Category Archives: consent

COVID booster messages and the law

GET BOOSTED NOW Every adult needs a COVID-19 booster vaccine to protect against Omicron. Get your COVID-19 vaccine or booster. See NHS website for details

On Boxing Day, this wording appears to have been sent as an SMS in effect to every mobile telephone number in the UK. The relevant government web page explains that the message is part of the national “Get Boosted Now” campaign to protect against the Omicron variant of COVID-19. The web page also thanks the Mobile Network Operators for “their assistance in helping deliver the vitally important Get Boosted Now message”.

It is inevitable that questions may get raised about the legality of the SMSs under data protection law. What is important to note is that, although – to the extent that the sending involved the processing of personal data – the GDPR may apply (or, rather, the UK GDPR), the relevant law is actually the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). Under the doctrine of lex specialis, where two laws govern the same situation, the more specific rules will prevail over more general rules. Put another way, if the more specific PECR can justify the sending of the SMSs, then the sending will also be justified under the more general provisions of UK GDPR.

Regulation 16A of PECR (inserted by a 2015 amendment) provides that where a “relevant communications provider” (in this case a Mobile Network Operator) is notified by a government minister (or certain other persons, such as chief constables) that an “emergency” has occurred, is occurring or is about to occur, and that it is expedient to use an emergency alert service, then the usual restrictions on the processing of traffic and location data can be disregarded. In this instance, given the wording on the government website, one assumes that such a notification was indeed made by a government minister under regulation 16A. (These are different emergency alerts to those proposed to be able to be sent under the National Emergency Alert system from 2022, which will not directly involve the mobile network operators.)

“Emergency” is not defined in PECR, so presumably will take its definition here from section 1(1)(a) of the Civil Contingencies Act 2004 – “an event or situation which threatens serious damage to human welfare in a place in the United Kingdom”.

The effect of this is that, if the SMSs are legal under PECR, they will also be legal under Article 6(1)(c) and 6(1)(e) of the UK GDPR (on the grounds that processing is necessary for compliance with a legal obligation to which the controller is subject, and/or necessary for the performance of a task carried out in the public interest).

There is an interesting side note as to whether, even though the SMSs count as emergency alerts, they might also be seen as direct marketing messages under regulations 22 and 23 of PECR, thus requiring the consent of the recipient before they could be sent. Under the current guidance from the Information Commissioner (ICO), one might argue that they would be. “Direct marketing” is defined in the Data Protection Act 2018 as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals” and the ICO defines it further by saying that this “covers any advertising or marketing material, not just commercial marketing. All promotional material falls within this definition, including material promoting the aims of not-for-profit organisations”. Following that line of thought, it is possible that the Omicron SMSs were both emergency alerts and direct marketing messages. This would be an odd state of affairs (and one doubts very much that a judge – or the ICO, if challenged on this – would actually agree with its own guidance and say that these SMSs were indeed direct marketing messages). The ICO is in the process of updating its direct marketing guidance, and might be well advised to consider the issue of emergency alerts (which aren’t covered in the current consultation document).

[Edited to add: I don’t think what I say above necessarily covers all the legal issues, and no doubt there are aspects of this that could have been done better, but I doubt very much there is any substantive legal challenge which can be made.]

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Filed under communications data, consent, Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, PECR, UK GDPR

ICO – HMRC must delete 5 million voice records

I have a piece on the Mishcon de Reya website, on news that the ICO has required HMRC to delete 5 million unlawfully gathered Voice ID records.

Filed under consent, Data Protection, HMRC, Information Commissioner

Prospective customers and PECR

Who is a “prospective customer”, and can businesses rely on the PECR soft opt-in to send such persons unsolicited direct electronic marketing?

The law says – in terms – that one cannot send unsolicited direct marketing by electronic means (for instance by email) to an email address belonging to an “individual subscriber” (in broad terms, this will be a person’s home, or private, email address) unless the recipient has consented to receive it, or if the sender has obtained the contact details of the recipient in the course of the sale or negotiations for the sale of a product or service to that recipient, the marketing is in respect of the sender’s similar products and services only and the recipient was given the option to opt out of such marketing at the time their details were collected, and in any subsequent communication. This is what regulation 22 of the Privacy and Electronic Communications (EC Directive) 2003 (PECR) says, and has done for fifteen years (the General Data Protection Regulation (GDPR) has slightly altered what is meant by consent, but, other than that, is largely irrelevant here).

