Refer a Friend - Viral Marketing Rules

February 2020

Can you ask your customers to send on your marketing to their friends?

The answer, according to the ICO’s draft Direct Marketing Code, is NO!

The regulator says for email/SMS this breaches the rules, as you won’t have the consent required for such electronic promotional messages. (I suspect email is the prime channel for this type of marketing).

But is the ICO taking too literal an approach? I’ll admit, I’m left wondering whether the GDPR and ePrivacy (i.e. UK PECR) rules were really designed for this. Is the Law of Unintended Consequences at work here?

I recently received a ‘refer a friend’ from a cosmetics company I’d used. This prompted me to go back to the draft code and read carefully what it said.

I seldom receive emails like this, and don’t think I’ve ever forwarded details to a friend. But what’s the problem? I can delete it. I can unsubscribe. I am in complete control in a personal capacity if I choose to act upon it. If I do, the recipient (who will be known to me) can ignore it. The company will only collect my friend’s details if they actively choose to engage.

Asking for contact details of friends/family

In the Direct Marketing Guidance (which the code will replace) the ICO previously referenced these types of viral marketing campaigns. The scenario of asking existing contacts to provide contact details for their friends and family was highlighted. And the clear advice was not to do it. This is because it would be difficult to ensure you had the permission of the friends/family members. But it went no further.

On this point, I completely agree – I wouldn’t be happy if a friend provided my details to a third party without my knowledge. Even if I’d agreed, the company would clearly have no lawful basis under GDPR for processing such information. They’d certainly have no evidence I’d agreed to this.

In this respect, the ICO guidance seems totally correct (and is repeated in the draft code).

‘Instigating’ marketing messages

However, the ICO is now taking this a step further. It says direct marketing rules cover companies who ‘encourage’ their customers to send on a marketing message to friends or family.

The Regulator takes the stance that as the ‘instigator’ of a direct marketing message, you’ll need to comply with direct marketing rules. It states:

“You still need to comply even if you do not send the messages yourself, but instead instigate individuals to send or forward these. Instigate does not necessarily mean that you have incentivised the individual to send your messages.”

It goes on to say:

“Actively encouraging the individual to forward your direct marketing messages to their friends without actually providing a reward or benefit still means that you are instigating the sending of the message and you therefore need to comply with PECR.”

As direct marketing emails and SMS messages require consent (in a business-to-consumer context), the ICO concludes it’s impossible to collect valid consent for a marketing message that arrives in a friend’s inbox. The following example is given:

“An online retailer operates a ‘refer a friend’ scheme where individuals are given 10% off their orders if they participate. The individual provides their own name and email address and the retailer automatically generates an email containing its marketing for the individual to send to their friends and family. The retailer is instigating the direct marketing therefore they have responsibility for complying with the PECR rules. Because the retailer does not have the consent of the friends and family these emails breach PECR.”

It’s clarified you are not responsible if individuals choose to send their friends a link to a product on your website or details of a promotional campaign. This is as long as you haven’t ‘encouraged’ them to do so.

Refer a friend links

In the above example the ICO specifically mentions an automatically generated email containing the organisation’s marketing content. From a purely personal perspective I don’t see this as being too much of a problem. It would be interesting to see the metrics from businesses who use this type of marketing and find it effective.

Of course, I accept the ICO may have specifically highlighted this because it has received complaints from people who are inundated with promotional emails from their friends.

However, this is not the only way refer a friend schemes operate. The email I recently received invited me to click to get a link which I could then share with my friends should I wish to. Both my friend and I would be rewarded should they go on to buy some cosmetics from the company.

I’ll reiterate – I wasn’t being encouraged to forward a marketing message. I was encouraged to copy a link. If I’d done this, I would have been completely in control of what I wrote in my email to a friend and I would be sending this in a personal capacity.

You’d also think this would rely on a good customer experience – people being likely to want to tell their friends about a good brand.

Refer a Friend Benefits

These types of campaign are clearly attractive to companies who want to reach out to new customers. They would appear to put the customer completely in control. Friends can simply ignore it if they wish.

