Including marketing material in a newsletter without consent can breach PECR

Ann-Maree Blake, Data Protection and Corporate Partner

Including marketing material in a newsletter without consent can breach PECR

The recent decision in Leave.EU Group and Eldon Insurance Services Ltd v ICO provided some much-needed clarity on whether the inclusion of unsolicited communications for the purposes of direct marketing in consented-for communications breached the UK’s Privacy and Electronic Communications Regulations (PECR).  The Upper Tribunal Administrative Appeals Chamber (Upper Tribunal) ruled that organisations must gain adequate consent or have sufficient grounds for a soft opt-in for any direct marketing communications contained within consented for communications, e.g. a newsletter.

What is the PECR?

Derived from EU law, the PECR sits alongside the UK GDPR and the Data Protection Act 2018.  Amended several times, the latest version of the PECR came into effect on 29 March 2019.  It covers:

• Marketing, e.g. marketing emails, calls, texts, and WhatsApp.
• The use of cookies and other tracking software.
• The security of public electronic communications services.
• The privacy of customers using public electronic communication services,

If you engage in email marketing, marketing through other instant messaging products, and/or use cookies on your website, you need to comply with the PECR as well as the UK GDPR and Data Protection Act 2018.

One of the key differences between the PECR and the UK GDPR is that the former applies even if you are not processing personal data.  Its rules apply even if you do not know the person who is receiving your marketing communications.

Leave.EU Group and Eldon Insurance Services Ltd v ICO

The case of Leave.EU Group and Eldon Insurance Services Ltd v ICO related to 21 newsletters sent by Leave.EU to its 51,000 subscribers who had provided consent to receive the publications.  Each of the 21 newsletters contained marketing promotions for Eldon Insurance Services Ltd.  No consent had been provided in relation to the marketing material.

The ICO issued monetary penalty notices to Leave.EU and Eldon Insurance Ltd on the grounds they have breached regulation 22 of PECR.

Regulation 22 of the PECR states if contact details of certain consumers have been acquired by an organisation during the sales or negotiation process for a product or service, that organisation may send or instigate the sending of emails for the purposes of direct marketing as long as:

1. The content of the direct marketing material is related to similar products and services that have been purchased or are in the process of being purchased; and
2. the recipient has been provided with a way of declining the use of their contact details for the purposes of direct marketing at the time the details were first collected, or if consent was initially given, at the time of each subsequent communication.

Leave.EU and Eldon Insurance Ltd argued that PECR was not intended “to cover content in a newsletter which a subscriber had signed up for but which happened to contain some marketing material”; rather, they sought to regulate “indiscriminate, automated industrial-scale spamming”.  This was rejected by the Upper Tribunal, who declared that this was an “unduly narrow reading” of the regulations.

“The tenor of the legislation is that it is an intrusion on an individual’s privacy if they receive direct marketing to which they did not consent,”

The Appellants also argued they had received consent from the Leave.EU newsletter subscribers, and this covered the direct marketing information which was included.   This assertion was rejected by the Upper Tribunal, who declared subscribers had not supplied “freely given, informed, and specific” consent to receiving direct marketing material, only to the receipt of a newsletter.

“There was no indication that subscribers were doing anything other than signing up for a Brexit newsletter.  … agreeing to the very loosely drafted privacy policy amounted to signing a blank cheque. In sum [sic], Leave.EU’s approach frustrated the ability of its subscribers to consent to receive a political newsletter and nothing else. Accordingly, the FTT was entitled to find on the facts that subscribers did not “consent”, as that term is properly understood, to receiving direct marketing about Eldon’s insurance products.”

Regarding whether or not the marketing material constituted “unsolicited communication” under the PECR, the Upper Tribunal held it was not the sending of the emails that resulted in the breach.  Rather, it was the inclusion of the unconsented-for marketing material that triggered the regulatory provisions.

The appeal was dismissed.

Comment

Before the decision in Leave.EU Group and Eldon Insurance Services Ltd v ICO, little case law existed concerning the PECR.  The Upper Tribunals decision is welcome clarification on when the Regulations apply and a timely reminder that adequate consent must be obtained for any direct marketing material, even if it is included in a communication that the recipient has consented to.

To find out how we can advise you on all matters relating to privacy and data protection law, please get in touch with Ann-Maree Blake.

Please note – this article does not constitute legal advice.