Consent and Direct Marketing: What is informed consent in the UK? The decision of the First-tier Tribunal in Xerpla Ltd v The Information Commissioner
The UK has laws which prohibit spam – currently the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). PECR runs in parallel with data protection law. Critical to PECR is that unless "soft opt-in" applies (where there is an existing customer relationship and, subject to certain conditions, the direct marketing is for similar products and services), any direct marketing e-mails to "individual subscribers" (typically consumers, not businesses) require the prior consent of the recipient. If PECR is not complied with, the UK's Information Commissioner (ICO) has the power to issue a monetary penalty notice on the infringer of up to £500,000. ICO have not been shy in doing this, and in October 2017 they issued such a penalty against the online marketing business Xerpla – the penalty was £50,000. Xerpla was a small company, so the amount was very significant for them. However, Xerpla appealed and were successful – the decision of the appeal Tribunal of 14 August 2018 has just been published.
Xerpla disagreed on the basis it was obvious from the context what subscribers were subscribing to – the very nature of the service Xerpla was offering was a discount/deals website where subscribers would be sent third party offers. On appeal, the First-tier Tribunal issued a robust decision in Xerpla's favour and found that Xerpla had complied with ICO's Direct Marketing Guidance and data protection law – subscribers clearly knew what they were consenting to. The low rate of complaints was also relevant, as it indicated that the vast majority of subscribers were content to receive direct marketing from Xerpla – the complaint rate was very low by industry standards.
Implications of the case
First, the case highlights that ICO do not always apply the law correctly, nor do they necessarily follow their own guidance. One might also question ICO's enforcement priorities here – we all dislike spam, but Xerpla were not a classic spammer using bought-in lists with little regard to data protection law – they were clearly offering a service their subscribers valued and, crucially, had consented to, at least under the law as of 2017. Also, 14 complaints was a very low number of complaints given how many e-mails were sent.
However, the case is now only of historic relevance when it comes to consent under PECR and the UK's anti-spam law. The General Data Protection Regulation (GDPR) has been in place since 25 May 2018, and the Tribunal itself recognised this – "[t]he GDPR changes the definition of "consent" but the change is not relevant for present purposes since the events in question precede the coming into effect of the new regime." The GDPR defines consent more stringently than the previous law:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Article 7 of the GDPR also sets out further ‘conditions’ for consent, with specific provisions on:
- keeping records to demonstrate consent;
- prominence and clarity of consent requests;
- the right to withdraw consent easily and at any time; and
- freely given consent if a contract is conditional on consent.
See ICO guidance on "What is valid consent".
Recital 32 of the GDPR also states: “Consent should be given by a clear affirmative act… such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”
So Xerpla is a timely reminder of the need to ensure that consent for direct marketing e-mails satisfies the GDPR standard – ICO may have lost Xerpla on appeal but we can be certain that they will continue to investigate complaints of spam e-mails and next time the alleged infringer will not have the benefit of the more generous consent regime under the Data Protection Act 1998.