Gavin Walles from Mention Me, a company which specialises in referral marketing, says these refer-a-friend programmes are beneficial to both companies and their customers:

“The fact that the referrer is making an introduction means that the brand is not required to spend money on other less efficient marketing channels and so they are willing to share that saving with their customers. Therefore, brands are willing to offer incentives to both the referring customer and the referred friend for participation in their refer-a-friend programmes. These incentives offer real value to both the referrer and their friend, making it a mutually beneficial process for the consumers and giving them the opportunity to benefit from discounts and other rewards they would not otherwise have access to”.

In some ways, it could be alleged the ICO is trying to police the behaviour of private individuals around the information they choose to share… refer a friend is an invitation, not an instruction.

Robert Bond, partner at Bristows LLP comments, “There is also the issue as to how GDPR and PECR can apply to the action of the referrer as the individual is acting in a domestic or household capacity”.

I suspect many companies would appreciate further clarification from the Regulator on these types of viral marketing campaigns.

Prospects, Leads, Bought-in lists … Don’t forget the right to be informed

Transparency, Control and the Right to be Informed

Let me take you back a year, to April 2018 – a time when there was a considerable flurry to ensure Privacy Notices (often called Privacy Policies) were updated to reflect the GDPR information requirements.

Organisations needed to cover the purposes of processing personal data, the relevant lawful bases, overseas data transfers, individual rights, work out what on earth to say about data retention periods… and so the list went on. Once the checklist of requirements was ticked, next was the challenge of presenting this information in a clear, easy to understand and concise way. No easy task.

Fast forward a year and I suspect your Privacy Notices have been tweaked along the way. But are you remembering not just to meet the requirement to provide information to individuals when you collect their personal details directly from them (Article 13), but also the requirements of Article 14? To comply with the latter, you must provide privacy information to individuals whose data you process when you have NOT collected their details directly from them.

This could be personal information you may have received from a third party, or perhaps business prospects you have researched from openly-available sources (under your carefully assessed Legitimate Interests, of course). It’s important not to forget to provide privacy information to these individuals too.

Well, an interesting case popped up recently in Poland. The President of the Personal Data Protection Office (UODO) has fined a company 220,000 euros (yes, you read that correctly) for not fulfilling Article 14. The company was found to have obtained records from publicly-available sources, but had not informed many of those individuals that it was processing their personal data. This meant those individuals were denied the ability to exercise their rights.

Admittedly, in this case, the company was processing millions of publicly-sourced records – hence the size of the fine. However, it’s a wake-up call for all of us and tells us that regulators are prepared to enforce the law for Article 14. How can an individual exercise their right to object to processing or request erasure if they don’t even know you’re handling their personal information? And remember, personal data includes business contact information too, not just your customers’ details.

What does Article 14 require organisations to do?

Article 14 sets out the information you should provide to individuals when you’ve sourced their personal data indirectly. This information should include:

  • The identity and contact details of the controller
  • Contact details for the DPO, where applicable
  • Purposes of processing and lawful basis
  • Categories of personal data concerned
  • Recipients or categories of recipients, if any
  • Transfers to a third country, and reference to appropriate or suitable safeguards
  • Data retention periods, or criteria used to determine that period
  • The legitimate interests pursued by the controller or a third party (if relevant)
  • The right to withdraw consent (if relevant)
  • Individual Rights, including right to lodge a complaint with a Supervisory Authority
  • Existence of automated decision-making, including profiling

This should all sound familiar, as it’s the information you would have ticked off as requirements for your Privacy Notice (under Article 13).

Furthermore, Article 14 sets out when this information must be provided:

1. Within a reasonable period after obtaining the personal data, but at the latest within one month.
2. If personal data are to be used for communications with the individual, at the latest in the first communication with them.

Plus, if a disclosure to another controller is expected, this information must be provided at the latest when the information is first disclosed.

Are there any exceptions?

The provision of information is not required if the individual already has this information, or if providing it proves impossible or would involve disproportionate effort (particularly in relation to processing for archiving purposes in the public interest, scientific or historical research, or statistical purposes). Disproportionate effort is difficult to demonstrate and the scope of the exceptions is limited, so to avoid falling foul of the rules it would be wise to endeavour to fulfil Article 14.

