Gemma Briance and Geoffrey Sturgess reflect on a change in guidance that affects business-to-business marketing
The question of what constitutes a B2B communication is applicable when considering the GDPR, specifically in relation to marketing. It had been thought that all marketing emails to an organisation which were sent without prior consent would need to be sent to firstname.lastname@example.org or email@example.com ie avoiding the use of personal data. With this in mind, it was thought that the marketing industry was going to hit some rather large hurdles when continuing their business post GDPR-Day. Obvious questions were raised by some of our clients, for example, what if the recipient of the emails sent to firstname.lastname@example.org does not escalate the marketing email to the correct individual at the organisation, or does not escalate it at all? What happens if the recipient at email@example.com is not aware of the corporate requirements for the specific service that is being promoted?
In December 2017 we asked the Information Commissioner’s Office some of these questions, amongst others, and their response was that the only way to electronically market services or products to a company was to do so using an email address that did not contain personal data unless consent had previously been obtained from the recipient to send such emails. This left open the question of whether, if the company had purchased or discussed the purchase of the same or similar products before and was thus deemed to have given a ‘soft opt-in’ consent, that would be deemed consent from its individual employees too. We were then told that if we wish to send marketing to an individual without obtaining consent we would need to send it in the post, in order to be compliant with the Privacy and Electronic Communications Regulations 2003. Of course, the thought of having to market everything via the post is ridiculous, especially in the digital age we all live and work in, not to mention the fact that GDPR does not differentiate between different forms of communication, ie postal marketing is not exempt from GDPR as it is from PECR.
This led to the question of how consent could be obtained; how is it possible to ask for consent from an individual when it has been decided by the ICO that a request for consent is considered marketing (Honda and Flybe Cases)? The response we received from the ICO information officer was that, in order to be compliant with PECR, and prepare for GDPR, we would need to ask for consent from the individual by post before GDPR-Day, provided that individual had not previously rejected a request for consent. We should also make sure that such requested consents were GDPR compliant; we could then rely on them once GDPR comes in to force on 25 May 2018. The ICO information officer’s advice was to obtain the necessary consents prior to GDPR-Day but it did not solve the issue of how to obtain consent post GDPR-Day.
This has now all changed; the ICO have thankfully done a complete U-turn with regard to their view on what constitutes a B2B communication and their approach to marketing, providing some much-needed answers to questions we have raised in previous articles. Recent guidance released on the ICO website, ‘The rules around business to business marketing, the GDPR and PECR states that an email address containing personal data, eg firstname.lastname@example.org (‘an identifiable business address’), falls under the definition of corporate subscriber (see below) and therefore the approach to marketing is somewhat different to the approach described above. The ICO state that, when considering both GDPR and PECR the first thing to establish is whether or not the intended recipient is an ‘individual subscriber’ or a ‘corporate subscriber’. The ICO definition of a “‘corporate subscriber’ covers subscribers that are a corporate body with separate legal status. This includes companies, limited liability partnerships, Scottish partnerships, and some government bodies and can cover an individual working for a corporate subscriber (emphasis added)”. In accordance with PECR, there is no requirement for prior consent to send marketing emails when the recipient is a corporate subscriber and this can now be extended to GDPR for marketing purposes.
Unfortunately, and confusingly, the guidance provided goes on to discuss consent and legitimate interest; why, when they have just stated that B2B marketing can be carried out without any lawful basis, do they go on to discuss marketing to individuals? We contacted the ICO and spoke with two different information officers both of whom concur with the above, that B2B marketing using an identifiable business address is allowed under both PECR and GDPR without consent or the soft opt-in. They also agreed that the remainder of their guidance was confusing and related to marketing to individuals and sole traders. We do not agree that the rest of the guidance only applies to individuals or sole traders; if we take the ICO view it appears to make B2B marketeers largely exempt from GDPR which cannot be what was intended. It is our view that whilst B2B marketing using an identifiable business address is allowed under both PECR and GDPR without consent or the soft opt-in there is still the requirement for a lawful basis to conduct such processing, triggering the requirement to rely on legitimate interests and Recital 47 of GDPR.
Whilst we had them on the phone we did address again the question of consent and the fact that a request for consent is considered marketing. Their opinion on this has also changed; they believe that the request for consent cannot be regarded as marketing; otherwise it would be impossible to comply with GDPR.
With the definition of corporate subscriber in mind we asked the ICO information officer whether or not its application could be extended to the requirement to send Article 13 and 14 Notices. This is discussed in detail in our article “Demystifying Transparency – What do Article 13 and Article 14 GDPR really mean?” where we highlight the common situations where it would be disproportionate to have to provide Article 13 and 14 Notices. It is our view that the distinction between corporates and their staff on the one hand and individuals on the other should be applied when considering whether or not to send Article 13 or 14 Notices in order to prevent a plethora of Notices being sent in all directions as a result of day-to-day email correspondence. The ICO information officer said that the ICO have not, and are unlikely to, change their view on this until the Article 29 Working Party publish their final guidance on transparency, this is expected to be in April. It seems that, as we get closer to 25 May 2018, the ICO are providing more clarity on matters and their approach is becoming far more practical than literal, hopefully this will continue as more guidance is released over the next few months.