Plans to extend marketing ‘soft opt-in’ to charities

June 2022

Exemption to consent could be extended to not-for-profits

In a move welcomed by the Institute of Fundraising, the Government has confirmed it intends to extend the use of the ‘soft opt-in’ for electronic marketing to charities under UK data reform plans.

So, what is the ‘soft opt-in’, how does it currently work, and how might it work for charities?

What’s the ‘soft opt-in’?

The rules governing electronic marketing are set out in the UK’s Privacy and Electronic Communications Regulations (PECR), which cover email, SMS and telemarketing.

Under PECR you need to have consent to send electronic marketing messages (e.g. email or SMS) to what are termed ‘individual subscribers’. These are people who personally subscribe to their email/SMS service provider (often referred to as B2C marketing).

But you don’t always legally need consent…

There’s an exemption under PECR for electronic marketing to existing customers. This is commonly known as the ‘soft opt-in’.  An ambiguous term as it permits the use of an ‘opt-out’!

Currently only available to commercial businesses, there are specific rules you need to follow when relying on this exemption:

  • Contact details are collected during the course of a sale, or negotiations for a sale, of a product or service;
  • An opportunity to refuse or opt-out of the marketing is given at the point of collection, and in every subsequent communication;
  • You only send marketing about your own similar products and services; AND
  • You provide the ability to opt-out in every communication

For more information see PECR Regulation 22 and the ICO’s Guide to PECR.

Charities’ use of the soft opt-in

The devil will be in the detail about how this might be applied in practice for charities. Daniel Fluskey, Director of Policy and Communications at the Institute of Fundraising points out:

“Charitable donations don’t normally count as a sale or transaction in law as it’s a one way transfer of money with nothing bought or expected in return. So, if what we get is a narrow application of this, then making a donation on a charity website wouldn’t count for the soft opt-in. But a supporter buying something (a ticket for a concert, a product bought through an online charity shop, or someone buying a charitable service, etc) would be contactable via soft opt-in to offer them that similar product in the future.

Perhaps though, if a wide application is applied then donations could be counted for the soft opt-in to work. This would of course be a bit more of a game-changer and is one of the areas that we’ll have to see the wording of the legislation and accompanying guidance to see where it lands.”

It’s worth noting the rules on consent and the ‘soft opt-in’ under PECR do not apply to ‘corporate subscribers’. A corporate subscriber is where the organisation (as opposed to the individual) has subscribed to the email/SMS service. (Commonly referred to as B2B marketing).

To quote the ICO on this, here’s an extract from the draft Direct Marketing Code of Practice:

“The PECR rules on marketing by electronic mail (e.g. email and text messages) do not apply to corporate subscribers. This means you can send B2B direct marketing emails or texts to any corporate body. However, you must still say who you are and give a valid address for the recipients to unsubscribe from your emails.”

You do however need to be mindful that sole traders and some partnerships fall under the definition of ‘individual subscribers’, so they fall under the consent / soft opt-in rules for B2C marketing.

Are changes also on the cards for political campaigning?

In another potential change to marketing rules, the Government says it will be considering whether political communications should remain within the scope of PECR’s direct marketing rules (or be excluded).

It also intends to extend the soft opt-in to political parties and elected representatives. This could allow for contact with individuals who have previously shown an interest in the activities of the party without their explicit consent.

The examples given in the Government response to the data reform consultation include – ‘attending a conference’ or ‘making a donation’. Is this a possible sign charities will also be able to use the ‘soft opt-in’ when individuals make donations?

To find out more detail about the data reform plans, we’ve published key highlights: UK data reform plans revealed.

Nothing is certain yet. As the legislation progresses it will be subject to parliamentary scrutiny and possible changes.

The Golden Rules of Telemarketing

February 2022

How legitimate businesses avoid being ‘nuisance’ callers

My 83-year-old mum was recently called by someone trying to sell her a panic alarm. I’ve urged her to hang up on calls from anyone she doesn’t know, but she hails from a politer generation than mine.

He said, at her age and living on her own, she was at risk. I suspect the salesman elicited these details from her during the call. He urged her to have a panic alarm installed so she could alert family or a neighbour if she needed to.

Luckily, she told him she wasn’t quite ready to make a decision. Then she asked for his company name and phone number, so she could call back when she was.

You’re probably ahead of me here… of course he declined to give her this information.

It’s an all too familiar tale.

The call was, in my view, a disgrace. It shouldn’t have happened. I registered mum’s number with the Telephone Preference Service (TPS) years ago. However, predators (and there are plenty of them) will always target the potentially vulnerable.

While nuisance calls are a key priority for the Information Commissioner’s Office (ICO), with frequent fines issued, it’s a game of whack-a-mole. Take out one chancer, and two more pop up somewhere else. And being potentially tarred with the same brush isn’t, as the kids say nowadays, a good look.

What do legitimate businesses need to do to avoid falling foul of the rules?

The rules aren’t complicated. There’s really no excuse! Here’s a quick 5-point guide:

1. Live marketing calls to individuals

The Don’ts
    • Don’t call anyone who’s told you they don’t want to hear from you
    • Don’t call anyone registered with the Telephone Preference Service unless you’ve obtained their consent to do so (And yes, that will be UK GDPR level ‘specific, informed and unambiguous’ consent)
The Do’s
    • Say who’s calling – be transparent
    • Always display your number (or an alternative contact number) to the recipient of your call
    • Provide an address or freephone contact number if asked
    • Keep a list of those who tell you not to call them and screen numbers against it before you make calls
    • Screen your lists against the TPS (unless you genuinely have consent)
    • Keep records of consent (if you rely on it)
    • Carry out a Legitimate Interests Assessment (if not relying on consent)
    • Make it easy to opt-out / withdraw consent. Make sure call handlers know how to respond when someone wants to opt-out.

2. Remember sector specific rules

There are stricter rules if you are making calls about claims management or pension schemes.

  • Claims management services: you must have consent
  • Pension schemes: you must have consent unless:
    • you are a trustee/manager of a pension scheme; or
    • a firm authorised by the Financial Conduct Authority; or
    • your relationship with the individual meets strict criteria.

3. Automated calls

For calls made by automated dialling systems which play a recorded message the rules are also stricter:

  • You must have specific consent from individuals indicating they’re okay to receive automated calls
  • Calls must include your organisation’s name and contact address or freephone number
  • You must display your number (or an alternative contact number)

4. Marketing/sales calls to business numbers

The rules are the same for calling businesses as they are for individuals. (See the do’s and don’ts above).

Just remember, if you don’t have consent, you should screen your list against the TPS and the CTPS (Corporate Telephone Preference Service). This is because some businesses (sole traders and some partnerships) may be registered with the TPS.
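The screening steps in the do’s and don’ts above (keep an internal do-not-call list, screen against the TPS unless you genuinely have consent) and the CTPS point in section 4 can be turned into a single pre-dial check. The following is an added example written for this page, not code from the ICO, the TPS or any real dialler; the register contents are constructed, and it assumes every number on the list is a UK number:

```python
"""Call-list screening against suppression registers (added example; not
the ICO's, TPS's or any real dialler's code). Numbers are normalised to
+44 E.164 form, then checked in the order the rules imply: an explicit
objection always wins, specific consent overrides a TPS/CTPS entry, and
anything else is allowed only on a documented legitimate-interests basis.
Register contents below are constructed; real TPS/CTPS data is licensed."""
import re
from dataclasses import dataclass


def normalise_uk(number: str) -> str:
    """Normalise a UK number (assumed: all input is UK) to +44 E.164 form."""
    digits = re.sub(r"\D", "", number)
    if digits.startswith("0044"):
        digits = digits[4:]
    elif digits.startswith("44"):
        digits = digits[2:]
    if digits.startswith("0"):        # national trunk prefix, or "+44 (0)20..."
        digits = digits[1:]
    return "+44" + digits


@dataclass(frozen=True)
class ScreenResult:
    number: str      # normalised number
    allowed: bool    # may the call be made?
    reason: str      # which rule decided it; keep this in the audit log


def screen_number(number, dnc, tps, ctps, consent) -> ScreenResult:
    """Apply the rules to one number. Order matters: objection > consent > registers."""
    n = normalise_uk(number)
    if n in dnc:
        return ScreenResult(n, False, "internal do-not-call list")
    if n in consent:
        return ScreenResult(n, True, "specific consent on record")
    if n in tps:
        return ScreenResult(n, False, "TPS registered, no consent")
    if n in ctps:
        return ScreenResult(n, False, "CTPS registered, no consent")
    return ScreenResult(n, True, "unregistered; legitimate interests assessment applies")


def screen_list(numbers, dnc, tps, ctps, consent):
    """Screen a whole call list; returns (callable numbers, blocked results)."""
    results = [screen_number(x, dnc, tps, ctps, consent) for x in numbers]
    return ([r.number for r in results if r.allowed],
            [r for r in results if not r.allowed])


# Constructed registers, stored normalised so lookups are exact.
DNC = {normalise_uk("020 7946 0001")}
TPS = {normalise_uk("020 7946 0002"), normalise_uk("07700 900003")}
CTPS = {normalise_uk("0113 496 0004")}
CONSENT = {normalise_uk("07700 900003")}

# Constructed call list using Ofcom's reserved drama number ranges.
CALL_LIST = [
    "+44 20 7946 0001",   # objected directly -> blocked even though not on TPS
    "02079460002",        # TPS registered, no consent -> blocked
    "07700 900003",       # TPS registered but consented -> allowed
    "0113 496 0004",      # sole trader on CTPS -> blocked
    "0044 113 496 0005",  # on no register -> allowed under a documented LIA
]

if __name__ == "__main__":
    callable_numbers, blocked = screen_list(CALL_LIST, DNC, TPS, CTPS, CONSENT)
    print("callable:", callable_numbers)
    for r in blocked:
        print("blocked:", r.number, "-", r.reason)
```

The reason string is the part worth keeping: if a complaint reaches the ICO, the question will be why a particular number was dialled, and a log that says "consent on record" or "unregistered; LIA applies" for each call is the evidence the rules ask you to hold.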

5. Understand the difference between ‘service’ and ‘marketing’ calls

The definition of direct marketing covers any advertising or promotional material directed at particular individuals. Telemarketing is absolutely in scope.

Routine customer service messages don’t count as direct marketing, but if you are treating it as a service call you need to be careful the script (or what your call handlers say in practice) doesn’t stray into the realms of trying to get customers to buy extra products, services or to upgrade or renew contracts.

It’s worth noting a Trade Union was recently fined £45k. Telephone numbers hadn’t been screened against the TPS because the union didn’t believe its calls were direct marketing. The ICO disagreed. Just because you believe you’re acting in good faith doesn’t mean you are. How did a Trade Union fall foul of the marketing rules?

What are the applicable laws?

The rules governing telemarketing calls in the UK can be found in the Privacy and Electronic Communications Regulations (PECR) and are covered in ICO Telemarketing Guidance. As well as complying with PECR you should consider UK GDPR for your handling of personal data.

The rules can differ outside the UK, so if relevant it’s worth checking local laws. Many countries have a ‘do not call’ register similar to the Telephone Preference Service. The UK rules are covered in the .

IAB Europe TCF (Transparency and Consent Framework) under fire again

November 2021

The Belgian regulator (APD) is expected to announce that IAB is a data controller with TCF

What does the future hold for third-party cookies? The Belgian DPA has apparently notified IAB Europe that it will find them to be in breach of GDPR. An investigation has been carried out by the Belgian DPA which will be shared with other data protection regulators across Europe.

These regulators have 30 days to review the proposed ruling before it is adopted by the Belgian DPA or referred to the European Data Protection Board. If adopted, IAB has six months to change its framework to comply. The IAB has robustly defended its position and says it will be able to comply. The IAB stated:

“It will also find that those infringements should be capable of being remedied within six months following the issuing of the final ruling, in a process that would involve the APD overseeing the execution of an agreed action plan by IAB Europe.”

How did this start? 

This started in 2018 with a series of complaints made about the IAB’s Transparency and Consent Framework. In particular, the complainants contended that the use of personal data in the process to place digital advertising, known as Real-Time Bidding, represented a massive worldwide data breach. 

One of the complainants, ICCL (The Irish Council for Civil Liberties) noted:

“these (cookie) popups purport to give people control over how their data are used by the online advertising industry. But in fact, it does not matter what people click.”

The ICCL has also launched a privacy lawsuit against the IAB in Germany.

The Belgian DPA investigated these complaints and published its initial findings in October 2020. It appears that it is now about to announce formal action against IAB.

What is the problem?

At its heart is the issue of whether the IAB is a legal data controller. IAB has said that the Belgian DPA considers them to be a legal data controller for the TC Strings – also known as:

“digital signals created on websites to capture data subjects’ choices about the processing of their personal data for digital advertising, content and measurement” 

“The APD is understood to consider these signals to be personal data.”

IAB Europe has vehemently rejected the notion that they are anything but a data processor. They have consistently asserted that the AdTech providers they serve are the data controllers. 

What does this mean?

Potentially, all Real-Time Bidding activity using TCF could be stopped. The more likely outcome is that IAB will rectify the problem within the six-month period allocated to them. Longer-term, though, this is just another nail in the coffin for the use of third-party cookies for targeting digital advertising.

For any marketing team who are not giving serious consideration to how they’re going to replace the Real-Time Bidding free for all, this is yet another warning that the world is changing. Even if IAB Europe does manage to fend off this particular attack, the future of the Transparency and Consent Framework is under threat. 

The future of third-party cookies

To many, it is obvious third-party cookies have had their day. Google announced that they would not be supported by Google Chrome from around now. Although their launch of the Google Sandbox has been delayed, this is a stay of execution, not a change. As Google controls more than 60% of the browser market, this was a game-changing announcement. 

What should marketers do?

  1. If you haven’t started your programme of first-party data collection, start now. This is data supplied by individuals through the course of a transaction or communication. It could be their address, email, telephone number etc. Obviously, ensuring you have used an appropriate lawful basis to use that data to create marketing segments is essential, and that this activity is mentioned in your privacy notice.
  2. Investigate how you can start to collect Zero party data. This is a newish term coined by Gartner in 2020. This means data that is collected by inviting individual users to volunteer information through surveys/questionnaires etc. By definition, the lawful basis for using this data will be consent but make sure that the use case is clearly communicated at the point of data capture. 
  3. Seek out contextual advertising solutions. These are programmatic advertising solutions that use context to understand the audience rather than those systems powered by segments built using third-party cookies. Several major media owners have already signed contracts with big providers such as Permutive. 
  4. Also, consider using any promotional solutions which employ Edge computing. Look for advertising solutions that do not suck a user’s data into a central hub but allow that data to stay on the user’s own device.
  5. Investigate the use of second-party data. This is permissioned data owned by one organisation that is sold directly to another for that organisation’s exclusive use. Also, look at data cooperatives, data marketplaces & exchanges and technical data environments – sometimes called clean rooms. These also use permissioned data to build audience insight. The key here is to interrogate the provenance of that data. Can the supplier provide a clear audit trail?
  6. Consider the use of vertical networks – a blunter object than contextual advertising solutions but an effective way of promoting your services to special interest groups.

Whilst we remain in a state of limbo with third-party cookies, it may seem difficult to decide what to do next. The reality is that we need to assume that cookies will disappear and the sooner other compliant and more ethical targeting methods are used, the better. 

How risky are your bulk email communications?

November 2021

HIV charity fined for exposing personal data via email

The Information Commissioner’s Office has fined HIV Scotland £10,000 for failing to protect personal data, in a case that could raise alarm bells in other organisations.

What went wrong?

The penalty came about after an email was sent by HIV Scotland to 105 members of HIV Scotland’s Community Action Network (CAN). Email addresses were visible to all recipients in the ‘CC’ field. In fact, 65 of the addresses identified people by name.

HIV Scotland notified the Commissioner about the breach on 3 February 2020, contacted the Commissioner’s Helpline about the incident, and completed the necessary notification within two hours of the incident occurring.

Although the email addresses themselves may be considered fairly innocuous, due to the nature of the email, the charity had inadvertently disclosed special category data. The ICO commented that assumptions could be made about individuals’ HIV status or risk from the data disclosed.

ICO findings

An investigation by the ICO found a number of shortcomings in the charity’s email procedures, including:

  • inadequate staff training
  • an inadequate data protection policy
  • incorrect methods of sending bulk emails by using the ‘BCC’ (blind carbon copy) method.

During their investigation the ICO discovered HIV Scotland had procured a new system back in July 2019 to enable bulk emails to be sent securely. However, at the time of the breach seven months later, they had failed to migrate the CAN email list over to the new email system. The charity still continued to use the ‘BCC’ method of emailing to the CAN list.

The BCC method of bulk email is open to human error. In this instance, the email addresses of recipients were mistakenly placed in the CC field instead of the BCC field.

The ICO’s Monetary Penalty Notice states HIV Scotland ‘failed to implement an appropriate level of organisational and technical security to its internal email systems’ which resulted in the breach of special category data.

Email breaches have happened before

The ICO noted that it had previously taken action against organisations for similar breaches. The risks of these kinds of disclosures, and the potential harm that might be caused to data subjects, are matters that had been reported on in both mainstream and trade media.

The Charity’s Interim Chief Executive, Alastair Hudson, apologised unreservedly to anyone who had been affected by the data breach and said a new team and board of trustees had taken “robust steps” to improve information security.

The ICO recognised that HIV Scotland has completed procurement of the MailChimp email solution, implemented a training portal with mandatory UK GDPR training refreshed every year, and that it also took steps to try and mitigate the risks by asking all recipients to delete the email on the same day that it was sent. It has also added a message to its website.

ICO warns organisations about bulk emails

As a result of this case the ICO has issued a warning urging organisations to revisit their bulk email practices. This case should act as a reminder to organisations which handle special category or other sensitive data that their procedures, practices and technical measures need to be reviewed regularly to ensure they are fully up to scratch and don’t put people at risk from data being exposed.

What actions can we take?

Organisations which send bulk emails might wish to make sure:

  • staff who handle email communications have received sufficient training
  • you have appropriate and robust email procedures in place which staff should follow
  • you regularly remind staff of the correct procedures

Clearly there is a risk that, if you use the BCC method, email addresses could accidentally end up in the CC field rather than the BCC field, resulting in disclosure of personal data. The ICO is indicating this method of sending should be avoided. If you regularly send emails using the BCC method, you should look to implement a bulk email solution to prevent the risk of disclosing personal data to others.
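The failure mode described in this case (a recipient list pasted into CC instead of BCC) is mechanical enough to catch before the message leaves. The following is an added example written for this page, not HIV Scotland’s, MailChimp’s or the ICO’s code: it checks what a recipient would actually see in the To and Cc headers, blocks a message that exposes more than one address, and shows the safer alternative of building one message per recipient so that BCC is never relied on. The sample messages and addresses are constructed.

```python
"""Pre-send guard against the CC/BCC slip (added example; not the charity's,
the ICO's or any mail provider's code). A bulk mailing should never expose
more than one recipient address in the visible To/Cc headers; the safer
pattern is one message per recipient, so there is nothing to get wrong."""
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

# A message should show at most this many addresses to whoever receives it.
MAX_VISIBLE_RECIPIENTS = 1


def visible_recipients(raw: str) -> list:
    """Distinct addresses a recipient could read from To and Cc (Bcc is ignored,
    because the receiving side never sees it)."""
    msg = message_from_string(raw)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _, addr in pairs if addr})


def check_visible_exposure(raw: str) -> list:
    """Return a list of problems; an empty list means the message may be sent."""
    seen = visible_recipients(raw)
    problems = []
    if len(seen) > MAX_VISIBLE_RECIPIENTS:
        problems.append(
            f"{len(seen)} addresses visible in To/Cc; a bulk mailing must not expose its list"
        )
    return problems


def individual_messages(sender: str, subject: str, body: str, recipients: list) -> list:
    """Build one message per recipient; no recipient ever sees another's address."""
    out = []
    for rcpt in recipients:
        m = EmailMessage()
        m["From"] = sender
        m["To"] = rcpt
        m["Subject"] = subject
        m.set_content(body)
        out.append(m)
    return out


# Constructed sample: the mistake, with the distribution list pasted into Cc.
BAD_MESSAGE = """From: news@example.org
To: news@example.org
Cc: Alice Example <alice@example.net>, bob@example.net, carol@example.com
Subject: Network update

Hello all,
"""

# Constructed sample: the same mailing done one recipient at a time.
SAFE_MESSAGE = """From: news@example.org
To: alice@example.net
Subject: Network update

Hello Alice,
"""

if __name__ == "__main__":
    print("bad message:", check_visible_exposure(BAD_MESSAGE) or "ok to send")
    print("safe message:", check_visible_exposure(SAFE_MESSAGE) or "ok to send")
    for m in individual_messages("news@example.org", "Network update", "Hello,",
                                 ["alice@example.net", "bob@example.net"]):
        print("per-recipient copy passes:", check_visible_exposure(m.as_string()) == [])
```

The check deliberately looks only at To and Cc, because that is what the recipient's mail client renders; a Bcc header that a mail server strips is not a control you can audit after the fact. Wiring `check_visible_exposure` in front of the send call, and generating per-recipient copies for any list mailing, removes the step where a tired member of staff picks the wrong field.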

Why have cookies become such a muddle?

October 2021

What are the challenges and what next for cookie compliance

Some history

It is 10 years since the original EU Directive was adopted which gave individuals the right to refuse the use of cookies that reduced their online privacy.

Back then, people talked a lot about “implied consent” which meant that gaining consent from individuals didn’t seem so hard. Pre-ticked boxes were everywhere. 

Roll on 10 years and two major changes have occurred:

1. The explosion of programmatic advertising which makes heavy use of third-party cookies to segment and target individuals.

2. The introduction of GDPR which strengthened the level of consent required to use cookies. This must be freely given – no more pre-ticked boxes!

The ICO “cookie” guidance

To support the introduction of GDPR level consent, the ICO published its “cookie” guidance in 2019. In this context, “cookies” is short for cookies and similar technologies.

In this guidance it was made clear unambiguous consent was required for all cookies except essential cookies (i.e. the ones that make your site work properly). 

To be clear, this meant tools such as Google Analytics required consent to process an individual’s data.

Rather unhelpfully, at a macro level, the rather benign anonymised Google Analytics data was bundled together with the rather less benign collection of data carried out by the large Ad Tech providers to target advertising. 

For those wanting to use anonymised analytics data there was a caveat in the guidance which stated: 

The ICO cannot exclude the possibility of formal action in any area. However, it is unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals. The ICO will consider whether you can demonstrate that you have done everything you can to clearly inform users about the cookies in question and to provide them with clear details of how to make choices. 

For example, the ICO is unlikely to prioritise first party cookies used for analytics purposes where these have a low privacy risk, or those that merely support the accessibility of sites and services, for regulatory action. 

I’ve had a few conversations with clients about whether data processed by Google Analytics is first- or third-party data. I’m inclined to say it’s the former. It’s not used for anything else by Google and they clearly indicate they are a data processor in this capacity. 

In addition, the ICO guidance made clear that inviting users to set cookie preferences in their browser was not considered adequate.

To put it mildly, businesses were surprised by the hard-line approach taken by the ICO. It wasn’t as if the ICO were slavishly following their EU counterparts – some of the ICO guidance was stronger!

The business response

The upshot was a large swathe of websites became non-compliant overnight, and two years later you will still find a range of approaches to presenting cookie consent. There are four main types:

1. Do nothing: A site has no cookie notice or preference centre at all – increasingly rare but still occurring and clearly non-compliant.

2. Simple cookie notice: A cookie notice plus guidance on setting cookie preferences in the user’s browser. Deemed not compliant by the ICO but still used by many.

3. Accept all cookie notice: A cookie notice delivered by a tech provider which sets out the different categories and encourages users to accept or manage their preferences.

4. Accept or Reject cookie notice: A detailed cookie notice, usually provided by a tech provider which sets out the different categories and encourages users to accept, reject or manage their preferences.

There are other permutations – some websites have pre-ticked boxes in the manage preferences section, some websites set cookies before the preferences have been set, the list goes on.  

In short, it’s a muddle and it seems businesses have largely taken a risk-based approach to decide how far to go.

This is obviously dependent on the importance of cookies to each organisation. It’s noticeable that some online retailers have taken quite a flexible view whilst others in highly regulated sectors are tending to be much stricter. 

Are consumers complaining about it? 

From a consumer’s perspective, their main gripe is that they see a wall of cookie notices which they largely ignore in order to get to the website.

However well-meant, the cookie rules have not served their purpose. No one appears to read them. 

There is a further less obvious problem – consumers don’t really understand what they’re signing up for.

There has been plenty of discussion about third-party cookies and how data is widely used for targeting advertising in a non-compliant manner. To date, very little has been done to address those concerns despite the ICO’s ongoing investigation into AdTech. 

Furthermore, if we look at the ICO log of cookie complaints, it remains pretty low at around 450 per quarter in 2021 although it’s increased from around 300 per quarter in 2019. 

Will ePrivacy make any difference? 

It is possible the ePrivacy regulation will soon come into force as negotiations are creeping towards a conclusion. There are a couple of points in this regulation that would certainly help clear the cookie muddle:

1. Allowing for other paths to consent via whitelists in browsers.

2. Allowing limited analytics.

However, as the UK is no longer part of the EU it’s not necessarily the case that we’ll adopt the new regulation. Having said that, we’ll need to create something to update the very old PECR regulations. The pragmatists amongst us might be minded to adopt ePrivacy when it’s approved.

What about Elizabeth Denham’s intervention with G7?

In September, Elizabeth Denham attended the G7 summit to call on countries to work together to tackle cookie pop-ups.

In particular, she wanted to have a coordinated approach to enforcement to ensure nefarious activities didn’t go unchecked. 

It’s not entirely clear what she was seeking to achieve. After all, the ICO has come in for quite a lot of criticism not least because GDPR/PECR already provides the necessary legislation for enforcement action but, so far, no-one has been fined. 

And now, the Government reform proposals?

DCMS also highlighted the cookie issues in its data reform proposals, setting out two options:

  • Permitting organisations to use analytics cookies and similar technologies without the user’s consent. In other words, treating them in the same way as ‘strictly necessary’ cookies. It’s worth noting that this proposal is included in the most recent EU ePrivacy draft. (It’s accepted further safeguards would be required to ensure this had a negligible impact on user privacy and any risk of harm. It would also not absolve organisations from providing clear and comprehensive information about cookies and similar technologies).

or

  • Permitting organisations to store information on, or collect information from, a user’s device without their consent for other limited purposes. An example given is that this could include processing necessary for the legitimate interests of controllers where the impact on privacy is likely to be minimal.

What does this all mean?

  • Sooner or later, something will happen although it’s not entirely clear who will make the first move – ePrivacy or UK government reforms seem the likeliest. 
  • The ePrivacy Regulation will eventually be approved and would address some of the muddle. It would make sense, but its adoption in the UK may become a largely political decision. 
  • In the meantime, it seems that users consider cookies a nuisance rather than really causing any harm.
  • Arguably the main cookie culprits are those using cookies for “nefarious” activities and are collecting third-party data. With Google stopping support for third-party cookies in 2023, this problem effectively goes away.
  • Businesses could help themselves. Many set cookies every time you visit a website. There is no rule to say that it’s required every visit and the barrage would be diminished if a sensible time frame was agreed. 
  • There is silence from the ICO when it comes to enforcement. Now that Covid is becoming less of an issue perhaps a few fines might make people comply? 

UK data reform: Direct Marketing

September 2021

What changes could be on the horizon for direct marketing?

The UK Government’s consultation on data regime reform mostly focuses on proposals to amend UK GDPR requirements, but it’s worth noting some changes for direct marketing could also be on the cards.

Changes which could be particularly significant for political parties and charities.

Marketing emails, SMS and calls are governed by the Privacy and Electronic Communications Regulations (PECR) and some tweaking of these rules is being proposed.

Furthermore, in what would be a substantial shift, political campaigning could no longer even be considered to be direct marketing.

So what’s being proposed?

Extending scope of the ‘soft opt-in’

PECR requires consent for email and SMS marketing to consumers, i.e. a positive action (such as a tick in a box) to say they’re happy to receive communications. However, commercial organisations can rely on an exemption to consent when it relates to existing customers.

This exemption, known as the ‘soft opt-in’, says email and SMS marketing messages are permitted without obtaining consent as long as the following conditions are met:

  • The contact details are collected during the course of a sale, or negotiations for a sale, of a product or service
  • An opportunity to refuse or opt-out of the marketing is given at the point of collection, and again in every subsequent communication
  • You only send marketing about your own similar products and services

At the moment not-for-profit organisations, such as political parties and charities, are not allowed to rely on this exemption and therefore must gain consent for email & SMS marketing. The Government is seeking views on whether this should be changed.

Clearly, this speaks to the difficulties organisations can face in trying to gain consent from people. The requirements necessary to make consent valid were enhanced when GDPR came into force.

We all know from our own experience when buying products online that many commercial organisations rely on the ‘soft opt-in’, despite the Information Commissioner’s Office trying to push the message that consent is best.

To be fair, in research and testing we’ve conducted in the past, the general public perception is consent is much more open and honest. An opt-out can easily be missed and is often perceived as trying to trick people into being targeted with marketing.

But, I’m sure this move to extend permitted use of the ‘soft opt-in’ beyond the commercial uses would be very much welcomed by charities and political parties.

The big question though is will the public be happy with this move? A move which may also call into question the definition of ‘sale’ or ‘negotiations for a sale’. Would this only be permitted in certain situations where, for example, people had donated to a charity or political party or had purchased merchandise?

Just to clarify, the PECR rules on consent and the soft opt-in do not apply in the context of B2B marketing, where for example you are contacting individuals at their business email address. However, when relying on legitimate interests rather than consent you still need to fulfil transparency requirements and honour the right to object to direct marketing.

Removing political campaigning from ‘direct marketing’ rules

Another idea put forward in the consultation is to take things a step further for political parties…

Currently, political campaigning is included within the interpretation of the definition of direct marketing. The draft Direct Marketing Code states:

The DPA 2018 and PECR do not clarify what is meant by ‘advertising or marketing material’. However it is interpreted widely and covers any advertising or marketing material, not just commercial marketing. For example it includes the promotion of aims and ideals as well as advertising goods or services. This wide interpretation acknowledges that unwanted, and in some cases nuisance, direct marketing is not always limited to commercial marketing.

It’s pointed out in the Government’s consultation that case law has established communications from political parties which promote ‘aims and ideals’ should be classed as direct marketing and are therefore subject to the PECR rules.

The Government says this has never been debated in Parliament. I’d suggest this is just as well, as to my mind they’d have a skewed view!

The consultation is therefore being used to seek views on whether electronic communications from political parties and other political entities should be subject to the same direct marketing rules as other organisations and businesses.

Examples of ‘other political entities’ are given as ‘candidates and third-party campaign groups registered with the Electoral Commission’.

The Government believes relaxing the rules would give organisations more freedom to engage with prospective voters and this could lead to increased voter turnout.

However, it’s accepted people may not wish to receive electronic communications of this nature in the same way as not wanting to receive commercial marketing.

We’ll have to wait and see what views the consultation elicits on this.

Increased fines for breaking the marketing rules

The Government is proposing to raise fines under PECR, which are currently limited to a maximum of £500,000, to be in line with UK GDPR fines.

This would be a significant rise as the UK GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater – for contravening the rules.

I suspect this is an element of the reform which will go through – so a clear warning for nuisance spammers, who seem to be the most common recipients of fines under PECR at this time.

What next?

For the time being nothing is carved in stone, and it will be interesting to see how things develop after the consultation closes on 19th November.

What’s clear is this has probably put the long-awaited final version of the current draft Direct Marketing Code of Practice, published in January 2020, on ice for a little longer.

Your views

If you would like to share your views on the above proposed changes, and other proposals in the UK data reform consultation, take part in our survey. The DPN will be submitting a formal response to the consultation, and we’d appreciate your thoughts.

Direct marketing: household names fined for breaking the rules

September 2021

What did We Buy Any Car, Saga and Sports Direct get wrong?

The ICO has announced a series of fines for companies which have contravened the direct marketing rules under the Privacy and Electronic Communications Regulations (PECR).

Fines amounting to £495,000 have been issued to Sports Direct, We Buy Any Car, Saga Personal Finance and Saga Services.

Contraventions include not being able to evidence valid consent, not abiding by the conditions of the ‘soft-opt in’ exemption, and emails sent via affiliates without valid consent.

In the ICO blog announcing the fines, their Head of Investigations commented:

“These companies should have known better. Today’s fines show the ICO will tackle unsolicited marketing, irrespective of whether the messages have been orchestrated by a small business or organisation, or a leading household name. The law remains the same and we hope today’s action sends out a deterrent message that members of the public must have their choices and privacy respected.”

It’s worth noting the Government’s data regime reform consultation proposes increasing the maximum fines under PECR to be in line with GDPR. So in future we could see much higher sums being levied for breaking the rules.

We Buy Any Car

Key finding: failure to meet all ‘soft opt-in’ conditions

We Buy Any Car (WBAC) has been fined £200,000 for sending 191.4 million marketing messages and 3.6 million SMS messages in contravention of the PECR rules.

WBAC came to the attention of the ICO due to complaints received directly to their online reporting tool. Between October 2019 and January 2020, the Regulator received 10 complaints from individuals, and a further two complaints from the same individual.

Much of the investigation focuses on email communications which were sent after people had requested a valuation. People can use the WBAC website to input details about their vehicles to get a valuation.

WBAC claimed it relied on the ‘soft opt-in’ exemption for such messages and said people would anticipate further email communications as part of what was described as ‘journey emails’.

The ICO found while people were informed about these communications, they were not given an opportunity to opt-out at the point their details were collected. This is one of the key conditions businesses have to meet when relying on the soft opt-in exemption.

This is a clear message to other businesses to assess whether they are taking any risks when relying on the ‘soft opt-in’. Are you meeting these core conditions?

  • The contact details are collected during the course of a sale, or negotiations for a sale, of a product or service
  • An opportunity to refuse or opt-out of the marketing is given at the point of collection, and in every subsequent communication
  • You only send marketing about your own similar products and services

Saga

Key finding: inadequate consent obtained for marketing by affiliates/partners

Saga Services Limited (SSL) has been fined £150,000 for sending more than 128 million emails in contravention of the PECR rules. Saga Personal Finance (SPF) has been fined £75,000 for sending 28 million emails.

These cases focus on the potential risks when using partners or affiliates to send marketing on your behalf. Both SSL and SPF paid partners and affiliates to send promotional emails on their behalf for lead generation purposes.

The companies were relying on ‘indirect consent’. In other words they hadn’t collected people’s details directly from them, and were using other parties’ lists to promote their services.

The enforcement notice points to the ICO’s direct marketing guidance which states:

“organisations need to be aware that indirect consent will not be enough for texts, emails or automated calls. This is because the rules on electronic marketing are stricter, to reflect the more intrusive nature of electronic messages.”

The guidance goes on to say ‘indirect consent’ may be valid, but only if it is clear and specific enough. Providing an individual with a long, seemingly exhaustive list of categories of organisations that may send marketing communications to them is not likely to be sufficient.

In summary, it was found that SSL and SPF were the instigators of these email communications, and the ‘consent’ collected by affiliates and partners was not sufficient.

There’s a lesson here for all organisations using marketing affiliates and partners: conduct due diligence. You can’t simply accept claims by those sending emails on your behalf that they have a ‘fully consented list’.

Sports Direct

Key finding: inability to produce evidence of marketing permissions

Sports Direct has been fined £70,000 for sending 2.5 million email messages without valid consent.

The company came to the ICO’s attention after the regulator received 12 complaints via its online reporting tool.

This case focuses on a ‘re-engagement’ campaign whereby Sports Direct had identified an ‘aged dataset’ to send communications to. These were described as records which had not unsubscribed – “a category of data that showed as being opted in to receive email marketing but had not received any marketing emails”.

Sports Direct informed the ICO it was either relying on the ‘soft opt-in’ or ‘consent’ to contact this ‘aged dataset’.

However, during the ICO investigations Sports Direct could not provide sufficient evidence it had valid permission to contact people.

In one case Sports Direct couldn’t identify a lawful basis, because the customer in question had asked for their details to be erased, so they had no record at all.

This ruling acts as a reminder to all organisations to keep adequate records, and specifically highlights the risks of emailing customers who you haven’t been in contact with for some time.

It also confirms that, even if someone submits an erasure request, you should keep minimised but detailed enough records for a suitable period of time so you can adequately respond to any subsequent complaints.
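The three cases above come down to the same engineering question: can you show, for every address on a send list, which permission you hold and that the conditions attached to it were met? The following is an added example, not code from the DPN or the ICO, of a minimal permission ledger that encodes the soft opt-in conditions (details collected during a sale or negotiation, opt-out offered at collection, marketing only about similar products), refuses to send where no evidence of consent exists, and, on an erasure request, keeps only a keyed hash of the address plus the permission history so a later complaint can still be answered. All field names, the sample records and the HMAC-based pseudonymisation are my assumptions for illustration.

```python
"""Added example: a minimal marketing-permission ledger (not the page's code).

Models the PECR 'soft opt-in' conditions and the consent-evidence
requirement discussed above, plus a minimised record kept after erasure.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed demo key: in a real system this comes from a secrets store.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"
T0 = datetime(2021, 9, 1, tzinfo=timezone.utc)  # constructed reference time


def pseudonymise(contact: str) -> str:
    """Keyed hash so an erased contact can be matched against a later
    complaint without the address itself being stored."""
    norm = contact.strip().lower().encode()
    return hmac.new(PSEUDONYM_KEY, norm, hashlib.sha256).hexdigest()


@dataclass
class PermissionRecord:
    contact: str                      # email, or pseudonym after erasure
    basis: str                        # "consent" or "soft_opt_in"
    collected_at: datetime
    evidence: str                     # form id / checkbox wording; must be non-empty
    collected_during_sale: bool = False        # soft opt-in condition 1
    opt_out_offered_at_collection: bool = False  # soft opt-in condition 2
    product_category: Optional[str] = None     # soft opt-in condition 3
    opted_out: bool = False
    erased_at: Optional[datetime] = None


class PermissionLedger:
    def __init__(self) -> None:
        self._records: Dict[str, PermissionRecord] = {}

    def add(self, rec: PermissionRecord) -> None:
        self._records[rec.contact.strip().lower()] = rec

    def opt_out(self, contact: str) -> None:
        rec = self.lookup(contact)
        if rec is not None:
            rec.opted_out = True

    def erase(self, contact: str, now: datetime) -> None:
        """Honour erasure: drop the address, keep a pseudonymised, suppressed
        record of what permission was held and when it was erased."""
        key = contact.strip().lower()
        rec = self._records.pop(key, None)
        if rec is not None:
            token = pseudonymise(key)
            self._records[token] = replace(rec, contact=token, erased_at=now, opted_out=True)

    def purge_expired(self, now: datetime, retention: timedelta) -> int:
        """Delete erased records once the complaint-handling period has passed."""
        stale = [k for k, r in self._records.items()
                 if r.erased_at is not None and now - r.erased_at > retention]
        for k in stale:
            del self._records[k]
        return len(stale)

    def lookup(self, contact: str) -> Optional[PermissionRecord]:
        key = contact.strip().lower()
        return self._records.get(key) or self._records.get(pseudonymise(key))

    def can_send(self, contact: str, campaign_category: str) -> Tuple[bool, str]:
        """Decide whether a marketing email may go to this contact, and why."""
        rec = self.lookup(contact)
        if rec is None:
            return False, "no record: cannot evidence consent or soft opt-in"
        if rec.erased_at is not None:
            return False, "contact erased on %s; suppressed" % rec.erased_at.date()
        if rec.opted_out:
            return False, "recipient has opted out"
        if not rec.evidence:
            return False, "record holds no evidence of permission"
        if rec.basis == "consent":
            return True, "valid consent on record"
        if rec.basis == "soft_opt_in":
            if not rec.collected_during_sale:
                return False, "soft opt-in: details not collected during a sale/negotiation"
            if not rec.opt_out_offered_at_collection:
                return False, "soft opt-in: no opt-out offered at point of collection"
            if rec.product_category != campaign_category:
                return False, "soft opt-in: campaign not about similar products/services"
            return True, "soft opt-in conditions met"
        return False, "unknown basis %r" % rec.basis


def build_demo_ledger() -> PermissionLedger:
    """Constructed sample records illustrating the outcomes discussed above."""
    ledger = PermissionLedger()
    # Valuation request: informed of emails but never offered an opt-out.
    ledger.add(PermissionRecord("valuation@example.com", "soft_opt_in", T0,
                                "valuation-form-v2", True, False, "car_valuation"))
    # Genuine purchase with opt-out offered at checkout.
    ledger.add(PermissionRecord("buyer@example.com", "soft_opt_in", T0,
                                "checkout-v5 opt-out box", True, True, "trainers"))
    # Explicit consent with the checkbox wording retained as evidence.
    ledger.add(PermissionRecord("consented@example.com", "consent", T0,
                                "signup-form-v3: 'Yes, email me offers'"))
    # 'Aged' record with no evidence of how permission was obtained.
    ledger.add(PermissionRecord("aged@example.com", "consent", T0, ""))
    return ledger
```

The design point is the erasure path: the address is replaced by a keyed hash and the record is marked suppressed, so a complaint quoting the original address can still be matched and answered, while `purge_expired` removes it once the retention period you have decided is suitable has passed.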

Full details of the above enforcement action can be found on the ICO website.

UK data regime change consultation: 12 highlights

September 2021

The Government’s consultation on UK data protection reform contains a number of sensible proposals to ease the burden on business. There are also a few surprises likely to raise eyebrows in Brussels. The headlines are:

  • The UK is not about to become the ‘Wild West’ for data, as some may have feared
  • Changes to both UK GDPR and the UK’s Privacy and Electronic Communications Regulations (PECR) look likely
  • A probable relaxation of several areas of UK GDPR, with a focus on outcomes rather than prescribed processes
  • Plans to increase fines under PECR to match those under GDPR, a clear warning to those flagrantly disregarding marketing rules
  • The consultation is a ‘direction of travel’ – nothing’s carved in stone. It’s business as usual for now

The Government’s overall aim is to drive economic growth and innovation and strengthen public trust in use of data.

The way they want to achieve this is to alleviate some of the more prescriptive GDPR obligations on business, whilst retaining a robust data protection regime built largely on existing laws.

This approach is in keeping with the UK’s common law tradition, also used in Australia, New Zealand, Jamaica, Pakistan and Singapore (to name a few), as opposed to the statute law system used across Europe. Common law is viewed by its proponents as more flexible. It’s also why legal proceedings tend to move more quickly in UK courts than those in the EU.

It’s clear the UK Government hopes any changes will be compatible with EU equivalency, enabling the UK to retain adequacy.

Data regime proposals: 12 highlights

1. Accountability & Privacy Management Programmes (PMPs)

Changes to the accountability framework are proposed, with businesses expected to have a Privacy Management Programme in place. This approach to accountability is long-established in countries such as Australia, Canada and Singapore.

It’s argued this would allow organisations to implement a risk-based privacy programme based on the volume and sensitivity of personal data they handle, and the types of activities they’re involved in.

By doing this, the proposal seeks to do away with some of the accountability obligations under the current UK GDPR, which may be considered to be more burdensome.

Organisations will still need to know where their data is and what it’s used for, apply lawful bases, implement robust security measures, manage suppliers, assess privacy risks and fulfil privacy rights. But there could be more flexibility and control over how you achieve this.

This doesn’t mean ripping up all the hard work you’ve done to comply with GDPR.

When the dust has settled, many organisations may choose to stick with the tried and tested framework they’ve already established. Others may jump on the opportunity to adapt their approach.

And let’s not forget, UK businesses operating in Europe will still be governed by EU GDPR.

2. No mandatory Data Protection Officers

The consultation proposes removing the mandatory requirement to appoint a DPO.

Under GDPR, a DPO must be appointed by public authorities – and in the commercial sector – if organisations meet specific criteria. It also sets out requirements and responsibilities for the role.

It’s proposed the requirement for a DPO is replaced with a requirement to designate a suitable individual (or individuals) responsible for overseeing compliance. However, the new law wouldn’t lay down specific requirements & obligations for this role.

3. No mandatory requirement for Data Protection Impact Assessments

Currently, GDPR makes a DPIA mandatory for high-risk activities. It also sets out core elements such an assessment must include.

Furthermore, it requires supervisory authorities to establish a list of processing operations which definitely require a DPIA. This led authorities, including the UK’s ICO, to dutifully publish lists of where DPIAs would be considered mandatory, as well as best practice.

The Government is proposing removing this mandatory requirement, although this won’t mean throwing out screening questionnaires and DPIA templates, which are often very useful.

The onus would be on organisations to take a proportionate and risk-based decision on when they consider it appropriate to carry out impact assessments and how they go about this.

4. More flexible record keeping

Completing and maintaining up-to-date records, known as Records of Processing Activities (RoPA) has been one of the more onerous aspects of GDPR.

Again, current law and guidance is prescriptive about record keeping requirements – although small and medium sized organisations (with fewer than 250 employees) are exempt from this.

It’s proposed a more flexible model for record keeping is introduced.

Maintaining a central record of what personal data you hold, what it’s used for, where it’s stored and who it’s shared with is a sensible and valuable asset for any organisation. Many feel such records are vital to effective data risk management.

So again, you don’t need to rip up your current RoPA, but you may soon be allowed to adapt your record keeping to suit your business and perhaps make your records easier to maintain.

5. Data breach notification threshold changes

It’s clear GDPR has led to data protection authorities being inundated with data breach reports. The ICO, for one, has highlighted a substantial amount of over-reporting.

This isn’t surprising when there’s a legal obligation for organisations to report a personal data breach if it is likely to represent a ‘risk’ to individuals.

It’s proposed organisations would only need to report a personal data breach where the risk to the individual is ‘material’. The ICO would be encouraged to produce clear guidance and examples of what would be ‘non-material’ risk, and what would or would not be considered a reportable breach.

6. Data Subject Access Requests changes

The stated purpose of a subject access request is to give individuals access to a copy of their personal data so they can ‘be aware and verify the lawfulness of processing’ (although many organisations might question if this is why some submit requests).

The consultation recognises the burden that responding to DSARs places on organisations, especially smaller businesses which often lack the resources to handle them.

The possibility of charging a nominal fee could be reintroduced. It’s also proposed the threshold for judging when a request may be vexatious / manifestly unfounded is amended.

7. Cookies

Headlines surrounding UK data reform usually focus on ending the barrage of cookie pop-ups. The consultation proposes two main options:

  • Permitting organisations to use analytics cookies and similar technologies without the user’s consent. In other words, treating them in the same way as ‘strictly necessary’ cookies. It’s worth noting that this proposal is included in the most recent EU ePrivacy draft. (It’s accepted further safeguards would be required to ensure this had a negligible impact on user privacy and any risk of harm. It would also not absolve organisations from providing clear and comprehensive information about cookies and similar technologies).

or

  • Permitting organisations to store information on, or collect information from, a user’s device without their consent for other limited purposes. An example given is that this could include processing necessary for the legitimate interests of controllers where the impact on privacy is likely to be minimal.

The Government says it is keen to hear feedback on the most appropriate approach.

8. Legitimate Interests

There’s a proposal to create an exhaustive list of legitimate interests which organisations could rely on without needing to conduct the balancing test, i.e. no Legitimate Interest Assessment (LIA) required.

The following are some of the examples given:

  • ensuring bias monitoring, detection and correction in AI systems
  • statutory public communications and public health & safety messages by non-public bodies
  • network security
  • internal research and development projects

Where an activity is not on the list, we’re assuming assessments using the current 3-step test would still be needed.

9. Extended use of the ‘soft opt-in’

PECR currently permits email and SMS marketing messages where consent has been given, or for existing customers only, when the soft opt-in requirements are met.

This exemption to consent for existing customers is only currently available to commercial organisations. It’s proposed this could be extended to other organisations such as political parties and charities.

This could be great news for charities, but could it lead to a deluge of unwanted messages from political parties?

10. Research purposes

The Government wants to simplify the use of personal data for research, with a specific focus on scientific research.

Considerations include establishing new lawful grounds for research (subject to ‘suitable safeguards’) and incorporating a clear definition of ‘scientific research’.

11. Artificial intelligence

It’s proposed certain automated decision-making should be permitted without human oversight.

GDPR prohibits this unless necessary for a contract with an individual, authorised by law or based on explicit consent. The consultation suggests Article 22 is scrapped.

The aim is to ‘deliver more agile, effective and efficient public services and further strengthen the UK’s position as a science and technology superpower’.

It’s hoped this can be achieved by developing a safe regulatory space for responsible AI development, testing and training which allows greater freedom to experiment.

In the consultation press release, an AI partnership between Moorfields Eye Hospital and the University College London Institute of Ophthalmology is highlighted. Researchers have trained machine-learning technology to identify signs of eye disease, which is more successful than using clinicians.

This is cited as a clear example of the type of data use which should be encouraged, not hindered by law.

12. Reform of the ICO

The Government wants to assert greater control over the UK’s data protection regulator, the Information Commissioner’s Office.

They propose to introduce a new, statutory framework to set out the ICO’s strategic objectives and duties and a power for the Secretary of State for DCMS to prepare a statement of strategic priorities to inform how the ICO sets its own regulatory priorities.

This would bring the ICO into line with other UK regulators such as Ofcom, Ofwat and Ofgem.

The proposals also include introducing a new overarching objective for the ICO, in addition to its other functions, tasks and duties, with two key elements:

  • Upholding data rights and safeguarding personal data from misuse
  • Encouraging trustworthy and responsible data use, to uphold the public’s trust and confidence in use of personal data

Summary

Yes, a shake-up of UK data laws and enforcement is on the horizon, but the final outcome remains unknown, and a healthy debate will surely follow.

The consultation closes on 19th November 2021, and there will undoubtedly be some time before any changes become law.

For the time being it’s business as usual, but this document gives us a clear idea of what the future might look like.

Meanwhile, the EU will be keeping a very close eye on developments, and it’s possible the UK could be deemed to be going a step too far – it’s easy to see EC adequacy decisions being held over the UK Government like the Sword of Damocles.

The UK Government’s objective is to give organisations more control and flexibility around data protection management within a less burdensome regime, which supports the data economy and drives innovation.

In some ways, it could even be seen as a move towards giving organisations who don’t take data protection seriously more rope to hang themselves with.

The full consultation document is worth a read and can be found HERE.

Simon Blanchard, Phil Donn & Julia Porter – September 2021