While all the talk over the past year has been in relation to GDPR, the recent case discussed below highlights the need to go back to basics when it comes to your marketing campaigns. Simple due diligence could save you money and your reputation!
Facts
Grove Pension Solutions Limited (Grove)used a third party to undertake a lead generating campaign. As part of the campaign an ‘email provider’ was used to send out ‘pre-approved emails’ to opted-in subscribers on Groves behalf. Although subscribers had consented to receive marketing emails from the email provider, Grove was not specifically named as the sender and was not specifically named within the email providers privacy policy when the consent was obtained.
Furthermore, the privacy policy in question simply specified a number of categories of sectors the subscriber may receive marketing emails from, with no option to specify or limit the type of marketing they wished to receive.
From October 2016 to October 2017 some 1,942,010 emails were sent on Groves behalf, and following a number of complaints the Information Commissioners Office investigated the matter.
The Decision
The rules in relation to direct marketing are set out in the Privacy and Electronic Communications Regulations 2003 (PECR). Organisations cannot generally send marketing emails unless the recipient has notified the sender that they consent to such emails being sent by, or at the instigation of, that sender (in this case Grove).
Grove was the ‘instigator’ of the direct marketing emails and should have ensured valid consent had been acquired to send marketing emails. To satisfy validity, Grove should have ensured the consent was freely given, specific and informed. Consent could not be informed if the subscribers do not know what they are subscribing too.
The ICO found that ‘indirect consent’ (where subscribers inform one organisation that they consent to receive marketing emails from another organisation) would not normally be enough for texts, emails or automated calls, due to the fact that electronic messages are deemed more intrusive.
Groves actions were found not to be a deliberate breach of PECR, however, the company was found to be in breach of Regulation 22 of the in that they did not obtain valid consent to the email marketing from the subscribers. The Commissioner highlighted that when sending marketing emails, organisations must obtain specific consent from that subscriber to receive marketing emails, and that consent will not be valid if subscribers are asked to agree to receive emails from ‘partners’ or ‘third party’ organisations.
Furthermore, Grove had no prior relationship with the subscribers, and so could not rely on the ‘soft opt-in’ exception 22(3) PECR.
In mitigation, the Commissioner accepted that Grove had obtained professional data protection advice and legal advice prior to the marketing campaign (yes this is true!), that the number of complaints were minimal and there was no evidence of the direct marketing continuing beyond October 2017. In the circumstances, the Commissioner imposed a reduced monetary penalty of £40,000. In handing down the monetary penalty the Commissioner highlighted that the sending of unsolicited marketing emails was a matter of ‘significant public concern’ and that a significant portion of complaints the commission receives relate to unsolicited direct marketing.
Conclusion
When considering a direct marketing campaign, undertake simple due diligence and ensure that you have valid consent from potential subscribers (and good advice!).
