Consent and Direct Marketing: What is informed consent in the UK? The decision of the First-tier Tribunal in Xerpla Ltd v The Information Commissioner


28th August 2018

Background

The UK has laws which prohibit spam – currently the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). PECR runs in parallel with data protection law. Critical to PECR is that unless “soft opt-in” applies (where there is an existing customer relationship and, subject to certain conditions, the direct marketing is for similar products and services), any direct marketing e-mails to “individual subscribers” (typically consumers, not businesses) require the prior consent of the recipient. If the PECR are not complied with, the UK’s Information Commissioner (ICO) has the power to issue a monetary penalty notice on the infringer of up to £500,000. ICO have not been shy in doing this, and in October 2017 they issued such a penalty against the online marketing business Xerpla – the penalty was £50,000. Xerpla was a small company and so the amount was very significant for them. However, Xerpla appealed and were successful – the decision of the appeal Tribunal of 14 August 2018 has just been published.

The case

ICO alleged that Xerpla had transmitted over 1.25 million unsolicited e-mails contrary to PECR between 6 April 2015 and 20 January 2017, and ICO had received 14 complaints in 2016. These e-mails promoted the products and services of third parties (including pet food and products, wine, and financial services) and were sent to individuals who had subscribed to two websites operated by Xerpla. Crucial to the ICO’s enforcement action was whether the subscribers had consented to receiving the e-mails.

In deciding how consent was to be assessed, ICO followed the then applicable data protection law – Directive 95/46/EC (as implemented by the Data Protection Act 1998). The Directive states that: “‘the data subject’s consent’ shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.” ICO’s argument was that the “consent” given by Xerpla’s subscribers was not sufficiently informed and so not valid consent – at issue was how Xerpla obtained consent.

Consent was obtained by language that stated: “by submitting your details, you consent to receive our email newsletters and offers from and on behalf of our offer partners and from other similar…providers…..as well as to our processing of your information as outlined within our Privacy & Cookie Policy and Terms and Conditions. By submitting your details you confirm you have read, understood and consent to these in full.” The Privacy Policy described in more detail how the information collected would be used. However, ICO considered that the language used was not specific and clear enough (so subscribers were not properly informed as to what they were consenting to), with the suggestion also that the language was hidden away in a privacy policy or small print.

Xerpla disagreed on the basis that it was obvious from the context what subscribers were subscribing to – the very nature of the service Xerpla was offering was a discount/deals website where subscribers would be sent third party offers. On appeal the First-tier Tribunal issued a robust decision in Xerpla’s favour and found that Xerpla had complied with ICO’s Direct Marketing Guidance and data protection law – subscribers clearly knew what they were consenting to. The low rate of complaints was also relevant, as it indicated that the vast majority of subscribers were content to receive direct marketing from Xerpla – the complaint rate was very low by industry standards.

Implications of the case

First, the case highlights that ICO do not always apply the law correctly nor do they necessarily follow their own guidance. Also one might question ICO’s enforcement priorities here – we all dislike spam – but Xerpla were not a classic spammer, using bought-in lists with little regard to data protection law – they were clearly offering a service their subscribers valued and crucially had consented to, at least under the law as of 2017. Also 14 complaints was a very low number of complaints given how many e-mails were sent.

However, the case is now only of historic relevance when it comes to consent under PECR and the UK’s anti-spam law. Since 2017 the General Data Protection Regulation (GDPR) has come into force, as of 25 May 2018, and the Tribunal itself recognised this – “[t]he GDPR changes the definition of “consent” but the change is not relevant for present purposes since the events in question precede the coming into effect of the new regime.” The GDPR defines consent more stringently than in the previous law:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Article 7 of the GDPR also sets out further ‘conditions’ for consent, with specific provisions on:

  • Keeping records to demonstrate consent;
  • Prominence and clarity of consent requests;
  • The right to withdraw consent easily and at any time; and
  • Freely given consent if a contract is conditional on consent.

See ICO guidance on “What is valid consent”.

Recital 32 of the GDPR also states: “Consent should be given by a clear affirmative act… such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”

So Xerpla is a timely reminder of the need to ensure that consent for direct marketing e-mails satisfies the GDPR standard – ICO may have lost Xerpla on appeal but we can be certain that they will continue to investigate complaints of spam e-mails and next time the alleged infringer will not have the benefit of the more generous consent regime under the Data Protection Act 1998.