23 June, 2021
Over the last month, the ICO has announced it has fined 7 organisations for sending unlawful emails and/or text messages.
The ICO has taken action against the following organisations:
All of these fines have a common theme - the organisations involved have not complied with their obligations to obtain valid consent before sending marketing emails or text messages.
The sending of direct marketing emails and text messages is governed by the Privacy and Electronic Communication Regulations 2003 (PECR). PECR prohibits electronic direct marketing communications unless consent has been obtained. 'Consent' under PECR is defined by the UK General Data Protection Regulation (UK GDPR) which requires consent to be a freely given, specific, informed and unambiguous indication of an individual's wishes by a statement or by a clear affirmative action (i.e. consent must be a positive opt-in, rather than a failure to opt-out).
There is an exemption under PECR known as the "soft opt-in". This exemption allows organisations to send electronic marketing messages to customers whose details have been obtained for similar services, but offers a simple way for people to refuse or opt out. This exemption does not apply to new or prospective customers and existing customers must have been provided with the ability to opt-out in order for this exemption to be valid. When relying on the "soft opt-in" exemption organisations must give customers a clear chance to opt-out of their marketing when they collect the customers details.
The fines issued are a timely reminder of the importance of obtaining valid consent from customers. A wide variety of organisations across both the private and public sector do send marketing correspondence to their customers, even if they do not believe the correspondence is 'marketing' in the traditional sense such as marketing the sale of a product or service. The term 'marketing' includes all promotional or advertising material aimed at particular individuals and intended to promote the ethos, aims or beliefs of a particular organisation.
Organisations should therefore ensure that there is a clear organisational understanding of what constitutes marketing correspondence and requires consent and what is a service email and does not require consent. Processes should be put in place to obtain consent for marketing in order to avoid the potential for regulatory action from the ICO and complaints from customers.
Details of the regulatory action taken against the 7 organisations referred to in this article can be found on the ICO website - Action we've taken | ICO
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.