By me, on the Mishcon de Reya website.
Category Archives: Data Protection Bill
Soft opt in marketing for non-profits
Why can’t charities send speculative promotional emails and text messages to customers and enquirers, in circumstances where commercial organisations can? And should the law be changed?
Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) deals with circumstances under which a person can send an unsolicited direct marketing communication by email, or text message.
In simple and general terms, a person cannot send an unsolicited direct marketing email or text message to an individual’s private email account, unless the individual has consented to receive it. “Consent”, here, has the stringent requirements imposed by Article 4(11) and Article 7 of the UK GDPR.
(The actual law is more complex – it talks of an “individual subscriber”. This is the person who is a party to a contract with a provider of public electronic communications (for which, read “email” and “text message”) services for the supply of such services. So, if you have signed up for, say, a gmail account, you have a contract with Google, and you are – if you are an individual – an individual subscriber.)
The exception to the requirement to have the recipient’s consent is at regulation 22(3) of PECR, which says that the sender of the marketing communication does not need the prior consent of the recipient where the sender: obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient; the direct marketing is in respect of the sender’s similar products and services only; and the recipient has been given a simple means of refusing the use of their contact details for the purposes of such direct marketing, at the time that the details were initially collected, and at the time of each subsequent communication.
This exception to the general “consent required” rule has long (and probably unhelpfully) been known as the “soft opt in”.
The notable requirement for the soft opt in is, though, that the recipient’s contact details must have been collected in the course of the sale or negotiations for the sale of a product or service.
There are various types of non-profit organisation which may well correspond with, and wish to send promotional emails and text messages to individuals, but which don’t as a rule sell products or services. Perhaps the most obvious of these are charities, but political parties also fall into the type.
The Information Commissioner’s Office (ICO) has long held that promotional communications sent by such non-profits do constitute “marketing” (and the Information Tribunal upheld this approach as far back as in 2006, when the SNP appealed enforcement action by the ICO). (I happen to think that there’s still an interesting argument to be had about what “marketing” means in the PECR and data protection scheme, and at one end of that argument would be a submission that it implies a commercial relationship between the parties. However, no one has yet taken the issue – as far as I’m aware – to an appellate court.)
But the combined effect of regulation 22(3) and the interpretation of “marketing” as covering promotional emails and text messages by charities means that those charities (and political parties etc.) can’t send soft opt in communications.
The Data Protection and Digital Information Bill, which tripped and fell yards from the finishing line, when Mr Sunak, in a strategic master stroke, called the general election early, proposed, in clause 115, to extend the soft opt in where the direct marketing was “solely for the purpose of furthering a charitable, political or other non-commercial objective” of the sender.
Will the new Labour administration’s proposed Digital Information and Smart Data Bill revive the clause? The government’s background paper on the legislative agenda in the King’s Speech doesn’t refer to it, but that may be because it’s seen as a relatively minor issue. But, in fact, for many charities, the issue carries very significant implications for their operations and their ability effectively to fundraise.
It should be revived, and it should be enacted.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
HMRC sending spam
Have HMRC jumped the gun, and assumed that they can now (in advance of the Data Protection and Digital Information (No.2) Bill being passed) rely on the soft opt-in for email marketing?
In common with many other poor souls, I have in recent years had to submit a self-assessment tax return to HMRC. Let’s just say that, unless they’re going to announce a rebate, I don’t relish hearing from them. So I was rather surprised to receive an email from “HMRC Help and Support” recently, telling me “what’s coming up in May” and inviting me to attend webinars. A snippet of the email is here

This certainly wasn’t solicited. And, at least if you follow the approach of the Information Commissioner’s Office (ICO), it was direct marketing by electronic means (“Direct marketing covers the promotion of aims and ideals as well as the sale of products and services. This means that the rules will cover not only commercial organisations but also not-for-profit organisations”).
The only lawful way that a person can send unsolicited direct electronic marketing to an individual subscriber like me is if the recipient has consented to receive it (I hadn’t), or if the person obtained the contact details of the recipient in the course of the sale or negotiations for the sale of a product or service to that recipient (see regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”)). But HMRC cannot avail themselves of the latter (commonly known as the “soft opt-in”), because they have not sold me (or negotiated with me for the sale of) a product or service. The ICO also deals with this in its guidance: “Not-for-profit organisations should take particular care when communicating by text or email. This is because the ‘soft opt-in’ exception only applies to commercial marketing of products or services”.
