How to avoid hefty fines when marketing to individuals
These steps include obtaining consent under the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications (EC Directive) Regulations 2003.
The EU is currently in the process of replacing PECR with a new ePrivacy Regulation, which will impose stricter regulations to sit alongside the GDPR, but this is yet to be agreed. For the time being, PECR continues to apply.
In most cases, to comply with PECR, you will need an individual’s consent before you can send them an unsolicited marketing message by phone, email, text or fax (known as electronic direct marketing, or EDM). The GDPR came into effect in May 2018 and raised the standard of consent that must be obtained when carrying out electronic direct marketing.
The GDPR does not replace PECR, but it has amended the definition of “consent” to a more stringent standard requiring freely given, specific, informed and positive opt-in consent.
The Information Commissioner’s Office (ICO) has confirmed that the existing PECR will apply until the new ePrivacy Regulation is finalised, and it will apply the GDPR standard of consent where consent is required under PECR.
This guidance is reinforced by the ICO’s recent decision to fine Everything DM Ltd £60,000 for sending 1.42 million marketing emails to individuals without valid consent. The investigation revealed that the company relied upon consent obtained by third parties in which Everything DM Ltd was not specifically named. The company could not prove that it had obtained the valid consent of the recipients.
The ICO has the power to impose a civil monetary penalty on a data controller of up to £500,000 for breach of PECR, as well as the power to take other criminal and enforcement actions.
Follow the steps below to avoid falling foul of the GDPR or PECR:
- Use opt-in boxes to obtain consent.
- Specify the methods of communication that you intend to use.
- If you are asking for consent to pass details to third parties for marketing purposes, name those third parties.
- Record when and how consent was obtained, and exactly what that consent is for.