This article was produced by Nabarro LLP, which joined CMS on 1 May 2017.
Summary and Implications
The law in relation to data protection and other information rights is enforced by the Information Commissioner's Office (ICO), which has various enforcement powers. In December 2014, it issued an Enforcement Notice against Optical Express (Westfield) Limited in connection with unsolicited marketing communications.
Optical Express appealed to the First-tier Tribunal (which hears appeals against decisions made by various regulatory bodies). The Tribunal recently upheld the Enforcement Notice, and its decision reinforces the need for any organisation that undertakes direct marketing to comply with legal requirements.
Failure to comply with applicable rules can lead not only to the issue of Enforcement Notices by the ICO but also to the issue of Monetary Penalty Notices of up to £500,000. In addition, breaches of the law can lead to reputational damage and loss of business.
The law
The Data Protection Act 1998 (DPA) sets out various rules in relation to processing personal data, which is data that relates to an individual who can be identified from it. In particular, it is necessary to comply with the eight data protection principles, the first of which is that data must be processed fairly and lawfully.
Processing of personal data will not be fair unless the data subject (i.e. the person to whom the information relates) is provided with certain information, including the name of the organisation processing the data, how it will be used and with whom it will be shared. This requirement is often fulfilled by the provision of a privacy policy or fair processing notice.
The Privacy and Electronic Communications Regulations 2003 (the Privacy Regulations) impose certain obligations and restrictions in respect of the carrying out of direct marketing by electronic means (i.e. email and text). Marketing by these means can only be carried out if the recipient has consented or the marketer can rely on the "soft opt-in".
The soft opt-in applies if the recipient is an existing customer of the marketer or has been in negotiations with the marketer and if the marketing relates to goods or services which are similar to the subject of the previous sale or negotiations. In addition, the individual must have been given the right to refuse marketing communications when the data was initially collected and each subsequent text or email must provide a right to opt-out of future marketing communications.
The Optical Express Decision
During 2013 and 2014, 7506 people complained to the ICO about unwanted text messages from Optical Express in relation to its laser eye surgery services.
It transpired that Optical Express was using contact details provided to it by Thomas Cook, which had collected the information as part of a travel survey. The survey had provided a tick-box for participants to indicate that they consented to receiving marketing information from third parties.
The ICO issued an Enforcement Notice requiring Optical Express to stop sending unsolicited texts. It found that the individuals in question had not consented to receive messages from Optical Express. Optical Express could not rely on the consents obtained by Thomas Cook since the survey did not specify that personal data would be passed to Optical Express or a provider of similar services. In addition, it found that there was no evidence that fair processing information had been provided.
Optical Express wished to continue to send texts to potential customers and appealed the decision of the ICO to the First-tier Tribunal. The Tribunal upheld the ICO's decision.
The Tribunal found that the consent given to Thomas Cook did not satisfy the requirements of the Privacy Regulations since it did not constitute informed consent. The contents of the survey were not specific as to who would be provided with the individual's contact details or what type of products or services the individual could be contacted about. Individuals could therefore not be said to have been fairly informed.
The significance of the decision
The Optical Express decision demonstrates how difficult it can be for businesses to make lawful use of mailing lists purchased or licensed from another organisation.
On a strict interpretation of the Privacy Regulations, consent to receive marketing communications by electronic means should be given to the sender of the communication, rather than a third party. The ICO does recognise in its guidance that indirect consent (i.e. consent given to a third party) might be valid in some circumstances but only if it is clear and specific. A broadly worded consent obtained by a third party is unlikely to be sufficient.
In addition, organisations that do obtain consent for marketing communications via a third party should ensure that they provide fair processing information as soon as possible.
It should also be borne in mind that recent changes to the Privacy Regulations have made it easier for the ICO to impose monetary penalties on anyone who breaches the rules in relation to unsolicited marketing communications. Previously it was necessary for the ICO to demonstrate that substantial damage or distress had resulted from the flouting of the rules but this is no longer the case. It is therefore likely that we will see the ICO issuing more Monetary Penalty Notices in future.