Ok so hands up whose email inbox has recently been littered with emails inviting you to consent to receiving marketing communications or otherwise inviting you to update your marketing preferences. ‘Why is this happening?’ you may well ask? Well it’s happening because companies which want to be able to send you lots of nice marketing material for now and evermore are worried that, when the GDPR comes into force, with its new much stricter rules on consent, they won’t be able to send you such invitations and will get into trouble with the ICO if they do so. Which raises the interesting question of whether sending such emails is itself permissible under the existing legislative regime.
Obviously if you’ve already given DPA compliant consent to receive marketing communications from the particular company and that consent is still effective (i.e. you’ve not since opted out of receiving marketing communications), the sending of such communications will be lawful both under the DPA and under the domestic legislation governing the sending of direct marketing communications, namely the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”, see r. 22(2)). It will also generally be permissible if the company sending you the communication has obtained your contact details in the course of the sale or negotiation for the sale of a product or service to you and the communication is in respect of the company’s similar products and services (see the course of dealings exception in PECR, r. 22(3)). But what if you’re virgin marketing territory so far as the company is concerned: they have not previously dealt with you as a customer or potential customer and you have never consented to receiving direct marketing communications from that company? What happens if, in those circumstances, the company sends you out a very friendly and polite email saying something like: ‘Hey you, we don’t want to bother you but we think that we have a lot to offer you and we think you’d think so too if we were just able to send you lots of information about our services; so here we are offering you the opportunity to update your marketing preferences so as to allow us to send you some really interesting and life-enhancing marketing communications (you lucky thing!); and by the way here’s a really natty little online button which you can press (but only if you want to!) in order to opt in to receiving those communications? Well long story short the company is likely to find itself in pretty hot water, as the penalties issued by the ICO last year powerfully confirm.
On 27 March 2017, the ICO issued separate monetary penalties against two companies, Flybe and Honda Motor Europe Ltd – see here. In both cases, the company had sent out emails on a mass basis to individuals effectively seeking their consent to receiving direct marketing communications; the individual recipients of those emails were virgin marketing territory so far as the companies were concerned. In the first case, Flybe, an airline company, sent an invitation email to 3.3m individuals in circumstances were those individuals not only virgin marketing territory so far as the company but had positively confirmed that they did not want to receive marketing communications from the company. The ICO imposed a fine of £70,000. In the second case, Honda Motor Europe Ltd sent an invitation to some 289,270 individuals seeking to obtain clarification of the individuals’ marketing choices. Once again the individuals were virgin territory so far as the company was concerned. The company was fined £13,000. In both cases, the ICO took the view that the email invitation was itself a form of marketing, and as such was caught by PECR.
The ICO’s Head of Enforcement, Steve Eckersley, made the following powerful comments on the cases: “Both companies sent emails asking for consent to future marketing. In doing so they broke the law. Sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law…. Businesses must understand they can’t break one law to get ready for another’. So there we have it: there is no marketing free for all under the existing regime; if you don’t have valid consent and cannot otherwise fall within the r. 22(3) PECR course of dealings exception, you cannot try to elicit e-marketing consent from individuals; even without the behemoth of the GDPR bearing down on you, you’re going to be liable.
Anya Proops QC