The Information Commissioner has recently fined We Buy Any Car, SportsDirect.com and Saga a total of £495,000 for sending over 354 million unlawful direct marketing messages. As retailers gear their eCommerce businesses up for this peak selling season it’s a timely reminder that the Information Commissioner treats breaches of the ePrivacy Regulations seriously.
Prior consent for email marketing
Under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (ePrivacy Regulations) an individual’s prior consent is required for direct marketing by email or text.
For consent to be valid it must be “freely given”, “specific” and “informed”.
The term “soft opt-in” is used to describe the rule set out in the ePrivacy Regulations which allows an organisation to email or text its existing customers even if they have not specifically consented to receive direct marketing emails or texts. The soft opt-in rule can only be relied upon by the organisation that collected the contact details.
The requirements for the soft opt-in can be summarised as follows:
- The organisation has obtained the contact details of the individual recipient of the email in the course of the sale or negotiations for the sale of a product or service to that individual;
- The direct marketing is in respect of the organisation’s similar products and services only;
- Individuals must be given an opportunity to opt-out of direct marketing at the time their personal data is collected;
- If they do not opt out, recipients must be given, on each communication, an opportunity to opt-out of direct marketing.
Evidence of compliance
The UK General Data Protection Regulation’s accountability principle requires organisations that are responsible for personal data to maintain records of their processing activities and to be able to demonstrate compliance with the data protection principles.
Additionally, where an organisation relies on consent as its lawful basis for processing personal data the organisation must be able to demonstrate what the individual consented to.
This would include keeping a record of what they were told, and when and how they consented.
In September the Information Commissioner issued fines to 4 leading household names for breach of the ePrivacy Regulations.
Saga Services Limited and Saga Personal Finance Limited
Saga Services Limited and Saga Personal Finance Limited were fined £150,000 and £75,000 respectively for instigating the sending of more than 157 million direct marketing emails contrary to the ePrivacy Regulations.
The direct marketing emails were sent to subscribers on behalf of Saga Services and Saga Personal Finance by their partners and affiliates. The Saga companies relied on “indirect consent” for their direct marketing – this is where one intended recipient has told an organisation that he or she consents to receiving marketing from another organisation. The Information Commissioner did not agree that valid indirect consent had been obtained for the marketing emails because the Saga companies were not specifically named in the consent statement or privacy policies of the affiliates or partners who collected the recipients’ contact details.
The Information Commissioner’s guidance does not rule out the possibility that indirect consent can be valid. However, indirect consent for direct marketing by text or email is likely to be difficult to secure because it will only be valid if the organisations from whom a subscriber agrees to receive direct marketing are clearly specified – consent to receiving email or SMS marketing from generic descriptions like “similar organisations” or “selected third parties” will not be valid.
SportsDirect.com Retail Limited
SportsDirect.com Retail Limited was fined £70,000 for sending over 2.5 million direct marketing emails as part of a “re-engagement campaign” in breach of the ePrivacy Regulations. SportsDirect was unable to provide evidence of consent for the marketing messages sent during the period from December 2019 to February 2020 and the Information Commissioner was not satisfied that SportsDirect could rely on the soft opt-in exception.
SportsDirect’s failure to maintain satisfactory internal consent records was an aggravating feature of its case which highlights the importance of keeping good records to demonstrate compliance with the ePrivacy Regulations and the UK GDPR.
We Buy Any Car
We Buy Any Car has been fined £200,000 for sending over 191 million emails and 3.6 million SMS without satisfying the requirements of the soft opt-in.
We Buy Any Car relied on the soft opt-in in relation to customers who requested a valuation. The soft opt-in rules require individuals to be given an opportunity to opt-out of direct marketing at the time their personal data is collected.
We Buy Any Car did not present these customers with an opportunity to object to receiving marketing messages at the time the customer provided their data. Instead, customers were given the opportunity to object shortly afterwards, when they received an email with their first valuation. We Buy Any Car argued that as there was a “minor temporal gap” between the 2 events, it was “simultaneous”.
The Information Commissioner did not accept We Buy Any Car’s position on this point and was satisfied that We Buy Any Car had not complied with the requirements for the soft opt-in. Organisations should ensure that customers are given the opportunity to object to direct marketing at the time the data is collected.
In a statement about these cases Andy Curry, ICO Head of Investigations said: “Companies that want to send direct marketing messages must first have people’s consent. And people must understand what they are consenting to when they hand over their personal information. The same rules apply even when companies use third parties to send messages on their behalf.”
Proposal to increase the fines
Fines for breaches of the ePrivacy Regulations are currently capped at £500,000.
We do not know whether the direct marketing emails that were the subject of these decisions were effective in generating new business for these leading household names, but it raises the question of whether the fine was an adequate deterrent.
The Information Commissioner clearly does not think the amount of the fine is sufficient to discourage businesses from contravening the ePrivacy Regulations. The Department for Digital, Culture, Media and Sport has recently announced a package of reforms to the way the Information Commissioner’s Office operates and these include a proposal to increase the amount of fines that the Information Commissioner’s Office can impose for breaches of the ePrivacy Regulations to the amount which is payable under the UK General Data Protection Regulation – currently 4% of annual worldwide turnover or £17.5 million.
The November-December winter holiday sales period is the busiest time of year for many retailers and as retailers gear their eCommerce business up for this peak selling season, they will be keen to engage with their existing customers and subscribers.
These cases are a timely reminder that an organisation that wants to send direct marketing by email or SMS must ensure that it obtains valid consent or complies strictly with the rules for the soft opt-in.
Businesses and marketers should take steps now to ensure that the processes and systems they use for direct marketing meet the requirements of the ePrivacy Regulations.
How Moore Barlow can help
If you need specific advice around this topic, please contact our expert team today.