In assessing one’s own compliance with the law, or in advising a client on the law, or in pontificating on one’s blog about the law, one is well advised to refer not only to the law itself (whether in the form of legislation or precedent at common law), but also codes of practice, and guidance. When the law in question is the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which are enforced and overseen by the Information Commissioner’s Office (ICO), it is natural that one would refer – in addition to PECR themselves, and the European Directive 2002/58/EC to which PECR give domestic effect – to the ICO’s own PECR guidance, and, particularly when it comes to electronic marketing, the guidance on Direct Marketing.
So, when the latter guidance says
Organisations must give the customer the chance to opt out – both when they first collect the details, and in every email or text. Organisations should not assume that all customers will be happy to get marketing texts or emails in future…It must be simple to opt out. When first collecting a customer’s details, this should be part of the same process (eg online forms should include a prominent opt-out box…
it would be reasonable to assume that an organisation which did not do this would be, at least if not in direct breach of PECR, sailing close to the wind. The relevant regulation (22(2)) of PECR says that
a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender
and recital 40 of the originating Directive says that electronic marketing requires that prior, explicit consent be given before electronic marketing can take place.
One could reasonably argue that, until such unsolicited electronic marketing takes place, there is no active breach of PECR, but it should surely be conceded that any practice of collecting email addresses, by – say – a political party, in circumstances where explicit consent to receiving subsequent electronic political marketing, is questionable.
I have blogged a number of times in recent weeks about such harvesting of email addresses, and it was prompted by a “widget” on the Labour Party website. I asked the ICO for a statement specifically about that “widget”, and this is what their spokesman said:
In general terms, if an organisation wishes to retain individuals’ contact details it should make them aware of this before their information is collected. This appears to be the case in the NHS baby number service. We also advise organisations that web pages should explain how personal information will be used, and this can be via a link to the organisation’s privacy policy. We would also want to ensure that individuals can unsubscribe from emails if they receive them, as appears to be the situation here.
We have published detailed guidance for political parties for campaigning or promotional purposes. On 1 May 2014, the Information Commissioner wrote to the main UK political parties reminding them of the need to follow data protection and electronic marketing rules. Political campaigning is an area that attracts close public scrutiny. We shall continue to encourage political parties to demonstrate best practice and be open and upfront with people when explaining how their personal details will be used
Now, this is a reasonable and accurate statement about the collection of personal data and compliance with the first Data Protection Principle in Schedule One of the Data Protection Act 1998 – tell people what you are gathering their data for, and how it will be used, and you will probably have broadly complied with the duty to process personal data “fairly”.
However, it seems to overlook – with its reference to “general terms” – the specific requirements of PECR. It seems clear to me that any subsequent email from Labour will have been sent because they have inferred, rather than having received notification of, (explicit) consent.
PECR is not my strongest area. Seriously – am I missing something?
informationrightsandwrongs 
Is now a good time to forward to the ICO the Lib Dem’s recent admission in writing to me that they bought my email address from a quite clearly dodgy email list? I think it may be…
I think so – yes!
The email sent as a result of using the baby website asks recipients to do a ‘survey’. The survey has two aims – to promote ‘Labour achievements’ and to ask for donations (twice). It is impossible to exit the survey unless you go to the Labour donation page. PECR is not about content, it is about the purpose of the communication. If the communication is designed for a direct marketing purpose (soliciting donations), it does not matter if the communication itself does not contain the request.
In short, Labour is breaching PECR (and I suspect they know they are, but think they will get away with it). The ICO is thinking only with its DPA hat on, and has now backed itself into a corner. They should tell Labour to stop but they probably won’t feel able to change their position now. This means the other parties will follow suit.
Bloody marvellous.
Pingback: Online privacy – a general election battleground | informationrightsandwrongs