I raised a complaint (twice) directly with HMRC’s Data Protection Officer who (in responses that seemed oddly, let’s say, robotic) told me how to unsubscribe, and pointed me to HMRC’s privacy notice.
It seems to me that HMRC might be taking a calculated risk though: the Data Protection and Digital Information (No.2) Bill, currently making its way through Parliament, proposes (at clause 82) to extend the soft opt-in to “non-commercial objectives”. If it passes, then we must expect much more of This Type Of Thing from government.
If I’m correct in this, though, I wonder if, when calculating that calculated risk, HMRC calculated the risk of some calculated individual (me, perhaps) complaining to the ICO?
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Filed under Data Protection Bill, HMRC, Information Commissioner, marketing, PECR, spam
Data Protection reform Bill on ice
A piece by me on the Mishcon de Reya website on yesterday’s news that the Data Protection and Digital Information Bill has been paused
https://www.mishcon.com/news/data-protection-reform-progress-paused
Filed under Data Protection, Data Protection Bill
Data Protection reform bill – all that? or not all that?
I’ve written an “initial thoughts” analysis on the Mishcon de Reya website of some of the key provisions of the Data Protection and Digital Information Bill:
The Data Protection and Digital Information Bill – an (mishcon.com)
On the breach
Failure to notify the ICO in a timely manner of a personal data breach under PECR carries a £1000 fixed penalty notice – why not something similar under wider data protection law?
When the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) were amended in 2011 to implement the Citizens’ Rights Directive, an obligation was placed upon providers of a public electronic communications service (“service providers”) to notify personal data breaches to the Information Commissioner’s Office (ICO) “without undue delay”, and in 2013 article 2(2) of European Commission Regulation 611/2013 provided, in terms, that “without undue delay” would mean “no later than 24 hours after the detection of the personal data breach, where feasible”. The 2011 amendment regulations also gave the ICO the power to serve a fixed penalty notice of £1000 on a service provider which failed to comply with notification obligations.
Thus it was that in 2016 both EE and Talk Talk were served with such penalties, with the latter subsequently unsuccessfully appealing to the Information Tribunal, and thus it was that, last week, SSE Energy Supply were served with one. The SSE notice is interesting reading – the personal data breach in question (defined in amended regulation 2 of PECR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”) consisted solely of the sending of one customer email (containing name and account number) to the wrong email address, and it appears that it was reported to the ICO two days after SSE realised (so, effectively, 24 hours too late). If this appears harsh, it is worth noting that the ICO has discretion over whether to impose the penalty or not, and, in determining that she should, the Commissioner took into account a pour encourager les autres argument that
the underlying objective in imposing a monetary penalty is to promote compliance with PECR. The requirement to notify…provides an important opportunity…to assess whether a service provider is complying with its obligations under PECR…A monetary penalty in this case would act as a general encouragement towards compliance…
As any fule kno, the looming General Data Protection Regulation (“GDPR”) expands to all data controllers this obligation to notify the ICO of qualifying personal data breaches. Under GDPR the definition is broadly similar to that in PECR (“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”) and a breach qualifies for the notification requirements in all cases unless it is “unlikely to result in a risk to the rights and freedoms of natural persons”. Under GDPR, the window for notification is 72 hours.
But under GDPR, and under the Data Protection Bill currently in Parliament, there is no provision for similar fixed penalty notices for notification failures (although, of course, a failure to notify a breach could constitute a general infringement under article 83, attracting a theoretical non-fixed maximum fine of €10m or 2% of global annual turnover). Is Parliament missing a trick here? If the objective of the PECR fixed penalty notice is to promote compliance with PECR, then why not a similar fixed penalty notice to promote compliance with wider data protection legislation? In 2016/17 the ICO received 1005 notifications by service providers of PECR breaches (up 63% on the previous year) and analysing/investigating these will be no small task. The figure under GDPR will no doubt be much higher, but that is surely not a reason not to provide for a punitive fixed penalty scheme for those who fail to comply with the notification requirements (given what the underlying objective of notification is)?
I would be interested to know if anyone is aware of discussions on this, and whether, as it reaches the Commons, there is any prospect of the Data Protection Bill changing to incorporate fixed penalties for notification failures.
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.