UK ICO Updates Email Marketing Guidance And Enforces Against Direct Marketing Based On Purchase History Inferences

On October 18, 2022, the UK Information Commissioner's Office (ICO) updated its "direct email marketing guidelines" and provided updated questions on what constitutes information marketing policies, related rules and responsibilities, and additional guidance on compliance issues, including "Do email marketing rules apply to tracking pixels?" (Short answer: technically not, but they are subject to different rules under the same UK law.)

Below are general comments from the ICO guidelines and a brief overview of the ICO enforcement case announced on October 6 regarding alleged GDPR and direct marketing violations, in which a company used purchase history without consent to infer health conditions in order to target customers with health-related products.

While an organization's email marketing practices should be judged country by country for European residents, as there are significant differences between EU member states and the UK, the ICO guide is helpful in understanding some of the considerations to be included in the practice of email marketing in 2023 and beyond.

Overview of UK email marketing regulations

The Electronic Communications and Privacy Directive 2002 (EC) ("Electronic Privacy Directive") sets out minimum requirements for Member State laws relating to direct marketing, including email marketing. All EU Member States have implemented the Electronic Privacy Directive into national law, including the UK, through the Electronic Privacy and Communications Regulations (PECR) 2003. After Brexit, PECR will continue to apply in the UK, although EU courts no longer have jurisdiction to determine whether PECR correctly applies the Privacy Directive, and EU court decisions interpreting the Privacy Directive are not binding on the UK courts.

In the UK, "email" is defined more broadly than it appears at first glance, to include email and text messaging (SMS), picture or video messaging, voicemail, in-app messaging and live messaging from social media. While "direct marketing" is the transmission of promotional or marketing material to specific individuals, which may be by email, such email is excluded if sent for administrative or customer service purposes (for example, to inform customers of updates to the privacy policy or the Terms, or to report a transaction or a problem with a customer account), if the promotional content is not confused with the service message.

However, it should be noted that "email" does not include online advertisements, placement of advertisements on websites, placement of advertisements that appear in news feeds, or even targeted promotional messages, since the PECR definition of mail is that it is stored in the public electronic communications network or at the addressee's terminal, depending on its classification, until the addressee receives it. In fact, under various PECR regulations, GDPR-level consent is required to access and/or store information on an end-user device using a cookie, pixel, mobile software development kit (SDK), Local Shared Object or other technologies applicable to browsers, smartphones, tablets, smart TVs or other devices. Such PECR/ePrivacy consent often serves as legal GDPR consent for the processing of data for interest-based advertising purposes.

The PECR rules generally apply to anyone who sends unsolicited direct marketing messages to recipients in the UK. easy to understand and distinguish from things like terms and conditions) or (2) the sender has fulfilled all the conditions of the "soft opt-in" for the given recipient.

What is Email Marketing Consent?

PECR adopts the UK GDPR consent standard. This means that consent to email marketing requires a "free, specific, informed and unequivocal expression of interest in the data" (i.e. no pre-checked boxes and no inference from silence or inaction). The sender must make clear that the consent given expressly includes marketing emails, and the consent must be revocable at any time without prejudice and be granular. The ICO recommends recording the date and time of consent with a timestamp for future reference.

Should consent be specific to the communication channel?

Yes, the ICO agrees that any consent to receive a particular type of email sent by a sender must be explicitly stated. Therefore, for example, the ICO requires organizations to obtain separate consent for emails or SMS, and an empty checkbox stating "Please tick here if you wish to receive advertisements about our services" would not be sufficiently precise, informed consent to write to someone later. The ICO also stated: "If you are considering sending direct marketing by SMS, remember that permission to use a person's phone number for direct or robocalls does not automatically apply to direct SMS marketing."

Further, since consent to email marketing must be provided voluntarily, it is unlikely that an organization could make consent to such marketing a condition of purchasing a product. This means old payment messages such as "By submitting an order, you agree to receive our marketing emails. Click HERE to submit your order" will most likely not comply with applicable regulations.

Can consent be transferred?

The ICO explains that, in its view, consent is not transferable and instead covers receiving marketing information by email at the specific number or address provided by the person to the sender. For example, a person's consent to receive direct marketing at a particular email address does not extend to any other email address of theirs that may also be known to the sender.

