I suspect everyone is now fed up to the back teeth of emails from long-forgotten and sometimes never-known businesses and organisations claiming they need us to renew our consent to receive electronic marketing from them. In many cases we never wanted the marketing in the first place and therefore almost certainly never consented to receive it, according to how “consent” has been construed in the operative law (the Data Protection Act 1998 (DPA), and, specifically, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)). Everyone is probably equally fed up with similar emails from businesses and organisations we do have a relationship with, and from whom we do want to hear. I’m not going to rehash the law on this – I’ve written and commented multiple times elsewhere (search “Jon Baines +banging head against a brick wall”), as have other, more sage people (try Tim Turner, Adam Rose or Matt Burgess).
But I did notice that the Information Commissioner’s Office (ICO) recently issued a broadly helpful corrective to some of the misinformation out there. I say “broadly helpful” because it is necessarily, and probably correctly, cautious about giving advice which could potentially be interpreted as “do nothing”. Nonetheless, it makes clear that in some cases, doing nothing may be precisely the right thing to do: although the definition of “consent” from the General Data Protection Regulation (GDPR) will drop into PECR, replacing the definition which currently applies (the one at section 11 (3) of the DPA), this does not represent a significant reconfiguring. In general, if you had proper consent before GDPR, you’ll have proper consent under GDPR, and if you didn’t, well, you probably don’t have consent to send an email asking for consent.
Even though the ICO corrective was welcome, I’d actually already begun some slightly mischievous digging.
For a number of years, through various email addresses, I have subscribed to the ICO’s email newsletter (I invite thoughts, through the “comments” function on this blog, about the adequacy of the privacy notice given when one signs up to it, but this post is not directly about that). All the nonsense emails flying round got me to thinking – the ICO newsletter is probably “direct marketing” according to the law and the ICO’s own guidance, and when it is sent to an “individual subscriber” the PECR consent requirements kick in. So, I wondered, had the ICO reviewed whether it needed to get “GDPR-standard consent”, at least from those individual subscribers?
The answer, in response to my request for information under the Freedom of Information Act 2000, is yes – the ICO have reviewed, and no, they don’t think they need to “reconsent”.
They’ve told me that
We have reviewed our e-newsletter and consent as part of our preparations for the requirements of GDPR…we do think our newsletter constitutes direct marketing [but we] don’t think we need to seek re-consent from individuals who have already consented to receive the newsletter. The newsletter is only sent to people who asked to receive it, this was done on an opt in basis on the back of a clear question asked separately from other information. We have a record of the date they asked to receive the newsletter. There is an unsubscribe option at the end of each newsletter and we log when people tell us they don’t want to receive it anymore – we’ve reviewed that process to make sure it is robust.
Pretty clear, I think.
I post their response here in the hope it might assist those who are in a similar position and are struggling to understand whether they need to send another of those stupid “reconsent” emails flying around.
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.