Privacy ruling a reminder to businesses over digital marketing practices

The Upper Tribunal said Leave.EU and Eldon Insurance Services were responsible for sending unsolicited communications for the purposes of direct marketing under the UK's Privacy and Electronic Communications Regulations (PECR) without a legal basis for doing so. It upheld earlier decisions of the Information Commissioner's Office (ICO) to impose respective fine of £45,000 and £60,000 on the companies, as well as the subsequent decision of a first-tier tribunal (FTT) to dismiss the original appeal against the ICO's regulatory action.

PECR generally prohibits organisations from sending or instigating the transmission of unsolicited communications to consumers for the purposes of direct marketing by email unless the person receiving the email has given their prior consent for the messages to be sent or other limited exceptions apply.

Companies can engage in direct marketing via email without consumers' consent if they have obtained the contact details of the recipient of that email in the course of the sale or negotiations for the sale of a product or service to that recipient, where the marketing is for "similar products and services only" and providing the recipient has a "simple means" to refuse the use of their contact details for that marketing "at the time of each subsequent communication". This is often referred to as a 'soft opt-in'

The case before the Upper Tribunal concerned the contents of 21 newsletters each emailed to around 51,000 Leave.EU subscribers. The newsletters, for which the recipients had given consent to receive, each contained marketing promotions for an Eldon Insurance Services brand, for which no consent was given. The first of the 21 newsletters sent "was all about Eldon’s products", while the other 20 that followed contained promotional banners "which advertised Eldon’s insurance offers", according to the ruling. The Tribunal has to determine whether these mixed communications were consented to. 

Leave.EU and Eldon Insurance Services argued that sending the newsletters was lawful. They claimed that PECR were not intended "to cover content in a newsletter which a subscriber had signed up for but which happened to contain some marketing material" and instead were designed to address "indiscriminate, automated industrial-scale spamming". However, the Upper Tribunal's three judges said that was "an unduly narrow reading" of the EU law.

"The tenor of the legislation is that it is an intrusion on an individual’s privacy if they receive direct marketing to which they did not consent," the Upper Tribunal said.

The judges also rejected the argument raised by Leave.EU and Eldon Insurance Services that the fact newsletter subscribers had signed up to receive the emails meant the newsletters did not constitute 'unsolicited communications' under the regulations. They made clear that it was not the sending of the emails that was the issue, but rather the marketing information contained within that brought them within the scope of the regulations. The judges said that the primary purpose of an email does not need to be direct marketing for that communication to fall subject to the e-Privacy regime.

Another ground of appeal raised by Leave.EU and Eldon Insurance Services was that they had, in any event, obtained the necessary consent from the Leave.EU newsletter subscribers to send them direct marketing promotions within those publications. However, the Upper Tribunal said that the consent given was not "freely given, informed and specific" and therefore failed to meet the requirements of the PECR regime.

"There was no indication that subscribers were doing anything other than signing up for a Brexit newsletter," the Upper Tribunal said. "…Agreeing to the very loosely drafted privacy policy amounted to signing a blank cheque. In sum, Leave.EU’s approach frustrated the ability of its subscribers to consent to receive a political newsletter and nothing else. Accordingly, the FTT was entitled to find on the facts that subscribers did not 'consent', as that term is properly understood, to receiving direct marketing about Eldon’s insurance products."

The judges also dismissed claims raised by Leave.EU and Eldon Insurance Services that the FTT had erred in law in finding that the insurance company had "instigated" the transmission of the Leave.EU newsletters.

They rejected all other grounds of appeal raised by Leave.EU and Eldon Insurance Services with concerned the basis for the regulatory action taken against them.

PECR continues to apply post Brexit. The scope of PECR is not just limited to marketing emails – it also regulates the use of tracking technologies, which are a common feature of marketing campaigns. For example, some marketing emails can contain tracking pixels – these are embedded within the technology of the email and can enable the sender to track if an email was opened, by when and by whom. Similarly, many websites also use cookies; again a form of tracking technology to understand how customers interact with a website. However, when such tracking technologies are used, the users must be given "clear and comprehensive" information about how their information will be used and must give their consent.  

Laura Gillespie of Pinsent Masons, the law firm behind Out-Law, said: "With the pandemic continuing to affect many businesses, who are struggling to reach new markets or customers, digital marketing is more important than ever, whether that is through marketing emails or customer intelligence through the use of tracking technologies. However, this decision is a clear reminder that failing to have adequate consent or sufficient grounds for 'soft opt-in', when possible, could be very costly. This is particularly so with consumer groups increasingly working together to promote group claims where breaches of data protection legislation have been found."