Marketing messages and service messages

How to avoid falling foul of the PECR rules

Many businesses need to send important or essential messages to their customers by email or SMS, or may telephone them. But if the content of these messages strays into becoming promotional in nature, the marketing rules under the UK’s Privacy and Electronic Communications Regulations (PECR) will apply.

The Information Commissioner’s Office has issued a number of fines over the years where marketing messages have been ‘disguised’ as service messages. I’ve included a few examples below. The risk for businesses is it can take just one, or a handful of complaints to cause a problem.

What’s a service message?

Essentially, a service message is a communication sent to individuals purely for administrative or customer service reasons. Such messages must be neutral in tone, providing just important and necessary information. The ICO tells us these must not include any advertising or promotional materials and that the key is in the ‘phrasing, tone and context’.

Pure service messages can be sent to everyone provided they only contain essential factual information for your customer. Some examples would include:

- confirming an order/purchase
- confirming a delivery date/time
- providing necessary event information when someone has purchased a ticket (free or paid for)
- notifying people you require certain information to comply with the law, for example, an airline requesting passport information before an overseas flight
- informing service users about essential changes, for example, telling leisure centre members the swimming pool has been unexpectedly closed
- communicating changes to the terms and conditions of a contract or agreement the individual has with you, or material changes to privacy information

What’s a marketing message?
If a message is actively promoting or encouraging an individual to make use of a particular service, a special offer, or upgrade for example, then it is likely to be direct marketing. This would include where part but not all of the message, or phone call, is of a promotional nature.

The Data Protection Act 2018 defines direct marketing as: the communication (by whatever means) of advertising or marketing material which is directed to particular individuals. A definition which applies under PECR.

It’s a broad definition and covers any advertising, marketing or promotion of products and services directed at a specific individual or individuals. It also includes promoting aims and ideals, so covers fundraising and campaigning.

Regulatory communications

Some businesses, for example in the financial sector, will be required by a statutory regulator such as the Financial Conduct Authority to make people aware of specific information. The ICO has published direct marketing and regulatory communications guidance. Again it depends on the context and tone of the message, but some examples are provided of messages which are unlikely to count as direct marketing:

- give advance warning of changes to terms, conditions or tariffs
- explain about statutory complaint or compensation schemes
- warn about fraud and how to report it
- remind people of how to get in touch if they are struggling with payments
- provide offers of support for those customers most at risk of harm.

Where businesses have got it wrong

Navigating the line between service messages and marketing messages can be tricky, as the following companies discovered. We all have feet of clay; I’m sure many other organisations are shimmying along this regulatory tightrope. Some consciously pushing the boundaries, others inadvertently breaking the rules.
American Express

In 2021 AMEX was fined £90,000 for sending 4 million emails, which were judged to fall under the definition of direct marketing, to customers who’d not given their consent or who’d opted out of marketing.

The nature of these emails ranged from encouraging people to download the AMEX app, to how to make the most of an AMEX card, rewards and offers, how to earn more rewards by referring friends, getting an improved rate on cashback, and so on.

The key here is AMEX’s decision to internally classify these emails as ‘service’ messages, which is why customers who’d opted out / objected to marketing still received them. The ICO disagreed and determined these were direct marketing, and marketing opt-outs should have been applied. And just to be clear, in this case the ICO found AMEX hadn’t deliberately flouted the rules but did find them to be negligent.

In its defence AMEX said the emails were an integral part of the service they provide to AMEX customers. Their argument was that a crucial aspect of being an AMEX customer was taking advantage of member benefits. They said this was cited by customers as one of the primary reasons for having an AMEX card. AMEX therefore determined these messages were necessary and “required to be sent based on legal and contractual requirements”.

The ICO however assessed the content of the emails and found the following:

- The emails encouraged customers to use their AMEX credit cards to make purchases or, in specific cases, download an app
- The emails were clearly of an advertising and promotional nature
- None were “neutrally worded and purely administrative”

Whatever their stated purpose internally, the ICO found the email content fell under the definition of direct marketing. The emails were aimed at encouraging customer actions from which AMEX would financially gain.

