Big headlines greeted announcements that from 6th April 2010 data privacy law breaches would attract exponentially higher fines. But will this apply to breaches of related laws controlling email, text and tele-marketing? Phil Lee slices and dices the regulatory salami.
Topic: Email marketing
Who: The Information Commissioner's Office
When: 6 April 2010
Law stated as at: 25 March 2010
As has been well-reported, the ability for the Information Commissioner's Office ("ICO") to issue fines of up to £500,000 for serious data breaches caused deliberately or recklessly will come into force on 6 April 2010. Almost as well-reported has been the fact that ICO's ability to issue fines will apply only to breaches of the Data Protection Act 1998 ("DPA") – but not the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PEC Regs"). The consequence of this, many commentators have said, is that ICO will not be able to issue fines to spammers who conduct illegal e-marketing campaigns.
So what does this mean – a field day for spammers? Marketers up and down the country forgoing all those pesky opt-in and unwieldy soft opt-in e-mail consent requirements? Well, if you think this – as some commentators seem to – then you'd be wrong. The fact is that ICO will still be plenty able to fine e-mail marketers who do not respect the PEC Regs opt-in and soft opt-in rules. But how, if ICO's fining powers do not directly extend to breaches of the PEC Regs?
The answer is that it all hinges on the key principle of the DPA – that personal data must be processed fairly and lawfully. But, before delving into that, let's first have a quick recap of the PEC Regs' e-mail marketing rules.
Opt-in and soft opt-in rules for e-mail marketing
In order to send e-mail marketing to a consumer, the PEC Regs require that the marketer must have obtained prior consent (i.e. opt-in consent) from the consumer to the sending of that e-mail (Reg 22(2)).
The only exception to this rule is where the marketer relies on the consumer's "soft opt-in" consent. This applies where: (i) the marketer has obtained the contact details of the consumer in the course of selling a product or service; (ii) the e-mail relates to marketing of similar products or services; and (iii) the consumer was given the opportunity to opt out of receiving e-mail marketing (both at the time of initial data collection and with each subsequent e-mail) but has not chosen to do so.
Any e-mail marketing that does not fulfil either the opt-in or the soft opt-in requirement will be unlawful – examples would be spam marketing (where the marketer has made no effort to collect consent or offer an opt out) or e-mail marketing conducted purely on the basis of opt outs (assuming soft opt-in does not apply).
Fair and lawful processing
Returning to the DPA, this mandates a key principle that businesses must process personal data "fairly and lawfully" (Principle 1, Schedule 1). "Lawful" processing is defined by reference to fulfilling one of the conditions set out in Schedule 2 (and, in the case of sensitive personal data, one of the conditions set out in Schedule 3) – such as having obtained consent from the individual concerned.
However, the concept of "lawful" processing is actually much wider than this – ICO's legal guidance on the DPA states that: "Meeting a Schedule 2 and Schedule 3 condition will not, on its own, guarantee that processing is fair and lawful. The general requirement that data be processed fairly and lawfully must be satisfied in addition to meeting the conditions." Put another way, this means that, in addition to meeting the Schedule 2 and 3 processing conditions, data processing must be lawful in all circumstances.
Marketers who send e-mail marketing without having collected the required opt-in or soft opt-in consent will be in breach of the PEC Regs – their actions will be unlawful. In turn, this means that any processing of personal data to send those e-mails will necessarily be unlawful, in breach of the "lawful" processing requirement of the DPA.
The consequence of this – ICO can still fine for non-compliant e-mail marketing if it wants to do so!
Why this matters:
Spam marketing has for too long been the scourge of the Internet, and one of the key areas in which personal data rights are widely abused. It would be wrong to send the message that ICO cannot take enforcement action against non-compliant e-mail marketers – to do so would incentivise spammers to carry on their illegal activities, and harm the effectiveness of legitimate e-marketing campaigns, with compliant e-marketing getting lost in an inbox full of spam.
It is therefore important that spammers should be aware that ICO now has real teeth and that spammers – who have little or no justification for their activities, illegally process huge amounts of personal data, and have little in the way of public sympathy – would make a very attractive enforcement target indeed.