For the purposes of this blog post I want to focus on the following words in italics:

…if the sender has obtained the contact details of the recipient in the course of the sale or negotiations for the sale of a product or service…

This clearly means that direct electronic marketing can be sent, in appropriate circumstances, to someone who is not yet, and indeed might not ever become, an actual retail customer of the sender.

In light of this, I’m surprised to note the following words in the Information Commissioner’s Office’s guidance on PECR

The soft opt-in rule means you may be able to email or text your own customers, but it does not apply to prospective customers or new contacts

It seems to me that “prospective customers” is capable of a range of meanings. On one hand, a prospective customer might be (as the ICO goes on to mention as an example) someone from a bought-in contact list, and with whom the sender who proposes to send electronic marketing has no relationship whatsoever. But, on the other hand, someone who enters into “negotiations for the sale of a product or service” is surely also a “prospective customer”?

I can’t see the ICO’s guidance here as anything but confusing and potentially misleading.

Filed under consent, Information Commissioner, PECR

GDPR doesn’t always mean “opt in”

TL;DR – the law says that, when you’re buying something from them, companies only have to offer you an opt-out from marketing. GDPR hasn’t changed this.

I see a lot of criticism of companies on social media by people who accuse the former of not complying with the General Data Protection Regulation (GDPR). Here’s an example:

But the criticism is generally misguided. GDPR does not itself deal directly with direct marketing (other than to provide for an unqualified right to opt out of it (at Article 21(3)) and a statement in one of the recitals to the effect that the processing of personal data for the purposes of direct marketing may be regarded as carried out for a legitimate interest).

The operative law in the UK regarding electronic direct marketing is, and remains, The Privacy and Electronic Communications (EC Directive) Regulations 2003 (which implement a 2002 European Directive).

These provide that one cannot send direct marketing to an individual subscriber* by unsolicited “electronic mail” (which these days largely boils down to email and SMS) unless the recipient has consented or unless the sender

has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient…the direct marketing is in respect of that person’s similar products and services only…and the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.

In plain language, this means that when you buy, or enter into negotiations to buy, a product or service from someone, the seller only has to offer an “opt out” option for subsequent electronic marketing. Nothing in GDPR changes this.

*“individual subscriber” means the person who is a party to a contract with a provider of public electronic communications services for the supply of such services – in effect, this is likely to be someone using their personal email address, and not a work one.

Filed under consent, Data Protection, GDPR, marketing, PECR

The “GDPR consent” email I’d like to receive

“Dear Jon

You know us. We’re that firm you placed an order with a few months ago. You may remember that at the time we took your order we explained we were going to send occasional marketing emails to you about similar products and services, but you could opt out then, and at any subsequent point.

We know that since 2003 (with the Privacy and Electronic Communications Regulations) (PECR) it’s been unlawful to send unsolicited marketing emails except in circumstances like those above.

We’re contacting you now because we’ve noticed a lot of competitors (and other firms) who are either utterly confused or utterly misrepresenting a new law (separate to PECR) called the General Data Protection Regulation (GDPR). They’re claiming it means they have to contact you to reconfirm your consent to receive marketing emails.

GDPR actually says nothing of the sort. It does explain what “consent” means in data protection terms in a slightly more strict way, but for companies like us, who’ve respected our customers and prospective customers all along, it makes no difference.

In fact, the emails you’re getting from those companies, asking you to “reconsent”, are probably actually direct marketing emails themselves. And if the companies don’t already have your consent to send them they may well be breaking the law in sending them. If you think we’re exaggerating, look at the fine the Information Commissioner’s Office (ICO) levied on Honda last year.

In fact, you’d do well to look at the ICO’s website – it’s got some good stuff on this, both for customers like you, and for companies who are confused by this.

It all really boils down to treating customers well, and not assuming you can send direct electronic marketing without actually looking at what the law says.

So yes, this is a marketing email, and yes, it is lawful, and yes, it is more than a little pompous.”

Filed under consent, GDPR, Information Commissioner, marketing, PECR, spam

Rennard, the facts

Has the former LibDem Campaigns guru been engaging in unsolicited electronic marketing?

