American Express has been fined £90,000 by the UK data protection regulator, the ICO, for unlawfully sending more than 4 million unsolicited direct marketing emails without first having obtained valid consent.
Under UK data privacy laws, you must not send direct marketing communications to individuals unless:
• they have specifically consented to it; or
• the ‘soft opt-in’ exception applies.
So, what is valid consent?
Consent is only valid where it:
1. Is knowingly and freely given;
2. Is clear and specific;
3. Covers both your organisation and the type of communication you wish to use;
4. Involves a clear positive action (for example, ticking an unticked box);
5. Is given by an individual who understands that they are giving consent and what they are consenting to; and
6. Can be easily withdrawn at any time.
The clearest way to obtain consent is often to ask the customer to tick an opt-in box confirming they are happy to receive marketing communications (note that pre-ticked boxes do not constitute valid consent). A clear link to your privacy policy should be included at this point too. If a customer opts out, marketing communications must not be sent.
Does the soft opt-in apply?
To ensure a compliant ‘soft opt-in’:
1. You must have a pre-existing relationship with the individual targeted, for example where you received the individual’s contact details when they purchased a product or service from you previously, or showed a genuine interest in doing so;
2. Your marketing communication must only concern products and services that are genuinely similar to those previously purchased;
3. You must notify the individual in advance of your intention to send them marketing communications about similar products and services (e.g. in your privacy notice); and
4. You must ensure the individual can easily opt out of receiving the communications, both when you first collect their details, and in every communication you send thereafter.
Amex was investigated after complaints were made by customers who had opted out of receiving marketing communications and yet were still receiving promotional emails. Despite Amex claiming the emails were simply ‘service’ messages, explaining to their customers how to access credit card benefits, the ICO concluded that the communications constituted marketing, as the purpose was to ultimately benefit Amex financially – the emails encouraged downloads of the Amex app and persuaded customers to use their card for purchases. In the circumstances of this case, consent had not been freely given (as it was conditional on receiving Amex’s services), it could not be withdrawn and it was not informed because it was included with the terms and conditions.
Hefty fines have been issued by the ICO in other similar cases, including to the Conservative Party MPN, which was fined £10,000 after it sent marketing emails to individuals as part of Boris Johnson’s political campaign, where consent had not been validly obtained (it was not freely given, specific or informed and often not obtained at all). Furthermore, the Conservative Party was found not to have suitable policies and procedures in place to safeguard the personal data handled.
Home improvement company Colour Coat Ltd was also fined £130,000 for making 900,000 nuisance calls to individuals, some of whom were registered with the Telephone Preference Service. Suitable information was not provided on the calls, and false company names were even used in an attempt to mislead individuals.
While serving as a reminder to ensure marketing communications are only made in compliance with applicable laws, the above cases highlight that the ICO is cracking down on contraventions of data privacy laws, no matter the size or type of organisation. The distinction between service emails and direct marketing communications should also be carefully considered.
For advice and support with data protection alignment, please get in touch.
Madeleine Rhodes email: MRhodes@redfernlegal.com