UK advertising and marketing laws have just undergone the biggest shake-up ever with the arrival of the Consumer Protection from Unfair Trading Regulations 2008. But could these extend even further and increase risks for those abusing data protection laws? Phil Lee reports.
Who: The Information Commissioner / The Office of Fair Trading
When: 26 May 2008
Law stated as at: 21 May 2008
There has been a lot of commentary to date on the likely impact of the Consumer Protection from Unfair Trading Regulations 2008 ("CPUT Regs") which came into force on 26 May this year. However, one angle not often explored is the potential for the CPUT Regs to sneak in greater data protection enforcement powers through the back door.
For the uninitiated, the CPUT Regs implement the Unfair Commercial Practices Directive (2005/29/EC) and seek to harmonise legislation across the EU preventing business practices that are unfair to consumers. The CPUT Regs prohibit: (i) unfair commercial practices generally (reg. 3); (ii) misleading and aggressive practices (regs. 5 – 7); and (iii) 31 "blacklisted" practices in all circumstances (set out in Schedule 1).
Some of these prohibitions have a clear crossover with the Data Protection Act 1998 (the "DPA") and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the "PEC Regs"). Specifically:
- Persistent and unwanted solicitations: The CPUT Regs blacklist "persistent and unwanted solicitations by telephone, fax, e-mail or other remote media". This prohibition draws obvious comparisons to the opt-in/opt-out regimes for electronic marketing communications under the DPA and PEC Regs. Marketers who are already compliant with the DPA and PEC Regs will have little cause for concern; however, non-compliant spammers and cold callers should take note – they now face additional liability under the CPUT Regs.
- Giving false information to, or deceiving, customers: Regulation 5 prohibits traders from giving false information to, or deceiving, customers in a way that influences their decision to enter a transaction (and regulation 6 contains similar prohibitions against misleading omissions). This is similar to the DPA's requirement that businesses must provide accurate and unambiguous disclosures about how they will collect and use customers' personal data (i.e. "fair processing" disclosures). A business that makes misleading "fair processing" disclosures could now potentially incur liability under the CPUT Regs.
- Falsely claiming a trust mark or seal which the trader does not hold: This is another blacklisted practice. It is of lesser relevance for the time being, but may become more relevant if and when the European Privacy Seal (http://www.european-privacy-seal.eu) starts becoming widely used in the UK.
Enforceability of ICO guidance?
As noted above, the CPUT Regs also contain a general prohibition against "unfair commercial practices" that influence customer behaviour (Regulation 3). "Unfair commercial practices" are defined by the regulations to be practices that contravene the "standard of special skill and care which a trader may reasonably be expected to exercise towards consumers which is commensurate with either (a) honest market practice in the trader's field of activity, or (b) the general principle of good faith in the trader's field of activity, or both". Some commentators have argued that this definition is sufficiently wide to capture failure to comply with industry codes of practice – such as ICO guidance. If this is indeed the case, material failure to comply with ICO guidance may be treated as an "unfair commercial practice" attracting liability under the CPUT Regs.
Why this matters:
The significance of the overlap between the CPUT Regs and the DPA is principally one of enforcement, and there are two key points to note.
The first is that failure to comply with the above CPUT Regs requirements is a criminal offence, which can attract personal liability for directors and which is punishable by unlimited fine and/or up to two years' imprisonment. Enforcing these requirements under the DPA would be a much more difficult – and much lengthier – process (entailing investigations, warnings and notices by ICO, before finally referring the matter in question to court for enforcement). Further, data protection breaches have not generally attracted criminal liability, but this may now be the case for breaches that overlap with the CPUT Regs. The CPUT Regs will therefore facilitate quicker, harsher enforcement than has previously been possible under the DPA regime.
The second is that, aside from increased enforcement penalties, the CPUT Regs also increase the likelihood that enforcement action will be taken. Historically, the ICO has found itself overstretched in trying to enforce data protection compliance. However, the CPUT Regs are enforceable by the Office of Fair Trading, which can call upon its 203 local Trading Standards officers to monitor and enforce compliance, providing a much greater enforcement resource. This, combined with the royal assent of the Criminal Justice and Immigration Act 2008 (which introduces a power for ICO to impose monetary penalties on non-compliant data controllers), makes the overall likelihood of future data protection enforcement activities much greater.
The message for non-compliant marketers is clear: now is the time to get your house in order. If you don't, ICO and the OFT may just come knocking at your door!