UK ICO Updates Email Marketing Guidance and Enforces Against Direct Marketing Based on Purchase History Inferences
On Oct. 18, 2022, the UK Information Commissioner's Office (ICO) updated its "Guidance on Direct Marketing Using Electronic Mail," providing refreshed FAQs regarding what constitutes electronic mail marketing, related rules and responsibilities, and miscellaneous clarifications to compliance questions such as "are tracking pixels covered by the electronic mail marketing rules?" (Short answer: technically no, but they are covered by different rules of the same law in the UK).
What follows are high-level takeaways from the ICO's guidance, together with a brief overview of an ICO enforcement case announced Oct. 6 involving alleged direct marketing and GDPR violations: a company used customers' purchase history, without their consent, to infer medical conditions and then targeted those customers with health-related products.
Although an organization's email marketing practices in relation to European residents must be evaluated on a country-by-country basis, as there are nuanced differences among the various EU Member States and the UK, the ICO's guidance is nonetheless helpful for understanding some of the considerations that will go into email marketing practices in 2023 and beyond.
The EU Privacy and Electronic Communications Directive 2002 (the "ePrivacy Directive") sets out minimum requirements for Member States' laws in relation to direct marketing, including email marketing. Each EU Member State implemented the ePrivacy Directive in its national law; the UK did so by means of the Privacy and Electronic Communications Regulations 2003 (PECR). Post-Brexit, PECR continues to apply in the UK, although the EU courts no longer have jurisdiction over whether PECR properly implements the ePrivacy Directive, and decisions of the EU courts on the interpretation of the ePrivacy Directive need not be followed by the UK courts.
Notably, however, "electronic mail" does not include online advertising, the placement of ads on websites, or even targeted advertising messages shown in news feeds, because PECR's definition of electronic mail requires that the message be stored in a public electronic communications network or in the recipient's terminal equipment until it is collected by the recipient. Such advertising is instead governed by separate PECR rules on storing or accessing information on a user's device: GDPR-level consent is required before information is accessed or stored on an end user's device, whether via a cookie, a pixel, a mobile app software development kit (SDK), a Local Shared Object, or other technologies used on browsers, smartphones, tablets, smart TVs or other devices. Such PECR/ePrivacy Directive consent often also serves as the GDPR lawful basis (consent) for processing the data for interest-based targeted advertising purposes.
The PECR rules generally apply to anyone sending unsolicited messages by electronic mail for the purposes of direct marketing to recipients in the UK. Such messages may only be sent if either (1) the sender has the recipient's GDPR-level consent, obtained via a request that is prominent, concise, easy to understand and separate from things like general terms and conditions, or (2) the sender has met each of the "soft opt-in" requirements (discussed below) for that particular recipient.
PECR takes its standard of consent from the UK GDPR. This means that, when seeking a "freely given, specific, informed and unambiguous indication of a data subject's wishes" that signifies affirmative agreement to email marketing (i.e., no pre-ticked opt-in boxes and no assumptions drawn from silence or inactivity), the sender must make clear that the consent covers its electronic mail marketing messages, that it can be withdrawn at any time without detriment, and that it is granular and unbundled from other matters. The ICO recommends keeping a time- and date-stamped record of each consent for later accountability purposes.
The ICO takes the position that any consent must specifically cover receiving a particular type of electronic mail from the sender. Accordingly, the ICO instructs organizations to obtain separate consent for emails and separate consent for text messages. For instance, a blank checkbox merely indicating "Tick here if you would like to receive marketing from us about our services" would not be specific or informed enough to support sending someone text messages. Likewise, the ICO notes that "If you are considering sending direct marketing by text message, remember that consent to use someone's phone number for live or automated calls doesn't automatically cover direct marketing by text message."
Similarly, because consent to electronic mail marketing must be freely given, an organization is unlikely to be able to make such consent a condition of buying a product. This means that legacy checkout messages such as "By submitting your order you agree to receive our marketing emails. Click HERE to submit your order" would likely not be in line with the current guidance.
The ICO makes clear its view that consent is not transferable: it is specific to receiving electronic mail marketing at the particular number or address that the person gave to the sender. For example, consent to receive direct marketing at one email address does not cover any other email address the person might also use, even if the sender later becomes aware of it.
