A recent decision by the Information Commissioner’s Office (ICO) against Muscle Foods Limited serves as a timely reminder of the importance of careful compliance with the rules under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) if your business plans to send direct marketing communications electronically (e.g. by text or email).
What are the rules under PECR?
Amongst other things, PECR prohibits businesses from sending unsolicited direct marketing to individuals by electronic mail unless the intended recipient has previously notified the sender that he or she consents to the communications being sent. The standard of consent is the exacting standard which applies under the GDPR.
However, Regulation 22(3) of PECR includes an exception to the general prohibition, commonly referred to as ‘soft opt-in’. This permits a business to send electronic direct marketing to an individual where:
- The business obtained the contact details of the recipient in the course of a sale or negotiations for the sale of a product or service to that recipient;
- The direct marketing is only in respect of the business’s similar products and services; and
- The recipient has been given a simple means of refusing the use of his or her contact details for the purposes of such direct marketing at the time the details were initially collected and, where he or she did not initially refuse the use of the details, at the time of each subsequent communication.
Many businesses rely on soft opt-in to send electronic direct marketing as an easy alternative to obtaining GDPR-compliant consent from individuals. However, as Muscle Foods found out, the Regulation 22(3) exception can only be relied upon if all three of the above conditions have been met. In the case of Muscle Foods, it had failed to give its customers the ability to opt out of its direct marketing communications. This meant that it had sent a total of 142,006,053 communications in contravention of the PECR rules.
What are the risks of non-compliance?
If the PECR rules are breached, the ICO can take enforcement action to require the business concerned to remedy its non-compliance and can also issue fines of up to £500,000.
In relation to Muscle Foods, the ICO issued an enforcement notice requiring the company to cease the transmission of unsolicited communications for the purposes of direct marketing, unless the requirements of Regulation 22(3) of PECR are satisfied. It also fined Muscle Foods £50,000.
Changes to the law are afoot
PECR is based on an EU directive (the e-Privacy Directive 2002). However, the EU is currently in the process of replacing the 2002 Directive with new e-Privacy rules. One of the changes currently under discussion is whether the Regulation 22(3) exception should be changed so that it only applies to contact details obtained in the course of a sale (i.e. rather than the sale or negotiation) of goods and services. The new e-Privacy rules would also introduce GDPR-level fines.
Now that the UK has left the EU, it is not yet known whether the UK will introduce an updated version of PECR to mirror the new EU e-privacy rules as and when they come into force. However, even if it does not, the extra-territorial scope of the EU rules means that they will apply to many UK businesses.
How to contact us
If you’d like more information about how you can ensure that your business’s electronic direct marketing is compliant with PECR, please get in touch with a member of our Information Law Team.