Cookie action and five steps to cookie compliance

November 2023

How to get to grips with your cookies and similar technologies

If you haven’t done it already, now’s the time to get your cookies in order!

The Information Commissioner’s Office has just issued warnings to companies operating some of the UK’s most popular websites. They’ve been given 30 days to make sure their cookies and similar technologies are compliant, or face further action. An update is expected from the Regulator in January 2024, to include details of the companies which have failed to address the concerns raised.

A key concern relates to the requirement to give users a fair choice over whether they are tracked for advertising purposes. The ICO is stressing organisations must make it as easy for users to ‘reject all’ as it is to ‘accept all’. To be clear, websites can still display adverts when users reject tracking, just not ones which are tailored to the person’s browsing habits.

In its announcement the ICO said their research shows many people are concerned about companies tracking them online. We’ve all probably had more than one moment when we are a little spooked by the adverts we see, knowing the advertisers clearly know something about us.

Our 5 steps for compliant cookies

So, how can we make sure we’re following the rules when we deploy cookies and other similar technologies? Here are some straightforward steps to take:

1. Audit: Do a cookie audit. If you don’t know what cookies your website is using, you can’t even start to be compliant. Run a diagnostic scan to discover exactly what cookies and similar technologies are currently deployed on your website(s). Establish what they are being used for, which are provided by third-party providers, and which involve the sharing of data with the third party (for example Google, Meta, etc).

2. Spring clean: Get rid of the cookies you no longer need. This might sound obvious, but you’d be surprised how often we find long-forgotten cookies lurking on websites, serving no purpose. You might need to check with your colleagues which are still used.

3. Categorise: Categorise your cookies – what are they used for?

  • Strictly necessary (essential) cookies – these are vital for the website to operate. For example, a cookie which helps keep the website secure, or a cookie which allows items to be added to a cart in an online store.
  • Analytics/Statistics/Performance cookies – for example, cookies which allow you to monitor and improve the site performance.
  • Functional cookies – cookies which enable a site to remember user preferences and settings, to enhance their experience on your website.
  • Advertising/Targeting cookies – allowing visitors to be followed from one website to another so tailored advertising can be displayed, or to target the most relevant advertising on your own website.

4. Collect consent: The law tells us you need to collect consent for all cookies and similar technologies which are not ‘strictly necessary’ before cookies are dropped onto the user’s device. To achieve this, you may wish to select a specialist Consent Management Platform (CMP) to handle notifications and consents for you, as a website ‘plug in’.

There are many CMPs on the market, some of which are free. Beware that not all of them meet the UK/EU cookie requirements, so care is required when selecting the right one. If you use sub-domains on your website, deploy a high number of cookies or you want to exercise some creativity with how it looks, you’re likely to need a paid solution.

5. Notify website users: Provide a clear notification about the cookies and similar technologies you deploy. This should include:

  • the cookies you intend to use;
  • the purposes they will be used for;
  • any third parties who may also process information stored in or accessed from the user’s device; and
  • the duration of any cookies you wish to set.

There are two approaches to this. You can let the CMP handle both the notification (pop-up) and the provision of more detailed information about cookies, or you can use the CMP for the pop-up and provide a separate more detailed cookie notice.
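The audit, categorise, consent and notify steps can be checked together against a capture of what a site sets before the visitor has touched the banner. The following is an added example, not code from the ICO or from any CMP: the domain, cookie names, register entries and captured headers are all constructed, and "third party" is simplified to "any host outside the site's own domain".

```python
"""Pre-consent cookie audit over captured Set-Cookie headers (added example)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SITE = "shop.example"  # constructed first-party domain
# Fixed reference time so Expires-based durations are repeatable.
AUDIT_TIME = datetime(2023, 11, 1, tzinfo=timezone.utc)

# Output of the categorisation step: cookie name -> (category, purpose).
# Every entry is constructed for this example.
REGISTER = {
    "session_id": ("strictly_necessary", "keeps the basket and login state"),
    "csrf_token": ("strictly_necessary", "protects forms against forgery"),
    "_stats": ("analytics", "measures page performance"),
    "lang": ("functional", "remembers language preference"),
    "ad_uid": ("advertising", "cross-site ad targeting"),
}

# Constructed capture: (host that set the cookie, raw Set-Cookie value),
# recorded on first page load BEFORE any choice was made in the banner.
PRE_CONSENT_CAPTURE = [
    ("shop.example", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("shop.example", "csrf_token=x9; Path=/; Secure"),
    ("stats.shop.example", "_stats=v1; Max-Age=63072000; Path=/"),
    ("ads.tracker.example",
     "ad_uid=77; Expires=Fri, 01 Nov 2024 00:00:00 GMT; Secure; SameSite=None"),
    ("shop.example", "promo_seen=1; Max-Age=86400"),
]


def parse_set_cookie(raw, now):
    """Return (name, lifetime in seconds), lifetime None for a session cookie."""
    parts = [p.strip() for p in raw.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    lifetime = None
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        lifetime = int((expires - now).total_seconds())
    return name.strip(), lifetime


def is_third_party(host, site=SITE):
    """Simplification: any host outside the site domain and its sub-domains."""
    return not (host == site or host.endswith("." + site))


def audit(capture, register, now=AUDIT_TIME):
    """One row per cookie: the notice fields plus a compliance finding."""
    rows = []
    for host, raw in capture:
        name, lifetime = parse_set_cookie(raw, now)
        category, purpose = register.get(name, ("uncategorised", "unknown"))
        if category == "uncategorised":
            finding = "not in register"      # forgotten cookie: spring-clean or classify
        elif category != "strictly_necessary":
            finding = "set before consent"   # needs consent before it is dropped
        else:
            finding = "ok"
        rows.append({
            "name": name,
            "host": host,
            "third_party": is_third_party(host),
            "duration": "session" if lifetime is None else f"{lifetime // 86400} days",
            "category": category,
            "purpose": purpose,
            "finding": finding,
        })
    return rows


if __name__ == "__main__":
    for row in audit(PRE_CONSENT_CAPTURE, REGISTER):
        party = "third party" if row["third_party"] else "first party"
        print(f'{row["name"]:<11} {row["category"]:<19} {party:<12} '
              f'{row["duration"]:<9} {row["finding"]}')
```

The name, purpose, third-party and duration fields in each row are the same four items the notification in step 5 has to list, so the audit output can feed the cookie notice directly.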

What are cookies and similar technologies?

Cookies are small pieces of information, which are used when users visit websites. The user’s software (for example, their web browser) can store cookies and send them back to the website the next time they visit.

The cookie rules also apply to any other technologies which store or access information on a user’s device. For example, similar technologies could include web beacons, scripts, tracking pixels and plugins.

What the law says

Contrary to what we often read in the papers, GDPR does not give us the rules for cookies and similar technologies. In the UK the rules are set out in the Privacy and Electronic Communications Regulations (PECR) which are derived from the EU ePrivacy Directive. The specific requirements can vary by country, so think about which countries your site users visit from.

In simple terms, you can’t ‘drop’ a file on a user’s device or gain access to information stored on their device unless:

a) You have provided clear and comprehensive information about your purposes for doing this, and
b) You have collected the consent of the user.

There is an exemption for strictly necessary cookies only. The cookie rules apply regardless of whether you’re processing personal data or not, i.e. these rules also apply to the automated collection of anonymised data.

Some points worth noting from ICO guidance

  • Consent needs to meet the requirements under GDPR for it to be a specific, informed, indication of someone’s wishes given by a clear affirmative action.
  • You must inform users about what cookies you use and what they do before they give their consent.
  • Where third-party cookies are used, you must clearly and specifically name who these third parties are and what they will do with the information collected.
  • Users must be given control over non-essential cookies, and should be able to continue to use your website if they don’t give consent.

It’s worth noting the ICO has determined analytics cookies are NOT essential and require consent. However, this is not always the case in other European countries. For example, the French regulator CNIL does not mandate the collection of consent for analytics cookies. They consider these cookies can be used under Legitimate Interests, which means they still require websites to notify users and give them the opportunity to object (opt-out).

What does the future hold?

In both the UK and in the European Union there’s a concerted desire to simplify the rules and remove the necessity for everyone to be faced with a barrage of cookie pop-ups on every website they visit. As yet however, a suitable solution has not been agreed.

The UK’s Data Protection and Digital Information Bill which is currently progressing through Parliament includes provision to expand the types of cookies which wouldn’t require consent. For example, the exemption from consent could extend to analytics cookies – although you’d still need to notify users and give them an option to object.

Meanwhile, many believe it’s only a matter of time before the use of third-party data cookies becomes obsolete, due to the inherent difficulties in collecting valid consent. It’s highly likely there will be a premium on first party data, collected compliantly and transparently from customers or prospects.

Instead of using third-party cookies to help target advertising, there are a growing number of contextual advertising solutions, which are less intrusive, and a growing interest in more privacy-friendly Edge Computing Solutions.

Incorrect use of BCC in emails major cause of data breaches

September 2023

The Information Commissioner’s Office has issued a stark warning about using the BCC field (blind carbon copy) to send email to multiple addresses. They say failure to use BCC correctly is one of the most common data breaches reported to them every year.

Such breaches can cause considerable distress and harm especially if sensitive personal information is involved. The Regulator says businesses should assess whether other secure methods would be more appropriate.

Many of us will use the BCC field, so the recipients can’t see each other’s email addresses. But it’s easy to make a mistake. The Regulator provides the following suggestions:

  • Setting rules to provide alerts to warn employees when they use the CC field.
  • Setting a delay, to allow time for errors to be corrected before the email is sent.
  • Turning off the auto-complete function to prevent the system suggesting recipients’ email addresses.

Using BCC is not advisable when sending bulk emails to multiple recipients and/or if the email could reveal sensitive information about recipients. Instead the advice is to use other secure means, such as bulk email services. This would prevent the chance of mistakes being made. The ICO says it would also expect businesses to consider having policies and training in relation to email communications.
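One way to implement the "alert when the CC field is used" suggestion is a pre-send check on the draft message. This is an added example, not an ICO or mail-vendor rule: the organisation domain, the addresses, the two sample drafts and the limit of one visible external recipient are constructed assumptions.

```python
"""Pre-send check for recipients exposed in To/Cc (added example)."""
from email import message_from_string
from email.policy import default
from email.utils import getaddresses

INTERNAL_DOMAIN = "charity.example"  # constructed sender organisation
VISIBLE_LIMIT = 1                    # assumed policy: more than one visible external recipient warns

# Constructed drafts. The first repeats the mistake described in the text:
# a distribution list pasted into Cc instead of Bcc.
SAMPLE_CC = """\
From: news@charity.example
To: news@charity.example
Cc: Alex Smith <alex.smith@mail.example>, jo@inbox.example,
 sam.jones@post.example
Subject: Network update

Body text.
"""

SAMPLE_BCC = """\
From: news@charity.example
To: news@charity.example
Bcc: Alex Smith <alex.smith@mail.example>, jo@inbox.example,
 sam.jones@post.example
Subject: Network update

Body text.
"""


def exposed_recipients(raw_message, internal_domain=INTERNAL_DOMAIN):
    """Return the external addresses every recipient would see (To and Cc)."""
    msg = message_from_string(raw_message, policy=default)
    exposed = set()
    for header in ("To", "Cc"):
        values = [str(v) for v in msg.get_all(header, [])]
        for _display_name, addr in getaddresses(values):
            if not addr:
                continue  # skip anything that did not parse as an address
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain != internal_domain:
                exposed.add(addr.lower())
    return sorted(exposed)


def pre_send_warning(raw_message, limit=VISIBLE_LIMIT):
    """Return a warning string when too many external addresses are visible."""
    exposed = exposed_recipients(raw_message)
    if len(exposed) > limit:
        return (f"{len(exposed)} external recipients are visible to each other "
                f"in To/Cc; move them to Bcc or use the bulk email service")
    return None


if __name__ == "__main__":
    for label, draft in (("Cc draft", SAMPLE_CC), ("Bcc draft", SAMPLE_BCC)):
        print(label, "->", pre_send_warning(draft) or "no warning")
```

A check like this only catches the CC/BCC slip; it does not replace moving list mailings to a bulk email service, which is the advice the text gives.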

HIV charity fine

The case of HIV Scotland provides a stark warning of how things can go wrong. The charity was fined in 2021 for failing to protect personal data. An email was sent to 105 members of HIV Scotland’s Community Action Network (CAN). Email addresses were visible to all recipients in the ‘CC’ field. In fact, 65 of the addresses identified people by name.

Although the email addresses themselves may be considered fairly innocuous, due to the nature of the email, the charity had inadvertently disclosed special category data. The ICO commented that assumptions could be made about individuals’ HIV status or risk from the data disclosed.

An investigation by the ICO found a number of shortcomings in the charity’s email procedures, including:

  • inadequate staff training
  • an inadequate data protection policy
  • incorrect methods of sending bulk emails by using the ‘BCC’ (blind carbon copy) method.

During their investigation the ICO discovered HIV Scotland had procured a new system back in July 2019 to enable bulk emails to be sent securely. However, at the time of the breach seven months later, they had failed to migrate the CAN email list over to the new email system. The charity still continued to use the ‘BCC’ method of emailing to the CAN list.

The BCC method of bulk email is open to human error. In this instance, the email addresses of recipients were mistakenly placed in the CC field instead of the BCC field.

The ICO’s Monetary Penalty Notice states HIV Scotland ‘failed to implement an appropriate level of organisational and technical security to its internal email systems’ which resulted in the breach of special category data.

What actions can we take?

Organisations which send bulk emails might wish to make sure:

  • staff who handle email communications have received sufficient training.
  • appropriate and robust email procedures are in place for staff to follow.
  • staff are regularly reminded of the correct procedures.

Clearly there’s a risk if you use the BCC method that email addresses could accidentally end up in the CC field rather than the BCC field, resulting in disclosure of personal data. The ICO is indicating this method of sending should be avoided. If you regularly send emails using the BCC method, you should look to implement a bulk email solution to prevent the risk of disclosing personal data to others.

The National Cyber Security Centre has a useful Email Security Checklist.

Marketing messages and service messages

September 2023

How to avoid falling foul of the PECR rules

Many businesses need to send important or essential messages to their customers by email or SMS, or may telephone them. But if the content of these messages strays into becoming promotional in nature, the marketing rules under the UK’s Privacy and Electronic Communications Regulations (PECR) will apply.

The Information Commissioner’s Office has issued a number of fines over the years where marketing messages have been ‘disguised’ as service messages. I’ve included a few examples below.

The risk for businesses is it can take just one, or a handful of complaints to cause a problem.

What’s a service message?

Essentially, a service message is a communication sent to individuals purely for administrative or customer service reasons. Such messages must be neutral in tone, providing just important and necessary information.

The ICO tells us these must not include any advertising or promotional materials and that the key is in the ‘phrasing, tone and context’.

Pure service messages can be sent to everyone provided they only contain essential factual information for your customer. Some examples would include:

  • confirming an order/purchase
  • confirming a delivery date/time
  • providing necessary event information when someone has purchased a ticket (free or paid for)
  • notifying people you require certain information to comply with the law, for example, an airline requesting passport information before an overseas flight
  • informing service users about essential changes, for example, telling leisure centre members the swimming pool has been unexpectedly closed
  • communicating changes to the terms and conditions of a contract or agreement the individual has with you, or material changes to privacy information

What’s a marketing message?

If a message is actively promoting or encouraging an individual to make use of a particular service, a special offer, or upgrade for example, then it is likely to be direct marketing. This would include where part but not all of the message, or phone call, is of a promotional nature.

The Data Protection Act 2018 defines direct marketing as: the communication (by whatever means) of advertising or marketing material which is directed to particular individuals. A definition which applies under PECR.

It’s a broad definition and covers any advertising, marketing or promotion of products and services directed at a specific individual or individuals. It also includes promoting aims and ideals, so covers fundraising and campaigning.

Regulatory communications

Some businesses, for example in the financial sector, will be required by a statutory regulator such as the Financial Conduct Authority to make people aware of specific information.

The ICO has published direct marketing and regulatory communications guidance. Again it depends on the context and tone of the message, but some examples are provided of messages which are unlikely to count as direct marketing.

  • give advance warning of changes to terms, conditions or tariffs
  • explain about statutory complaint or compensation schemes
  • warn about fraud and how to report it
  • remind people of how to get in touch if they are struggling with payments
  • provide offers of support for those customers most at risk of harm.

Where businesses have got it wrong

Navigating the line between service messages and marketing messages can be tricky, as the following companies discovered.

We all have feet of clay; I’m sure many other organisations are shimmying along this regulatory tightrope. Some consciously pushing the boundaries, others inadvertently breaking the rules.

American Express

In 2021 AMEX was fined £90,000 for sending 4 million emails, which were judged to fall under the definition of direct marketing, to customers who’d not given their consent or who’d opted out of marketing.

The nature of these emails ranged from encouraging people to download the AMEX app, to how to make the most of an AMEX card, rewards and offers, how to earn more rewards by referring friends, getting an improved rate on cashback, and so on.

The key here is AMEX’s decision to internally classify these emails as ‘service’ messages, which is why customers who’d opted out / objected to marketing still received them. The ICO disagreed and determined these were direct marketing, and marketing opt-outs should have been applied.

And just to be clear, in this case the ICO found AMEX hadn’t deliberately flouted the rules but did find them to be negligent.

In its defence AMEX said the emails were an integral part of the service they provide to AMEX customers. Their argument was that a crucial aspect of being an AMEX customer was taking advantage of member benefits. They said this was cited by customers as one of the primary reasons for having an AMEX card. AMEX therefore determined these messages were necessary and “required to be sent based on legal and contractual requirements”.

The ICO however assessed the content of the emails and found the following:

  • The emails encouraged customers to use their AMEX credit cards to make purchases or, in specific cases, download an app
  • The emails were clearly of an advertising and promotional nature
  • None were “neutrally worded and purely administrative”

Whatever their stated purpose internally, the ICO found the email content fell under the definition of direct marketing. The emails were aimed at encouraging customer actions from which AMEX would financially gain.

The penalty notice reveals AMEX received twenty-two complaints about ‘service’ emails during the period investigated. Five people complained directly to the ICO, some after initially raising their concerns with AMEX (but not all). It’s also worth noting some people complained because AMEX refused to let them opt-out because they viewed the messages as service ones not requiring an opt-out capability.

What struck me was the tiny percentage of complainants, especially when you consider AMEX sent out four million emails. (Admittedly this figure is likely to include repeated emails to the same individuals).

It starkly illustrates how only a few complaints can cause a world of pain. (There have been cases in the past based on a single complaint).

Halfords

In 2022 the ICO fined Halfords £30,000 for sending half a million emails without consent. This case shows how just one complaint directly to the ICO triggered unwelcome scrutiny.

Halfords sent an email campaign to customers letting them know about a Government ‘Fix your Bike’ scheme during the Covid pandemic, whereby cyclists could take advantage of a voucher towards repairs. A voucher which could be used with any of a list of approved repairers or mechanics.

This was sent to customers who had opted out of marketing in the past and the email contained a disclaimer stating: ‘This is a service message and does not affect your marketing opt-in status.’ The email didn’t include an unsubscribe link.

In exchanges with the ICO, Halfords claimed they were acting in the public interest to support a Government scheme in a one-off campaign during the pandemic. Halfords also pointed to the fact that 3,700 people took up the opportunity to claim the voucher, and only received seven complaints themselves from almost half a million ‘service’ messages.

However the ICO said the content of the email promoted Halfords, and was therefore a marketing message.

  • It was found to imply a connection between Halfords and the scheme, emphasising the service provided by Halfords.
  • People were told to “Visit halfords.com to find out more now”. The regulator said this not only signposted individuals to the company’s website but included ‘a sense of urgency in the messaging, which is a typical marketing strategy.’

The enforcement notice reveals how much information companies need to provide when they end up on the ICO’s radar.

  • A lack of clarity was initially provided surrounding the numbers of emails delivered/received
  • No policies and procedures existed to guide staff in respect of PECR

It goes to show it’s all very well to have a Data Protection Policy, but having specific marketing guidelines shouldn’t be overlooked.

What lessons can we learn?

It pays to carefully scrutinise any service messages which may be in danger of crossing the line. Give your staff clear policies/guides on the marketing rules and your internal approach.

These cases, and others before them, show the ICO takes a strict interpretation and a handful of complaints can put you firmly in their sights.

UK email marketing rules

September 2023

Is email marketing putting your business at risk?

Hardly a month goes by without an announcement from the UK’s Information Commissioner’s Office of another business being fined for falling foul of the email & SMS marketing rules.

It continues to surprise me that some marketing and communications teams haven’t heard of the Privacy and Electronic Communications Regulations. They’ve been around since 2003 (far longer than GDPR) so businesses really have no excuse. Of course, there will always be some who want to try and get away with it.

Under PECR there are specific rules for direct marketing by telephone, email and SMS, plus rules for cookies and similar technologies.

Here I’m going to focus on email marketing. The same rules apply to SMS and to other ‘electronically stored’ marketing messages, including picture or video messages, voicemail, in-app messages and personal messaging on social media.

Consent for business-to-consumer (B2C) marketing emails

Unless using the exemption below, you must collect consent before you send email marketing to what are termed individual subscribers. This definition covers people who personally subscribe to their email service provider. For example people who give you their personal gmail, hotmail or btinternet email address.

Soft opt-in exemption for business-to-consumer (B2C) marketing emails

There’s an exemption to consent for B2C email marketing, commonly known as the soft opt-in. This can only be used if the following criteria are met:

  • The individual’s contact details are collected during the course of a sale (or negotiations of a sale) of a product or service
  • An opportunity to refuse or opt-out of the marketing is given at the point of collection and in every subsequent communication AND
  • You only send marketing about your own similar products and services.

See PECR Regulation 22 and the ICO’s Guide to PECR

Marketing emails to business contacts (B2B)

The rules on consent and the soft opt-in exemption do not apply to what are termed corporate subscribers. A corporate subscriber is described by the ICO as any corporate body (an entity with a separate legal status) with its own phone number or internet connection.

For example, my work email address has the domain <name>@dpnetwork.org.uk. DPN Associates pays for this service, not me as an individual. Businesses don’t legally need consent to contact me at my DPN business email address. To quote the ICO on this:

“The PECR rule on direct marketing by electronic mail does not apply to corporate subscribers. For example, this means you can send B2B direct marketing emails or texts to any corporate body. You do not need their consent under PECR to send such messages.”

A couple of key points to bear in mind:

  • A named business contact will still fall under the definition of personal data. Therefore B2B marketing to named individuals must comply with UK GDPR.
  • Sole traders and some partnerships technically fall under the definition of individual subscribers, where consent or the soft opt-in exemption would be required.

The right to object

Everyone has the absolute right to object to direct marketing. This applies to both B2C and B2B marketing communications. Marketing emails should always have an unsubscribe link or clear instructions on how to opt out. Businesses also need to make sure everyone who has opted out of emails is not included again.

Global email marketing

If you’re a UK-based company sending marketing emails outside the UK, you’ll need to check the rules in the destination country. The rules in the recipients’ country will apply. The rules in Germany, for example, are stricter than they are in the UK. Rules differ across Europe and the rest of the world for B2C and B2B email marketing.

What about UK GDPR?

Once you’ve got the PECR rules straight, you need to also consider what’s necessary to comply with UK GDPR. For example you should be transparent about your activities, fulfil the right to be informed, the right to object to direct marketing and so on. You also need to identify a lawful basis for your marketing activities and meet the requirements of this lawful basis.

Consent

If you’re relying on consent under PECR, the ICO tells us consent must meet UK GDPR’s standards. In other words, consent should be ‘freely given, specific, informed and unambiguous’ and must be given by the individual with a ‘clear affirmative action’.

One of the big changes under GDPR was that the consent requirements became far stricter. It’s worth double-checking you’re meeting them. See Consent – are you getting it right?

Legitimate Interests

If you don’t have to rely on consent, your other option is legitimate interests. There is a handy table in the ICO’s legitimate interests’ guidance under Can we use legitimate interests for our marketing activities?, which sets out when consent is required and when legitimate interests may be appropriate.

It shouldn’t be a throwaway decision to rely on legitimate interests. GDPR requires you to carefully balance the legitimate interests of your business with the ‘rights and freedoms’ of the people you’re going to market to.

You need to take care to make sure the rights of those whose data you’re collecting are not undermined by your business’s legitimate interests. We’d advise completing a Legitimate Interests Assessment (known as a balancing test) and keeping a record of this.

Other areas to be mindful of

  • Disguising a marketing message as a service message. Businesses will often need to send service messages by email for administrative or customer services purposes. These can be sent to everyone provided they only contain essential factual information for your customer. Such as confirming an order, confirming a delivery date/time, and so on. However, if there’s any promotional content, for example an upsell or cross-sell message, they will be deemed to be direct marketing messages and then PECR will apply. See Marketing and Service Messages
  • Asking for permission to send marketing by email is deemed to be a marketing message in itself. So you can’t email people to ask them to consent to marketing.
  • ‘Hosted’ emails; this is where you use another organisation to promote your products or services to their database. This could cause a problem if you are judged to be the ‘instigator’ of these emails, especially in a B2C context, and valid ‘named’ consent wasn’t collected, i.e. your business wasn’t named when the other organisation collected consent.

The above are all areas where the ICO has taken action in the past.

On the face of it, email marketing rules might seem a minefield of terms: consent, soft opt-ins, opt-outs, legitimate interests, sole traders and corporate subscribers.

But once the rules are embedded into marketing teams’ heads and ways of working, it can make life easier and reduce the chances of unknowingly violating them and risking a fine.

Cookie compensation demands

June 2023

A quick buck for non-compliance?

What’s darkening our e-doormat this morning? It’s not a letter from the Information Commissioner’s Office.

It’s not ransomware or a phishing attempt.

No… it’s the dreaded cookie compensation demand!

Increasingly my colleagues and I, and friends in the data protection space, hear reports of official looking, legally-laden letters being received by companies. The simple message: your cookies are non-compliant, this is distressing me and I want money from you.

And everyone’s a potential target – any size of business, any sector. We know of small agencies through to blue chips receiving these letters. They aren’t complaining to a regulator, they’re coming straight to your front door or in-box.

Unlike the well-known privacy group noyb, who threaten to raise a formal complaint with a regulator if the offending company doesn’t remedy violations within a specified time, these demands from individuals would appear to have the sole aim of earning a quick buck.

For me, such letters leave a nasty taste, especially when smaller businesses or not-for-profits are targeted and where cookie use is limited.

How do they know our cookies aren’t compliant?

It’s easy to find out what cookies are used by any website. There are a number of free tools which you can just pop a website domain name into, and hey presto! A scan is run, and the results returned, revealing any cookie sins you may have committed.

What’s the claim?

Generally the claim letters allege non-essential cookies are being dropped onto users’ devices automatically, without clear information about their purposes and without consent. If a cookie banner is present, the claim will be it’s not compliant with UK GDPR / Privacy and Electronic Communications Regulations (PECR).

The letters often assume personal data is captured by the cookies – which may or may not be true. However, remember the PECR rules apply to cookies and similar tech regardless of whether the data they collect is personal or not.

The letters will claim distress or damage has been caused as a result of the placement of cookies onto the user’s device. It’s worth noting the right to compensation isn’t automatic; the claimant must be able to prove ‘damage or distress.’

As for how much – this isn’t nearly as scary as the realms of ransomware, with typical compensation demands in the region of £500-£1000.

To pay, or not to pay?

Companies are of course taking different approaches. In our experience many are ignoring them, and never hear from the complainant ever again. Others are standing their ground and asking for evidence of distress or damage. While some take a look at their cookies and similar tech and think, okay, fair cop we aren’t compliant so we’ll pay.

If you pay out, do you need to quickly get your cookie house in order? There’s the risk if you don’t, they could be back in a few months’ time if you’ve not successfully resolved any issues.

What are the cookie rules?

Before we blame GDPR, in the UK the rules for cookies and similar technologies are set out in PECR. Other countries across Europe have similar (but not identical) rules derived from the European ePrivacy Directive.

In short, we need to provide meaningful information to people about the categories of cookies and similar tech we use, and gain consent for any cookies which are not strictly necessary.

Different regulators across Europe have taken slightly differing approaches to what would be considered strictly necessary. Here in the UK, for example, website statistical cookies are not considered strictly necessary. (This could potentially change under government plans to reform data laws.) However, the French regulator, CNIL, for example, accepts statistical cookies as strictly necessary.

When GDPR came into effect in 2018, consent needed to meet a higher standard. The days of implied consent were over. This is why we’re greeted by a barrage of cookie banners and notices wherever we go online.

The reason these compensation demands are possible is that under PECR, people who have suffered damage or distress as a result of a contravention of the rules are entitled to bring proceedings against the offending party and seek compensation for that damage. Similarly, under GDPR people have the right to receive compensation where they’ve suffered material or non-material damage due to an infringement of the law.

What can we do to protect ourselves?

The only way to completely avoid a cookie compensation demand is to understand what types of cookies and similar tech are used by our website(s), behave transparently with a clear notification and collect informed consent for any which aren’t strictly necessary. The ICO Cookie Guidance illustrates what type of cookies might be considered strictly necessary.

There are lots of cookie consent management platforms on the market, some of which are free. However, if your cookie use is quite sophisticated, or you have sub-domains, a free option might not be enough.

Alternatively the options are to ignore, stand your ground or pay out.

I’ve heard a little rumour, one of the posse of cookie claimants is an in-house DPO who does this as a side hustle. And if you ask me, it’s just not cricket.

ICO issues fine for invalid marketing consent

April 2023

How do we make sure the consent we collect is compliant?

The ICO has issued a £130,000 fine to a company which operated five recruitment websites. Join the Triboo (JTT) was found to have failed to collect valid consent for email marketing communications and in the words of the regulator, ‘bombarded people with spam emails’.

What did JTT get wrong?

It was ruled there was a failure to meet the requirements for consent to be a ‘freely given, specific, informed and unambiguous’ indication of someone’s wishes. Statements used to collect ‘consent’ were judged to neither be informed, nor specific.

One ‘consent’ statement used stated ‘I agree to marketing activity’. Perhaps unsurprisingly, this was judged as not clearly telling people what types of communications subscribers could expect to receive, by what means, or from whom. The privacy policy stated marketing might be carried out on behalf of ‘third parties’ who operate in ‘any business sector’.

Another statement referred to emails on behalf of ‘selected companies’ and contained broad categories including ‘general’.

Again, the ICO ruled this could not be considered specific or informed, and jobseekers using JTT-operated websites weren’t given enough information to understand what they were consenting to.

Do we have to name third parties which rely on the consent we collect for them?

Interestingly, the enforcement notice in this case does not specifically spell out that third parties relying on consent must be named. It states:

Consent is required to be “specific” as to the type of marketing communication to be received, and the organisation, or specific type of organisation, that will be sending it.

It’s not clear if the use of the term ‘specific type of organisation’ marks a shift in the Regulator’s stance to date, that named consent is always required. The ICO’s consent guidance states: ‘Name any third party controllers who will rely on the consent’.

What does valid consent look like?

The ICO’s guidance on consent sets out its expectations of what constitutes valid consent. To summarise:

  • A consent request must be prominent and separate from terms & conditions
  • People must take a positive action to opt in
  • Pre-ticked boxes must not be used
  • Clear and plain language must be used
  • It should be clear what we will use the data collected for
  • Any other organisation relying on consent must be named
  • People should be told, when they give their consent, they can withdraw it at any time
  • Consent shouldn’t be a precondition of a service

Here at the DPN we use the following statement to collect consent for our email newsletter. We’re pretty confident we’ve followed the ICO’s checklist.

SIGN UP FOR OUR NEWSLETTER
DPN updates direct to your inbox. Get insight, free resources, events & services from DPN Associates (publishers of DPN). All our emails have an opt-out. For more information see our Privacy Statement.

A box is provided to enter an email address and a positive action is taken when clicking the ‘Subscribe’ button.

Is consent always needed for email marketing?

The short answer is no. There’s an exemption to consent for business-to-consumer email marketing known as the soft opt-in, which can be legally used if specific conditions are met. This exemption was not applicable in the JTT case.

Email marketing by a business to its business contacts is also permitted without consent (provided the requirements for a legitimate interest are met).

When not relying on consent, the lawful basis for processing data for marketing purposes under UK GDPR will be legitimate interests.

The rules for direct marketing by electronic means are governed by the Privacy and Electronic Communications Regulations (PECR). When PECR tells us we need consent, this consent must meet the UK GDPR standard. The ICO has recently updated its direct marketing guidance.

Quick takeaways

  • Be clear about what you’re asking people to consent to – what type of marketing can they expect to receive?
  • Tell people which media communications channel you will use. If you’re going to send people marketing by email, make this clear.

For more detail see the ICO enforcement notice.

What could the marketing ‘soft opt-in’ mean for charities?

April 2023

Exemption to consent may be extended to not-for-profits

There seems to be a misconception consent is always needed for email marketing. It’s a point I’m often asked about. While consent might be seen as the most upfront and open way of collecting marketing permissions, it isn’t always legally required.

For business to consumer marketing (B2C) by electronic mail, there’s always been an exemption to consent available for commercial use, if specific conditions are met.

This exemption is known as the ‘soft opt-in’. A confusing term, as it essentially allows businesses to offer people the chance to opt-out. This exemption is why you might have come across opt-out boxes when, for example, purchasing a product online.

However, charities have been restricted to using this exemption for their commercial activities only, for example if they have an online shop. They’re not permitted to use supporter data gathered via the soft opt-in for fundraising purposes.

But the latest draft of the UK’s Data Protection and Digital Information Bill confirms plans to expand the use of the ‘soft opt in’ for not-for-profits and political campaigning.

What’s the ‘soft-opt-in’?

The laws governing marketing by electronic mail are covered in the UK’s Privacy and Electronic Communications Regulations (PECR).

Under PECR you need consent to send electronic marketing messages (for example by email and text) to what are termed ‘individual subscribers’, unless you can meet the conditions of the exemption. ‘Individual subscribers’ are people who personally subscribe to their email/SMS service provider.

The ‘soft opt-in’ exemption can currently be used if the following criteria can be met:

  • Contact details are collected during the course of a sale, or negotiations for a sale, of a product or service;
  • An opportunity to refuse or opt-out of the marketing is given at the point of collection, and in every subsequent communication;
  • You only send marketing about your own similar products and services (not those of a third party); AND
  • You provide the ability to opt-out in every communication.

These strict criteria, in particular the first point, mean this exemption has largely only been used by commercial businesses.

For more information see PECR Regulation 22 and the ICO’s Guide to PECR.

What might change?

It’s proposed the soft opt-in exemption will be extended to non-commercial organisations and purposes. The latest draft of the Bill sets out this could be used when the direct marketing is:

  • solely for the purpose of furthering charitable, political or other non-commercial objectives
  • where contact details have been obtained during the course of a recipient expressing an interest or providing support, AND
  • where the recipient is given a clear and simple means of objecting to direct marketing at the point their details were collected, and in every subsequent communication.

What do charities need to consider?

There will be a choice to make as to whether to stick with consent as the lawful basis, or start collecting new data using the soft opt-in. You’ll need to weigh up the pros and cons.

It’s crucial to be aware this will only be possible to use moving forward. It isn’t an opportunity to re-contact people who didn’t give you consent, where you don’t have adequate records or where people have opted out in the past.

It raises some important questions. Will your CRM system be able to store multiple permission statuses for legacy data alongside new data gathered under the soft opt-in? Will people find it confusing, having got used to opting in? Will people tick the box, thinking they’re opting in, when actually they’ll be opting out?

A positive change

The proposed changes are supported by the Chartered Institute of Fundraising. Daniel Fluskey, Director of Policy and Communications says; “We have long advocated for the soft opt-in to be extended so that it could be used by charities and very much welcome the development to bring this in through the new legislation. Charities should have the same opportunities to fundraise as businesses have to market their services and products. But more importantly than that, charities and supporters can benefit from this more flexible approach to email marketing by providing an opportunity to develop a relationship or encourage people to support a charity where they have already expressed an interest in doing so.”

Claire Robson, GOSH Charity Data Protection Officer, is also supportive of the move; “Here at GOSH Charity, we welcome the proposed change in law that will enable charities to decide whether they want to apply the soft opt-in for marketing communications. However, we also recognise this isn’t a silver bullet and must be done with thought and care, ensuring our donors and supporters hear from us in the ways that work best for them.”

What about B2B marketing?

The rules on consent and the ‘soft opt-in’ under PECR do not apply to business-to-business marketing by electronic mail, that is, marketing to what are termed ‘corporate subscribers’. ICO guidance on this can be found here.

There are no plans to change this, so it will remain a choice for B2B communications whether to collect consent or not. However, we do need to be mindful sole traders and some partnerships fall under the definition of ‘individual subscribers’, so would fall under the consent / soft opt-in rules for B2C marketing.

Here at DPN we also welcome plans to extend the soft opt-in to not-for-profits, albeit we appreciate this move is likely to have been largely driven by aims to permit this for political campaigning purposes. We would just recommend charities carefully think through any changes to current practices.

ICO direct marketing guidance for email and other electronic mail

October 2022

The rules and regulatory expectations spelt out

The ICO has published guidance specifically outlining the rules for direct marketing using electronic mail. The guidance clarifies the position the regulator takes on consent, the soft opt-in, refer-a-friend campaigns, hosted emails, using bought-in lists and more.

The guidance specifically focuses on direct marketing by electronic mail to individuals (‘individual subscribers’). The term ‘electronic mail’ covers email, text, picture, video, voicemail, and in-app messages, as well as sending people direct private messages via social media.

The rules for sending direct marketing by electronic mail are covered by the UK’s Privacy and Electronic Communications Regulations (PECR). We’re also reminded to comply with UK GDPR if we’re handling personal data.

This summary covers the core rules under PECR, as set out in the guidance, picks up on specific areas where the ICO has clarified its position and includes an occasional soupçon from me.

Where italics are used, this is text lifted from the guidance itself – so the regulator’s words not mine.

A. Core direct marketing rules and definitions

Options for electronic direct marketing messages

PECR says you can only send direct marketing by electronic mail if:

  • You have consent; or
  • you can meet all of the requirements of the ‘soft opt-in’.

I’d just stress, this means the consent of the individuals the message is targeted at.

Importantly it’s made clear these rules only apply to what are termed ‘individual subscribers’. It says, you can send electronic mail marketing to a corporate subscriber without needing to comply with the above requirements.

The following definitions are given:

  • Corporate subscribers are corporate bodies with separate legal status (eg companies, limited liability partnerships, Scottish partnerships).
  • Individual subscribers are people but also include some types of businesses (eg sole traders and some types of partnerships).

Another way to put this is individual subscribers are people who’ve signed up to the email service provider themselves.

I’d also just add, where you don’t have consent for business-to-business marketing – marketing to corporate subscribers – you’d be relying on Legitimate Interests under UK GDPR. Legitimate Interests is subject to a balancing test, so it’s wise to conduct a written assessment (Legitimate Interests Assessment).

What constitutes direct marketing?

The Data Protection Act 2018 defines direct marketing as: “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. A definition which applies under PECR too.

It’s a broad definition and covers any advertising, marketing or promotion of products and services. It also includes promoting aims and ideals, so covers fundraising and campaigning.

This latest guidance says: “The definition doesn’t cover online advertising (eg advertisements placed on websites). It also doesn’t cover some types of direct marketing using social media (eg advertising messages shown on news feeds). This is even when organisations target these advertisements to a particular user of the site or platform.”

We’d point out targeted online advertising would fall under PECR rules where you’re using cookies and similar technologies.

For more information see: What is direct marketing?

Service messages

Messages sent for purely administrative or necessary customer service purposes are not considered direct marketing. However, if such messages include any promotional content, they’ll be considered direct marketing.

The ICO regularly issues fines where organisations have intentionally, or unintentionally, disguised marketing messages as service ones. An area I’ve written about before: Another ICO fine for a ‘service’ email deemed to be marketing.

Organisations have even been fined for sending messages asking people (who haven’t given permission or who’ve opted out) to confirm their marketing preferences. This in itself is judged to be direct marketing.

Solicited messages

If a customer specifically asks for information about your products and services, responding with the information requested will be considered a solicited message and won’t fall under the definition of direct marketing.

B. What constitutes valid consent?

There are specific requirements which the ICO says must be met for consent to be valid.

  • you must give people a free choice to consent so that they can refuse without detriment and you must keep the consent separate from other things, such as terms and conditions (‘freely given’);
  • you must make it clear that the consent covers your electronic mail marketing messages and you must give your name in the consent request (‘specific and informed’);
  • you must have no doubt that they are consenting to your electronic mail marketing messages (unambiguous indication); and
  • they must take a positive action to consent, so you must not use pre-ticked opt-in boxes, silence or inactivity as an indicator of consent (clear affirmative action).

You should keep a record of the consent (e.g. who, when, how) so that you can demonstrate that it is valid. People can also withdraw consent and you must make it easy for people to do this.

For more information see: How do we use consent?

At DPN we’d recommend any permission statement also includes a clear link to your privacy notice. This is so you can be confident you meet UK GDPR requirements to provide privacy information when personal data is collected.

C. Using the soft opt-in

The guidance reiterates all of the following conditions must be met to compliantly rely on this exemption to consent.

  • You want to send marketing by electronic mail to individual subscribers (includes sole traders and some types of partnerships).
  • You collected their contact details directly from them
  • You collected their details during a sale, or negotiations for a sale, of your products and services
  • You want to use their details to send them marketing about your similar products and services
  • You gave them a clear, simple way to opt-out, or say no to your marketing, when you collected their details
  • You give them a clear, simple way to opt-out, or change their mind about your marketing, in each message you send.

Just to be very clear on the fifth point, you must tell people you want to send them marketing, and give them the ability to say no.

What constitutes a ‘sale’?

Currently, the soft opt-in under PECR specifically uses the word “sale” and refers to “products and services”. The ICO says this means the soft opt-in doesn’t apply to details collected where there’s no sale (or such a negotiation), or where there are no products or services involved.

For “negotiations for a sale” to be triggered the ICO says the customer must actively express an interest in buying your products or services. Examples given include:

  • A request for a quote
  • Specifically asking for more details about what you offer
  • Signing up for a free trial

The ICO says: The communication from the person must involve buying products or services. It’s not enough for someone to send any type of query.

What about other companies in the same group?

The ICO considers use of the soft opt-in to be only available to the same entity or single organisation that originally collected the contact details. It says this means it won’t apply to other companies within the same group as the collecting organisation.

Charities and the soft opt-in

The way it’s worded in PECR means the soft opt-in only currently applies to commercial marketing of products and services. The ICO says this does not apply to the promotion of aims and ideals, for example campaigning or fundraising.

However, it could potentially apply to any commercial services or products offered. For example, if a charity has an online shop, they could use the soft opt-in to send direct marketing emails about the shop’s products, assuming all other conditions are met. In other words, the marketing could only be about products, not fundraising.

Under UK Government plans to reform data protection law and PECR it’s been proposed the soft opt-in should be extended to cover charities and political campaigning. (At time of writing, with the current political turmoil, the future direction of the Data Protection and Digital Information Bill is not known).

For more information see: How do we use soft opt-in?

An important point to highlight here: if you’re using the soft opt-in, you’ll be relying on Legitimate Interests as your lawful basis to process personal data for this activity under UK GDPR. This would therefore be subject to a balancing test – a Legitimate Interests Assessment. This is covered in the guidance under: What else do we need to consider?

D. Hosted email campaigns

The guidance doesn’t use the term ‘hosted’ email campaigns, but mentions how both the sender and the instigator of direct marketing by electronic mail will be responsible for complying with PECR.

It says you’re likely to be instigating if you: encourage, incite, incentivise or ask someone else to send electronic mail containing your direct marketing message.

We can take from this that if you ask another company to send your marketing messages to their customers, or you send a third-party’s marketing to your customers, the rules under PECR will apply.

The ICO doesn’t spell it out, but it’s clear it would not be possible to meet the conditions of the soft opt-in, and therefore consent would be required.

For more information see: Who is responsible?

It’s not unusual for companies to include an element of third-party marketing within their email campaigns, where this is perhaps not the main purpose. For example a travel company might include details of hire car companies within its own marketing messages.

The ICO has previously issued a fine to the Brexit Leave Campaign for including a promotion for an insurance company. In this case the promotion was totally unrelated to the content people might have expected to receive.

Where third-party content is incidental and relevant to the product or service, people are less likely to complain. Some companies may choose to take a risk-based approach here, balancing their commercial imperatives with the arguably lower likelihood of regulator enforcement action. A stand-alone message about a third party’s products and services would carry greater risks.

We’d stress here we do not know what stance the ICO would take should a complaint arise about a campaign which included some relevant and useful content promoting a third party.

E. Using bought-in lists

The message is clear – in order to use bought-in lists for electronic mail marketing to individual subscribers, the ICO says people must have given their consent to receive such marketing from your organisation. The ICO’s separate consent guidance states: Name any third party controllers who will rely on the consent.

For more information see: Can we use bought-in lists?

F. Viral marketing and refer-a-friend

The ICO says you must comply with the PECR rules if you engage in viral marketing, ‘refer a friend’ or ‘tell a friend’ campaigns. It’s stated: This applies even if you don’t send the messages yourself, but instead instigate the sending or forwarding of these messages.

For the Regulator to consider you the ‘instigator’, just encouraging someone to send or forward the message is enough.

Essentially the ICO says encouraging customers to forward your emails or texts is a non-starter. You don’t have consent from the recipients, and you can’t rely on the soft opt-in.

However, the ICO says you can take steps to avoid being an instigator, such as:

  • Don’t create pre-populated emails for marketing which customers can send their friends and family
  • Avoid actively encouraging customers to forward on an email or text. (If they do it without being encouraged to, the PECR rules wouldn’t apply).

An example is given of a customer logging into their account which includes information about a rewards scheme for friends and family. This explains, if friends or family input the customer’s unique code when signing up to the company’s services, the customer will get a discount on their bill. The ICO says this approach would be okay.

The guidance doesn’t cover viral marketing via social media. We’re presuming the rules would only apply if you sent this as a private message encouraging people to forward it, as opposed to posting something let’s say on a forum.

For more information see: Can we ask people to send our electronic mail marketing?

G. Using publicly available contact details

The ICO says it’s unlikely you can use contact details sourced indirectly from social media accounts, websites or other online or offline sources for electronic marketing. The reason being you can’t comply with PECR as you won’t have their consent and can’t rely on the soft opt-in.

The guidance makes it clear an exception would be where these are business contact details, where the requirement for consent or soft opt-in doesn’t apply. (We take this to mean ‘corporate subscribers’).

For more information see: Can we use publicly available contact details to send marketing by electronic mail?

The above is a summary of the guidance and we’d encourage you to read the full guidance, or at least any areas specifically relevant to your organisation. In saying this, I’d recommend not taking aspects of the guidance in isolation. If you’re relying on consent, read the ICO’s consent guidance. If you are relying on soft opt-in, read the guidance on legitimate interests.

I’d also highly recommend making sure you have tailored marketing guidance (or a policy) for employees (and/or your marketing agency). Training for specific teams is also likely to improve awareness and knowledge. A great way to prevent unnecessary mistakes.

Relevant teams should understand the rules and your internal approach. It’s clear in recent PECR fines the ICO sometimes discovers there is insufficient guidance given to staff.

Alongside this guidance on electronic marketing mail, the ICO has also published guidance on live telemarketing.

I think we can take from these specific pieces of guidance the Direct Marketing Code of Practice has been pushed further into the long grass. The draft consultation published back in 2020 is clearly on the backburner, perhaps until there’s a clearer picture of what is, or isn’t happening, with UK data reform?