What are the consequences of not complying with the Privacy Regulations?

In November 2012 the Information Commissioner’s Office (the ICO) imposed a fine of £440,000 on the owners of Tetrus for breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the PEC Regulations).

Tetrus breached the PEC Regulations by sending millions of unsolicited text messages over three years, without the consent of the recipient and without identifying the sender. Tetrus then used the replies to generate leads which were sold for large sums of money to claims management companies.

Those circumstances were a particularly blatant breach of the PEC Regulations and the ICO cannot impose a fine unless it is satisfied that:

• the data controller has seriously contravened the DPA or the Privacy Regulations; and
• the contravention was likely to cause substantial damage or distress, and either: - the contravention was deliberate; or  the data controller knew or ought to have known that there was a risk that the contravention would occur, and that it would be likely to cause substantial damage or distress, but still failed to take reasonable steps to prevent it from happening,

but it’s nevertheless important to comply with the PEC Regulations.

If you breach the PEC Regulations, anyone who suffers damage could sue you. But it is rare for anyone to sue under the PEC Regulations and it might be difficult for any claimant to show that it had suffered more than minimal damage as a result of receiving your marketing emails.

In 2005, the small claims court found in favour of a Mr Roberts who sued Media Logistics (UK) Limited which had sent him unsolicited marketing emails. Media Logistics did not defend the claim and settled it by paying Mr Roberts £270 plus courts fees of £30.

It is also possible that the terms and conditions of your internet service provider prohibit you sending unsolicited marketing emails. That should be checked.

What do the PEC Regulations cover?

The PEC Regulations govern the sending of marketing and advertising by electronic means (e.g. by email, phone, fax and text message).

What you can do depends on:

• whether you are emailing either: i) an individual subscriber (see below on terminology); or ii) a corporate subscriber; and
•  if you are emailing an individual subscriber, whether s/he has asked or invited you to send him or her marketing emails or the intended recipient has given you consent to sending him or her marketing emails.

Unless the Soft Opt-In exemption applies (see below), you may not send unsolicited marketing emails to an individual subscriber unless the intended recipient has previously notified the sender that s/he consents to receiving direct marketing emails from you.

That prohibition does not apply when you are sending marketing emails to corporate subscribers.  The problem is that many marketing databases do not distinguish between corporate and individual subscribers in the way necessary to comply with the PEC Regulations.

Once given can consent be withdrawn?

Yes, even where a recipient has given his or her consent to receiving marketing emails, that consent can be withdrawn at any time.

Your marketing database should include a record of any opt-outs and withdrawals of consent (as well as records of consents or opt-ins).

Is it OK to send marketing emails to subscribers on a bought-in list?

Unless the Soft Opt-In exemption applies (see below), you must not send unsolicited marketing emails to individual subscribers unless the intended recipient has notified the sender that s/he consents to receiving those emails. Therefore it is difficult to see how you could legitimately use a list compiled by a third party unless the individual subscriber has expressly invited (solicited) you to send him or her marketing emails. When you buy in a list the likelihood is that any consents or opt-ins have been given to someone else and not to you.

It’s important to understand the terminology of the PEC Regulations

The subscriber is the person who pays the bill for the telecommunications service through which it receives the marketing email.

An individual subscriber is a private individual, a sole trader or an English partnership. (To make things even more complicated, a Scottish partnership is a corporate subscriber.)

A corporate subscriber is a company, limited liability partnership or other organisation such as a school, government department or agency, hospital or other public body.

An unsolicited email is one which the subscriber has not actively invited.

The ICO takes the view that directing marketing includes not only communications trying to sell goods or services but also, for instance, promoting values and beliefs.

What is the Soft Opt-In Exemption?

The Soft Opt-In Exemption allows you to send marketing emails to an individual subscriber where:

• you have obtained the contact details of the recipient in the course of a sale or negotiations for the sale of a product or service to that recipient;
• the marketing material you are sending relates only to your similar products and services; and
• the recipient is given a simple means of refusing (free of charge except for the cost of transmission) the use of his or her contact details for marketing purposes when those details were first collected and, if they did not refuse the use of those details, at the time of each later communication.

It’s difficult to see how you could take advantage of the Soft Opt-In Exemption where you are using lists compiled by a third party because you can satisfy the Soft Opt-In conditions only if you collected the email contact details in the course of a sale or negotiations for a sale.

Are there any rules about the contents of marketing emails?

There certainly are.

You will be in breach of the PEC Regulations if you send any marketing email (whether or not solicited) and:

• your identity has been disguised or concealed; 
• you have not provided a valid address (an email address is fine) to which the recipient can send an opt-out request;
• your email contravenes regulation 7 or 8 of the Electronic Commerce (EC Directive) Regulations 2002 (the e-Commerce Regulations) (see below); or
• your email encourages the recipient to visit a website which contravenes the e-Commerce Regulations (see below).

What do I need to do to make sure that my emails comply with the e-Commerce Regulations?

You must:

• make sure your emails are clearly identifiable as a commercial communication – don’t write as though you are a long lost friend of the recipient;
• clearly identify the person on whose behalf the email is sent;
• clearly identify as such any promotional offer (including any discount, premium or gift) and ensure that any conditions are easily accessible and are presented clearly and unambiguously;
• clearly identify as such any promotional competition or game and ensure that any conditions are easily accessible and are presented clearly and unambiguously; and
• if your email is unsolicited, make sure it is clearly and unambiguously identifiable as an unsolicited commercial email as soon as it is received.

What do I need to do to make sure that my website complies with the e-Commerce Regulations?

You must ensure that the website makes available, in a form and manner which is easily directly and permanently accessible, information which includes:

• your name;
• your geographic address;
• details (including an email address) which make it possible to contact you rapidly and communicate with you in a direct and effective manner;
• if you are is included in a trade or similar register available to the public, details of your registration; and
• if you are registered for VAT, your VAT number.

(If you are a company other regulations oblige your website to give your company number, registered office and place of incorporation.)

Regulation 9 of the E-Commerce Regulations sets out the information to be given when contracts are concluded on line. These include:

• the technical steps to be taken to conclude the contract;
• whether you will keep a copy of the contract on file and whether it will be accessible to the customer;
• the technical means of correcting input errors; and
• the language of the contract.

And you must make the terms and conditions of the contract available in a form which allows the customer to store and reproduce them.

What about the Data Protection Act – do I have to comply with that as well?

The simple answer is yes. The REC Regulations supplement and complement the Data Protection Act (DPA); they are not a substitution for it.

Where you are sending any marketing email and you know the name of the individual who will receive that email, you are processing personal data and you must comply with the DPA.  That includes:

• respecting the individual recipient’s right to opt out of receiving direct marketing.  If someone asks to be removed from your marketing database, you must comply with that request. If you fail to do so, the individual may apply to the courts for an order against you under section 11 of the DPA. The DPA does not impose any time limit for complying with the request, but you should deal with the request promptly and the ICO recommends that requests are complied with within 28 days. The ICO also recommends that, as a matter of good practice, you should give individuals the chance to opt out of receiving marketing (by email or post) every time you contact them.
• when you collect personal data, telling the individual data subject: who you are; for what purposes/how you will use their personal data; and anything else necessary to make sure that you are using their personal data fairly, such as whether you intend to pass the personal data to anyone else.

This is often done by referring people to a privacy policy or similar document containing the information.