In light of the new judgment, it may be time to review how you’re collecting consent to send electronic direct marketing

What happened?

Back in 2019, the Information Commissioner’s Office (ICO) fined the pro-Brexit campaign group Leave.EU and Eldon Insurance Services. Leave.EU was founded by Arron Banks (the well-known Brexit campaigner) who also owns Eldon Insurance Services. The ICO’s report had said that over a million emails were sent to Leave.EU subscribers containing marketing material relating to Eldon Insurance Services (the ‘Go Skippy’ brand), without the consent of those subscribers. Note that the subscribers did consent to receiving newsletters from Leave.EU electronically (by email). In addition, Eldon Insurance Services customers were unlawfully sent political marketing messages. The ICO fines came shortly after its investigation into the use of data analytics during political campaigns.

Leave.EU and Eldon Insurance Services took the decision to the First-Tier Tribunal, where their case was dismissed in 2020. They appealed their case to the Upper Tribunal and, in February this year, the Upper Tribunal dismissed their appeal.

What are the rules again?

Under the Privacy and Electronic Communication Regulations 2003 (PECR), an organisation may only send electronic direct marketing to individuals where it has obtained their consent. There is an exception to this rule (known as the ‘soft opt-in’), which is outside the scope of the case. The ICO may fine organisations who breach this rule.

Why is this case significant?

There are a limited number of judicial cases which relate to PECR, so it is helpful to receive opinions from Tribunal judges on the interpretation of the law. As both Tribunals reached the same conclusion, the law is unlikely to be interpreted differently in the UK (while PECR remains in force). Their interpretations do not differ from the conventional understanding of direct marketing law. The appellants had attempted to argue that PECR was aimed at “indiscriminate, automated industrial-scale spamming”. However, the Upper Tribunal dismissed this argument as “unduly narrow”, stating that indiscriminate spamming was a symptom of the wider problem. The judge noted that:

“the tenor of the legislation is that it is an intrusion on an individual’s privacy if they receive direct marketing to which they did not consent”

This is the main take-away from the case – the Leave.EU subscribers had consented to receiving newsletters, but the consent was limited to exactly that – newsletters about Leave.EU. It did not mean that those subscribers could be sent any marketing communications by the organisation that they had provided their consent to.

Practical steps to consider

This decision does not represent a change in the law. However, organisations should review the consent wording used to collect consents to send electronic direct marketing and ensure that the individuals who subscribe to those communications are receiving what they have been told they would receive. It is also a good idea to keep an eye out for and react appropriately to the ICO’s new Code on direct marketing, which is likely to be published later this year. As a more long-term point, note that PECR is a 2003 law (albeit it has been amended over the years) and a long anticipated new EU e-privacy regulation is likely to be passed into EU law in due course. We anticipate that, notwithstanding Brexit, the new EU law will probably be followed in some manner in the UK, which may lead to a different interpretation of mixed marketing communications.