What is a "soft opt-in"?

Besides the consent-based approach to email marketing in the UK, the legitimate interest approach known as "soft opt-in" is also a possible solution. Although the PECR does not use the term "soft opt-in", Regulation 22(3) states that an organization may send marketing emails to existing or potential customers subject to five conditions:

  • the organization obtained the contact information directly from the recipient of the marketing material;

  • it did so in the course of selling or negotiating the sale of a product or service (including a recipient actively expressing interest, requesting a quote, or requesting more detailed pricing information);

  • it is marketing its own similar products and services (i.e. this does not cover sending marketing communications from other organisations);

  • it gave the recipient the opportunity to opt out or refuse when the information was collected (e.g. via a tick box); and

  • it allows the recipient to opt out of receiving all future communications.

What information should be provided in email marketing?

In the UK, emails must not obscure the identity of the sender and must contain a valid contact address so individuals and businesses can opt out of or unsubscribe from future emails. This applies whether the message is solicited (specifically requested by the recipient) or unsolicited (sent without an explicit request from the recipient, even if the recipient has given broader consent to the sender's direct marketing). The use of an unsubscribe link in commercial communications will be familiar to organizations that comply with US or Canadian anti-spam laws.

Can purchased lists be used for email marketing?

A list created or acquired by a third party may be used for direct email marketing. However, this requires that those included in the list or database have agreed to receive such marketing from the sender. And of course, the sender is responsible for compliance with the PECR, which means that if the original consent does not identify the sender or extend to the marketing channel, sending to people on the purchased list may violate the PECR. The ICO recommends asking the following questions when an organization purchases a list from a third party that claims that the people on the list have consented to direct marketing:

  • What did you tell people?

  • What did they agree to?

  • Was it mentioned in the consent request?

  • When and how did they give their permission?

  • Did they have the chance to accept it?

  • Is there a declaration of consent?

Please note that third-party marketing lists cannot rely on the "soft opt-in", as this exception requires the sender to collect the contact information itself, along with the other prerequisites.

What is the relationship between PECR and data protection regulations?

PECR works alongside the UK data protection regime, which currently includes the UK GDPR and the Data Protection Act 2018. This means that if an email sender uses an email address that identifies a unique user, it must comply with data protection law, which requires that data processing be fair, lawful and transparent. Fairness means not doing anything with personal data that people would find unexpected, misleading, or harmful; lawfulness refers to having a legal basis for processing, such as consent or legitimate interests; transparency is about providing people with clear, open, and honest information about how their personal information is being used. PECR also applies separately from the UK GDPR (which carries a fine of €20m (around £17m) or 4% of annual global sales), meaning the ICO can issue a notice compelling organizations to stop sending direct marketing that violates the law and can issue the organization or its directors with a fine of up to £500,000.

***

Latest ICO Enforcement in the UK

Last month, highlighting the seriousness of the ICO's direct marketing and privacy powers, the UK regulator announced a £1,350,000 fine against a catalog retailer for using the personal data of 145,000 customers to predict potential diseases and target them with health-related products without their consent.

The ICO noted that when a customer purchased a product from the company's health club catalog, such as a can opener or tray, the company in this case made assumptions about the customer's health for marketing, for example that the customer has arthritis, and called to sell them glucosamine joint patches. Eighty of the company's 122 products in said catalog were "trigger products", where the buyer was profiled at the time of purchase so that they could be targeted with health-related products.

The ICO noted that people were unaware that, between August 2019 and August 2020, the company was collecting and using their personal data for this purpose, because the company was acting "invisibly" in violation of Section 5.1(a) of the GDPR (and also without a data protection impact assessment). This led to the company placing more than 1.3 million unwanted calls to people whose landline and mobile numbers were registered with Telephone Preference Service Ltd (TPS), the UK equivalent of the US Do Not Call Registry. This PECR breach resulted in a fine of £130,000 in addition to the data protection fine.

Although not directly related to email marketing, this case confirms some of the points above and demonstrates the interest and focus of the ICO and others on transparent and interoperable direct marketing practices.

© 2022 Greenberg Garden LLP. All rights reserved. Review of National Legislation, Volume XII, Number 308
