The ICO’s recent decision to take enforcement action against a number of organisations (both in the form of investigations and regulatory fines) for sending unsolicited email and text based electronic marketing communications to individuals should serve to prompt organisations to take stock of the ways in which they promote their products and services using electronic marketing, especially if they rely on so-called ‘soft opt-in consent’, the subject of much of the ICO’s recent enforcement action.
We have sought in this article to set out a refresher of the rules that currently apply to electronic marketing as well as carry out a closer examination of soft opt-in consent.
In order to avoid complaints from individuals and enforcement action from the ICO, organisations seeking to rely on soft-opt in consent should ensure that they:
- only target individuals with whom they have a pre-existing relationship;
- only target individuals who have either previously purchased or shown a genuine interest in a product or service;
- only send marketing communications about products and services that are genuinely similar in nature to those that the individual has previously purchased or shown a genuine interest in purchasing;
- notify such individuals in advance of their intention to send them marketing communications about similar products and services; and
- always provide such individuals with an opportunity to opt out of receiving these electronic marketing communications.
The extent to which stricter ePrivacy rules could be introduced under the new European ePrivacy Regulation, as well as the extent to which the UK will follow any such stricter rules in a post-Brexit world is still unclear at this stage.
The relevant law
Under the General Data Protection Regulation (“GDPR”) as now incorporated into UK law by virtue of the European Union Withdrawal Act 2018, a company must be able to rely on one of the six available lawful bases in order to process personal data. Where a company wishes to send marketing communications to individuals, obtaining consent or relying on the legitimate interests condition are likely to be the most appropriate legal bases for the purposes of Article 6 GDPR.
Organisations in the UK also need to observe the requirements of the Privacy and Electronic Communications Regulations (“PECR”) in relation to electronic marketing communications. PECR was implemented in 2003 and sits alongside the UK GDPR. Under PECR, a company must not send electronic marketing communications by email or text, unless:
- the individual has given their explicit consent to receive such communications; or
- the organisation can rely on soft opt-in consent.
Given that PECR effectively imports the definition of consent from the GDPR, an organisation wishing to rely on explicit consent for carrying out electronic marketing for the purposes of PECR needs to ensure that the UK GDPR conditions (which stipulate that consent must be freely given, specific, informed and unambiguous) are met. Further, separate consents must be obtained for different types of electronic marketing, unbundled from any other consents that the organisation is seeking at the same time.
This can be an onerous undertaking and so organisations often seek to rely on soft opt-in consent, which provides a more practical alternative to legitimise sending electronic marketing communications to an existing customer base.
An organisation may rely on soft opt-in consent when the organisation receives an individual’s contact details in the course of making or negotiating a sale of a product or service, notifies the individual of their intention to market similar goods and services to them and provides the individual with the opportunity to opt-out of receiving those marketing communications, both at the outset and each time the individual receives any subsequent marketing communications.
In this scenario, the individual is presumed to be happy to receive marketing communications about similar products or services from the organisation, even where they have not provided any specific opt-in consent to this marketing activity.
PECR makes it very clear that in order to rely on soft opt-in consent, an organisation must only seek to promote its own products or services which are similar in nature to those purchased or under consideration by the individual at the initial point of contact, which means that organisations cannot rely on soft opt-in consent to send electronic marketing communications on behalf of a third party.
Recent ICO enforcement action
As stated above, the ICO has taken enforcement action against a number of organisations in relation to their electronic marketing activities, intervening following complaints from individuals about being sent electronic marketing communications by organisations with whom they had no prior relationship (and who they sometimes hadn’t even heard of) without being given any privacy notification in advance and/or the opportunity to opt out of receiving these electronic marketing communications.
In a lot of these cases, the offending organisations had sought to rely on soft opt-in consent to justify sending these electronic marketing communications to individuals where according to the ICO, they did not have the right to do so.
Issues interpreting soft opt-in
We set out below a breakdown of the criteria that an organisation must meet when seeking to rely on soft opt-in consent and the difficulties that organisations seem to face when interpreting these criteria.