The penalty notice reveals AMEX received twenty-two complaints about ‘service’ emails during the period investigated.
Five people complained directly to the ICO, some after initially raising their concerns with AMEX (but not all). It’s also worth noting some people complained because AMEX refused to let them opt-out because they viewed the messages as service ones not requiring an opt-out capability.

What struck me was the tiny percentage of complainants, especially when you consider AMEX sent out four million emails. (Admittedly this figure is likely to include repeated emails to the same individuals). It starkly illustrates how only a few complaints can cause a world of pain. (There have been cases in the past based on a single complaint).

Halfords

In 2022 the ICO fined Halfords £30,000 for sending half a million emails without consent. This case shows how just one complaint directly to the ICO triggered unwelcome scrutiny.

Halfords sent an email campaign to customers letting them know about a Government ‘Fix your Bike’ scheme during the Covid pandemic, whereby cyclists could take advantage of a voucher towards repairs. A voucher which could be used with any of a list of approved repairers or mechanics.

This was sent to customers who had opted out of marketing in the past and the email contained a disclaimer stating; This is a service message and does not affect your marketing opt-in status. The email didn’t include an unsubscribe link.

In exchanges with the ICO, Halfords claimed they were acting in the public interest to support a Government scheme in a one-off campaign during the pandemic. Halfords also pointed to the fact that 3,700 people took up the opportunity to claim the voucher, and only received seven complaints themselves from almost half a million ‘service’ messages.

However the ICO said the content of the email promoted Halfords, and was therefore a marketing message. It was found to imply a connection between Halfords and the scheme, emphasising the service provided by Halfords. People were told to “Visit halfords.com to find out more now”.
The regulator said this not only signposted individuals to the company’s website but included ‘a sense of urgency in the messaging, which is a typical marketing strategy.’

The enforcement notice reveals how much information companies need to provide when they end up on the ICO’s radar.

- A lack of clarity was initially provided surrounding the numbers of emails delivered/received
- No policies and procedures existed to guide staff in respect of PECR

It goes to show it’s all very well to have a Data Protection Policy, but having specific marketing guidelines shouldn’t be overlooked.

What lessons can we learn?

It pays to carefully scrutinise any service messages which may be in danger of crossing the line. Give your staff clear policies/guides on the marketing rules and your internal approach.

These cases, and others before them, show the ICO takes a strict interpretation and a handful of complaints can put you firmly in their sights.
Cookie compensation demands

A quick buck for non-compliance?

What’s darkening our e-doormat this morning? It’s not a letter from the Information Commissioner’s Office. It’s not ransomware or a phishing attempt. No… it’s the dreaded cookie compensation demand!

Increasingly my colleagues and I, and friends in the data protection space, hear reports of official looking, legally-laden letters being received by companies. The simple message; your cookies are non-compliant, this is distressing me and I want money from you.

And everyone’s a potential target – any size of business, any sector. We know of small agencies through to blue chips receiving these letters. They aren’t complaining to a regulator, they’re coming straight to your front door or in-box.

Unlike the well-known privacy group noyb, who threaten to raise a formal complaint with a regulator if the offending company doesn’t remedy violations within a specified time, these demands from individuals would appear to have the sole aim of earning a quick buck. For me, such letters leave a nasty taste, especially when smaller businesses or not-for-profits are targeted and where cookie use is limited.

How do they know our cookies aren’t compliant?

It’s easy to find out what cookies are used by any website. There are a number of free tools which you can just pop a website domain name into, and hey presto! A scan is run, and the results returned, revealing any cookie sins you may have committed.

What’s the claim?

Generally the claim letters allege non-essential cookies are being dropped onto users’ devices automatically, without clear information about their purposes and without consent. If a cookie banner is present, the claim will be it’s not compliant with UK GDPR / Privacy and Electronic Communications Regulations (PECR).

The letters often assume personal data is captured by the cookies – which may or may not be true.
However, remember the PECR rules apply to cookies and similar tech regardless of whether the data they collect is personal or not.

