The Age of Consent

Pillsbury Rafi Azim-KhanPillsbury Steven FarmerRafi Azim-Khan (pictured far left) and Steven Farmer (left) data privacy specialists at Pillsbury Law, advise brands to ensure they have the necessary consents to lawfully send emails and texts.

On 11 May, Leave.eu, the pro-Brexit campaign group, was fined by the UK Information Commissioner’s Office (ICO) for sending spam texts as part of a direct marketing campaign. Better for the Country Ltd., which campaigned under the names ‘Leave.eu’ and ‘The Know’, was fined £50,000 after admitting to sending 501,135 texts, generating 140 complaints. Though Leave.eu argued that it had obtained sufficient consent to send the texts, the ICO ruled to the contrary.

Background
Whilst many of the texts were sent to registered supporters of the group, a number were sent to individuals whose information had been obtained from a third-party data supplier. Although Leave.eu had argued that the third-party data obtained was ‘double opt-in consented for government and local government marketing’, the ICO ruled that the group had breached Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) by transmitting unsolicited communications.

Consent, in the meaning of Regulation 22(2), requires that the recipient of the electronic mail has notified the sender that he/she consents to messages being sent. Indirect consent, or third party consent, can be valid, ‘but only if it is clear and specific enough’. The ICO considered that Leave.eu had neither.

This is not the first time, nor will it likely be the last, that the ICO has taken action over this type of campaign. In December 2015, it fined the Telegraph Media Group £30,000 for sending hundreds of thousands of emails, on the day of the general election, asking its readers to vote Conservative, even though many had only signed up to receive editorial content. More recently, in March 2016, David Lammy MP was fined £5,000 for placing 35,629 unsolicited recorded calls in an effort to persuade people to back his campaign to be named the Labour Party candidate for London Mayor.

Lessons to be learned
In the case of Leave.eu, though contravention was not deemed to have been deliberate, the Commissioner nonetheless felt that the group had been negligent and that they ought to have been more cognisant of the law.

The ICO may well adopt such a view in the event of future contraventions. Firms embarking on an eMarketing campaign ought, therefore, to ensure, in the words of the Commissioner, that consent is ‘sufficiently clear and specific’ when using a bought-in list. Of particular note is the fact that even though Leave.eu was given contractual assurances from the third-party supplier that the necessary consent to send the messages had been obtained, the Commissioner did not consider that the company had undertaken sufficient due diligence. This case highlights the fact that detailed due diligence and purging in respect of bought in lists is therefore key.

To aid those engaged in direct marketing, the ICO has advised that due diligence might include the following checks:

  • How and when was consent obtained?
  • Who obtained it and in what context?
  • What method was used – was it opt-in or opt-out?
  • Was the information provided clear and intelligible? How was it provided – behind a link, in a footnote, in a pop-up box, in a clear statement next to the opt-inbox?
  • Did it specifically mention texts, emails or automated calls?
  • Did it list organisations by name, by description, or was the consent for disclosure to any third party?
  • Is the seller of the list a member of a professional body or accredited in some way?

A reputable list broker should be able to demonstrate that the marketing list for sale is reliable by explaining how it was compiled and providing full details of what individuals consented to, when and how, the Commissioner says. If the seller cannot provide this information, a buyer should not use the list.

Comment
Ultimately, the Leave.eu case was intended, the Commissioner has said, to promote compliance with PECR. Stephen Eckersley, ICO head of enforcement, elected to impose the £50,000 fine to act as ‘a general encouragement towards compliance with the law’. This case is a reminder that it is essential for businesses to ensure they have gained the necessary consent and have carried out sufficient checks to create a due diligence shield before embarking on an eMarketing campaign. In Mr Eckersley’s words, this case ‘reinforces the need for businesses to ensure that they are only texting those who consent to receive marketing’.

Rafi Azim-Khan and Steven Farmer are data privacy specialists at Pillsbury Law