1. Marketing to pre-existing customers
As we have established, organisations may only market to individuals with whom they have a pre-existing relationship (as opposed to new customers) when seeking to rely on soft opt-in consent.
However, the question of whether an organisation has a pre-existing relationship with an individual is less clear-cut in scenarios involving multiple organisations facilitating a single sale transaction e.g. when online retailers work with payment solution providers and other third parties to deliver their service offering. In such cases, each of the organisations involved should consider whether the individual is aware of their role in the transaction and whether the individual would reasonably expect to receive marketing communications from them.
Organisations might seek to make individuals aware of their role in the transaction by ensuring that their privacy notice is incorporated into and is sufficiently prominently displayed as part of the customer journey and stating their intention in this privacy notice to process the individual’s personal data to market similar goods and services to them in the future.
2. Similarity of goods or services
As we have established, soft opt-in consent only allows organisations to send electronic marketing communications relating to products or services which are similar in nature to those purchased or considered by the individual at the time of the initial transaction. However, determining what amounts to an acceptable degree of similarity between products and services for this criterion to be met can be challenging for organisations, especially for multi-channel retailers/service providers who offer a broad range of products/services spanning multiple product/service categories.
For example, an individual purchasing an item of clothing on a fashion website may reasonably expect to receive an offer for a matching handbag. On the other hand, the same individual may not expect to receive an email or text message about a dining set, even if the fashion retailer has branched out and offers homeware products on its website.
Whilst what constitutes products or services which are similar in nature is dependent on the type of business and the context of the transaction, organisations should always consider whether the individual would reasonably expect messages about the product or service. Where a range of products or services is being offered, organisations should ensure they separate such channels for the purposes of sending electronic marketing messages.
3. Making or negotiation of a sale
As outlined above, a company is permitted to rely on soft opt-in consent where an individual has provided their details in the course of a sale. However, an organisation may also rely on this mechanism where the sale of a product or service was merely negotiated, e.g. if an individual contacts an organisation to enquire about the particular features of a product or service.
Whilst this allows for the organisation to rely on soft opt-in consent to contact potentially interested customers with whom they have had previous interactions but who have not necessarily purchased or ordered anything, organisations should be careful not to stretch this concept too far.
For instance, if an individual fills out a form to make a general enquiry about an organisation, e.g. to enquire about employment opportunities at a retail location and the organisation subsequently sends marketing emails using the details from the enquiry form, the organisation would find it difficult to defend its position given the general non-commercial nature of the initial interaction.
Whilst it may be difficult for organisations to determine the level of customer engagement/interaction for this criterion to be met, organisations should consider whether an individual has made contact to show genuine interest in a product or service, including taking positive action to affirm their interest such as requesting a quote before sending them electronic marketing materials in reliance on the soft opt-in consent principle.
In all three scenarios, individuals should be provided with a choice to opt-out of receiving marketing communications at the outset and at each subsequent time they receive a marketing communication. The opt-out prompt should be clearly visible and unobstructed – if an individual is left searching for a way to stop receiving the marketing communications, the ICO may deem the organisation’s reliance on soft opt-in consent to be invalid on the basis that the individual has lost control of their data and that the obfuscation constitutes an unnecessary barrier preventing the individual from exercising their rights.
Conclusion and legislative outlook
Although soft opt-in consent provides a convenient alternative to explicit consent for organisations wishing to carry out electronic marketing activities, organisations should be careful that they do not seek to rely on soft opt-in consent inappropriately to avoid enforcement action from the ICO.
Organisations should also bear in mind that changes to ePrivacy legislation are incoming as the European Union is in the process of replacing the Directive upon which PECR is based with the more onerous e-Privacy Regulation. However, whilst PECR continues to apply in the UK alongside the UK GDPR post Brexit, it is unclear the extent to which the UK will align its rules governing ePrivacy with the EU and whether changes imposed by the new European e-Privacy Regulation will be implemented into UK law.