Have HMRC jumped the gun, and assumed that they can now (in advance of the Data Protection and Digital Information (No.2) Bill being passed) rely on the soft opt-in for email marketing?
In common with many other poor souls, I have in recent years had to submit a self-assessment tax return to HMRC. Let’s just say that, unless they’re going to announce a rebate, I don’t relish hearing from them. So I was rather surprised to receive an email from “HMRC Help and Support” recently, telling me “what’s coming up in May” and inviting me to attend webinars. A snippet of the email is here
This certainly wasn’t solicited. And, at least if you follow the approach of the Information Commissioner’s Office (ICO) was direct marketing by electronic means (“Direct marketing covers the promotion of aims and ideals as well as the sale of products and services. This means that the rules will cover not only commercial organisations but also not-for-profit organisations“).
The only lawful way that a person can send unsolicited direct electronic marketing to an individual subscriber like me, is if the recipient has consented to receive it (I hadn’t), or if the person obtained the contact details of the recipient in the course of the sale or negotiations for the sale of a product or service to that recipient (see regulation 22 of the Privacy and Electronic Marketing (EC Directive) Regulations 2003 (“PECR”)). But HMRC cannot avail themselves of the latter (commonly known as the “soft opt-in”), because they have not sold me (or negotiated with me for the sale) of a product or service. The ICO also deals with this in its guidance: “Not-for-profit organisations should take particular care when communicating by text or email. This is because the ‘soft opt-in’ exception only applies to commercial marketing of products or services“.
I raised a complaint (twice) directly with HMRC’s Data Protection Officer who (in responses that seemed oddly, let’s say, robotic) told me how to unsubscribe, and pointed me to HMRC’s privacy notice.
It seems to me that HMRC might be taking a calculated risk though: the Data Protection and Digital Information (No.2) Bill, currently making its way through Parliament, proposes (at clause 82) to extend the soft opt-in to “non-commercial objectives”. If it passes, then we must expect much more of This Type Of Thing from government.
If I’m correct in this, though, I wonder if, when calculating that calculated risk, HMRC calculated the risk of some calculated individual (me, perhaps) complaining to the ICO?
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.