Emails, texts and other kinds of electronic communications are one of the most effective ways a company can:
But direct, electronic marketing like this is tightly regulated by the Privacy and Electronic Communications Regulations (PECR). These regulations operate in tandem with GDPR. Businesses need to be aware of these restrictions because – as we’ll see – the Information Commissioner (the ICO) has wide powers to investigate complaints about spam emails and nuisance calls and to impose heavy fines on companies that breach the rules. Here we consider from a data protection perspective the factors our clients need to bear in mind before embarking on any kind of electronic marketing campaign. And to illustrate the repercussions of getting it wrong we look at two cases where the ICO imposed fines of £330,000 on companies for sending unsolicited marketing material.
PECR and GDPR are all about enhancing privacy rights and giving individuals control over their personal information. The penalties for sending electronic messages without appropriate consent can often be substantial.
The precise rule businesses need to follow when it comes to electronic communication with customers is Regulation 22 of PECR. It has the following effects:
This last rule is sometimes known as the ‘soft opt-in’ rule. Remember it concerns existing customers and can’t be used to justify sending electronic messages to prospective customers.
In March 2021 the ICO fined two companies for sending nuisance texts – a clear demonstration of the need for businesses to scrupulously follow PECR. Briefly the cases involved:
To give you a flavour of the type of message revealed by these investigations, one – sent out by Valca – read:
“*firstname* Affected by Covid? Struggling with finances? lost job /furloughed? Were here to help! Gvnmnt backed support see if you qualify
Both these cases show how seriously the ICO takes the issue of illegal direct marketing. In the context of the global pandemic the nature of the marketing material in Valca and Leads Work was particularly egregious. In its decision notice the ICO was clear, stating that ‘if businesses believe they can exploit the pandemic and misuse personal data, they should think again’.
A close reading of the ICO decision in the Leads Works case in particular shows the extent of the breach. The website to which the offending text message directed individuals was, the ICO found, ‘vague and confusing’, and the consent statement and privacy statement were too lengthy. The ICO could find no mitigating factors in the information provided to it by Leads Work. In these circumstances any consent obtained could not have been freely given, specific or informed – as required by the rules.
From our client’s point of view it’s worth pointing out that the companies on which the large fines were imposed were not household names. They were relatively small entities and yet attracted thousands of complaints and large fines.
Compliance with PECR is not just something large organisations need to consider. If you:
then you need to regularly review the way you handle personal data and obtain the consent of all those clients you wish to contact electronically.
For more information on GDPR, PECR and electronic marketing protocols contact our director Shubha Nath at Nath Solicitors on 0203 983 8278 or contact the firm online.