The letters will claim distress or damage has been caused as a result of the placement of cookies onto the user’s device. It’s worth noting the right to compensation isn’t automatic; the claimant must be able to prove ‘damage or distress.’

As for how much – this isn’t nearly as scary as the realms of ransomware, with typical compensation demands in the region of £500-£1000.

To pay, or not to pay?

Companies are of course taking different approaches. In our experience many are ignoring them, and never hear from the complainant ever again. Others are standing their ground and asking for evidence of distress or damage. While some take a look at their cookies and similar tech and think, okay, fair cop we aren’t compliant so we’ll pay.

If you pay out, do you need to quickly get your cookie house in order? There’s the risk if you don’t, they could be back in a few months’ time if you’ve not successfully resolved any issues.

What are the cookie rules?

Before we blame GDPR, the rules for cookies and similar technologies are in the UK set out in PECR. Other countries across Europe have similar (but not identical) rules derived from the European ePrivacy Directive.

In short, we need to provide meaningful information to people about the categories of cookies and similar tech we use, and gain consent for any cookies which are not strictly necessary.

Different regulators across Europe have taken slightly differing approaches to what would be considered strictly necessary. Here in the UK, for example website statistical cookies are not considered strictly necessary. (This could potentially change under government plans to reform data laws; you can read more about this here). However the French regulator, CNIL, for example, accepts statistical cookies as strictly necessary.

When GDPR came into effect in 2018, consent needed to meet a higher standard.
The days of implied consent were over. This is why we’re greeted by a barrage of cookie banners and notices wherever we go online.

The reason these compensation demands are possible is under PECR, people who have suffered damage or distress as a result of a contravention of the rules are entitled to bring proceedings against the offending party and seek compensation for that damage. Similarly under GDPR people have the right to receive compensation where they’ve suffered material or non-material damage due to an infringement of the law.

What can we do to protect ourselves?

The only way to completely avoid a cookie compensation demand is to understand what types of cookies and similar tech are used by our website(s), behave transparently with a clear notification and collect informed consent for any which aren’t strictly necessary. The ICO Cookie Guidance illustrates what type of cookies might be considered strictly necessary.

There are lots of cookie consent management platforms on the market, some of which are free. However, if your cookie use is quite sophisticated, or you have sub-domains, a free option might not be enough.

Alternatively the options are to ignore, stand your ground or pay out.

I’ve heard a little rumour, one of the posse of cookie claimants is an in-house DPO who does this as a side hustle. And if you ask me, it’s just not cricket.
ICO issues fine for invalid marketing consent

How do we make sure the consent we collect is compliant?

The ICO has issued a £130,000 fine to a company which operated five recruitment websites. Join the Triboo (JTT) was found to have failed to collect valid consent for email marketing communications and in the words of the regulator, ‘bombarded people with spam emails’.

What did JTT get wrong?

It was ruled there was a failure to meet the requirements for consent to be a ‘freely given, specific, informed and unambiguous’ indication of someone’s wishes. Statements used to collect ‘consent’ were judged to neither be informed, nor specific.

One ‘consent’ statement used stated ‘I agree to marketing activity’. Perhaps unsurprisingly, this was judged as not clearly telling people what types of communications subscribers could expect to receive, by what means, or from whom. The privacy policy stated marketing might be carried out on behalf of ‘third parties’ who operate in ‘any business sector’.

Another statement referred to emails on behalf of ‘selected companies’ and contained broad categories including ‘general’. Again, the ICO ruled this could not be considered specific or informed and jobseekers using JTT operated websites weren’t given enough information to understand what they were consenting to.

Do we have to name third parties which rely on the consent we collect for them?

Interestingly, the enforcement notice in this case does not specifically spell out that third parties relying on consent must be named. It states:

Consent is required to be “specific” as to the type of marketing communication to be received, and the organisation, or specific type of organisation, that will be sending it.

