ICO issues fine for invalid marketing consent

April 2023

How do we make sure the consent we collect is compliant?

The ICO has issued a £130,000 fine to a company which operated five recruitment websites. Join the Triboo (JTT) was found to have failed to collect valid consent for email marketing communications and in the words of the regulator, ‘bombarded people with spam emails’.

What did JTT get wrong?

It was ruled there was a failure to meet the requirements for consent to be a ‘freely given, specific, informed and unambiguous’ indication of someone’s wishes. Statements used to collect ‘consent’ were judged to neither be informed, nor specific.

One ‘consent’ statement used stated ‘I agree to marketing activity’. Perhaps unsurprisingly, this was judged as not clearly telling people what types of communications subscribers could expect to receive, by what means, or from whom. The privacy policy stated marketing might be carried out on behalf of ‘third parties’ who operate in ‘any business sector’.

Another statement referred to emails on behalf of ‘selected companies’ and contained broad categories including ‘general’.

Again, the ICO rule this could not be considered specific or informed and jobseekers using JTT operated websites weren’t given enough information to understand what they were consenting to.

Do we have to name third parties which rely on the consent we collect for them?

Interesting, the enforcement notice in this case does not specifically spell out that third parties relying on consent must be named. It states:

Consent is required to be “specific” as to the type of marketing communication to be received, and the organisation, or specific type of organisation, that will be sending it.

It’s not clear if the use of the term ‘specific type of organisation’ marks a shift in the Regulator’s stance to date, that named consent is always required. The ICO’s consent guidance states; ‘Name any third party controllers who will rely on the consent’.

What does valid consent look like?

The ICO’s guidance on consent sets out its expectations of what constitutes valid consent. To summarise:

  • A consent request must be prominent and separate from terms & conditions
  • People must take a positive action to opt in
  • Pre-ticked boxes must not be used
  • Clear and plain language must be used
  • It should be clear what we will use the data collected for
  • Any other organisation relying on consent must be named
  • People should be told, when they give their consent, they can withdraw it at any time
  • Consent shouldn’t be a precondition of a service

Here at the DPN we use the following statement to collect consent for our email newsletter. We’re pretty confident we’ve followed the ICO’s checklist.

SIGN UP FOR OUR NEWSLETTER
DPN updates direct to your inbox. Get insight, free resources, events & services from DPN Associates (publishers of DPN). All our emails have an opt-out. For more information see our Privacy Statement.

A box is provided to enter an email address and a positive action is taken when clicking the ‘Subscribe’ button.

Is consent always needed for email marketing?

The short answer is no. There’s an exemption to consent for business-to-consumer email marketing known as the soft opt-in, which can be legally used if specific conditions are met. This exemption was not applicable in the JTT case.

Email marketing by a business to it’s business contacts is also permitted without consent (provided the requirements for a legitimate interest are met).

When not relying on consent, the lawful basis for processing data for marketing purposes under UK GDPR will be legitimate interests.

The rules for direct marketing by electronic means are governed by the Privacy and Electronic Communications Regulations (PECR). When PECR tells us we need consent, this consent must meet the UK GDPR standard. The ICO has recently updated its direct marketing guidance.

Quick takeaways

  • Be clear about what you’re asking people to consent to – what type of marketing can they expect to receive?
  • Tell people which media communications channel you will use. If you’re going to send people marketing by email, make this clear.

For more detail see the ICO enforcement notice.

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.