Regulation 22 of PECR 2003 makes just about anybody working with marketing emails wince. It prohibits the sending of “unsolicited communications for the purposes of direct marketing” by electronic means (emails, texts, etc.) unless the recipient has consented, or unless the “soft opt-in” applies. How does this apply to emails with mixed content, i.e. that contain some bits of marketing material? Are these caught or not?
There has been precious little case law on this issue, and on PECR in general. Thankfully, Arron “Skippy” Banks has ridden to the rescue. His companies ran into trouble with the ICO for including marketing content – in particular, Skippy the Kangaroo flogging Eldon insurance products – in Brexit-related newsletters. Recipients had signed up for the newsletters, but not for marketing materials. The ICO issued two MPNs for spam emailing (£60k and £45k), an enforcement (a ‘stop sending spam emails’ order) and two assessment notices under the DPA 2018 (requiring the appellant companies to permit the ICO’s investigations). Team Banks’ appeal to the FTT was dismissed.
So too was its appeal to the Upper Tribunal, whose judgment in Leave.EU and Eldon Insurance Services v Information Commissioner was handed down earlier this week: Leave EU Eldon UT. The three-judge UT panel (the judgment reads to me like Judge Wikeley held the pen) has given us the leading authority on the approach to regulation 22 PECR of 2003. Here are some headline points:
Were these “mixed content” emails caught by regulation 22?
Yes. The definition of direct marketing under the DPA 1998 (“the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”) is “self-evidently a broad definition” ([29]).
The UT dismissed as excessively narrow the argument that the regulation 22 PECR 2003 prohibition (based on Article 13 of the 2002 Directive) was aimed at “indiscriminate, automated industrial-scale spamming”. See [36]:
“The principal purpose of the 2002 Directive is to protect privacy – see e.g. Recitals (2) and (3). Indiscriminate spamming is simply a symptom of a wider problem, albeit one of the most egregious examples of modern intrusions on individuals’ privacy. There is nothing in the 2002 Directive to suggest that the reach of Article 13 (and hence regulation 22 PECR) is exclusively confined to conduct that might be characterised as spamming. Rather, the tenor of the legislation is that it is an intrusion on an individual’s privacy if they receive direct marketing to which they did not consent…”
The UT’s key point of analysis as regards “mixed content” emails is that you need to focus on the information in question, rather than the email: if the email contains marketing information, that can suffice for a PECR breach, regardless of whether the email is a political newsletter, a service email, or whatever. See [37]:
“… the “unsolicited communications” for the purpose of regulation 22(2) are not the Leave.EU newsletters themselves. An email may contain different types of “information”, some of which is e.g. in the nature of political campaigning and some of which is direct marketing. The email is simply the vehicle by which the “communication” (which may contain different types of “information”) is delivered to the subscriber – it is not the “communication” itself”. Thus “when regulation 22(2) refers to “unsolicited communications for the purposes of direct marketing”, this is a proxy for “unsolicited information for the purposes of direct marketing”.”
So, because you need to focus on the content in question, you don’t get into analysing what the primary purpose of the email is.
What about the fact that recipients consented to receiving these email newsletters?
Sure, but they didn’t consent to receiving this kind of marketing communication (i.e. marketing information). There is solid confirmation here about the perils of excessively vague marketing “consents”. The Appellants’ all-encompassing statements could not secure freely-given, specific and informed consent. See [56]: “There was no indication that subscribers were doing anything other than signing up for a Brexit newsletter. As Mr Knight put it, agreeing to the very loosely drafted privacy policy amounted to signing a blank cheque”.
The Appellant pointed out that recipients did not seem to have been bothered about any of this: barely anyone had complained to the ICO. Fine, said the UT, but complaints to the ICO are not a good measure of whether valid consents were in place (see [54]).
So, these were unsolicited communications for the purposes of direct marketing, without valid consent being in place. Eldon was also on the hook, as it had “instigated” the sending of the kangaroo spam material in its Brexiteer buddies’ newsletters, having given “positive encouragement”. Again, the UT upheld the FTT’s analysis on this point.
Some points on the ICO’s enforcement actions
MPNs can only be issued for “serious” contraventions. The criteria for the issue of an MPN do not require a serious intrusion of individuals’ privacy rights – rather, they require a serious contravention of PECR 2003 (see [80]). The number of emails involved gives a sense of scale: on any reckoning, over a million emails (to around 51,000 recipients) is a serious number and the FTT was entitled to take that as a starting point (at [81]).
The ICO had not failed to adhere to its own Regulatory Action Policy: “the Commissioner exercised her powers in accordance with the statutory framework and there was nothing in the RAP that precluded her from so acting. Guidance cannot fetter discretion, so expecting it to be too prescriptive or interpreting it as if it were is not permissible” ([104]).
The ICO’s enforcement actions must be proportionate, but this test is not the same as the more stringent proportionality test that applies to interferences with fundamental rights.
It doesn’t really help anyone to draw comparisons with penalty amounts in other MPNs. “Each MPN has no precedent value in its own right and the cases inevitably turn on their own facts” (at [109]).
And as to assessment notices, there are no procedural stringencies built into the legislation, and the ICO has a wide discretion. This is to be expected, as assessment notices are investigative tools used where the ICO does not yet know the answers: they are to uncover the “Rumsfeldian unknown unknowns”.
There you have it: appeal dismissed, some strong clear stuff on marketing communications and PECR 2003, and a clean sweep of successful arguments for Chris Knight.
Robin Hopkins