
COVID-19 communications and ePrivacy: Staying within the rules in challenging times

20th Apr, 2020

Background

Following the outbreak of COVID-19, businesses all over the world are suspending their operations and public relations plans, such as promotional events and conferences. With face-to-face interaction no longer an option, organisations have rapidly adopted digital means of communication over the past weeks to keep channels open with their customers.

For consumer-facing organisations, while it is desirable for them to stay in touch with their customers, they are also facing the risk of inadvertently infringing the communication and privacy rules on direct marketing when they communicate. This guidance aims to highlight some key issues that organisations must consider when they engage via electronic communications with their customers.

The regulatory regime

Within the European Union, the Privacy and Electronic Communications Directive (ePrivacy Directive) and the General Data Protection Regulation (GDPR) form the legal framework that regulates the ability of organisations to communicate with their customers through electronic means.

Specifically, the ePrivacy Directive regulates the protection of privacy of electronic communications (including emails and SMS), and sets out the rules that govern unsolicited direct marketing messages. As a Directive, the ePrivacy Directive has been implemented through national Member State laws, which has resulted in different approaches to electronic marketing across Europe. In the UK, for example, the ePrivacy Directive is implemented by the Privacy and Electronic Communications Regulations (PECR).

The ePrivacy provisions explicitly prohibit businesses from sending “unsolicited communications for the purposes of direct marketing” to consumers unless they have consented. However, consent is not defined in the ePrivacy Directive; instead, it is cross-referenced to the definition of consent set out in data protection law. In other words, since the implementation of the GDPR, when consent is required under the ePrivacy Directive, it must meet the high standard prescribed in the GDPR. The higher standard of consent brought by the GDPR, and particularly the requirement that consent must be obtained “by a statement or by a clear affirmative action”, made common marketing practices such as pre-ticked boxes, silence or inactivity unlawful.

The GDPR has left no room for a weaker interpretation of consent and it has set minimum standards across EU Member States. For example, countries such as the UK, France and Ireland require an opt-in consent for business-to-consumer marketing communications, meaning that consent is only valid where an individual has taken an unambiguous positive action to consent (e.g. ticking a box, clicking an “agree” button).

Some other EU Member States have even stricter requirements for consent. This is the case for Germany, which requires a double opt-in as a two-step confirmation procedure. An example of double opt-in consent is where individuals who sign up to a mailing list by ticking a box on a website also confirm their email address by clicking on a link in a confirmation email.

Since the burden of proof of valid consent lies with the sender of marketing communications (i.e. the business), the use of double opt-in, even though it is not directly required by the GDPR, is highly recommended to demonstrate compliance.

The soft opt-in rule

There is a limited exception for consent known as “soft opt-in” which is applicable to an organisation’s existing customers. This exception applies where:

  • An organisation has obtained the contact details of the recipient in the course of a sale (or negotiations for a sale) of a product or service to that individual;
  • The organisation is only marketing their own similar products or services; and
  • The organisation gives the individual the opportunity to refuse or opt out of the marketing, both when first collecting the details and in every subsequent message.

Whether the “soft opt-in” exception can be used depends on the specific circumstances and must be assessed on a case-by-case basis. Similarly, it is crucial to note that this exception is not equally applicable across EU Member States, as there is no uniform approach.

In these uncertain times, businesses would most probably be correct to identify that it is not only reasonable but necessary to contact and inform customers, even those who have opted out of marketing communications, of any rearrangements to business operations such as store closures and cancellations.

This type of strictly informational communication would qualify as a transactional communication and will fall outside direct marketing rules. However, while the differences between transactional and promotional emails may seem clear at first glance, the lines become blurred when organisations couple their transactional emails with marketing and promotional content (such as a new product or service).

According to the UK Information Commissioner’s Office, promotional communications cover “any messages which include some marketing elements, even if that is not their main purpose”. Hence, organisations sending COVID-19 operational emails to their unsubscribed customers must avoid mixing any marketing content into these emails; otherwise, such communications will likely fall within the scope of direct marketing.

There are many nuances in the law that organisations may unintentionally breach. In a nutshell, it is therefore crucial that organisations ensure they are adequately informed and remain within the limits of what is legally permissible.
