• Pages
01 Edition 7 | JUNE 2023
02 In The Style
03 Battle of the supermarket giants
04 Technology and retail
05 Transforming retail spaces
06 News flash - Sticky
07 Upcoming events
08 Archive
09 Edition 2 | OCTOBER 21
10 Influencer marketing risks
11 Importing goods from abroad
12 Cross border trade
13 News flash - Miss Kick
14 Edition 3 | JANUARY 2022
15 Discrimination claims in the retail sector
16 Comparative advertising
17 Commercial property - the year ahead
18 News flash - HERA
19 Edition 4 | APRIL 2022
20 The challenge for retailers of unvaccinated staff
21 Copycat central
22 NFTs in the retail sphere – how best to protect your intellectual property
23 News flash - Maven
24 Edition 5 | AUGUST 2022
25 User generated content-legal highlights
26 Shazam-v-Only-Fools-The-Dining-Experience
27 Online sales tax ruled out
28 News flash - Go Superfoods
29 Edition 6 | DECEMBER 2022
30 Pitfalls in email marketing
31 Options for struggling retail sector businesses
32 Impact of the Environment Act
33 Online sales tax-a valid proposal

A powerful tool, but where can brands go wrong when it comes to email marketing?

Email marketing campaigns can be a powerful marketing tool for brands, particularly when it comes to establishing and maintaining customer relationships. Campaigns can be easy to set up, flexible and relatively low cost. However, it’s important that brands make sure their campaigns are up to scratch and comply with electronic marketing legislation.

Sending emails for direct marketing purposes is covered by the Privacy and Electronic Communications Regulations 2003 (as amended) (the PECR). The PECR works alongside the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) to set out the framework for electronic marketing by businesses in the UK.

Helpfully, in October 2022, the Information Commissioner’s Office (the ICO) published updated guidance on direct marketing via email. This guidance builds on the draft Direct Marketing Code of Practice published in 2020, providing more clarity on the ICO’s recommendations for complying with the PECR.

The guidance uses the word “must” to indicate legal requirements, “should” to indicate what the ICO considers good practice, and “could” to highlight other options for brands to consider to help them in complying with PECR. As the ICO continues to take enforcement action in relation to direct marketing via email, this more user-friendly guidance should help brands to better understand their obligations.

So, what are the key takeaways from the ICO’s guidance, in relation to the use of emails for direct marketing? And how do they help brands stay on the correct side of the legislation and protect customer confidence?

What is direct marketing by email?

Direct marketing is defined under the DPA 2018 as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. This is a broad definition covering all types of advertising, marketing or promotional material across any type of communication, including any type of email marketing.

However, “electronic mail” is excluded from this definition if it’s a “service message”. “Service messages” are routine customer service messages, which include information a customer requires about a current contract or a past service and do not count as direct marketing.

General branding, logos or straplines in such service messages would not, on their own, count as direct marketing. However, if promotional content is included within a service message, then the message counts as direct marketing (such as content with the aim of getting the customer to buy more products or services or to increase subscriptions or donations).

Email marketing falls under the definition of “electronic mail” as defined under PECR, and also includes any electronically stored messages such as text messages (SMS) and direct messaging on social media, amongst other things.

When can brands send direct marketing by email?

Brands can only send direct marketing by email if either the recipient has provided their consent or all of the requirements of the soft opt-in can be met.

Consent

PECR requires a GDPR level of consent, meaning it must be freely given, specific, informed and unambiguous. If brands wish to rely on consent to send email marketing, the request for consent must be prominent, concise, easy to understand and separate from matters such as general terms and conditions. It must also be granular, meaning it must specifically cover email marketing. If brands wish to send any other type of electronic mail marketing, such as SMS, this must be specifically referenced.

The ICO stresses that the UK GDPR specifically bans pre-ticked opt-in boxes and, whilst the UK GDPR does not specifically ban opt-out boxes, in the ICO’s view, they are essentially considered the same as pre-ticked boxes and are therefore unlikely to comply with the requirement to get consent (unless it is part of a soft opt-in process, as explained below). This is because they rely on the silence or inactivity of the individual. Best practice is for brands to rely on specific opt-in boxes or other active opt-in methods. Essentially, there must be a clear affirmative action required on the part of the individual.

Soft opt-in

Many brands find that using the soft opt-in to send email marketing to existing customers is a useful alternative to seeking consent. Brands must be able to meet the following criteria to rely on the soft opt-in:

  1. The brand has obtained contact from the individual directly. If a third party obtains the details, the soft opt-in will not apply. Brands should be aware that there is no such thing as a third party marketing list that is “soft opt-in compliant”.
  2. The details have been obtained in the course of a sale or negotiation of a sale of a product or service with the individual. A sale does not actually have to take place for the soft opt-in to be triggered but the individual must actively express interest in buying the brands products.
  3. The brand is marketing its own similar products and/or services to the individual. The key question for brands is whether the individual would reasonably expect direct marketing about the particular product or service. This will depend on the context.
  4. The brand provides the individual with an opportunity to refuse or opt-out when they collect the individual’s details and in every subsequent communication.

What do data protection rules mean for electronic marketing?

