Who: Roddy Mansfield and John Lewis
Where: Mr Mansfield’s local County Court
When: June 2014
Law stated as at: 10 June 2014
The first fully argued case in which damages have been claimed for breach of consent laws for unsolicited marketing email has ended in victory for the claimant.
Roddy Mansfield was browsing the Waitrose website to check the cost of home delivery to his address. In order to obtain this information he had to register on the site. and provide his email address. As part of the registration process, he was presented with an opportunity to opt out of receiving further emails with news and offers.
The precise wording of the disclosure against the option box is not clear from reports of the case published so far, but by all accounts, the mechanism used was “soft opt-in” and used a pre-ticked option box. The wording would have stated that by unticking the box, Mr Mansfield would be indicating that he did not want to receive the specified marketing emails.
Mr Mansfield did not untick the box.
Subsequently he received marketing emails from John Lewis, sister company to Waitrose in the John Lewis Partnership.
Mr Mansfield sues for compensation for damage suffered by email
Mr Mansfield then sued John Lewis in his local county court for breach of Regulation 22 of the Privacy and Electronic Communications Regulations 2003 (“PCRs”).
In doing so he was exercising his rights under Regulation 30 of the PCRs. This states:
A person who suffers damage by reason of any contravention of [the PCRs] by any other person shall be entitled to bring proceedings for compensation from that person for that damage.
In their defence John Lewis cited the so-called “soft opt-in” provisions of Regulation 22. These provide an exception to the normal rule that unsolicited marketing emails (“UME”) should not be sent unless the recipient has notified the sender that they consent to this.
See “The Law” section below for full details of how “soft opt-in” works and the “Guidance” section below for details of relevant ICO Guidance, but for these purposes its key elements are that:
(i) the email address in question must have been captured “in the course of [a] sale or negotiations for the sale of a product or service” from company X;
(ii) and the prospective customer must be given, at point of data capture, a simple means of opting out of receiving future UME from company X marketing its “similar” products or services.
Based on the process Mr Mansfield followed when registering with Waitrose, the judge was not satisfied that Mr Mansfield had “negotiated” with John Lewis for a sale, or otherwise had a business relationship with John Lewis such as to allow the soft opt-in provisions of the PCRs to be engaged.
In light of this finding, John Lewis’s only remaining defence was that the normal consent requirement of Regulation 22 of the PCRs for UME had been satisfied. However, the court was not persuaded that by not opting out of UME, Mr Mansfield had effectively notified John Lewis that he consented to receiving it.
Accordingly judgment was given in favour of Mr Mansfield and apparently compensation and presumably costs awarded, although the figures are not yet available for either.
John Lewis are not apparently planning to appeal. A spokesperson was quoted as saying that the case was based on a “very specific set of circumstances” and although the retailer disagreed with the decision, they would abide by the ruling.
Why this matters:
As a county court judgment, this decision sets no precedent and does not bind any other court or tribunal to apply the same reasoning.
There are also uncertainties surrounding a number of key aspects that are essential to understanding fully the reasoning behind the judgment and its implications.
(i) was the subsequent UME which triggered the proceedings actually sent by Waitrose Ltd or was it was sent by a separate company in the John Lewis group? If it was the latter, then by definition, soft opt-in could not apply as soft opt-in only allows UME from the same legal person that captured the email address in the first place;
(ii) what was the precise wording of the disclosure beside the pre-ticked option box? Did it make clear that by failing to untick it, the individual was consenting to receiving UME from Waitrose only, promoting its similar products or services, or did it refer for example to future UME from other John Lewis Partnership companies? If the former, then again, John Lewis UME would not have been legitimised by any registration even if the box had been left ticked;
(iii) did the registration procedure include a separate, positive action which could be characterised as a “positive indication of consent,” such as clicking on a button with wording “Create account” as now appears on the John Lewis site? If so, the court’s finding that this did not amount to notification of consent seems to throw into doubt ICO Guidance on cases where failing to untick a box may deliver consent to UME;
(iv) what “damage” did Mr Mansfield argue that he had suffered and what compensation, if any, was awarded for such damage? So far we have only two previous reported cases where damages have been awarded for spam. In one £1300 was awarded against Transcom Internet Services and in the other £810 awarded against Jean Patrique Cookware. Both were default judgments where no proper reasoning is available as to the process whereby the quantum of damage was assessed.
If and when we have more clarity on these aspects, there will be further learnings to be derived. For the moment, however, the case underlines two key points:
1. pre-ticked opt-in boxes should be handled with extreme care if they are being used to legitimise future UME;
2. in a soft opt-in context, a court may well interpret the meaning of “negotiations for a sale” less liberally than ICO has indicated in its guidance and look for a “business relationship”.
For instance, previously ICO has indicated that an individual entering an obviously promotional prize draw or competition will for the purposes of Regulation 22 be regarded as involved in “negotiations for a sale.” Query will this approach be followed by a county court judge?
Regulation 22 of the CPRs provides that except in a scenario where the UME recipient provides their email address in the course of a sale or negotiations for a sale and the other elements of “soft opt-in” are present, UME cannot be sent unless the recipient has previously notified the sender that he consents for the time being to such communications being sent by or at the instigation of the sender.
“Soft opt-in” allows UME to be sent if, when providing their email address, the person buying or negotiating to buy is given a simple means of refusing the use of his details for that purpose and does not take this opportunity to opt out.
The UME in question must only be sent by the legal person the individual was buying from or negotiating with and can only promote its own “similar” products or services.
In Guidance on Direct Marketing recently published by ICO, the data regulator has stated:
“The customer does not have to have bought anything to trigger the soft opt-in. It is enough if “negotiations for a sale” took place. This means that the customer should have actively expressed an interest in buying an organisation’s products or services-for example, by requesting a quote, or asking for more details of what it offers. There must be some sort of express communication.
The communication must be about buying products or services. It is not enough simply to send any query.”
Elsewhere in the Direct Marketing Guidance, ICO discusses pre-ticked opt-in boxes in a section dealing with opt in and out boxes. It says:
“A pre-ticked box will not automatically be enough to demonstrate consent as it will be harder to show that the presence of the tick represents a positive, informed choice.”
ICO goes on to say, however:
“In some circumstances failure to untick an opt-out box might be part of a wider mechanism of indicating consent. For example if the user must take a positive action to submit a form (eg click a button) and the organisation provides a clear and prominent message…the fact that a suitably prominent opt-out box has not been ticked might help establish that clicking the button was a positive indication of consent.”