
ICO publishes new guidance on marketing by electronic mail

Published on 23 December 2022

The question

What does the ICO’s new guidance on the use of electronic mail in direct marketing mean for individual subscribers? And what does it say about the trickier areas, like “bought in” lists and using publicly available data for sending marketing by electronic mail? 

The key takeaway

The UK’s Information Commissioner’s Office (ICO) has released a new set of guidance regarding the use of electronic mail in relation to direct marketing when the target “subscriber” is an individual. The guidance strives to provide a more complete picture of direct marketing rules that is easier for organisations to digest.

The background

The new guidance is supplemental to existing guidance already in place in the form of the ICO’s Guide to the Privacy and Electronic Communications Regulations 2003 (PECR), as well as the draft Direct Marketing Code of Practice (DMCP). PECR and the DMCP endeavour to protect “subscribers” to a service, irrespective of whether these are individual subscribers or corporate entities. However, the additional guidance primarily aims to protect individual subscribers.

It must not be forgotten that an organisation’s responsibility under PECR is not in lieu of its obligations under the UK GDPR and the Data Protection Act 2018 – rather, they are designed to work in tandem with them, thereby providing “subscribers” with the full weight of protection.

The development

For the purposes of the guidance, electronic mail covers emails, text messages, picture and video messages, voicemail messages, in-app messages and direct messages on social media platforms. The party required to comply is the “sender”, “caller” or “instigator” of the message. Because of this catch-all definition, several parties may have to comply with the guidance in respect of a single direct marketing communication (for example, the organisation whose products are promoted and the organisation that actually transmits the message).

Remember that electronic mails sent for administrative or customer service purposes count as “service messages”, as opposed to direct marketing. However, this exemption falls away if there is a promotional element to the communication.

To send direct marketing communications by electronic mail, an organisation must either obtain the subscriber’s consent or satisfy every requirement of the “soft opt-in” exemption. Taking each in turn:

1. Direct consent

The UK GDPR sets out the standard of consent, requiring it to be: freely given, specific, informed, and unambiguous. Where electronic mail is concerned, the wording used to request consent must: 

  • clearly refer to the marketing messages sent via electronic mail
  • indicate the name of the organisation, and
  • be separate from other requests aimed at the “subscriber”, such as the acceptance of terms and conditions.

It is also imperative that organisations keep a reliable record of the obtained consent so that its validity may be proved should a dispute arise.

2. “Soft opt-in” exemption

The key elements to comply with are:

  • the subscriber’s contact details must have been directly obtained by the sender of the electronic mail. Therefore, a third party (ie a party other than the sender) may not rely on a soft opt-in exemption
  • the contact details must have been obtained via a sale or the negotiation of a sale where the subscriber has demonstrated actual interest in the sale eg subscribing to a free trial for a product or a service
  • the subsequent marketing must be of a similar nature to the product/service that the subscriber held an initial interest in
  • the subscriber must be provided with the option to refuse or opt-out of the communications. This option must be provided both when the details were initially collected and in ensuing communications.

Provision of an option to opt-out

Organisations have an obligation to provide certain information when sending electronic mail for direct marketing purposes. This would apply to both individual and corporate subscribers regardless of whether the communication is solicited or unsolicited. They must:

  • display identification information clearly by ensuring the sender’s identity is not hidden or disguised
  • provide clear information on the marketing
  • make it easy for the subscriber to refuse or opt-out by either enabling a “one-click” opt-out option or at least providing a valid contact address to opt-out, and
  • keep an up-to-date record of those who have opted-out.

As long as the opt-out procedure is clear, an individual may have the option to opt-out of one type of communication method whilst staying on the communications list for another.

Third party data, “bought in” lists and publicly available data

Electronic mail may be sent using third party information contingent upon compliance with the relevant PECR rules. However, it is best practice for the organisation and the third party to have a contract in place where their duties are clearly presented. If personal data is processed, then there is a legal duty under the UK GDPR to have a contract in place. 

Any subscribers listed in a bought-in marketing list must have consented to receiving direct marketing via electronic mail from the ultimate sender. Therefore, the organisation must check:

  • what the intended recipients were informed of
  • whether the sender was named
  • when and how they consented
  • whether the subscriber had a choice to consent, and
  • whether there is a record of the consent.

The guidance stresses that the sender of the electronic marketing is responsible for complying with PECR. By way of example, if the consent doesn’t name the sender or cover the method of electronic mail marketing that the sender intends to send, the consent will not be valid. It follows that the sending of any such electronic mail marketing would not be compliant with PECR.

Finally, note that the soft opt-in exemption does not apply to bought-in lists, since the contact details were not obtained directly by the sender in the course of a sale or negotiation of a sale.

Publicly available contact details are not barred outright from use for marketing purposes. However, because valid consent cannot be obtained simply by finding contact details in a public source, and the requirements of the soft opt-in cannot be met, such data may not be used to send unsolicited electronic mail marketing to individual subscribers. The guidance expressly notes one possible exception: an individual’s business contact details published on their employer’s website. If you are considering sending B2B electronic marketing, remember to check the ICO’s separate guidance note on that area.

Why is this important?

The additional guidance emphasises the need for organisations to re-evaluate the systems they have in place for the comprehensive recording of individuals who either: have consented to receiving electronic mails; are eligible through the soft opt-in option; or have not consented.

Importance is placed on ensuring that organisations have measures in place to allow an individual to opt out of a mailing list easily. The position on third party and public data is also clarified, which is particularly significant for organisations that make use of bought-in lists. The guidance is helpful in that it sets out the key requirements for each category, so that organisations can comply with their obligations as straightforwardly as possible.

Any practical tips?

This new guidance serves as a stand-in for the draft DMCP, providing clarity on the direct marketing rules while the DMCP is being finalised. Now is therefore a good time for organisations to evaluate their marketing strategies ahead of the official publication of the DMCP, and to scrutinise their existing measures to identify any weaknesses from a data marketing compliance perspective. Not that slacking on electronic marketing compliance is ever a good idea, of course, given the willingness of the ICO to investigate potential PECR breaches (by way of example, see the Snapshot in this edition on Halfords’ data marketing breach).


Winter 2022