In Xerpla Ltd v.
Information Commissioner [2018] UKFTT 2017_0262 (GRC) (14 August 2018), an
English General Regulatory Tribunal has overturned a fine, issued by the
Information Commissioner’s Office (ICO) against the direct marketing company, Xerpla
Ltd, after the ICO determined that Xerpla had failed to obtain the
necessary consents for electronic communications to its subscribers.
The ICO issued a penalty against Xerpla of £50,000 in
October 2017 for sending 1.26 million marketing emails to its subscribers,
which, according to the ICO, breached the Privacy and Electronic Communications
(EC Directive Regulations 2003) (PECR). Central to PECR is that any direct
marketing emails to subscribers must only be sent with the prior consent of the
email recipient.
The tribunal found that Xerpla’s subscribers had ‘consented
to, and knew they were consenting to, the direct marketing of third party
offers for all kind of products and services… That is why they subscribed…’ It
was therefore considered obvious what was being consented to, given the
services offered by Xerpla.
The ICO referred to a section of its direct
marketing guidance, which covers indirect consent and scenarios where
subscribers consent to receive marketing information from third party
companies. The guidance states that subscribers must have understood that their
details would be passed on to a third party and that that third party would
contact them for marketing purposes. The tribunal deemed this to be irrelevant,
as it was Xerpla that provided the direct marketing.
The tribunal also noted that only 14 complaints had been
made to the ICO, which accounts for less than 00.00012 per cent of the 1.26
million emails that Xerpla sent. The tribunal commented that this
indicated that the ‘majority of Xerpla subscribers were content to
receive direct marketing about a wide range of product and services – and that
is likely to have been precisely because that is what they had signed up for.’
Comment
This case pre-dates the General Data Protection Regulation
(GDPR), which, and as recognised by the tribunal, has introduced a stricter
definition of consent. Although Xerpla shows that the ICO may not
always apply the law correctly, or even follow its own guidance, it equally
serves as a timely reminder that consent for direct marketing must now be GDPR
compliant. It is unlikely that the ICO will be deterred by its loss in
the Xerpla appeal, given the more stringent GDPR regime that they
must now uphold. Businesses conducting direct marketing exercise should
therefore take note and ensure that consent is ‘freely given, specific,
informed and an unambiguous indication of the individual’s wishes’. The
individual must opt-in to any direct marketing, instead of opting out.
Cynthia O’Donoghue is the vice-chair of Reed Smith’s IP,
Tech & Data Group and an SCL Trustee.
Katalina Bateman is a senior associate in Reed Smith’s IP,
Tech & Data Group, advising in particular on technology and data protection
law and compliance.
This article first appeared as a blog post on Reed Smith’s Technology Law Dispatch.
