First Tier Information Tribunal Considers Unsolicited Marketing Text Messages

Where an organisation or individual is in breach of data protection law, as the UK’s independent body set up to uphold information rights, the Information Commissioner’s Office (ICO) has authority to issue Enforcement Notices. The Enforcement Notice will identify the breach and stipulate actions that are required to be taken by the organisation in breach, within a specific time scale, in order to remedy the breach.

The ICO issued an Enforcement Notice to Optical Express in December 2014 requiring Optical Express to stop sending unsolicited marketing texts in breach of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PECR’). PECR regulates how organisations can carry out direct marketing and Regulation 22 provides the framework within which unsolicited electronic communications may be sent to individual subscribers.

Under Regulation 22, unless the recipient of the communications has provided consent, unsolicited electronic communications (including emails, text messages, picture messages, video messages, voicemails, direct messages via social media or any similar message that is stored electronically) can only be sent to individual subscribers in the following circumstances:

• the sender has received the contact details of the recipient during the course of negotiations or the sale of a product to the recipient;
• the marketing relates to the sender's similar products and services only
• the recipient was given a simple way to opt out of receiving direct marketing at the time of providing their details and, where the recipient did not opt out, the recipient is provided with an opportunity to opt out of receiving direct marketing at each subsequent communication made by the sender.

Optical Express appealed the Enforcement Notice on the following grounds:

1. The contents of the Enforcement Notice were not sufficiently clear or detailed – the Enforcement Notice did not give sufficient detail in their reasons for issuing the Enforcement Notice, and also that the direction within the notice on how to rectify the breach was insufficiently clear.
2. The text messages were not unsolicited, and this had not been proven by the ICO –the recipients of the messages had opted in to receipt of such communications by expressing a willingness to receive such communications.. This would mean Regulation 22 was not engaged.
3. The matter of “consent” had been improperly interpreted – the ICO definition limits the activities which can be carried out. Consent to electronic marketing should not be limited to one company.

The First-tier Tribunal dismissed the appeal, rejecting all of Optical Express’ arguments.

It was held that although the Enforcement Notice contained in simple terms what the breach related to, it was sufficient reasoning for Optical Express to understand that it related to complaints regarding unsolicited text messages. It was also held that the statement of how to comply with Regulation 22 was sufficiently clear.

The messages were held to be unsolicited and in order for them to be solicited messages, consent would have to be given directly to the sender, Optical Express. On the basis that Optical Express were relying on recipients providing consent to Thomas Cook in a questionnaire, this was not sufficient consent to allow an unrelated organisation such as Optical Express to send them unsolicited marketing messages.

In the decision, a helpful discussion surrounds the meaning of consent in the context of Regulation 22 of PECR. Brian Kennedy QC employed a strict definition stating: “if the data subject doesn’t know what other projects might be marketed then how can he exercise his right to object to some of them whilst being happy to receive others”. It was concluded that without providing details to a recipient of the types of products that would be marketed to them, recipients of the messages could not give true consent. The Tribunal held that the fact that the data sharing contract between Optical Express and Thomas Cook required “consented” data was irrelevant, as the consent provided did not refer to Optical Express or its products.

Comment

This case emphasises the challenges faced by organisations who would like to make use of direct marketing and reinforces the iCo-author'd by:mportance of cautious consideration of the strict requirements imposed under PECR.

In light of the decision issued by the First-tier Tribunal, best practice for organisations would be to ensure direct consent is obtained from the recipient before sending out direct marketing communications, otherwise organisations must carefully consider the exceptions under Regulation 22 of PECR (outlined above).

The ICO has recently published guidance on these matters in order to assist with compliance, so measures can be put in place to avoid Enforcement Notices.

What’s New

The European Commission has finalised negotiations between the United States and the European Union on a joint ‘Umbrella Agreement’ for data protection.

The agreement will facilitate the sharing of information between the EU and US for the purposes of investigating crimes and terrorism. It will require the United States to introduce legislation allowing EU member state citizens to seek redress in the US courts for breaches of privacy laws. The necessary legislation is currently before US congress and the joint agreement is dependent on its passage into law.

Co-author'd by: Kevin McDade