In assessing one’s own compliance with the law, or in advising a client on the law, or in pontificating on one’s blog about the law, one is well advised to refer not only to the law itself (whether in the form of legislation or precedent at common law), but also codes of practice, and guidance. When the law in question is the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which are enforced and overseen by the Information Commissioner’s Office (ICO), it is natural that one would refer – in addition to PECR themselves, and the European Directive 2002/58/EC to which PECR give domestic effect – to the ICO’s own PECR guidance, and, particularly when it comes to electronic marketing, the guidance on Direct Marketing.
So, when the latter guidance says
Organisations must give the customer the chance to opt out – both when they first collect the details, and in every email or text. Organisations should not assume that all customers will be happy to get marketing texts or emails in future…It must be simple to opt out. When first collecting a customer’s details, this should be part of the same process (eg online forms should include a prominent opt-out box…
it would be reasonable to assume that an organisation which did not do this would be, at least if not in direct breach of PECR, sailing close to the wind. The relevant regulation (22(2)) of PECR says that
a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender
and recital 40 of the originating Directive says that electronic marketing requires that prior, explicit consent be given before electronic marketing can take place.
One could reasonably argue that, until such unsolicited electronic marketing takes place, there is no active breach of PECR, but it should surely be conceded that any practice of collecting email addresses, by – say – a political party, in circumstances where explicit consent to receiving subsequent electronic political marketing, is questionable.
I have blogged a number of times in recent weeks about such harvesting of email addresses, and it was prompted by a “widget” on the Labour Party website. I asked the ICO for a statement specifically about that “widget”, and this is what their spokesman said:
We have published detailed guidance for political parties for campaigning or promotional purposes. On 1 May 2014, the Information Commissioner wrote to the main UK political parties reminding them of the need to follow data protection and electronic marketing rules. Political campaigning is an area that attracts close public scrutiny. We shall continue to encourage political parties to demonstrate best practice and be open and upfront with people when explaining how their personal details will be used
Now, this is a reasonable and accurate statement about the collection of personal data and compliance with the first Data Protection Principle in Schedule One of the Data Protection Act 1998 – tell people what you are gathering their data for, and how it will be used, and you will probably have broadly complied with the duty to process personal data “fairly”.
However, it seems to overlook – with its reference to “general terms” – the specific requirements of PECR. It seems clear to me that any subsequent email from Labour will have been sent because they have inferred, rather than having received notification of, (explicit) consent.
PECR is not my strongest area. Seriously – am I missing something?