Direct marketing campaigns: Problems caused via a lack of consent
If you think your e-marketing campaign is safe, think again. Earlier this summer, an e-marketer in the UK was fined by an EU data protection regulator for sending unsolicited text messages and breaching EU laws controlling the sending of spam.
This case is a stark reminder of the pitfalls facing EU marketers when embarking on national or pan-European campaigns and underlines how doing some due diligence upfront can reduce significant headaches down the line.
In particular, on 11 May, Better for the Country Ltd., more widely known as the pro-Brexit campaign groups ‘Leave.eu’ and ‘The Know’, was fined £50,000 ($64534) for sending unsolicited text messages as part of a direct marketing campaign. The UK Information Commissioner’s Office (ICO) fined the group for sending 501,135 text messages, which generated 140 complaints, says Rafi Azim-Khan, head data privacy, Europe, Pillsbury Law and Steven Farmer, counsel, Pillsbury Law.
Though Leave.eu argued that they had obtained the necessary consent to send the messages the Commissioner ruled that this was not, in fact, the case.
This is not the first time that a campaign group has been fined for sending unsolicited messages. In December 2015, the Commissioner fined the Telegraph Media Group $38720 approx (£30,000) for sending hundreds of thousands of emails, on the day of the 2015 general election, asking its readers to vote Conservative, even though many had only signed up to receive editorial content.
More recently, David Lammy, the MP for Tottenham, was fined £5,000 ($6453 approx) (March 2016) for placing 35,629 unsolicited recorded calls in an attempt to generate support for his campaign to become the Labour Party’s candidate for London Mayor.
What gives the Leave.eu case particular significance, however, is the fact that the ICO intended this case to act ‘as a general encouragement towards compliance with the law’. It is therefore imperative that firms of all sizes have carried out the necessary checks before initiating a direct marketing campaign of the kind launched by Leave.eu.
Leave.eu believed that they had consent to send the messages. Many of the texts were sent to registered supporters of the group, and although a number were sent to individuals whose details had been purchased from a third party data supplier, Leave.eu were of the opinion that because the data was ‘double opt-in consented for government and local government marketing’, they had the necessary consent to contact the individuals.
The ICO, though, were of the opinion that group had breached Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) by transmitting unsolicited communications.
Consent, in the meaning of Regulation 22(2), requires that the recipient of the electronic mail has notified the sender that he/she consents to messages being sent. Indirect consent, or third party consent, can be valid, ‘but only if it is clear and specific enough’. The ICO considered that Leave.eu had neither.
Ultimately, Leave.eu’s contravention of the law was deemed to have been on account of their negligence and was not a deliberate violation. That said, the Commissioner felt that Leave.eu ought to have been cognisant of the law.
To avoid similar violations, firms ought to ensure that, in line with the words of the Commissioner, consent to send messages as part of an e-marketing campaign is sufficiently ‘clear and specific’, especially when using a bought-in list of the kind used by Leave.eu.
Even though the group had gained contractual assurances from the third party supplier that necessary consent to send the messages had been obtained, the Commissioner still found Leave.eu negligent and liable. Proper, robust checks and due diligence, then, are essential.
Due diligence for firms involved in direct marketing might, according to the ICO, include the following checks.
- How and when was consent obtained?
- Who obtained it and in what context?
- What method was used—was it opt-in or opt-out?
- Was the information provided clear and intelligible?
- How was it provided—behind a link, in a footnote, in a pop-up box, in a clear statement next to the opt-inbox?
- Did it specifically mention texts, e-mails or automated calls?
- Did it list organisations by name, by description, or
- Was the consent for disclosure to any third party?
- Is the seller of the list a member of a professional body or accredited in some way?
A reputable list broker should be able to demonstrate that the marketing list for sale is reliable by explaining how it was compiled and providing full details of what individuals consented to, when and how, the Commissioner says. If the seller cannot provide this information, a buyer should not use the list.
The ICO hopes that this case will promote compliance with the PECR. The £50,000 ($64534) fine is a pertinent reminder for businesses, then, of the cost of falling foul of the law. Negligence, or ignorance, is no excuse, and firms must carry out the necessary checks, or seek legal advice, to ensure they are completely covered. In the words of Stephen Eckersley at the ICO, this case ‘reinforces the need for businesses to ensure that they are only texting those who consent to receive marketing’.
Although this case was brought in the UK by the ICO and related to the spamming of UK residents, the lessons learned here would equally apply where a UK marketer looked to send marketing communications to non-UK nationals outside of the UK.
Similarly, marketers based across the continent should take note of the ICO’s proactive approach in this case. To the extent a non-UK marketer had an establishment of some sort in the UK and it targeted UK nationals with spam, then the ICO may well have the appetite to similarly take action against them.
The author of this blog is Rafi Azim-Khan, head data privacy, Europe, Pillsbury Law and Steven Farmer, counsel, Pillsbury Law.
Comment on this article below or via Twitter: @ VanillaPlus OR @jcvplus