Keep Your PECR Up!

Earlier this year, a company in Norfolk was fined by the Information Commissioner (ICO) for serious contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (commonly referred to as PECR).

The fine was a result of the fact that the ICO found that the company had committed an infringement by sending unsolicited communications by email to subscribers for the purposes of direct marketing. The ICO took into account as an aggravating factor the fact that the company was promoting the sale of face masks whilst the country was in the midst of a pandemic and were therefore seeking to capitalise upon this but also a mitigating factor was that as soon as it began its investigation the company ceased its campaign.

Under both PCER and the Data Protection Act 2018, direct marketing is defined as “the communication (by whatever means) of advertising material which is directed to particular individuals”.

The infringement was brought to the ICO’s attention by a complainant in May 2020 who said that the company had sent spam messages to him advertising face masks for sale. He believed that they had obtained his details from a single eBay purchase for a different item. He did not consent to receiving emails for this purpose when he made his purchase and indeed could not have done so as it had been made through eBay.

He also claimed that the unsubscribe link given in the email did not work.

The company advised the ICO that they had obtained their database list from a number of sources, and had no evidence of specific consent. They believed that Mail Chimp dealt with the issue of consent.

Regulation 22 of PECR provides in relation to unsolicited communications by means of email to individual subscribers:

“Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.”

The circumstances in paragraph (3) permit direct marketing where the company has obtained the email contact details in the course of a previous sale or negotiations for a product or service, the marketing is for similar products or services, and the recipient is given a simple means of opting out of receiving such emails. This is commonly known as a “soft opt in”.

In short, unless you have specific consent from the recipient, or have previously had dealings with them for similar products or services, you will be in breach of PECR if you send such marketing emails. The fine that can be imposed by the ICO is up to £500,000. In the company in question’s case it was limited to £10,000 which seemed to be due to the mitigating factor and also their financial circumstances.

Insofar as consent is concerned, it is vital that this is specifically given, is clear, and is not in any way conditional. There are other factors in relation to consent which you must take into account and you must be able to evidence the consent, and the process in place for monitoring it and ensuring that opt outs are actioned. Further, you should note that offences under PECR relate to any form of electronic communication, including telephone calls and texts.

If you have any queries about your compliance with PECR and data protection legislation, or dealing with any claim or investigation, please contact us. nicholasworsnop@chadlaw.co.uk, harveyblake@chadlaw.co.uk