It’s not clear if the use of the term ‘specific type of organisation’ marks a shift in the Regulator’s stance to date, that named consent is always required. The ICO’s consent guidance states; ‘Name any third party controllers who will rely on the consent’.
What does valid consent look like?

The ICO’s guidance on consent sets out its expectations of what constitutes valid consent. To summarise:

- A consent request must be prominent and separate from terms & conditions
- People must take a positive action to opt in
- Pre-ticked boxes must not be used
- Clear and plain language must be used
- It should be clear what we will use the data collected for
- Any other organisation relying on consent must be named
- People should be told, when they give their consent, they can withdraw it at any time
- Consent shouldn’t be a precondition of a service

Here at the DPN we use the following statement to collect consent for our email newsletter. We’re pretty confident we’ve followed the ICO’s checklist.

SIGN UP FOR OUR NEWSLETTER
DPN updates direct to your inbox. Get insight, free resources, events & services from DPN Associates (publishers of DPN). All our emails have an opt-out. For more information see our Privacy Statement.

A box is provided to enter an email address and a positive action is taken when clicking the ‘Subscribe’ button.

Is consent always needed for email marketing?

The short answer is no. There’s an exemption to consent for business-to-consumer email marketing known as the soft opt-in, which can be legally used if specific conditions are met. This exemption was not applicable in the JTT case.

Email marketing by a business to its business contacts is also permitted without consent (provided the requirements for a legitimate interest are met).

When not relying on consent, the lawful basis for processing data for marketing purposes under UK GDPR will be legitimate interests.

The rules for direct marketing by electronic means are governed by the Privacy and Electronic Communications Regulations (PECR). When PECR tells us we need consent, this consent must meet the UK GDPR standard. The ICO has recently updated its direct marketing guidance.
Quick takeaways

Be clear about what you’re asking people to consent to – what type of marketing can they expect to receive? Tell people which media communications channel you will use. If you’re going to send people marketing by email, make this clear.

For more detail see the ICO enforcement notice.
Direct marketing: household names fined for breaking the rules

What did We Buy Any Car, Saga and Sports Direct get wrong?

The ICO has announced a series of fines for companies which have contravened the direct marketing rules under the Privacy and Electronic Communications Regulations (PECR).

Fines amounting to £495,000 have been issued to Sports Direct, We Buy Any Car, Saga Personal Finance and Saga Services. Contraventions include not being able to evidence valid consent, not abiding by the conditions of the ‘soft-opt in’ exemption, and emails sent via affiliates without valid consent.

In the ICO blog announcing the fines, their Head of Investigations commented:

“These companies should have known better. Today’s fines show the ICO will tackle unsolicited marketing, irrespective of whether the messages have been orchestrated by a small business or organisation, or a leading household name. The law remains the same and we hope today’s action sends out a deterrent message that members of the public must have their choices and privacy respected.”

It’s worth noting the Government’s data regime reform consultation proposes increasing the maximum fines under PECR to be in line with GDPR. So in future we could see much higher sums being levied for breaking the rules.

We Buy Any Car

Key finding: failure to meet all ‘soft opt-in’ conditions

We Buy Any Car (WBAC) has been fined £200,000 for sending 191.4 million marketing messages and 3.6 million SMS messages in contravention of the PECR rules.

WBAC came to the attention of the ICO due to complaints received directly to their online reporting tool. Between October 2019 and January 2020, the Regulator received 10 complaints from individuals, and a further two complaints from the same individual.

Much of the investigation focuses on email communications which were sent after people had requested a valuation. People can use the WBAC website to input details about their vehicles to get a valuation.
WBAC claimed it relied on the ‘soft opt-in’ exemption for such messages and said people would anticipate further email communications as part of what was described as ‘journey emails’.

The ICO found while people were informed about these communications, they were not given an opportunity to opt-out at the point their details were collected. This is one of the key conditions businesses have to meet when relying on the soft opt-in exemption.

A clear message to other businesses to assess whether they are taking any risks when relying on the ‘soft opt-in’. Are you meeting these core conditions?

