Published on Apr 19, 2021
There are plenty of articles written about how to send marketing emails and stay within the bounds of UK privacy law. Some are accurate and well researched, while others are less so. It doesn't help that the advice and guidance offered by regulators relate to numerous different pieces of legislation and are therefore confusing. Marketers and business owners simply want to know what they can and can't do in terms of the processing of personal data.
One area that has recently received much-needed clarification relates to sending marketing messages contained within other emails. In this case, newsletters.
Newsletters are an essential part of the marketing toolbox. They're a way to keep in touch with existing clients, prospective customers, and other subscribers. Done well, they provide the recipient with information that they have an interest in, in return for a welcome reminder of the senders brand. There are obvious advantages for businesses to include marketing messages within newsletter emails. In some instances, this is permissible. In others, it may not be.
A recent decision from the Upper Tribunal Administrative Appeals Chamber (Upper Tribunal) has confirmed that organisations sending direct marketing content in a non-marketing communication such as a newsletter, will be committing a regulatory breach unless the recipient has given their consent or other limited exceptions apply.
In Leave. EU Group and Eldon Insurance Services Ltd v ICO, Leave.EU and Eldon Insurance appealed against the First-Tier Tribunal’s upholding of the ICO’s regulatory action against them.
The issue before the Upper Tribunal concerned the contents of 21 newsletters which were emailed to around 51,000 Leave.EU subscribers. The newsletters contained marketing promotions for Eldon Insurance. The subscribers have consented to receive the newsletters but not to marketing material concerning Eldon Insurance.
On the basis that both Leave.EU and Eldon Insurance had breached regulation 22 of the Privacy and Electronic Communications Regulations (PECR) the ICO issued a monetary penalty notice (MPN) against both Leave.EU (for £45,000) and Eldon Insurance (for £60,000), and an assessment notice to conduct an investigatory audit into each organisation. It additionally issued an enforcement notice against Eldon Insurance, but not against Leave.EU.
Regulation 22 of the PECR states that if an organisation has obtained the contact details of certain consumers during the sales or negotiation process for a product or service, they may send or instigate the sending of emails for direct marketing provided:
Leave.EU and Eldon Insurance argued that the provisions in the PECR were not intended "to cover content in a newsletter which a subscriber had signed up for but which happened to contain some marketing material", rather, they were designed to address "indiscriminate, automated industrial-scale spamming".
The Upper Tribunal disagreed, stating:
Also rejected was Leave.EU and Eldon Insurance’s argument that because the recipients signed up to receive the newsletters they were not ‘unsolicited communication’. The Upper Tribunal stated that it was not the sending of the newsletters that triggered regulation 22, it was the unsolicited marketing information contained in them. The PECR is not precluded from applying simply because the primary purpose of an email was not direct marketing.
Finally, Leave.EU and Eldon Insurance claimed that they had acquired consent from the Leave.EU newsletter subscribers to send direct marketing information. However, the Upper Tribunal concluded that the subscribers had not provided "freely given, informed, and specific" consent to receiving direct marketing information, only the newsletter.
There has been precious little case law on the PECR, therefore this decision provides welcome clarification regarding the scope of consent concerning email communications. It is also important to note that the PECR covers tracking technologies (known as cookies). If cookies are embedded in an email or within a website, a subscriber or website visitor must be provided "clear and comprehensive" information regarding how their data will be used and give their consent.
COVID-19: FLEXIBLE, LIVE ONLINE BCS & IAPP TRAINING NOW AVAILABLE - PLEASE CONTACT FOR DETAILS