As the General Data Protection Regulation (GDPR) is fast approaching, organisations are keen to understand what action they need to take to obtain or refresh consents for their marketing activities.
The GDPR raises the bar to a higher standard of consent and organisations will not be able to rely on consent for one purpose (such as the sale of goods) as consent to be contacted for other purposes (such as direct marketing).
A recent fine by the Information Commissioner's Office (ICO) reinforces the danger of sending emails to individuals who have opted out of marketing. Moneysupermarket were fined £80,000 in July for sending millions of emails to customers who had opted out of marketing, asking them if they would like to reconsider their marketing preferences. The decision shows that if an individual says 'no' to marketing, there is no scope for asking them to change their mind.
The ICO received a complaint in December 2016 about an email from Moneysupermarket advising of an update to its terms and conditions. The email also contained the following section entitled 'Preference Centre Update':
"We hold an email address for you which means we could be sending you personalised news, products and promotions. You've told us in the past you prefer not to receive these. If you'd like to reconsider, simply click the following link to start receiving our emails.”
Following a letter from the Commissioner, Moneysupermarket admitted that it had sent millions of these emails to customers who had previously opted out of receiving marketing emails from them.
The ICO considered the contravention to be serious and that Moneysupermaket had deliberately contravened regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Moneysupermarket had sufficient knowledge of the requirements under the Data Protection Act 1998 and PECR, and it was also aware of the ICO's marketing guidance. However, it chose to consciously establish an email campaign to customers who had opted out, under the guise of 'customer service'.
The ICO emphasised that 'organisations can't get around the law by sending direct marketing dressed up as legitimate updates.' If people opt out of marketing, organisations must stop sending it. Organisations cannot email or text an individual to ask for consent to future marketing messages, since that email or text is itself sent for the purposes of marketing.
The decision acts as a reminder that marketing departments do not have any scope for creativity in attempting to reach out to individuals who have opted out of marketing. The ICO has warned that it will continue to take action against companies who use legitimate service communications as an opportunity to drop in marketing messages.
Marketing teams should ensure that they are familiar with the ICO's direct marketing guidance [PDF], which was given statutory status this year by the Digital Economy Act 2017. The guidance emphasises that organisations must keep clear records of what an individual has consented to, and when and how this consent has been obtained. If a customer opts out at any time, their details should be suppressed from marketing lists as soon as possible and a record of the opt-out maintained to ensure an individual’s wishes are adhered to.
Although the position may be clear on contacting individuals who have opted out, uncertainty remains over what action could be taken to 'refresh' consents in preparation for the GDPR. Many organisations are waiting for the ICO to publish its final guidance on consent. However, the ICO has stated in a recent blog that organisations should start their preparations now and the draft guidance on consent published in March of this year is a good starting point.
Contributor: Jenai Nissim
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at September 2017. Specific advice should be sought for specific cases. For more information see our terms and conditions.