- The contact details are collected during the course of a sale, or negotiations for a sale, of a product or service
- An opportunity to refuse or opt-out of the marketing is given at the point of collection, and in every subsequent communication
- You only send marketing about your own similar products and services

Saga

Key finding: inadequate consent obtained for marketing by affiliates/partners

Saga Services Limited (SSL) has been fined £150,000 for sending more than 128 million emails in contravention of the PECR rules. Saga Personal Finance (SPF) has been fined £75,000 for sending 28 million emails.

These cases focus on the potential risks when using partners or affiliates to send marketing on your behalf. Both SSL and SPF paid partners and affiliates to send promotional emails on their behalf for lead generation purposes.

The companies were relying on ‘indirect consent’. In other words they hadn’t collected people’s details directly from them, and were using other parties’ lists to promote their services.

The enforcement notice points to the ICO’s direct marketing guidance which states: “organisations need to be aware that indirect consent will not be enough for texts, emails or automated calls.
This is because the rules on electronic marketing are stricter, to reflect the more intrusive nature of electronic messages.”

The guidance goes on to say ‘indirect consent’ may be valid, but only if it is clear and specific enough. Providing an individual with a long, seemingly exhaustive list of categories of organisations that may send marketing communications to them is not likely to be sufficient.

In summary, it was found that SSL and SPF were the instigators of these email communications, and the ‘consent’ collected by affiliates and partners was not sufficient.

A lesson here for all organisations using marketing affiliates and partners, to conduct due diligence. You can’t just simply accept claims by those sending emails on your behalf that they have a ‘fully consented list’.

Sports Direct

Key finding: inability to produce evidence of marketing permissions

Sports Direct has been fined £70,000 for sending 2.5 million email messages without valid consent. The company came to the ICO’s attention after the regulator received 12 complaints via its online reporting tool.

This case focuses on a ‘re-engagement’ campaign whereby Sports Direct had identified an ‘aged dataset’ to send communications to. These were described as records which had not unsubscribed – “a category of data that showed as being opted in to receive email marketing but had not received any marketing emails”.

Sports Direct informed the ICO it was either relying on the ‘soft opt-in’ or ‘consent’ to contact this ‘aged dataset’. However, during the ICO investigations Sports Direct could not provide sufficient evidence it had valid permission to contact people.

In one case Sports Direct couldn’t identify a lawful basis, because the customer in question had asked for their details to be erased, so they had no record at all.
This ruling acts as a reminder to all organisations to keep adequate records and specifically highlights the risks of emailing customers who you haven’t been in contact with for some time.

It also confirms that, even if someone submits an erasure request, you should keep minimised but detailed enough records for a suitable period of time so you can adequately respond to any subsequent complaints.

Full details of the above enforcement action can be found on the ICO website.
ICO says most public sector messages are not direct marketing

One of the unwelcome side effects of the pandemic has been the proliferation of bogus emails and texts trying to illegally elicit personal data from us. I speak with my elderly mother almost daily, repeating the same lines; ‘don’t click on the link’, ‘don’t respond if someone is asking you to enter your details’, ‘hang up’, ‘delete it’, ‘you haven’t ordered a package, please ignore it’.

However, we’ve also all received other communications which I feel have been largely helpful. Messages such as pandemic update emails from our local councils, notifications about vaccines from our GPs, and text messages about the NHS app.

But would some of these be regarded as direct marketing messages? Did some contravene the rules under PECR (the Privacy and Electronic Communications Regulations)? Possibly, perhaps in some cases definitely (under existing guidance). But does it matter? Surely, there’s an argument to say some communications may not be strictly necessary but are informative and useful, and don’t unduly impact on our privacy.

This is clearly an area the ICO felt needed addressing. The Regulator has issued new guidance, which appears to alter the long-standing interpretation of direct marketing.

What does the new guidance say?

The ICO says public sector organisations can send ‘promotional’ messages which would not be classed as direct marketing, if they are necessary for a public task or function.

This is significant. ‘Promotional’ messages have always been considered as ‘direct marketing’ before, regardless of whether they are sent by commercial companies, not-for-profits or the public sector.

