“It was obvious what its subscribers were consenting to” – Marketing consents, a fine overturned
The implementation of the GDPR last year forced many businesses to take a long hard look at their marketing databases as they engaged in the… Read more
The implementation of the GDPR last year forced many businesses to take a long hard look at their marketing databases as they engaged in the wider process of reviewing and documenting how they collect, process and store personal data. In the context of direct marketing, businesses had to review whether their existing procedures for collecting customer consent lived up to the enhanced requirements of the new data privacy regime.
Whilst communication with existing and potential customers is an essential part of doing business for many organisations, it is essential that the persons involved in sending those communications understand the applicable data privacy and e-marketing rules which apply to those activities.
The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act 2018 and the GDPR, imposing stricter requirements on sending marketing calls, emails, texts and faxes; monitoring of location data; and the placing of cookies and tracking technologies.
In the context of direct marketing, the PECR restrict the sending of unsolicited calls, emails, texts and faxes to individuals, unless the recipient has previously notified the sender that they consent to such messages. Unsolicited in this context means a communication which an individual has not specifically requested and is not otherwise expecting.
The GDPR introduced an enhanced level of consent (which has since been adopted under PECR), requiring consent to be freely given, specific, and informed, and that there must be an indication signifying agreement. The GDPR makes clear that the indication must be unambiguous and involve a clear affirmative action. In response to such enhanced requirements, businesses have had to revisit their marketing consents and existing marketing databases to assess compliance.
Although organisations can generally only send direct marketing with specific consent, organisations may also be able to rely on a ‘soft opt-in’ exemption when marketing to existing customers. Soft opt-in applies when (i.) a company has obtained the customers contact details in the course of negotiations/sale of a product/service; (ii.) the company is only marketing their own similar product/service; and (iii.) the recipient was given an opportunity to opt out of the marketing, both at the time of collecting the contact details and in each subsequent marketing communication.
The Xerpla case
In Xerpla Ltd v Information Commissioner, Xerpla Ltd (Xerpla) successfully appealed against a decision of the ICO which had imposed a fine of £50,000 for breach of the consent requirements of regulation 22 of the PECR for the sending of email marketing. Although the decision concerned Xerpla’s conduct prior to the implementation of the GDPR, the case remains useful when considering the issue of informed consent in the context of direct marketing, a requirement which pre-dated the implementation of the GDPR.
Xerpla, a direct marketing company offering design, advertising and marketing services, had between 6 April 2015 and 20 January 2017 transmitted 1,257,580 unsolicited emails promoting products and services of third parties. The emails were sent to individuals who had subscribed to Xerpla’s websites www.yousave.co and www.headsyouwin.co.uk for the purposes of receiving Xerpla’s newsletters containing online offers/deals and competitions.
The ICO concluded that the recipients of the emails could not have given sufficiently informed consent, because the true breadth of the material they were signing up to was not obvious from the terms of consent provided. It found that Xerpla’s breach of the PECR had been negligent, and that due to the number of emails involved the breach was sufficiently serious to warrant monetary penalty.
The First Tier Tribunal disagreed with the ICO’s assessment that the users of the website could not have given informed consent. They found that informed consent must be judged in context, and that it was obvious in the circumstances what the subscribers were consenting to due to the nature of the services offered by Xerpla. Had recipients wished to only receive marketing relating to only certain types of products and services, Xerpla’s website was not the service for them. Accordingly, the Tribunal overturned the monetary penalty notice demonstrating that sometimes the ICO is incorrect in its application of the law.
The case is significant because the Tribunal found that:
- informed consent must be judged by thecontext in which it is provided, and that the obvious nature of a product/service could influence an assessment of informed consent;
- the Tribunal rejected the ICO’s analogy to direct third-party marketing guidance, finding that there is ‘a qualitative difference’ between receiving direct marketing from a single entity with whom one has established a voluntary relationship, and receiving marketing directly from unknown third parties;
- the Tribunal agreed the very low number of complaints (0.0012% of recipients) indicated that subscribers knew what they were consenting to.
It is important to note that the decision concerned conduct pre-GDPR, and that it is likely that Xerpla’s processes would be unlikely to meet the enhanced consent requirements under the GDPR. Whilst the Tribunal’s findings in points 1-3 may offer some comfort to companies analysing their own direct marketing practices there are several useful learning points from the ICO’s analysis, which companies should seek to implement to improve their own procedures. These include:
- the avoidance of generic and wide-ranging descriptions when collecting marketing consents;
- in the context of third party use of personal data, including third party direct marketing, avoid listing categories of third parties as this will not give valid third-party consent.
 Xerpla Ltd v Information Commissioner  UKFTT 2017_0262 (GRC) (14 August 2018)
Share this blog
Need to talk about this?
Share this Blog
- Adtech & martech
- Artificial intelligence
- Cloud computing
- Complex & sensitive investigations
- Cryptocurrencies & blockchain
- Data analytics & big data
- Data breaches
- Data rights
- Digital commerce
- Digital content risk
- Digital health
- Digital media
- Digital infrastructure & telecoms
- Emerging businesses
- Financial services
- KLick DPO
- Open banking
- Software & services