If the email address to which a brand is sending marketing identifies a unique user, or if the brand knows the individual’s name, then this is personal data and the brand must comply with data protection legislation as well as PECR. This means that the brand must make sure that their marketing is:

  • fair, meaning the brand does not do things with the personal data that the individual would find unexpected, misleading or detrimental.
  • transparent, meaning the brand is clear, open and honest about what they will do with individual’s personal data
  • lawful, meaning that the brand has a lawful basis when processing the personal data for sending email marketing. If the brand is relying on consent, then it’s likely that its lawful basis will also be consent. However, if the brand can meet the requirements of the soft opt-in, then it’s likely that the brand can rely on legitimate interests as its lawful basis.

Brands should also make sure that they comply with the individual’s data protection rights such as the right to object - ‘do not contact’ or suppression lists should be maintained to make sure email marketing is not sent to individuals who have exercised their right to object to such marketing.

Can brands use bought-in marketing lists to send email marketing?

Under PECR, brands may be able to take advantage of marketing lists prepared by third parties provided that individuals on the list have consented to receiving marketing. If the third party claims that the individuals on the list have consented to receive direct marketing, it is for the brand to check that any consent given is valid and actually covers the brand and the sending of email marketing by the brand.

A brand cannot rely on the soft opt-in for direct marketing to data subjects in bought-in marketing lists. The brand will need to be sure that data subjects in a bought-in marketing list have given the required type of consent to cover any proposed direct marketing, which will need to cover the sharing of personal data with the brand.

Are tracking pixels covered by electronic mail marketing rules?

Many brands use tracking pixels in their emails to record information about the individual’s time, location and device used to read the email. Whilst the electronic mail marketing rules in PECR only cover the email itself, the tracking pixels are covered by PECR’s separate rules on cookies and similar technologies. This means a brand must comply with both sets of rules when sending the marketing email. Our next update will provide brands with more specific guidance on complying with PECR’s rules on cookies and tracking pixels.

What are the consequences for brands if they do not comply with PECR when sending email marketing?

By publishing this updated guidance, the ICO has shown the issues surrounding direct marketing remain on its radar. If brands fail to comply with PECR, there are a range of enforcement actions the ICO may take, which include enforcement notices requiring the brand to stop sending direct marketing and fines of up to £500,000 which can be issued against the brand or its directors.

To illustrate the ICO’s recent approach to contraventions of PECR, in September 2022 the ICO fined Halfords Ltd £30,000 for sending almost 500,000 unsolicited direct marketing emails without the individuals’ consent.

Halfords had sent the emails on the basis of a contended legitimate interest as it considered them to be service messages informing customers of the ‘Fix Your Bike’ Government Voucher Scheme. The ICO disagreed, finding that the content of the emails constituted direct marketing and contravened electronic marketing legislation. Other consequences for brands beyond enforcement action could be negative publicity and a resulting lack of customer confidence.

What should brands do next?

The updated guidance from the ICO has added to current practice rather than providing a complete overhaul. For brands wanting to get the most value from their email marketing campaigns whilst complying with electronic privacy legislation, we would recommend:

  • reviewing requests for consent to make sure they are prominent, concise and easy to understand;
  • reviewing third party marketing lists to make sure that any consent being relied on has been validly provided for the brand’s purposes;
  • updating and maintaining any ‘do not contact’ or suppression lists so that email marketing is only going to individuals who have consented to receive it;
  • considering any additional rules under electronic privacy legislation which may apply to other elements of email marketing such as the rules on cookies and pixels; and
  • reviewing how the brand carries out email marketing in practice and where necessary updating policies and processes in line with electronic privacy legislation.

If you’d like to discuss any of these issues or have questions about the article, please contact Grace Astbury or Andrew West in the commercial services team.

Grace Astbury

Solicitor, Commercial Services

T: +44 (0) 161 393 9062 M: +44 (0) 7949 033514

grace.astbury @pannonecorporate.com

Grace is a solicitor in the commercial services team, advising and assisting a range of clients on all aspects of general commercial, non-contentious intellectual property and data protection work. She trained with a North West based law firm, handling a varied caseload of commercial, intellectual property and corporate matters.

Andrew West

Partner, Commercial Services

T: +44 (0) 161 393 9078 M: +44 (0) 7931 790894

andrew.west @pannonecorporate.com

After 10 years as a partner in a large international law firm, Andrew set up a niche commercial law form with a focus on commercial, P and technology law, from where he joined Pannone Corporate in 2022. Andrew specializes in technology, data and IT projects, and is recognized in Legal 500 for his expertise in non-contention intellectual property law and in Chambers & Partners for technology outsourcing cases.

As the retail sector faces the perfect storm, what are the options available to those businesses struggling in the current climate?

The retail sector has seen a number of high-profile casualties in 2022, but what part are company voluntary arrangements, restructuring plans and administrations playing to support brands in the current climate?

Read full article >

One year on, what impact has the Environment Act 2021 had?

One year on, the Environmental Act has already started to have a real impact on businesses and highlights the need for wholesalers and retailers to make sustainability a number one priority.

Read full article >

Never miss an update

Subscribe to receive the retail update >
Back to archive >

Our quarterly retail update is designed to bring you the latest news and legal developments relevant to the retail sector. If there are any areas you would like more information on or if you have any questions or feedback, please do not hesitate to let us know via our feedback form or get in touch with any member of our team.

Copyright in this publication is owned by Pannone Corporate LLP and all rights in such copyright are reserved. Pannone Corporate LLP is a limited liability partnership registered in England and Wales with number OC388393. Authorised and Regulated by the Solicitors Regulation Authority. A list of members is available for inspection at the registered office, 378-380 Deansgate, Manchester M3 4LY. We use the terms “partner” to refer to a member of the LLP.