As an alternative to the consent-based approach to email marketing in the UK, the legitimate interests-based so-called "soft opt-in" is also a possible legal avenue. Although PECR does not use the term "soft opt-in," Regulation 22(3) allows an organization to send marketing electronic mail to an existing customer or prospect if five conditions are met:
- the organization obtained the contact details directly from the intended marketing recipient;
- it did so in the course of a sale or negotiation of a sale of a product or service (this includes the recipient actively expressing an interest, including by requesting a quote or asking for more details on offerings);
- it is marketing its own similar products and services (meaning that the soft opt-in does not apply to sending the marketing messages of other organizations);
- it provided an opportunity to refuse or opt-out when it collected the details (such as an opt-out checkbox to tick); and
- it gives an opportunity to refuse or opt-out in every subsequent communication.
In the UK, electronic mail must not disguise the identity of the sender, and it must provide a valid contact address that people and businesses can use to opt out of, or unsubscribe from, further messages. This applies whether the message is solicited (specifically asked for by the recipient) or unsolicited (sent without a specific request, even if the recipient has given broader consent to the sender's direct marketing). The use of an unsubscribe link in commercial marketing messages will be familiar to organizations complying with the U.S. CAN-SPAM Act or Canada's Anti-Spam Legislation.
It is possible to use a list compiled by, or purchased from, a third party to send direct marketing by electronic mail. However, to do so, the people on the list must have given their consent to receive such marketing from the sender specifically. The sender remains responsible for complying with PECR, which means that if the underlying consent does not name the sender or does not cover the marketing channel, then sending to individuals on the purchased list may breach PECR. Where a third party selling a list claims that the people on it consented to direct marketing, the ICO recommends asking the following questions:
- What were people told?
- What did they consent to?
- Were you named on the consent request?
- When and how did they consent?
- Did they have a choice to consent?
- Is there a record of the consent?
Note that third-party marketing lists can never satisfy the soft opt-in, as that exception requires the sender itself to have obtained the contact details, in addition to the other conditions set out above.
PECR sits alongside the UK's data protection regime, which currently comprises the UK GDPR and the Data Protection Act 2018. This means that if an electronic mail sender uses an email address that identifies an individual, data protection law must also be complied with, so that the data processing is fair, lawful and transparent. The fairness prong requires not doing things with personal data that people would find unexpected, misleading or detrimental; lawfulness refers to having a lawful processing basis, such as consent or legitimate interests; and transparency refers to providing clear, open and honest disclosures informing individuals how their personal data will be used. PECR is enforced separately from the UK GDPR. Under the UK GDPR, the maximum fine is £17.5 million (the UK equivalent of the EU GDPR's €20 million) or 4% of annual global turnover, whichever is greater. Under PECR, the ICO can issue an enforcement notice requiring an organization to stop sending direct marketing that breaches the law, and it can serve a monetary penalty notice imposing a fine of up to £500,000 on the organization or its directors.
Highlighting the seriousness with which the ICO views its direct marketing and data protection enforcement powers, on Oct. 6 the UK regulator announced a £1,350,000 fine against a catalog retailer for using 145,000 customers' personal data to predict their potential medical conditions and target them with health-related products without their consent.
The ICO found that when a customer purchased a product from the company's Health Club catalog, such as a jar opener or a dinner tray, the company would make assumptions about the customer's medical conditions for subsequent marketing solicitations, for example inferring that the customer has arthritis and then calling the individual to market glucosamine joint patches to them. Eighty of the 122 products in the catalog were "trigger products" that, when purchased, would lead to the customer being profiled and targeted with corresponding health-related items.
The ICO found that individuals were unaware that the company was collecting and using their personal data for this purpose between August 2019 and August 2020, as the company did so on an "invisible" basis in violation of GDPR Article 5(1)(a), and did so, moreover, without conducting a data protection impact assessment. The same practice also resulted in the company making over 1.3 million unwanted marketing calls to individuals whose landline and mobile telephone numbers were registered with the Telephone Preference Service Ltd (TPS), the UK's counterpart to the U.S. "Do Not Call" register. This PECR violation resulted in a separate £130,000 fine on top of the data protection fine.
Although it does not directly involve email marketing, this case reinforces a number of the takeaways described above and demonstrates the ICO's continued focus on transparent and compliant direct marketing practices.