Who: Optical Express (Westfield) Limited (“Optical Express”); Thomas Cook and other list suppliers; the Information Commissioner’s Office (“ICO”) and the First Tier Tribunal.
When: 31 August 2015
Where: UK
Law stated as at: 14 September 2015
What happened:
For the very first time, the First-tier Tribunal has considered the validity of so-called third party or indirect consents to receive marketing texts and emails and has published a reasoned decision on the point.
The case arose from a text campaign by Optical Express (“OE”). This involved OE sending millions of messages promoting its laser eye surgery service. OE used contact details described by OE’s suppliers as “consented data.” This was sourced from a number of suppliers, including Thomas Cook.
In November 2012, the ICO identified that a high volume of complaints was being received in respect of the campaign and a lengthy and extensive investigation began.
The campaign led to the ICO receiving no less than 7,506 complaints. Some came from individuals via the ICO’s online spam reporting tool but the vast majority came via Groupe Speciale Mobile Association’s 7726 spam reporting service.
The ICO established that the data used by OE had come from 6 data suppliers who had in turn obtained it from 120 sources.
The ICO engaged with OE in November 2012 and OE responded with details of 49 subscribers who OE said had consented to receiving such communications.
Information notices served
Following service of Information Notices on four telecoms providers in order to identify a selection of these 49 subscribers, ICO obtained witness statements from three of these. All said they had at some point completed a Thomas Cook travel survey form, often during a return flight from a holiday.
These included a tick box option to indicate that the person completing it was happy to receive marketing communications from third parties. No third party was named and no indication was given of the type of product that might be marketed.
None of the three witnesses recalled consenting to receive unsolicited marketing from OE. Neither was any direct evidence forthcoming from OE which indicated that the three witnesses had ticked the third party consent box or that any other complainants had consented.
The ICO took the view that no valid consent had been obtained for the OE campaign and that Regulation 22 (2) of the Privacy and Electronic Communications (EC Directive) Regulations (“PCRs”) had been breached.
Article 22 (2) of the PCRs provides as follows:
“…a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail [or text] unless the recipient…has previously notified the sender that he consents for the time being to such communications being sent, by or at the instigation of the sender.”
Following protracted but inconclusive discussions with OE and the service of a preliminary Enforcement Notice in October 2014, the ICO served a final Enforcement Notice on OE in December 2014 requiring it to stop sending unsolicited marketing text messages without recipients’ consent.
OE appeals Enforcement Notice
OE appealed to the First-tier Tribunal (“FTT”). Arguments were heard in July 2015 and the FTT handed down its decision on 31 August 2015.
OE’s defence arguments included:
- the data supplied to them had been described as “consented data” and this was sufficient proof of consent;
- individuals often forgot that they had opted into receiving marketing communications when filling in a form, so it was likely this had been the case with the three witnesses;
- none of the complainants had opted out of receiving further such communications when they received the marketing text from OE;
- evidence of lack of consent from just three individuals was de minimis and as the onus was on the ICO to show absence of consent, the case was not proven; and
- there were various flaws in the Enforcement Notice which rendered it unenforceable.
The FTT rejected all these arguments and refused OE’s appeal.
In particular, the FTT was not persuaded that any of the complainants had in fact ticked the box to consent to marketing communications, but even if they had, this would not have been valid consent.
Rules for consent in the Data Protection Directive applied
The FTT noted that by operation of Article 2 (f) of the Privacy and Electronic Communications Directive 2002/58/EC the test for “consent” as required by Regulation 22 (2) of PCRs for unsolicited direct marketing communications by email or text corresponded with the definition of “consent” in Article 2 (h) of the Data Protection Directive 95/46/EC (“DPD”).
This meant that there must be a freely given, specific and informed indication of the recipient’s wishes. Furthermore, by operation of Article 7 of the DPD such consent had to be “unambiguous.”
For that indication to be “informed”, by operation of Article 10 of the DPD, the data subject must be told (a) who is going to process the data (b) what it will be processed for and (c) anything else to ensure fairness of processing.
In this case the opt-in consent form did not inform the data subject that their data would be processed by OE, nor was the marketing of any specific type of product stipulated.
The FTT also held that the burden of proof that the texts were made with consent was at all times on OE and this had not been discharged
Therefore proper, fully informed and specific consent had not been obtained and OE had fallen foul of Regulation 22 (2) of the PCRs.
Why this matters:
The decision underlines and confirms the position taken by the ICO in its new guidance for Direct Marketing published on 10 September 203. On “third party” or “indirect” consent” for email and text marketing, the guidance represented something of a departure from previous guidance.
Unfortunately for OE, this was some time after the OE campaign and ICO’s investigation had started.
In the new guidance, for the first time and much to the surprise and disappointment of the direct marketing industry, the ICO came out clearly against general, opt-in consent to third party electronic communications using tick box wording such as
“Tick here to confirm that you are happy to receive marketing emails or texts from selected third parties.”
The ICO said
“It is extremely unlikely that a customer would intend to consent to unlimited future marketing calls or texts from anyone, anywhere.”
For indirect/third party consent to have any chance of validity, the ICO said, the third party organisation must be specifically named, or the consent must describe a specific category of organisation.
Under subsequent pressure from the Direct Marketing Association, the ICO indicated that it would not regard its stance in this regard as having retrospective effect, but it would expect all data capture undertaken after the publication of the guidance to take its position on third party/indirect consent into account. Separately the guidance also indicated that as a rule of thumb, third party consent would not be expected to have a shelf life of much longer than six months.
OE was unlucky that the ICO’s published change of approach post-dated its campaign, but of course its other difficulty was its inability to produce any direct evidence of consent in any event.
The decision serves as a reminder that marketers basing electronic campaigns on third party consent must treat third party marketing lists with extreme care, make rigorous checks into their provenance before relying on them and ensure that, if challenged, they can provide direct evidence of consent having been given by any complainant.