If I want to market my product or service to you as an individual, the general rule is that I cannot do so by email unless I have your prior consent informing me that you wish to receive it. This applies to me (if, say, I’m promoting this blog by email), it applies to any business, it applies to political parties, and it also applies to Baron Rennard of Wavertree, when he is promoting his new memoirs. However, a recent media story about the Lord Rennard’s promotional activities suggests he may not be aware of his legal obligations here, and for someone who has held senior roles within the Liberal Democrats, someone renowned as a “formidable and widely respected practitioner of political campaigning”, this is rather concerning.

The law (regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended)) outlaws the sending of unsolicited email marketing to individuals, unless the recipient has previously consented to receive the marketing (the exception to the general rule is that email marketing can be sent if the sender has obtained the recipient’s email address “in the course of the sale or negotiations for the sale of a product or service to that recipient” and if it is explained to the recipient that they can opt out – this is often known as the “soft opt-in”).

Lord Rennard is reported as saying

I have emailed people from my address book, or using publicly available email addresses, about the publication of a volume of memoirs

But just because one already holds someone’s email address, or just because an email address is in the public domain, this does not justify or permit the sending of unsolicited marketing. The European Directive which the PEC Regulations implement makes clear that people have a right to respect for their correspondence within the context of electronic communications, and that this right is a part of the fundamental rights to respect for protection of personal data, and respect for a private and family life. It may be a lot to expect the average person sending an email promoting a book to know this, but when the sender is someone whose reputation is in part based on his skills as a political campaigner, we should surely expect better (I say “in part” because, of course, the Lord Rennard is known for other things as well).

At a time when the use of digital data for political campaigning purposes is under intense scrutiny, it will be interesting to see what the Information Commissioner (who is said to be investigating Rennard’s marketing exercise) says. It might not seem the most serious of issues, but it encapsulates a lot.

Filed under consent, Information Commissioner, marketing, PECR

Serious DCMS error about consent and data protection 

I blogged on Monday about the government Statement of Intent regarding the forthcoming Data Protection Bill. What I missed at the time was an accompanying release on the Department for Digital, Culture, Media and Sport (DCMS) website. Having now seen it, I realise why so many media outlets have been making a profoundly misleading statement about consent under the new data protection law: they have lifted it directly from DCMS. The statement is

The Data Protection Bill will require ‘explicit’ consent to be necessary for processing sensitive personal data

It should only take a second to realise how wrong this is: sensitive personal data will include information about, among other things, health, and criminal convictions. Is the government proposing, say, that, before passing on information about a critically injured patient to an A&E department, a paramedic will have to get the unconscious patient’s explicit consent? Is it proposing that before passing on information about a convicted sex offender to a local authority social care department the Disclosure and Barring Service will have to get the offender’s explicit consent? 

Of course not – it’s absolute nonsense to think so, and the parliamentary drafters of the forthcoming Bill would not dream of writing the law in such a way, not least because it would contravene our obligations under the General Data Protection Regulation (GDPR) around which much of the Bill will be based. GDPR effectively mirrors the existing European Data Protection Directive (given effect in our existing Data Protection Act 1998). Under these laws, there are multiple circumstances under which personal data, and higher-category sensitive personal data can be processed. Consent is one of those. But there are, in Article 9(2) of GDPR, nine other conditions which permit the processing of special category data (the GDPR term used to replicate what is called “sensitive personal data” under existing domestic data protection law), and GDPR affords member states the power to legislate for further conditions.

What the DCMS release should say is that when consent is legitimately relied upon to process sensitive personal data the consent must be explicit. I know that sentence has got more words in it than the DCMS original, but that’s because sometimes a statement needs more words in order to be correct, and make sense, rather than mislead on a very important point regarding people’s fundamental rights.

I tweeted Matt Hancock, the minister, about the error, but with no answer as yet. I’ve also invited DCMS to correct it. The horse has already bolted though, as a Google news search for the offending phrase will show. The Information Commissioner’s Office has begun a series of pieces addressing GDPR myths, and I hope this is one they’ll talk about, but DCMS themselves should still issue a corrective, and soon.

Filed under consent, Data Protection, DCMS, GDPR, Information Commissioner, Uncategorized

Public houses, private comms

Wetherspoons delete their entire customer email database. Deliberately.

In a very interesting development, the pub chain JD Wetherspoon have announced that they are ceasing sending monthly newsletters by email, and are deleting their database of customer email addresses.