It also means, in the eyes of the Regulator, such public sector ‘promotional’ emails, SMS messages and telephone calls do not fall within the scope of the UK’s Privacy and Electronic Communications Regulations (PECR).
In a blog announcing the new guidance the ICO states:

“Any sector or type of organisation is capable of engaging in direct marketing. However the majority of messages that public authorities send to individuals are unlikely to constitute direct marketing.”

Anthony Luhman, ICO Director, goes on to say:

“Our new guidance will help you understand how to send promotional messages in compliance with the law. Done properly the public should have trust and confidence in promotional messaging from the public sector.”

As said, until now any ‘promotional’ message was considered direct marketing. So this new guidance raises some questions:

- Has the long-standing interpretation of the definition of direct marketing been changed?
- Is this a sensible new interpretation?
- Will this open the floodgates to us being spammed by public authorities?

What is the definition of ‘direct marketing’?

The definition is broad. Under section 122(5) of the DPA 2018 the term ‘direct marketing’ means “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. A definition which also applies for PECR.

What exactly is meant by ‘advertising or marketing material’ is not clarified in the DPA 2018 or PECR, but the long-standing interpretation of this has been that it is not limited to commercial marketing and includes any material which promotes ‘aims and ideals’.

This interpretation is clear in the ICO’s Direct Marketing Guidance and more recently in the draft Direct Marketing Code, published in January 2020, which says of direct marketing:

“It is interpreted widely and covers any advertising or marketing material, not just commercial marketing. For example it includes the promotion of aims and ideals as well as advertising goods or services.
This wide interpretation acknowledges that unwanted, and in some cases nuisance, direct marketing is not always limited to commercial marketing.”

When is a promotional public sector message not direct marketing?

In a nutshell, the new guidance states;

- If you’re a public authority and your promotional messages are necessary for your public task or function, these messages are not direct marketing
- If your messages by telephone, text or SMS are not direct marketing, you don’t need to comply with PECR. (But you still need to comply with UK GDPR).

The ICO is now drawing a distinction between promotional messages necessary to fulfil a public task or function, as opposed to messages from public authorities promoting services which a user pays for (such as leisure facilities) or fundraising activities. The latter would still be considered direct marketing.

The new guidance provides the following interpretation;

“In many cases public sector promotions to individuals are unlikely to count as direct marketing. This is because promotional messages that are necessary for your task or functions do not constitute direct marketing. We do not consider public functions specified by law to count as an organisation’s aims or ideals.”

This is in marked contrast to the wording of the draft Direct Marketing Code which says:

“If, as a public body, you use marketing or advertising methods to promote your interests, you must comply with the direct marketing rules.”

What types of messages are direct marketing and which aren’t?
The following examples are given of the types of promotional content a public authority might communicate which would NOT constitute direct marketing;

- new public services
- online portals
- helplines
- guidance resources

The ICO says promotional messages likely to be classed as direct marketing include:

- fundraising; or
- advertising services offered on a quasi-commercial basis or for which there is a charge (unless these are service messages as part of the service to the individual)

How do you decide if messages are necessary for public task or function?

The ICO says it accepts all public authorities will have what it describes as ‘incidental powers’ to promote their services and engage with the public. It therefore says it is not necessary for a public authority to identify an ‘explicit statutory function’ to engage with promotional activity which is deemed ‘necessary’ for a task or function.

However, the ICO does stipulate you can’t just say a direct marketing message is no longer direct marketing because the lawful basis has been stated as public task. Nor can you just decree a promotional message is ‘in the public interest’, this won’t automatically mean it isn’t direct marketing.

What the Regulator expects is for public authorities to identify a relevant task or function for the communication they wish to send.

There’s a risk here the ICO has not been clear enough. This could cause confusion and I suspect plenty of deliberation over which messages are or are not direct marketing.

Transparency

It’s made clear that even if you determine certain promotional messages are not direct marketing, this doesn’t mean you can ignore other basic data protection principles. You still need to make sure people know what you are doing with their personal data, and this must be within their reasonable expectations.

