ICO newsletter: direct marketing, but no need to “reconsent”

I suspect everyone is now fed up to the back teeth of emails from long-forgotten and sometimes never-known businesses and organisations claiming they need us to renew our consent to receive electronic marketing from them. In many cases we never wanted the marketing in the first place and therefore almost certainly never consented to receive it, according to how “consent” has been construed in the operative law (the Data Protection Act 1998 (DPA), and, specifically, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)). Everyone is probably equally fed up with similar emails from businesses and organisations we do have a relationship with, and from whom we do want to hear. I’m not going to rehash the law on this – I’ve written and commented multiple times elsewhere (search “Jon Baines +banging head against a brick wall”), as have other, more sage people (try Tim Turner, Adam Rose or Matt Burgess).

But I did notice that the Information Commissioner’s Office (ICO) recently issued a broadly helpful corrective to some of the misinformation out there. I say “broadly helpful” because it is necessarily, and probably correctly, cautious about giving advice which could be potentially interpreted as “do nothing”. Nonetheless, it makes clear that in some cases, doing nothing may be precisely the right thing to do: although the definition of “consent” from the General Data Protection Regulation (GDPR) will drop into PECR, replacing the definition which currently applies (the one at section 11 (3) of the DPA), this does not represent a significant reconfiguring. In general, if you had proper consent before GDPR, you’ll have proper consent under GDPR, and if you didn’t, well, you probably don’t have consent to send an email asking for consent.

Even though the ICO corrective was welcome, I’d actually already begun some slightly mischievous digging.

For a number of years, through various email addresses, I have subscribed to the ICO’s email newsletter (I invite thoughts, through the “comments” function on this blog, about the adequacy of the privacy notice given when one signs up to it, but this post is not directly about that). All the nonsense emails flying round got me to thinking – the ICO newsletter is probably “direct marketing” according to the law and the ICO’s own guidance, and when it is sent to an “individual subscriber” the PECR consent requirements kick in. So, I wondered, had the ICO reviewed whether it needed to get “GDPR-standard consent”, at least from those individual subscribers?

The answer, in response to my request for information under the Freedom of Information Act 2000, is yes – the ICO have reviewed, and no, they don’t think they need to “reconsent”.

They’ve told me that

We have reviewed our e-newsletter and consent as part of our preparations for the requirements of GDPR…we do think our newsletter constitutes direct marketing [but we] don’t think we need to seek re-consent from individuals who have already consented to receive the newsletter. The newsletter is only sent to people who asked to receive it, this was done on an opt in basis on the back of a clear question asked separately from other information. We have a record of the date they asked to receive the newsletter. There is an unsubscribe option at the end of each newsletter and we log when people tell us they don’t want to receive it anymore – we’ve reviewed that process to make sure it is robust.

Pretty clear, I think.

I post their response here in the hope it might assist those who are in a similar position and are struggling to understand whether they need to send another of those stupid “reconsent” emails flying around.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


10 responses to “ICO newsletter: direct marketing, but no need to “reconsent””

  1. Alan m Dransfield

    Most definitely, the ICO need to review the Dransfield Vexatious BS Precedent as in the Court of Appeal decision C3/2013/1855 dated May 2015

  2. G A Laughlan

    Hi Jon,

    I’ve been thinking about this a lot recently, and found this really useful so thank you!

    Quick question – if an individual specifically signs up to receive an organisation’s newsletter, is the sending of the newsletter actually unsolicited? I’m wondering if in these cases PECR applies at all?

    Sorry if this is a daft question. I’m fairly new to this.

    Gail

  3. Robert Madge

    It’s good to know that the ICO executed, and recorded, their email consent process properly, but we know that this is unusual.

    I’ve been getting a lot of re-consent emails, but most of the organisations who send me email marketing have not asked for re-consent. Unfortunately, I don’t think that the house is being cleaned as much as it should be!

  4. Robert Madge

    PS: I do hate the WordPress cookie handling (on the ICO site as well as yours). I’m waiting for the house cleaning on cookies to take place!
