The government has recently given the ICO new powers to clampdown on nuisance calls, texts and emails. Potential fines of £500,000 could be imposed for making calls without appropriate consent.And this month the ICO has imposed a £60,000 fine on a relatively small direct marketing company for a breach of e communication regulations. It’s a reminder, if one were needed, of the urgent need for companies of all sizes to review their processes for obtaining consent from individuals before they use their personal data in a way that may breach data protection legislation. At Big Data Law in London we offer tailor-made guidance on data security law – and our advice always comes direct from a specialist solicitor.
ICO COMPAINT FIGURES SHOW MIXED PICTURE
Figures from the ICO show an explosion in calls to individuals about PPI, personal injury claims and other matters. Interestingly the same set of figures show the lowest ever number of complaints about unwanted emails. In fact, according to the ICO there were just 60 such complaints in July 2018. The ICO suggests that one reason for the large dip in email complaints could be that companies have reacted positively to the implementation of GDPR and introduced stricter personal data management processes. Of course this is to be welcomed. But the recent fine by the ICO on a direct marketing company shows there is no room for complacency when it comes to using email to market services. And post GDPR,ICO enforcement action is likely to be more common and more severe.
EVERYTHING DIRECT MARKETING LIMITED: THE FACTS
Stevenage-based Everything DM Limited (EDML) was fined £60,000 for sending almost 1.5 million emails without consent. The ICO found that between 2016 and 2017 the company charged its clients for sending the huge tranche of unsolicited marketing emails. And the company did so without taking the necessary steps to ensure they had complied with the Privacy and Electronic Communications Regulations (PECR).
WHAT IS PECR?
The PECR operate in parallel with GDPR. They are rules that provide individuals with greater protection when it comes to electronic communications. For our clients the relevant PECR provisions relate specifically to:
- Electronic marketing, including calls, texts and emails and faxes. Different rules apply when marketing to individuals and companies but usually specific consent is required – often obtained through an opt-in box enabling an individual to confirm they agree to receive electronic communications from you.
- Cookies and similar website tools. Visitors to a website must be made aware that there are cookies on the site and what they are for. Consent to store cookies on an individual’s device is almost always required.
PECR AND GDPR
Although the EDML fine relates to activity that occurred before GDPR it shows the data protection implications for companies engaged in unsolicited e marketing. While we have pointed out that GDPR compliance is possible without getting the consent of individuals to the use of their data, when you do need consent the way you obtain it is key. In the EDML decision the ICO was clear:
“Firms providing marketing services to other organisations need to double-check whether they have valid consent from people to send marketing emails to them. Generic third party consent is not enough and companies will be fined if they break the law.”
GDPR is not a substitute for PECR. But when it comes to consent, GDPR has strengthened the privacy and electronic communications regime. That’s because the GDPR approach to consent applies to PECR, so companies must give individuals real choice and control about the use of their data.
CAN WE HELP?
At Big Data Law our team of solicitors works with companies across a range of sectors to ensure their data management processes are effective and fully compliant with all relevant regulations.We offer bespoke guidance on GDPR and related rules including PECR.
The sheer number of rules and the increased vigilance of regualtors can be daunting for many businesses. But it’s important to remember that not all rules will apply to every business. That said, if you use email or text marketing or have cookies on your website you should seek specialist advice to ensure GDPR and PECR compliance.
EDML has not just suffered the reputational damage of an ICO fine it must now also comply with an enforcement notice – scrutiny that will possibly disrupt its core business.With the right advice you can avoid this type of regulatory intervention and any negative impact it could cause.
You can contact us online or call for more information on 0203 670 5540.