In other words public authorities must make it clear to people they intend to send promotional messages which are necessary for a public task or function.
Which may mean updating their privacy notices.

Right to object

People have an absolute right to object to direct marketing, but they also have a general right under data protection law to object to processing, which includes when organisations are relying on the lawful basis of public task. A right people should be made aware of.

The guidance makes it clear – if someone objects to a promotional message from a public authority, it will only be possible to continue sending messages if ‘compelling legitimate grounds’ to do so can be demonstrated. The ICO makes the point it would be difficult to justify continuing to send unwanted promotional messages if this goes against someone’s wishes.

My advice would be to include a clear ability to opt-out on any promotional message; any message which isn’t an essential service message. (Albeit, this could cause some configuration issues for public authorities who don’t have sophisticated systems which can distinguish between different types of messages and opt-outs).

Lawful basis for promotional non-marketing messages

The ICO points to two lawful bases under UK GDPR for sending promotional messages necessary for a public task or function, either public task or consent.

The guidance suggests just because you can rely on public task, doesn’t mean you shouldn’t consider consent, which may be considered appropriate for public trust reasons. The ICO accepts that Public Authorities may be reluctant to rely on consent, due to a potential imbalance of power, but says it may be considered appropriate if the individual has a genuine free choice to give or refuse to consent to promotional messages.

A change in interpretation

This new guidance certainly seems to represent a marked change in the ICO’s previous interpretation of direct marketing. It’s interesting to note the following pertinent examples which are present in the draft Direct Marketing Code (which I suspect may be altered in the final version).

Example

Scenario A

A GP sends the following text message to a patient: ‘Our records show you are due for x screening, please call the surgery on 12345678 to make an appointment.’

As this is neutrally worded and relates to the patient’s care it is not a direct marketing message but rather a service message.

Scenario B

A GP sends the following text message to a patient: ‘Our flu clinic is now open. If you would like a flu vaccination please call the surgery on 12345678 to make an appointment.’

This is more likely to be considered to be direct marketing because it does not relate to the patient’s specific care but rather to a general service that is available.

It seems to me Scenario B, under the new guidance, could be classed as a promotional message, but NOT direct marketing. (Personally, I would never have complained about Scenario B; it’s a helpful, informative message and hardly in the realms of untargeted nuisance spam.)

The draft Code goes on to confirm the following would be direct marketing:

- a GP sending text messages to patients inviting them to a healthy eating event;
- a regulator sending out emails promoting its annual report launch;
- a local authority sending out an e-newsletter update on the work they are doing; and
- a government body sending personally addressed post promoting a health and safety campaign they are running.

The specific examples from the draft Code were used by people to question whether some of the messages they received during the pandemic contravened PECR. Would these types of communications now no longer be direct marketing? It would certainly seem like they aren’t if you go by the clear message from the ICO that ‘the majority of messages that public authorities send to individuals are unlikely to constitute direct marketing.’ Will the above examples disappear from the final Direct Marketing Code?

In summary

This new guidance is likely to be welcomed by some who have been frustrated, or indeed bewildered, that their communications could be considered direct marketing. However, it could also muddy the waters. It leaves the public sector needing to clearly define different types of communications and make sure relevant teams are adequately briefed to understand the difference.

As I see it, there are three types of communication:

a) Service messages – essential messages relating to the provision of a service
b) Promotional messages for public task or function (which are highly likely to need an opt-out)
c) Direct marketing messages (must have an opt-out to honour the individual’s absolute right to object).

I just wonder whether the term ‘promotional messages’ could have been avoided in this guidance. I am not sure I have a satisfactory alternative, but perhaps something like ‘information messages’ – i.e. messages that are not essential service messages but provide helpful information. I also wonder whether there could have been a carve-out for important health-related messages, rather than applying this new interpretation to any ‘promotional’ message from any public authority.

Let’s hope the public sector now pays due care and attention to transparency, provides an opt-out to all but essential messages, and doesn’t abuse this new-found power to engage with us beyond what is actually necessary.