaries, others inadvertently breaking the rules.

American Express

In 2021 AMEX was fined £90,000 for sending 4 million emails, which were judged to fall under the definition of direct marketing, to customers who’d not given their consent or who’d opted out of marketing.

The nature of these emails ranged from encouraging people to download the AMEX app, to how to make the most of an AMEX card, rewards and offers, how to earn more rewards by referring friends, getting an improved rate on cashback, and so on.

The key here is AMEX’s decision to internally classify these emails as ‘service’ messages, which is why customers who’d opted out / objected to marketing still received them. The ICO disagreed and determined these were direct marketing, and marketing opt-outs should have been applied.

And just to be clear, in this case the ICO found AMEX hadn’t deliberately flouted the rules but did find them to be negligent.

In its defence AMEX said the emails were an integral part of the service they provide to AMEX customers. Their argument was that a crucial aspect of being an AMEX customer was taking advantage of member benefits. They said this was cited by customers as one of the primary reasons for having an AMEX card. AMEX therefore determined these messages were necessary and “required to be sent based on legal and contractual requirements”.

The ICO however assessed the content of the emails and found the following:

  • The emails encouraged customers to use their AMEX credit cards to make purchases or, in specific cases, download an app
  • The emails were clearly of an advertising and promotional nature
  • None were “neutrally worded and purely administrative”

Whatever their stated purpose internally, the ICO found the email content fell under the definition of direct marketing. The emails were aimed at encouraging customer actions from which AMEX would financially gain.

The penalty notice reveals AMEX received twenty-two complaints about ‘service’ emails during the period investigated. Five people complained directly to the ICO, some after initially raising their concerns with AMEX (but not all). It’s also worth noting some people complained because AMEX refused to let them opt-out because they viewed the messages as service ones not requiring an opt-out capability.

What struck me was the tiny percentage of complainants, especially when you consider AMEX sent out four million emails. (Admittedly this figure is likely to include repeated emails to the same individuals).

It starkly illustrates how only a few complaints can cause a world of pain. (There have been cases in the past based on a single complaint).

Halfords

In 2022 the ICO fined Halfords £30,000 for sending half a million emails without consent. This case shows how just one complaint directly to the ICO triggered unwelcome scrutiny.

Halfords sent an email campaign to customers letting them know about a Government ‘Fix your Bike’ scheme during the Covid pandemic, whereby cyclists could take advantage of a voucher towards repairs. A voucher which could be used with any of a list of approved repairers or mechanics.

This was sent to customers who had opted out of marketing in the past and the email contained a disclaimer stating; This is a service message and does not affect your marketing opt-in status. The email didn’t include an unsubscribe link.

In exchanges with the ICO, Halfords claimed they were acting in the public interest to support a Government scheme in a one-off campaign during the pandemic. Halfords also pointed to the fact that 3,700 people took up the opportunity to claim the voucher, and only received seven complaints themselves from almost half a million ‘service’ messages.

However the ICO said the content of the email promoted Halfords, and was therefore a marketing message.

  • It was found to imply a connection between Halfords and the scheme, emphasising the service provided by Halfords.
  • People were told to “Visit halfords.com to find out more now”. The regulator said this not only signposted individuals to the company’s website but included ‘a sense of urgency in the messaging, which is a typical marketing strategy.’

The enforcement notice reveals how much information companies need to provide when they end up on the ICO’s radar.

  • A lack of clarity was initially provided surrounding the numbers of emails delivered/received
  • No policies and procedures existed to guide staff in respect of PECR

It goes to show it’s all very well to have a Data Protection Policy, but having specific marketing guidelines shouldn’t be overlooked.

What lessons can we learn?

It pays to carefully scrutinise any service messages which may be in danger of crossing the line. Give your staff clear policies/guides on the marketing rules and your internal approach.

These cases and others before it, show the ICO takes a strict interpretation and a handful of complaints can put you firmly in their sights.

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

SIGN UP FOR OUR NEWSLETTER

Get DPN updates direct to your inbox. Insight, free resources, guides, events & services from DPN Associates (publishers of DPN). All our emails have an opt-out. For more information see our Privacy Statement.