A recent penalty issued by the Information Commissioner (ICO) on 3 September 2018 serves as a reminder of just how specific consent must be when used to justify marketing by e-mail.

Under the Privacy and Electronic Communications Regulations 2003, direct marketing may be sent by e-mail to individuals (that is, to a non-business e-mail address) only if a) the individual has consented, or b) the marketing is being sent to someone whose details have been obtained in the course of a sale, the marketing is for the same business's similar products and services, and the individual is given a simple means of refusing use of their details for marketing purposes.

When relying on consent, the high standard under GDPR applies: consent must be freely given, specific and informed, and involve a positive indication signifying agreement.

In the case in question, EDML had sent marketing e-mails on behalf of its clients, but were unable to show that the recipients had ever given adequate consent to receive marketing e-mails, as the individuals concerned had not been sufficiently informed. In particular, the penalty notice issued by the ICO states that:

"Consent will not be valid if individuals are asked to agree to receive marketing from "similar organisations", "partners", "selected third parties" or other similar generic description. Further, consent will not be valid where an individual is presented with a long, seemingly exhaustive list of general categories of organisations."

It is often the case that marketing list providers are still collecting generic consents for marketing by "selected third parties" or similar wordings. Where businesses are buying in e-mail lists for the purposes of direct marketing, they need to carry out appropriate due diligence to ensure that the consents gathered from the individuals on those lists are both sufficiently informed and specific, and also that appropriate evidence of those consents is available. Individuals should have consented to receive e-mail marketing, if not from the specific business in question, then at least from a clear category or a small number of categories which encompasses that business.

It may also be sensible to seek contractual protections from the suppliers of such lists, providing indemnities or other recourse in the event that consent has not been properly obtained and the user of the list suffers a loss as a result.

EDML were fined £60,000 for unsolicited e-mails to approximately 1.4 million individuals. However, this penalty was issued under the previous legislation as the breaches took place between May 2016 and May 2017. It remains to be seen whether this type of breach attracts a higher fine under GDPR, where a much higher level of fine is available to the ICO.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.