Who: Information Commissioner’s Office
When: Late 2013
Where: UK
Law stated as at: 1 February 2014
What happened:
In September 2013 the Information Commissioner’s Office published Direct Marketing Guidance (“DM Guidance”). There were aspects of this which caused the industry some concern.
These included an indication that, however clearly worded and explicitly consented to, a general opt-in to receive unsolicited third party marketing emails was too broad to be relied on.
There was also a suggestion that, as a rule of thumb, even where such “third party consent” was specific enough, third parties would lose the right to make use of that consent if they left it more than six months after the consent was given before getting in touch.
After six months, ICO reasoned, it would cease to be the consent “for the time being” required for unsolicited direct marketing emails or texts by the Privacy and Electronic Communications Regulations 2003 (“PCRs”).
The Direct Marketing Association (“DMA”) has queried these and a number of other passages in the DM Guidance and its discussions with ICO are ongoing.
In the meantime, however, and without any major announcement, the ICO has made consequential changes to its well-established Guide to Privacy and Electronic Communications (“PEC Guide”).
Changes to PEC Guide not shown
No mark-up showing the changes was made available, but we have done a comparison of the old and new passages relevant to the two points above and the results are of interest.
First, in the section of the PEC Guide dealing with the interpretation of the phrase “for the time being” as in the “consent for the time being” required for unsolicited marketing emails or texts, ICO has deleted:
“We interpret this to mean that until there is good reason to consider it no longer valid; for example, if it has been withdrawn or it is otherwise clear that the recipient no longer wishes to get such messages, the initial consent will remain valid if there are good grounds to believe that the recipient remains happy to get the marketing communications in question; for example, where the recipient has responded positively (that it has not objected to) to previous, reasonably recent marketing emails.”
In its place has been inserted:
“[consent for the time being] will remain valid as long as it is still reasonable to treat it as an ongoing indication of the person’s current wishes.
There is no fixed time limit after which consent automatically expires. However, someone can withdraw consent at any time-for example, by opting out, unsubscribing, or making a complaint. And even if consent is not withdrawn, it will become less reliable as time passes.”
What do we make of this change?
Need for “good grounds” changed to “is it reasonable”?
Before there needed to be “good grounds” for believing consent was still valid. Now the test is whether it is “reasonable” to treat the consent as ongoing. This suggests a slight softening in ICO’s approach.
Also, in contrast to the 6 month shelf life suggested for third party consent in the DM Guidance, which was the first time ICO had posited a specific period in such a context, the PEC Guide now says that there is “no fixed time limit” after which consent automatically expires.
Again, although the PEC Guide repeatedly states “see our guidance on direct marketing for more information,” it seems as if ICO is rowing back a little from the controversial suggestion on this point in the DM Guidance.
Third party mailing list changes
More changes are made in the “Third-party electronic mailing lists” section of the PEC Guide.
Before the PEC Guide stated:
“[the PCRs] do not expressly rule out obtaining consent through a third party. However if you are buying or renting a list from a broker, you will need to seek assurances from them about the basis on which the information was collected.
It is difficult to see how a third party list can be complied and used legitimately except where the individual subscriber expressly invites (solicits) marketing by electronic mail. This is because you may only send unsolicited marketing to an individual subscriber who has “previously notified the sender that they consent for the time being to such communications being sent, by or at the instigation of the sender.” Arguably you may obtain a person’s consent through a third party, but a lot will depend on the clarity and transparency of the information that third party gave the intended recipient when it collected their contact details.”
The above has now been replaced by the following:
“You need to be very careful when relying on indirect consent originally obtained by someone else. This is because the [PCRs] require that the customer has notified you that they consent to your messages. On a strict interpretation, indirect consent would not meet this test-as the customer did not directly notify you, they notified someone else. So it is best practice to only send marketing texts or emails if you obtained consent directly from that person.
However, we do accept that indirect consent might be valid in some circumstances, if it is clear and specific enough. In essence the customer must have anticipated that their details would be passed to you and that they were consenting to messages from you. This will depend on exactly what they were told when consent was obtained. For more information on indirect consent, see our guidance on direct marketing.”
The principal points made in both passages are the same, although it is interesting that “subscriber” has been changed to “customer” in a context where, almost by definition, the recipient of the communications has yet to become one. “Customer” might be more appropriate in the context of “customer soft opt-in” where contact details are obtained in the course of negotiations for a sale, but use of the term here seems more questionable.
Useful litmus test for third party consent wording?
The one significant difference, however, is the addition of the requirement that the “customer must have anticipated that their details would be passed to you and that they were consenting to messages from you.”
A useful further litmus test, maybe, to apply when drafting third party consent wording.
The point about clarity of disclosures made when obtaining consent is underlined in changes to the next section headed “If we buy in or rent a list, can we use it?” but query are the changes fully in line with the controversial pronouncements on third party consent in the DM Guidance?
Instead of the previous
“if you wish to buy in or rent a list from a third party, you may only use it if the intended recipient has actively consented to receiving unsolicited emails from third parties.”
We now have
“You should take extra care if you are using a bought-in list to send marketing texts or emails..You must have very specific consent for this type of marketing, and indirect consent (i.e. generic consent originally given to another organisation) will not always be enough.”
“Will not always be enough” is, the writer would suggest, a marked retreat from the clear (and much criticised) indication in the DM Guidance that far from “not always being enough,” generic third party consent was unlikely to cut the mustard except in exceptional cases.
Why this matters:
ICO’s September 2013 Direct Marketing Guidance signalled a much stricter approach to direct marketing consent.
The change clearly required consequential updates to its Privacy and Electronic Communications Guide, but it is interesting firstly that these amendments have been made with little publicity (although the DM Guidance did indicate in passing that changes would be made) and secondly that on two significant points where the DMA has pushed back on behalf of the industry, the changes appear to stop short of the strict position taken in the DM Guidance.
Perhaps the DMA’s lobbying has already borne fruit, depending of course on which takes precedence, the Guide or the Guidance.