Although the only initial evidence of this was the screenshot of the email communication (above), the company have confirmed to me on their Twitter account that the email is genuine.

Wetherspoons say the reason for the deletion is that they feel that email marketing of this kind is “too intrusive”, and that, instead of communicating marketing by email, they will “continue to release news stories on [their] website” and customers will be able to keep up to date by following them on Facebook and Twitter.

This is interesting for a couple of reasons. Firstly, companies such as Flybe and Honda have recently discovered that an email marketing database can be a liability if it is not clear whether the customers in question have consented to receive marketing emails (which is a requirement under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)). In March Flybe received a monetary penalty of £70,000 from the Information Commissioner’s Office (ICO) after sending more than 3.3 million emails with the title ‘Are your details correct?’ to people who had previously told them they didn’t want to receive marketing emails. These, said the ICO, were themselves marketing emails, and the sending of them was a serious contravention of PECR. Honda, less egregiously, sent 289,790 emails when they did not know whether or not the recipients had consented to receive marketing emails. This also, said ICO, was unlawful marketing, as the burden of proof was on Honda to show that they had recipients’ consent to send the emails, and they could not. The result was a £13,000 monetary penalty.

There is no reason to think Wetherspoons were concerned about the data quality (in terms of whether people had consented to marketing) of their own email marketing database, but it is clear from the Flybe and Honda cases that a bloated database with email details of people who have not consented to marketing (or where it is unclear whether they have) is potentially a liability under PECR (and related data protection law). It is a liability both because any marketing emails sent are likely to be unlawful (and potentially attract a monetary penalty) but also because, if it cannot be used for marketing, what purpose does it serve? If none, then it constitutes a huge amount of personal data, held for no ostensible purpose, which would be in contravention of the fifth principle in schedule 1 to the Data Protection Act 1998.

For this reason, I can understand why some companies might take a commercial and risk-based decision not to retain email databases – if something brings no value, and significant risk, then why keep it?

But there is another reason Wetherspoons’ rationale is interesting: they are clearly aiming now to use social media channels to market their products. Normally, one thinks of advertising on social media as not aimed at or delivered to individuals, but as technology has advanced, so has the ability for social media marketing to become increasingly targeted. In May this year it was announced that the ICO were undertaking “a wide assessment of the data-protection risks arising from the use of data analytics”. This was on the back of reports that adverts on Facebook were being targeted by political groups towards people on the basis of data scraped from Facebook and other social media. Although we don’t know what the outcome of this investigation by the ICO will be (and I understand some of the allegations are strongly denied by entities alleged to be involved) what it does show is that stopping your e-marketing on one channel won’t necessarily stop you having privacy and data protection challenges on another.

And that’s before we even get on to the small fact that European ePrivacy law is in the process of being rewritten. Watch that space.

Filed under consent, Data Protection, marketing, monetary penalty notice, PECR, social media, spam

Why what Which did wears my patience thin

Pre-ticked consent boxes and unsolicited emails from the Consumers’ Association

Which?, the brand name of the Consumers’ Association, publishes a monthly magazine. In an era of social media, and online reviews, its mix of consumer news and product ratings might seem rather old-fashioned, but it is still (according to its own figures [1]) Britain’s best-selling monthly magazine. Its rigidly paywalled website means that one must generally subscribe to get at the magazine’s contents. That’s fair enough (although after my grandmother died several years ago, we found piles of unread, unopened even, copies of Which? She had apparently signed up to a regular Direct Debit payment, probably to receive a “free gift”, and had never cancelled it: so one might draw one’s own conclusion about how many of Which?’s readers are regular subscribers for similar reasons).

In line with its general “locked-down” approach, Which?’s recent report into the sale of personal data was, except for snippets, not easy to access, but it got a fair bit of media coverage. Intrigued, I bit: I subscribed to the magazine. This post is not about the report, however, although the contents of the report drive the irony of what happened next.

As I went through the online sign-up process, I arrived at that familiar type of page where the subject of future marketing is broached. Which? had headlined their report “How your data could end up in the hands of scammers” so it struck me as amusing, but also irritating, that the marketing options section of the sign-in process came with a pre-ticked box:

As guidance from the Information Commissioner’s Office makes clear, pre-ticked boxes are not a good way to get consent from someone to future marketing:

Some organisations provide pre-ticked opt-in boxes, and rely on the user to untick it if they don’t want to consent. In effect, this is more like an opt-out box, as it assumes consent unless the user clicks the box. A pre-ticked box will not automatically be enough to demonstrate consent, as it will be harder to show that the presence of the tick represents a positive, informed choice by the user.

