Electronic marketing: A recurring question from organisations is whether they can send emails to individuals who have opted out of marketing to ask them if they would like to opt back in. Is that request, in itself, “marketing”?
How should marketing consents be refreshed in advance of the General Data Protection Regulation?
Recent monetary penalty notices issued by the Information Commissioner’s Office (ICO) have considered just that issue. In short, the ICO ruled that sending such a message to an individual who had previously opted out of electronic marketing was a breach of the rules on electronic marketing.
The rules on electronic marketing (by email or SMS) are set out in the Privacy and Electronic Communications Regulations 2003 (PECR). PECR states that an organisation needs consent to issue electronic marketing, and individuals have the right to require organisations to cease electronic marketing.
Under the fourth data protection principle, organisations must ensure that any personal data they hold is accurate and, where necessary, up to date. The fifth data protection principle requires that data is not kept longer than necessary.
To comply with both principles, organisations often contact individuals and ask them to confirm their contact details are correct, however problems arise when these actions cut across individuals’ rights to opt out of marketing.
Earlier this year, FlyBe issued an email to 3.3 million customers who had previously opted out of receiving electronic marketing asking them to confirm their details were up to date. The email included a link to update marketing preferences and entry into a prize draw if an individual updated his or her marketing preferences.
The ICO decided that this email constituted “marketing” and, by deliberately sending it to individuals who had asked not to be sent electronic marketing, Flybe had breached PECR. The ICO fined Flybe £70,000.
More recently, Wm Morrison supermarkets plc sent over 230,000 emails to “Morrisons More” cardholders, inviting them to change their preferences in return for money-off vouchers, points and updates. The ICO again decided, that this email constituted marketing, and that Morrisons had breached PECR. The fine was £10,500.
When is an email a “marketing” email?
Under the GDPR, organisations are encouraged to regularly review and refresh their consents.
The ICO, however, has adopted a broad interpretation of a “marketing email”; whilst an organisation should regularly contact individuals to ask whether they wish to continue receiving marketing emails, it does not work the other way around.
Emails that ask customers to check their contact details are up to date, must be restricted to just that.
Some organisations use preference centres to allow individuals to manage their contact details and set their marketing preferences. Again, organisations need to ensure that emails inviting a review of details do not encourage changes to marketing preferences.
The same issues apply when sending customer service emails (e.g. order confirmations and account statements). This can be particularly difficult when an organisation wishes to communicate the availability of new functionality or benefits.
What about the GDPR?
The General Data Protection Regulation (GDPR) does not make any changes to PECR. However, the GDPR may require organisations to “re-paper” their existing consents if they do not meet requirements.
The ICO has not provided much guidance on how this should be done, and organisations will be wary about doing this in a manner that may lead to previous consents for marketing lapsing and not being renewed by the individual. For that reason, there may be business pressure to see whether individuals who have previously
opted out have changed their minds, or to assume that individuals who have not indicated a clear preference are happy to receive electronic marketing.
These monetary penalty notices make clear that, if an organisation needs to “refresh” its marketing consents to comply with data protection law, then it should not use it as an opportunity to contact individuals who previously opted out of electronic marketing to encourage them to opt back in. Instead, it should only contact those individuals for whom it has existing consents for electronic marketing or ensure that an email linking to a preference centre takes a very neutral approach in its call to action.
To find out more and to download our handy guides to the GDPR, visit our GDPR hub.