What is this about?
E-privacy legislation (the EC Directive Regulations 2001, commonly referred to as PECR) sets out rules with regard to direct marketing in the context of privacy and electronic communications – in particular, apart from when a certain exception applies, unsolicited emails for direct marketing cannot be sent unless an individual has consented to this.
What is the background to the case?
In this case a direct marketing organisation called Xerpla Ltd. (Xerpla) was fined £50,000 in October 2017 by the UK’s data protection regulator, the Information Commissioner’s Office (ICO) for sending 1,257,580 marketing emails promoting the products and services of third parties between 6 April 2015 and 20 January 2017 to its subscription base; the ICO had investigated on the basis of 4 complaints.
The ICO found an infringement of the rules on the basis that the necessary prior consent had not been obtained. Xerpla appealed the case before the UK’s First-tier Tribunal Information Rights (the Tribunal). The core issue of the appeal was whether Xerpla had obtained the consent of subscribers before sending them direct marketing by email, the ICO claiming that subscribers were unable to give informed consent.
What did the Tribunal decide?
The Tribunal (in a written procedure only, i.e. there was no oral hearing) decided that on the facts “it was obvious what [Xerpla’s] subscribers were consenting to. It was obvious because of the service Xerpla was offering. Whether consent is informed has to be judged in context. The nature of Xerpla’s discounts/deals website was that subscribers could be sent third party offers about any products and services. That is why they subscribed to it. Had they wished to subscribe to a service offering only certain types of products and services, this was not the website for them.” The Tribunal also agreed with Xerpla’s assertion that “it was obvious what subscribers were subscribing to is strongly supported by the very small number of complaints received by the Commissioner – just 14 following over 1.25 m emails. As a percentage this is less than 0.0012%” (although, as the Tribunal pointed out, the ICO had only given details about four complaints). And although the Tribunal said that rates of complaints have to be treated with caution, “it cannot be said that the paucity of complaints is irrelevant. It indicates that the vast majority of Xerpla subscribers were content to receive direct marketing about a wide range of products and services – and that is likely to have been precisely because that is what they had signed up for. The Tribunal accepts Xerpla’s evidence that the complaint rate is very low by industry standards.” The Tribunal also rebuffed the ICO’s arguments based on the section in the ICO’s guidance material, the Direct Marketing Guidance, about indirect consent, and determined that Xerpla’s situation was in fact on point with a section of the guidance, which the ICO had not referred to in its appeal. The Tribunal therefore allowed the appeal.
What are the takeaways?
The main takeaway is that although Xerpla scored a victory against the ICO and do not have to pay a hefty fine, it is GDPR that we have to contend with now. This case pre-dates GDPR, which has a stricter definition of consent, and since GDPR entered into full application on 25 May 2018, consent for direct marketing must be GDPR compliant. When undertaking direct marketing, consent has to be “freely given, specific, informed and an unambiguous indication of the individual’s wishes” and an individual must opt in to direct marketing.
The Tribunal’s judgment can be found here: https://www.bailii.org/uk/cases/UKFTT/GRC/2018/2017_0262.html
Revised rules in this field are due to be enacted by the EU, which we have written FAQs about here: http://www.corderycompliance.com/proposed-eu-e-privacy-regulation/
We report about data protection issues including marketing here: http://www.corderycompliance.com/category/data-protection-privacy/. For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/.
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance. GDPR Navigator includes:
- Detailed guidance on the security aspects of GDPR in paper and on film;
- A template data breach log;
- A template data breach plan; and,
- A template data breach reporting form.
For more on Navigator please see here: http://www.corderycompliance.com/solutions/cordery-gdpr-navigator/.
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785