The Article 29 Working Party goes further, saying in its opinion on unsolicited communications for marketing purposes that inferring consent to marketing from the use of pre-ticked boxes is not compatible with the data protection directive. By extension, therefore, any marketing subsequently sent on the basis of a pre-ticked box will be a contravention of the data protection directive (and, in the UK, the Data Protection Act 1998) and the ePrivacy directive (in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)).

Notwithstanding this, I certainly did not want to consent to receive subsequent marketing, so, as well as making a smart-arse tweet, I unticked the box. However, to my consternation, if not my huge surprise, I have subsequently received several marketing emails from Which? They do not have my consent to send these, so they are manifestly in contravention of regulation 22 of PECR.

It’s not clear how this has happened. Could it be a deliberate tactic by Which? to ignore subscribers’ wishes? One presumes not: Which? says it “exists to make individuals as powerful as the organisations they deal with in their daily lives” – deliberately ignoring clear expressions regarding consent would hardly sit well with that mission statement. So is it a general website glitch – which means that those expressions are lost in the sign-up process? If so, how many individuals are affected? Or is it just a one-off glitch, affecting only me?

Let’s hope it’s the last. Because the ignoring or overriding of expressions of consent, and the use of pre-ticked boxes for gathering consent, are some of the key things which fuel trade in and disrespect for personal data. The fact that I’ve experienced this issue with a charity which exists to represent consumers, as a result of my wish to read their report into misuse of personal data, is shoddy, to say the least.

I approached Which? for a comment, and a spokesman said:

We have noted all of your comments relating to new Which? members signing up, including correspondence received after sign-up, and we are considering these in relation to our process.

I appreciate the response, although I’m not sure it really addresses my concerns.

[1] Which? Annual Report 2015/2016

Filed under consent, Data Protection, Directive 95/46/EC, Information Commissioner, marketing, PECR, spam, subject access

Don’t be so soft

What’s behind the increasing practice of electronic receipts?

I’m good at a few things in life, OK at a few more, and pretty terrible at a lot. Into the last category falls car maintenance. Nonetheless, as a safety-conscious person I understand its importance. And so it was that I found myself in a local branch of a major retailer of car parts the other day buying a replacement headlamp bulb, and asking for it to be fitted (by the very helpful Louise – sorry Louise, I won’t be submitting the online customer feedback, for reasons which will probably become clear in this post). I paid for the service, and was then asked

Can I just have your email address to send the receipt?

Er, no.

I’d heard about this practice, but, oddly, this was the first time I’d encountered it. It was immediately obvious to me what was going on, or at least what I assumed was/is going on, but I thought it might be helpful to draw attention to it.

The law (regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended)) outlaws the sending of unsolicited email marketing to individuals, unless the recipient has previously consented to receive the marketing. As much as this law is regularly flouted, it is both clear and strict. It is, however, subject to an important caveat – email marketing can be sent if the sender has obtained the recipient’s email address “in the course of the sale or negotiations for the sale of a product or service to that recipient”.

This is known as the “soft opt-in” and it seems clear to me that the practice of sending e-receipts is tied up with the gathering of email addresses for the purposes of sending marketing using the soft opt-in provisions. As much as we might be told how helpful it is for our own records management to have electronic copies of receipts, there is something in it for retailers, and that something is the perceived right to send electronic marketing.

I should add, though, that soft opt-in is subject to further qualifications – the marketing must be in respect of “similar products and services only”, and, crucially, at the point when the contact details are collected, the intended recipient must be given the chance to say “no” to the marketing. (See the guidance from the Information Commissioner’s Office for further details).

I wasn’t given the chance to say “no”, but I chose not to give my details. If I had given those details, and if I had then received email marketing, it would have been sent unlawfully. I would have known that, but a lot of people wouldn’t, and, importantly, it’s quite difficult to prove (or remember) whether one was given “a simple means of refusing” marketing at the time the sale was made. So it’s a relatively low-risk tactic for marketers.

So my advice is to say no to e-receipts, demand a paper one, and if you do want to retain a record, why not just photograph the receipt when you get home?

Filed under consent, marketing, PECR