A recurring question from clients is whether they can send an email to individuals that have opted out of marketing to ask them if they would like to opt back in. Is that request in itself marketing? How should you refresh your marketing consents in advance of the General Data Protection Regulation (GDPR)?
A Monetary Penalty Notice issued by the Information Commissioner’s Office (ICO) considers just that issue. In short, the ICO ruled that sending such a message to an individual that had previously opted out of electronic marketing was a breach of the rules on electronic marketing.
The rules on electronic marketing (by email or SMS) are set out in the Privacy and Electronic Communications Regulations 2003 (PECR). The Regulations state that an organisation needs consent to issue electronic marketing and that individuals have the right to require the organisation to cease electronic marketing.
Under the fourth data protection principle, organisations must ensure that the personal data that they hold is accurate and, where necessary, kept up to date. The fifth data protection principle requires that data is not kept any longer than is necessary for the purpose.
To comply with the fourth and fifth principles, organisations often contact individuals and ask them to confirm that their contact details are correct and up to date. The tension arises when steps taken to comply with the fourth and fifth principles cut across the rights of individuals to opt out of marketing.
In this case, Flybe deliberately instructed its marketing agents to issue an email to 3.3 million customers that had previously opted out of receiving electronic marketing, asking them to confirm that their details were up to date but also including a link to update their marketing preferences. If the individual updated their marketing preferences then they would be entered in a prize draw.
The ICO held that this email itself constituted marketing and by deliberately sending it to individuals that had asked not to be sent electronic marketing Flybe had breached PECR. The ICO fined Flybe £70,000.
A separate investigation was carried out into Honda, which had sent a similar email. In Honda’s case, it believed that the email did not constitute marketing, but instead constituted a customer service email designed to help Honda comply with the fourth principle. Honda’s email was sent to just under 300,000 individuals.
Due to a design issue with the software portal through which the data was entered, Honda was unable to demonstrate to the ICO that the recipients had agreed to receive such emails, as the database entries had neither an opt-in nor an opt-out flag. The ICO concluded that as Honda did not have a record of whether those individuals had agreed to receive electronic marketing, Honda did not have consent. Honda was fined £13,000.
When is an email a marketing email?
The decision might come as a surprise to some, who may view an email asking individuals to review and update their contact details and preferences as being good data management. Indeed, under the GDPR, organisations are actively encouraged to regularly review and refresh their consents.
The approach taken by the ICO is to adopt a very broad interpretation of a marketing email. The ICO’s approach suggests that whilst an organisation should regularly contact individuals to ask whether they wish to continue receiving marketing emails, it does not work the other way around.
When sending emails to customers to check that their contact details are up to date, it is therefore important that the email does just that.
Some organisations use preference centres to allow individuals to manage their contact details and set their marketing preferences. Again, organisations will need to be careful to ensure that emails inviting individuals to review their details do not encourage them to change their marketing preferences.
The same issues apply when sending customer service emails (for example, order confirmations and account statements). This can be particularly difficult when an organisation wishes to communicate the availability of new functionality or benefits. At what point does an email cease to be a customer service email keeping the customer up to date about the service that customer is using and instead become marketing?
What about the GDPR?
The General Data Protection Regulation (GDPR) does not make any changes to PECR or the Directive that PECR implements. The Commission has published proposals for a new ePrivacy Regulation to replace that Directive which, if passed, would replace PECR. Under the current draft, the rules on electronic marketing do not really change much, though the draft ePrivacy Regulation does incorporate the GDPR’s definition of consent.
However, as I noted in a previous blog, the GDPR (and, if approved, the ePrivacy Regulation) may require organisations to “re-paper” their existing consents if those consents do not meet the requirements for consent under the GDPR.
The ICO’s draft guidance on consent does not provide much guidance on how this should be done, and organisations will be wary about doing this in a manner that may lead to previous consents for marketing lapsing and not being renewed by the individual. For that reason, it is understandable that there may be business pressure to see whether individuals that have previously opted out might want to opt back in again, or to assume that individuals for whom a clear preference has not been recorded are happy to receive electronic marketing.
These Monetary Penalty Notices (MPNs) make clear that if an organisation does need to “refresh” its marketing consents for the purposes of GDPR and the ePrivacy Regulation, then it should not be using that as an opportunity to contact individuals that had previously opted out of electronic marketing to encourage them to opt back in.
Instead, it should be contacting only those individuals for whom it has pre-GDPR/ePrivacy Regulation consents for electronic marketing or ensuring that an email linking to a preference centre takes a very neutral approach in its call to action.
On March 28, 2017