The new General Data Protection Regulation (GDPR) came into force on Friday 25 May 2018. Ironically, a law designed to protect people’s privacy in a digital age has unleashed a torrent of spam emails.
In recent weeks, many organisations, including lawyers, have been bombarding their customers with emails asking for consent to keep them on a mailing list or even to contact them ever again. Such emails, with catchy subject lines like ‘Let’s not say goodbye’ or ‘Don’t leave me this way’, are a misguided attempt at complying with GDPR. The irony is that by trying to comply with one law organisations could be falling foul of another.
It is a myth, which has been busted by the Information Commissioner on her blog, that the introduction of GDPR means that the only legal basis for personal data processing (including for marketing) is consent. There are six legal bases set out in article 6:
(a) Consent: the individual has given clear consent to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract with the individual, or because they have asked the data controller to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for the data controller to comply with the law.
(d) Vital interests: the processing is necessary to protect someone’s vital interests, e.g. life or property.
(e) Public task: the processing is necessary for the data controller to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for the data controller’s legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
GDPR does not fundamentally change the position set out in the previous Data Protection Act 1998 (DPA). A similar list to the one above can be found in schedule 2 of the DPA. Consequently, there is no need to send consent emails to regular contacts and existing customers whether or not they are on a mailing list. Often companies will be able to rely on the legitimate interest condition (explained above) to continue to make use of such data even for marketing purposes, subject to compliance with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
Where personal data for marketing purposes has been gathered through consent, there is no need to automatically refresh permission in preparation for GDPR. It is important, though, to check that existing permissions meet the higher GDPR consent standard. The GDPR states that consent must be freely given, specific and informed, and there must be an indication signifying agreement. Opt-out boxes and pre-ticked opt-in boxes will no longer do. It also requires distinct (‘granular’) consent options for distinct processing operations. Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service. Only where existing permissions do not meet GDPR’s higher standards, or are poorly documented, will companies need to seek fresh consent or identify a different lawful basis for processing. (See also the Article 29 Working Party Guidelines on consent as well as those of the ICO.)
But another equally important law has to be carefully considered. Where organisations are processing personal data to send out direct marketing, PECR may also apply. PECR is 15 years old, yet many organisations still fall foul of it. Failure to comply could lead to a fine of up to £500,000. When the ePrivacy Regulation eventually replaces PECR, the fines will be in line with the GDPR, that is up to 4% of gross annual turnover or €20m, whichever is higher.
PECR sets out the rules for sending direct unsolicited marketing to individuals and organisations using telephone, text, fax and email. Where such marketing is sent to individual subscribers, organisations must get their consent (unless they rely on the so-called ‘soft opt-in’, namely where they have collected an email address in the course of a sale of goods or services, and give the person the right to opt out of marketing emails at the time and in future communications). There is no such restriction when marketing to corporate subscribers, i.e. a company email address, even if it belongs to an individual.
The definition of marketing is very wide under PECR. Even sending an email asking someone to opt in to receive emails, or checking their marketing preferences, is itself a marketing email. In 2017, Honda was fined £13,000 after the ICO found that it had sent 289,790 emails aiming to clarify customers’ choices for receiving marketing. The firm believed the emails were not classed as marketing but instead were customer service emails to help the company comply with data protection law. Honda could not provide evidence that the customers had ever given consent to receive this type of email, which is a breach of PECR. Flybe was fined £70,000 after it sent an email to 3 million individuals titled ‘Are your details correct?’ advising them to amend any out-of-date information and update any marketing preferences.
Personal information on marketing databases and mailing lists is of two types: that which has been gathered through regular contact with, or the consent of, the individual, and that which has been gathered by other means (including information scraped from the internet or bought). In each case the lawful basis for processing such data under GDPR has to be considered and, where it is being used for direct marketing, the PECR rules have to be complied with. Just firing off emails using standard wording may cause more problems than it solves.
Ibrahim Hasan is a solicitor and director of Act Now Training (www.actnow.org.uk), specialising in data protection law.