What should you do?

For example, with researched prospects, bought-in marketing lists and personal data received from another third party, you should contact the individuals concerned within a month, inform them you’re processing their personal data and why. You should also provide them with an opportunity to object and (at the least) present a clear link to your Privacy Notice to fulfil other requirements.

Philippa Donn, April 2019

Legitimate Interests: It’s legit, isn’t it?

“Legitimate interests is the most flexible lawful basis for processing,
but you cannot assume it will always be the most appropriate”
UK Information Commissioner’s Office

Let’s say you want to process personal data for a specific purpose and in this situation obtaining consent would be tricky or perhaps inappropriate. The activity isn’t covered by a contract, and certainly isn’t something which is in the individuals’ vital interests. This looks like a case of legitimate interests, doesn’t it?

Just because you want to process personal data doesn’t mean you can – lawfully. Legitimate interests may be, in the words of the ICO, “the most flexible lawful basis”, but the words “you cannot assume it will always be the most appropriate” are equally important. You must make an assessment to balance your business interests with the interests and privacy rights of the people whose personal data you are processing. This will require some judgement: is your intended purpose really necessary, and is it within the reasonable expectations of those whose personal data you are using?

If so we can move on to the ‘balancing test’. Now, we need to identify and evaluate the privacy rights of the individual and judge if these are affected by the intended processing. For example, people have a right to know how their data will be processed, so how will you inform them? Will you add additional information at the time of collection, or update your privacy notice? Will you enable them to object to this processing?

This balancing test must be conducted fairly, without biasing the scales in favour of your business interests. To ensure fairness, some people find it helpful to put themselves in someone else’s shoes: consider, for instance, whether your Dad would expect this activity to be happening, or how your aunt would feel if she found out. Your business may think it’s legitimate, but would the people whose data is being used agree?

Some legitimate interests are fairly clear cut, for example processing for the prevention of fraud or for other strictly necessary reasons. But others require more careful thought and assessment.

What does GDPR say about Legitimate Interests?

Article 6(1)(f) states:

‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data, in particular where the data subject is a child.’

Also take care to read Recital 39 which explains the need for transparency and specifically Recital 47, which explains the requirements to take into consideration reasonable expectations, a relevant and appropriate relationship and the need for a careful assessment. This Recital is important for marketers, as it confirms that direct marketing may be considered to be a legitimate interest.

What makes a purpose legitimate?

Let’s run through the steps. To ensure you are compliantly relying on legitimate interests you need to conduct a 3-stage test: what we at the DPN and the ICO term a Legitimate Interests Assessment (LIA). The 3 core elements of the test are:

1. The assessment of whether a legitimate interest exists (i.e. the purpose is a legitimate one)
2. Confirming the processing is necessary (i.e. there’s no alternative way to achieve the result)

and last but by no means least….

3. The performance of a balancing test to decide if a particular processing operation can rely on legitimate interests.

Be careful not to try to overplay your business interests in this assessment or undermine the rights of individuals. You need to take a holistic approach and properly consider your relationship with the individuals whose data is being used, whether you are being transparent, whether you have enabled individuals to exercise their lawful rights, and whether the processing would be within their reasonable expectations.

If your reliance on legitimate interests is challenged you will need to be able to demonstrate that you fully considered the necessity of the processing, balanced this and came to a decision that people’s interests and rights did not override your interests. Conducting and documenting LIAs will show you did this, but remember it is no guarantee your decision will be upheld. Legitimate interests may be the most flexible lawful basis but it is risk-based.

For more information, case studies and an LIA template please see our industry-led Legitimate Interests Guidance, which was first published in July 2017 and now features 30 examples of its use. The ICO has also published detailed guidance.

What next for legitimate interests?

We are still in the early months of GDPR and have only seen limited enforcement by supervisory authorities across Europe under this new law. Challenges are likely to have already been made surrounding legitimate interests, more will come, and any regulatory action in this area will be watched with avid interest.

