Rafi Azim-Khan (pictured far left) and Steven Farmer (left) data privacy specialists at Pillsbury Law, advise brands to ensure they have the necessary consents to lawfully send emails and texts.
On 11 May, Leave.eu, the pro-Brexit campaign group, was fined by the UK Information Commissioner’s Office (ICO) for sending spam texts as part of a direct marketing campaign. Better for the Country Ltd., which campaigned under the names ‘Leave.eu’ and ‘The Know’, was fined £50,000 after admitting to sending 501,135 texts, generating 140 complaints. Though Leave.eu argued that it had obtained sufficient consent to send the texts, the ICO ruled to the contrary.
Whilst many of the texts were sent to registered supporters of the group, a number were sent to individuals whose information had been obtained from a third-party data supplier. Although Leave.eu had argued that the third-party data obtained was ‘double opt-in consented for government and local government marketing’, the ICO ruled that the group had breached Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) by transmitting unsolicited communications.
Consent, in the meaning of Regulation 22(2), requires that the recipient of the electronic mail has notified the sender that he/she consents to messages being sent. Indirect consent, or third party consent, can be valid, ‘but only if it is clear and specific enough’. The ICO considered that Leave.eu had neither.
This is not the first time, nor will it likely be the last, that the ICO has taken action over this type of campaign. In December 2015, it fined the Telegraph Media Group £30,000 for sending hundreds of thousands of emails, on the day of the general election, asking its readers to vote Conservative, even though many had only signed up to receive editorial content. More recently, in March 2016, David Lammy MP was fined £5,000 for placing 35,629 unsolicited recorded calls in an effort to persuade people to back his campaign to be named the Labour Party candidate for London Mayor.
Lessons to be learned
In the case of Leave.eu, though contravention was not deemed to have been deliberate, the Commissioner nonetheless felt that the group had been negligent and that they ought to have been more cognisant of the law.
The ICO may well adopt such a view in the event of future contraventions. Firms embarking on an eMarketing campaign ought, therefore, to ensure, in the words of the Commissioner, that consent is ‘sufficiently clear and specific’ when using a bought-in list. Of particular note is the fact that even though Leave.eu was given contractual assurances from the third-party supplier that the necessary consent to send the messages had been obtained, the Commissioner did not consider that the company had undertaken sufficient due diligence. This case highlights the fact that detailed due diligence and purging in respect of bought in lists is therefore key.
To aid those engaged in direct marketing, the ICO has advised that due diligence might include the following checks: