Online Recruitment Firm Receives £130,000 PECR Fine

On 10th April 2023, the Information Commissioner’s Office (ICO) fined Join The Triboo Limited £130,000 for sending 107 million spam emails targeting jobseekers. The online recruitment firm was found to have breached the Privacy and Electronic Communications Regulations (PECR) by sending unsolicited marketing emails to individuals without their consent.

PECR is a set of regulations which, amongst other things, governs the use of electronic communications (e.g. email, text message and automated calling systems) for direct marketing purposes. The regulations require that individuals give their consent before receiving electronic marketing messages, and job vacancies promoted in this way count as marketing. When it comes to email, businesses cannot send unsolicited marketing to individual subscribers unless the recipient has given prior consent (or the limited “soft opt-in” for existing customers, discussed below, applies).

The UK General Data Protection Regulation (GDPR), which also applies to electronic communications involving personal data, defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

This means that businesses must provide individuals with clear and concise information about what data they are collecting, how they will use it, and who they will share it with. Individuals must then be given the option to give their consent, and this consent must be freely given and specific to the intended processing activity. Businesses must also provide individuals with the option to withdraw their consent at any time.

Join The Triboo Limited was found to have breached PECR by sending unsolicited marketing emails to individuals without their consent. The emails were sent in bulk to individuals who had not signed up to receive job alerts from the firm, and the content of the emails did not provide individuals with clear and concise information about the firm’s processing activities.

Andy Curry, ICO Head of Investigations, said:

“It’s an issue many of us face – opening up our email inboxes and it being filled with emails we did not ask for or consent to. This shouldn’t just be considered a fact of life – it is against the law.

We provide advice and support to legitimate companies that want to comply with the law. Last year, we released updated direct marketing guidance to help those very businesses.

That is, however, not what was happening in this case. This company did not properly seek permission from the people it chose to bombard with spam emails. The company used job seeking websites as a key component in its unlawful campaign.

In taking this action, we say to the public that we will continue to be on your side and protect you, and we say to any other organisation operating outside of the law that we will pursue every case like this brought to us to the fullest extent.”

The ICO’s decision to fine this online recruitment firm is a reminder of the importance of complying with data protection and electronic marketing law. Doing so enables businesses to build trust with their customers and creates a safer, more secure online environment for everyone.

Our forthcoming PECR and Marketing workshop will consider this and other developments in detail. 

Spring Offer: Get 10% off on all day courses and special discounts on GDPR certificates. Limited time. Terms and Conditions apply. Book Now!

Consent, marketing and those pesky GDPR emails


In recent weeks many companies have been bombarding their customers with emails asking for consent to keep them on a mailing list or even to contact them ever again. We even received one from our regular printer!

Such emails, saying things like “Let’s not say goodbye” or “Don’t leave me this way”, are a misguided attempt at complying with the General Data Protection Regulation (GDPR), which becomes enforceable next Friday (25th May). The irony is that by trying to comply with one law, companies could be falling foul of another.

It’s a myth, busted by the Information Commissioner, that the introduction of GDPR means the only lawful basis for processing personal data (including for marketing) is consent. Consent is just one of six lawful bases set out in Article 6:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

GDPR does not fundamentally change the position under the current Data Protection Act 1998 (DPA): a similar list of conditions can be found in Schedule 2 of the DPA.

Consequently there is no need to send consent e-mails to regular contacts and existing customers whether or not they are on a mailing list. Often companies will be able to rely on the legitimate interest condition (explained above) to continue to make use of such data even for marketing purposes, subject to compliance with PECR (see later).

Where personal data for marketing purposes has been gathered through consent there is no need to automatically refresh permission in preparation for the GDPR. But it is important to check that existing permissions meet the higher GDPR consent standard.

The GDPR states that consent must be freely given, specific, informed, and there must be an indication signifying agreement. Opt out boxes and pre-ticked opt-in boxes will no longer do. It also requires distinct (‘granular’) consent options for distinct processing operations. Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.

Only where existing permissions do not meet GDPR’s higher standard, or are poorly documented, will companies need to seek fresh consent or identify a different lawful basis for processing. (See also the Article 29 Working Party (WP29) Guidelines on consent and our blog post here.)

But another, equally important, law has to be carefully considered. Where organisations are processing personal data to send out direct marketing, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) may also apply. PECR is 15 years old, yet many organisations still fall foul of it. Failure to comply could lead to a fine of up to £500,000. When the ePrivacy Regulation eventually replaces PECR, the fines will be in line with GDPR, i.e. up to €20,000,000 or 4% of global annual turnover, whichever is higher.

PECR sets out the rules for sending unsolicited direct marketing to individuals and organisations by telephone, text, fax and email. Where such marketing is sent to individual subscribers, companies must have their prior consent, unless they can rely on the so-called “soft opt-in”: they obtained the email address in the course of a sale (or negotiations for a sale) of goods or services, they market only their own similar products or services, and they gave the person a simple way to opt out of marketing emails both when the details were collected and in every subsequent message. There is no consent requirement when marketing to corporate subscribers, i.e. a company email address, even if it belongs to a named individual. Two caveats apply even then: the sender must still identify itself and provide a valid address for opt-out requests, and a named individual’s work email address remains personal data, so GDPR (including the right to object to direct marketing) still applies.

The definition of marketing is very wide under PECR. Even sending an email asking someone to opt-in to receive emails or checking their marketing preferences is in itself a marketing email.

In 2017 Honda was fined £13,000 after the ICO found that it had sent 289,790 emails aiming to clarify customers’ choices for receiving marketing. The firm believed the emails were not marketing but customer service emails to help it comply with data protection law. Honda could not provide evidence that the customers had ever consented to receive this type of email, which is a breach of PECR. Flybe was fined £70,000 after it sent an email to 3 million individuals titled “Are your details correct?”, advising them to amend any out-of-date information and update their marketing preferences.

Personal information on marketing databases and mailing lists is of two types: that which has been gathered through regular contact with, or consent from, the individual, and that which has been gathered by other means (including information scraped from the internet or bought in). In each case the lawful basis for processing such data under GDPR has to be considered and, where it is being used for direct marketing, the PECR rules have to be complied with. Just firing off emails using standard wording may cause more problems than it solves.

The final word to Steve Wood, the Deputy Information Commissioner:

“We’ve heard stories of email in-boxes bursting with long emails from organisations asking people if they’re still happy to hear from them. Think about whether you actually need to refresh consent before you send that email and don’t forget to put in place mechanisms for people to withdraw their consent easily.”

Need to train frontline staff quickly? Our GDPR e-learning course is ideal for frontline staff. Our next GDPR Practitioner Certificate course in London is fully booked. We have 3 places left in Bristol.

We have just launched our GDPR helpline.

Monitoring Staff Use of Social Networks: The Human Rights Implications


According to a recent FOI request made by BBC Radio 5 live, last year there was a rise in the number of UK council staff suspended after being accused of breaking social media rules. Many employers, both in the public and the private sector, now monitor staff use of social media within the office environment. The possibilities are endless but care must be taken not to overstep the legal limits.

All employers have to respect their employees’ right to privacy under Article 8 of the European Convention on Human Rights (ECHR). This means that any surveillance or monitoring must be carried out in a manner that is in accordance with the law and is necessary and proportionate (see Copland v UK, ECtHR, 3 April 2007).

A January 2016 judgment of the European Court of Human Rights shows that a careful balancing exercise needs to be undertaken when applying the law (Barbulescu v Romania, application no. 61496/08). In this case, the employer had asked employees such as the applicant to set up Yahoo! Messenger accounts for work purposes. Its policies clearly prohibited the use of such work accounts for personal matters. The employer suspected the applicant of misusing his account, so it monitored his messages for a period during July 2007 without his knowledge.

The employer accused the applicant of using his messenger account for personal purposes; he denied this until he was presented with a 45-page printout of his messages with various people, some of which were of an intimate nature. The employer had also accessed his private messenger account (though it did not make use of the contents).

The applicant was sacked for breach of company policy. When he challenged his dismissal before the courts, his employer relied on the print out of his messages as evidence. He argued that, in accessing and using those personal messages, the employer had breached his right to privacy under Article 8 ECHR.

The Court accepted that the applicant’s privacy rights were engaged. However, the employer’s monitoring was limited in scope and proportionate: it is reasonable for an employer to verify that employees are completing their professional tasks during working hours. Key considerations were:

  • The messages at the centre of the dispute had been sent via a Yahoo Messenger account that was created, at the employer’s request, for the specific purpose of responding to client enquiries.
  • The employee’s personal communications came to light only because the employer accessed communications that were expected to contain only business-related material, and had therefore been accessed legitimately.
  • The employer operated a clear internal policy prohibiting employees from using the internet for personal and non-business reasons.

The case highlights the need for companies to have a clear internet and electronic communications policy and the importance of that policy being communicated to employees. (Note that this Chamber judgment was later referred to the Grand Chamber, which in September 2017 reversed it and found a violation of Article 8, chiefly because the applicant had not been told in advance of the nature and extent of the monitoring; the lesson about clear, communicated policies therefore stands all the more.)

When monitoring employees, the employer will inevitably be gathering personal data about them, so consideration also has to be given to the provisions of the Data Protection Act 1998 (DPA). The Information Commissioner’s Office (ICO) Employment Practices Code includes a section on monitoring at work. In December 2014, Caerphilly County Borough Council signed an undertaking after an ICO investigation found that the Council’s surveillance of an employee, suspected of fraudulently claiming to be sick, had breached the DPA.

Compliance with the DPA will also help demonstrate that the surveillance is human rights compliant, since protection of individuals’ privacy is a cornerstone of the DPA. Of course the data protection angle will bite harder when the EU General Data Protection Regulation comes into force in 2018. Failure to comply could lead to a fine of up to €20 million or 4% of global annual turnover, whichever is higher.

Act Now has a range of workshops relating to surveillance and monitoring both within and outside the workplace. Our products include a RIPA policies and procedures toolkit and e-learning modules.

Sell your friend’s email for £25!


It’s quite simple. You’ve just bought a product and the company who sold it to you asks for a friend’s email address so they can market to them. If the friend buys, then you (and they) get a cheque for £25. What a great idea!

Unfortunately they seem to have chosen to breach some regulations. Marketing by email requires the recipient’s prior consent, unless the “soft opt-in” in Regulation 22(3) of the Privacy and Electronic Communications (EC Directive) Regulations 2003 applies.

To rely on the soft opt-in, all three of the following conditions must be met:

a) You must have obtained the email address in the course of a sale, or negotiations for a sale, with that person

b) You may only market your own similar products or services

c) You must offer a simple opt-out both when the address was collected and in every subsequent message.

They clearly fail the first condition, as they have made no sale to, nor negotiated with, your friend. The second falls by the wayside for the same reason: your friend has bought nothing from them, so there is nothing for a “similar” test to apply to. Finally, we’ll credit them with offering an opt-out (although based on their understanding of email marketing so far, that’s being generous).

There is a safety valve. If your friend, after being sold down the river does not buy from the company, then their email will never be used by the company. In fact it will be destroyed securely within 30 days. And of course it will never be passed to any other organisation or sold to a list broker.

Unfortunately the company doesn’t offer any of the guarantees in the previous paragraph. They may well do so but they don’t bother with any concept of a fair processing notice. How do you feel about sending your friend’s email to this organisation? If they’re happy to pay £25 to buy an email address that makes a sale what price do they put on a prospect?

I’m not a hacker. I’ve started an online course to learn how to be one. There is no course literature or reading list. The exam, which can be taken at any time, has one task: “Your grade is held in a secure area at Hacker’s University. Change it to Pass and email yourself a PDF of your certificate”.

But if I was a hacker I’m sure I could find a way to flood this business that’s trying to buy email addresses with a few long lists of emails. All those on JISCmail data protection list; All people with NHS.net; I have many lists that people have sent me by accident.

Paul Simpkins is a Director and trainer at Act Now Training Ltd.

No time to attend our PECR courses? Try our on demand PECR webinars. One hour of learning for only £39 plus VAT.

Please call re ICO conference.

Working around the UK, we Act Now speakers sometimes get messages or emails from the office staff. If we can, we pick these up and follow them up at lunchtime, coffee breaks etc.

Last week I received one such message and it looked promising (see title of post). The ICO want to talk to me about their conference… is it the invitation I’ve been waiting for to address 500 colleagues on the Data Protection joke book from A to B? Is it an opportunity to run a workshop, or maybe they want us to advise them on something?

My flying fingers could scarcely contain a feverish frisson of excitement as I dialed the digits.

It wasn’t the ICO. It was a company who, to be truthful, did identify themselves, but did it so quickly that I missed it (though I have their number). Some gentle introductory questions about why we attended, blah blah blah, then they got to the main course. Who do we speak to in your company about encryption solutions? Head of Procurement? IT Director?

I asked the obvious question and was told that they obtained my name and corporate details from the documentation given out at the recent DPO conference in Manchester. And to the obvious follow up question – yes they were ringing delegates to offer them Encryption solutions.

I ended the call using a well-known technique and started wondering. I wasn’t happy, but had they breached any laws or regulations? DPA? Was it personal data? If it’s not personal then all the Principle 6 rights disappear. Was it marketing? A section 11 issue? That again specifies personal data.

Aha. They used the telephone. Isn’t that covered by PECR? And PECR is about subscribers not individuals. If we were registered with corporate TPS they’d be committing an offence wouldn’t they? Wouldn’t they?

What about the ICO? Should they have issued a list of delegates to all delegates? Was it not personal data, but became personal data once it was worked on by another data controller? What Schedule 2 condition applies to data collected at a conference and manipulated by the user to be used for marketing and selling?

I remember in the days when I spoke at conferences and the organisers would invite me to speak and they also invite me to email their flyer to all my colleagues in the sector. In those days it was routine to list email addresses of delegates in the conference documentation. Things have changed but dodgy practice still exists.

Did anyone else get this call? Were any offences committed?