Philippa Donn, January 2019

How the Morrisons liability case increases risks for employers

The Court of Appeal has ruled this week that Morrisons must pay compensation to thousands of employees who were victims of a data breach in 2014.

The supermarket chain had taken the case to the Court of Appeal following a High Court ruling in 2017 which found the retailer legally responsible for the breach.

Following the Court of Appeal’s decision Morrisons has said it will take its fight to the Supreme Court, believing it should not be held vicariously liable for a malicious data leak by a former employee.

Vicarious liability means holding someone or an entity, such as a business, responsible for someone else’s actions – in this case, the malicious activities of a former employee.

Morrisons’ key argument is that they shouldn’t be liable for a malicious breach of this sort, because they had controls in place to protect the data. However, their stance was challenged by more than 5,000 current and former staff affected. So far, the judges have ruled in favour of the latter (see below). If Morrisons loses its battle it faces a vast compensation pay-out.

This case, if upheld by the Supreme Court, will have widespread repercussions for employers. This interpretation of vicarious liability could make them vulnerable to legal action from any individuals impacted by unsanctioned, even criminal, actions of rogue staff members or former employees.

Responding to the Court of Appeal ruling against Morrisons, Nick McAleenan, a partner and privacy law specialist at JMW Solicitors who represents the claimants, said, “This judgement is a wake-up call for business. People care about what happens to their personal information. They expect large corporations to take responsibility when things go wrong in their own business and cause harm to innocent victims.”

What happened?

Andrew Skelton was a disgruntled former Morrisons employee, disciplined for using the company’s postal facilities for personal purposes. In 2014, he made a private copy of the company’s entire payroll from an encrypted USB stick (which had been created at the request of external auditor, KPMG). He then posted 99,998 employees’ personal details on a file-sharing site. Skelton went on to link to this from various other places and sent CDs containing the personal data to several newspapers, one of which immediately contacted Morrisons. Skelton was jailed for eight years in July 2015 for fraud, securing unauthorised access to computer material and unauthorised disclosure of personal data.

The personal data breached included names, addresses, dates of birth, phone numbers, national insurance numbers, bank sort codes and account numbers and salary details.

This case raises a crucial question – what is the extent of corporate liability in cases when employees go rogue?

In brief: Morrisons’ position

Morrisons, unsurprisingly, believe they shouldn’t be held liable for Skelton’s actions. They claimed to have worked swiftly to ensure the personal data was no longer accessible, provided protection for those affected and offered reassurances they wouldn’t be financially disadvantaged.

The supermarket say they are not aware of anybody who suffered any direct financial loss as a result of Skelton’s actions.

Furthermore, Morrisons argues that previous rulings (and indeed this one) never blamed them for not protecting their employees’ personal data and that appropriate security measures were in place. To be held vicariously liable for Skelton’s criminal actions, they say, is grossly unjust.

A spokesperson for Morrisons, following the Court of Appeal ruling, said, “Morrisons has not been blamed by the courts for the way it protected colleagues’ data, but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.” They went on to say, “We believe we should not be held responsible so that’s why we will now appeal to the Supreme Court.”

In brief: The Claimants’ position

In 2014 more than 5,000 affected individuals (both current and former staff) took a group action against Morrisons. The claimants’ case rests on the point that staff had the right to expect their personal details to remain confidential. A significant data leak led to staff being put at risk of fraud, identity theft and other problems.

Mr McAleenan says, “unsurprisingly, this caused a huge amount of worry, stress and inconvenience.” After the Court of Appeal judgement against Morrisons he said, “This latest judgement provides reassurance to the many millions of people in this country whose data is owned by their employer”.

This case looks set to continue to the highest court in the land, which will be asked to judge again whether Morrisons is vicariously liable or not.

For its part, the Court of Appeal believes the solution for businesses lies with being properly insured, which presumably means companies would be advised to take out cover for vicarious liability.

How businesses mitigate against this extended risk profile remains to be seen – will enhanced vetting and information security regimes be necessary for those entrusted with data, and at what cost?

Update April 2020: In a unanimous ruling, the Supreme Court found Morrisons was NOT vicariously liable for the data breach caused by a disgruntled employee.

Simon Blanchard, October 2018