Hogan Lovells 2024 Election Impact and Congressional Outlook Report
You may not have noticed it, but despite all of the distractions caused by Brexit and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), the UK Information Commissioner’s Office (ICO) has been extremely active on the enforcement front in recent times. One of the features of this activity has been the variety of infringements targeted and, in particular, the focus on e-mail marketing. More specifically, the ICO has taken enforcement action by way of monetary penalties against well-known consumer brands such as Flybe, Honda, Morrisons and Moneysupermarket, for practices that might not have been seen as so out of order in the past. However, given the current tough stance taken by the ICO in connection with direct marketing practices, it would not be surprising to see future enforcement actions in this area.
First of all, let’s get the law right. In the UK, e-mail marketing is subject to the legal framework set out in both the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR). Nearly 20 years ago, the DPA established a right that is well known to marketers and consumers: the simple and absolute right to opt-out of all forms of direct marketing. The PECR are more elaborate because they set out different rules for direct marketing depending on the channel of communication. For e-mail marketing to consumers, the general rule is prior opt-in consent, but the law provides for an exception to this rule: e-mail marketing is allowed on an opt-out basis for existing customers if the content of the communication relates to the types of products or services bought. It is a little fiddly but hugely helpful to businesses, of course.
However, one of the main challenges is the interpretation of what ‘direct marketing’ is. Since day one, the ICO has adopted a broad interpretation of what amounts to direct marketing. For the UK regulator, the concept does not only cover the offer for sale of goods or services, but also any kind of indirect promotion of an organisation’s business, aims or ideals. The challenge in practice is that even if the primary intention of a communication is not promotional, the moment that some of the content falls within that category, it risks becoming direct marketing. Until recently, it is fair to say that there has been a degree of tolerance in this respect. But given the enforcement actions of the past few months, marketing departments need to pay much closer attention than ever before to where the boundaries lie.
The best clues are in the decisions to impose monetary penalties by the ICO. The Flybe decision will be of great concern to many businesses because a £70,000 penalty was imposed for an e-mail that was primarily aimed at ensuring that the contact details of customers were correct, which is in itself an obligation under data protection law. However, a breach was committed because the same e-mail offered individuals who had opted out of direct marketing the possibility of updating their marketing preferences. Simply offering that option was regarded by the ICO as an unsolicited marketing communication.
Equally concerning is the Honda decision. Although on this occasion the penalty was only £13,000, the ICO took action because Honda had e-mailed its customers in order to clarify the marketing preferences of those individuals that the company was uncertain of. Even though it was a one-off e-mail to confirm the customers’ preferred choice, it was also seen by the ICO as an unsolicited marketing communication in itself.
The circumstances of the Morrisons enforcement action were similar to the Flyby one, but the penalty was much smaller – £10,500 – because the number of individuals targeted was also considerably smaller. But it is perhaps the Moneysupermarket decision the one that shows better than any other what is allowed and what is not. In this case, nearly seven million e-mails with the subject ‘Terms and Conditions Update’ were successfully delivered to customers who had previously opted out of marketing communications. Despite the subject matter, Moneysupermarket was fined £80,000 because the e-mail also asked customers if they wished to reconsider their marketing preferences.
What does this all mean? It means that being creative about attempting to reach out to those who have opted out of marketing communications is a dangerous practice. Even politely approaching opted-out customers inviting them to update or change their marketing preferences is in breach of the law. And the good old practice of using a legitimate service communication as a vehicle to deliver marketing messages is now under the regulatory microscope. All in all, these decisions are a clear sign that when individuals expressly say ‘no’ to marketing, there is likely to be zero tolerance by the regulator to ways around it.
This article was first published in Data Protection Leader in August 2017.
Authored by Eduardo Ustaran