Does the GDPR negate the soft opt-in?

According to the Information Commissioner’s guidance the soft opt-in is still valid, but I’m not convinced.

Since the GDPR came into force, I’ve noticed an increase in the number of tick-boxes being used by organisations to allow us customers to refuse unsolicited electronic marketing e-mails and texts when we register with them. For those of us who hate receiving unwanted marketing e-mails, this is definitely a good thing. I notice, though, that in many cases the tick-boxes have been opted in by default, so that we have to perform an action to opt out. Believe it or not, there are laws that govern when an organisation can use an opt-in or an opt-out.

So, why does there need to be a tick-box when we submit our information? If an organisation wants to target us with unsolicited electronic marketing e-mails and texts, they cannot do this without making us aware and giving us a genuine choice about whether or not we want to receive the marketing. Using a tick-box is a common method of giving us a genuine choice. Let me clarify.

If a data controller wants to process our personal data, then they must satisfy a condition for processing. For example, if they want to obtain our information, delete our information, disclose our information to a third party or to target us with direct marketing, then they must satisfy a condition for processing to comply with the GDPR. Satisfying a condition for processing is fundamental to fair data processing. For a commercial organisation, the likely conditions for processing are: consent, fulfilment of a contract or legitimate interests.

Now, if an organisation wants to target us with unsolicited electronic marketing mail (e-mails and texts), then besides satisfying a condition for processing, pursuant to the GDPR, they also have to comply with Regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR). That’s right; a data controller for our information has to satisfy two separate pieces of legislation if they want to target individuals with unsolicited marketing e-mails or texts.

Regulation 22 PECR does not apply to unsolicited electronic marketing e-mails and texts sent to a corporate e-mail address or phone number, but the GDPR does, and it’s likely that a corporate e-mail address alone will constitute personal data because it identifies the name of an individual and their place of employment. Thus, those desperate organisations that spend their days trawling LinkedIn and creating likely e-mail addresses for individuals they happen across will need to satisfy a condition for processing when they create that e-mail address, and again when they process that information to target the individual with marketing.

Regulation 22 (R22) PECR has two elements to it:

  • R22(2) seeks an individual’s consent to satisfy both the PECR and the GDPR.
  • R22(3) relies on a “soft opt-in mechanism” to satisfy the PECR and the legitimate interests condition to satisfy GDPR.

Allow me to clarify.

With R22(2), because the data controller is relying on consent to satisfy the PECR, then they will likely have the consent necessary to satisfy a condition for processing – GDPR. However, any tick box used to obtain consent must now be opted out by default so that the individual has to perform an action to opt-in. This is because the GDPR stipulates that consent cannot be obtained by inaction. So, if you have to perform an action to opt-in to marketing e-mails and texts, then you’re giving your consent.

With R22(3), a data controller can rely on the PECR’s soft opt-in mechanism. In a nutshell, the soft opt-in rules state that if you purchase an organisation’s products or services or make enquiries about an organisation’s products or services, then the data controller can rely on the soft opt-in to opt you into receiving marketing e-mails and texts by default. However, the rules also state that we must be given the opportunity to object to the marketing – at the point the organisation obtains our information. If they use a tick-box to facilitate the objection, then it will be opted in by default so that you have to perform an action to opt-out.

As a rule, then, if we have to perform an action to start receiving unsolicited marketing e-mails and texts then it’s likely that the data controller is relying on consent to satisfy the PECR and consent to satisfy the GDPR. Whereas, if we have to perform an action to avoid receiving unsolicited marketing e-mails and texts, then it’s likely that the data controller is relying on the soft opt-in to satisfy the PECR and the legitimate interests condition to satisfy the GDPR. Bearing in mind that most organisations are desperate to bombard us with marketing e-mails, if there’s no opt-out mechanism when you fill out a form, or if the opt-out is a convoluted process, then this should be a cause for concern.

Why I believe that Regulation 22(3) is no longer valid under the GDPR

As explained above, if an organisation wishes to rely on R22(3) – the soft opt-in, then they’ll be relying on the legitimate interests condition (LI condition) to satisfy a condition for processing. The fulfilment of a contract condition will not apply in this case because it’s incompatible with R22 – we must be given the opportunity not to receive the marketing e-mails and texts at the point our information is collected and a contract that we have to agree to would not provide this. And of course, if they want to rely on consent to satisfy a condition for processing, then they can rely on R22(2).

For reliance on the LI condition to be valid, the organisation will have to demonstrate that they needed to carry out the data processing. Article 6(1)(f) GDPR defines the LI condition as:

‘The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child’.

Well, the processing is not necessary, is it, because an organisation can rely on R22(2) instead. Which brings me nicely on to Recital 39 GDPR, which states:

‘Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means’.

Back of the net!

The simple fact is, data controllers do not need to rely on R22(3) because the purpose of the processing can be reasonably fulfilled by obtaining consent and relying on R22(2). Indeed, R22(2) is actually better than R22(3) because R22(3) restricts the marketing to similar products or services whereas R22(2) does not.

So, why are so many organisations going with R22(3)? It’s probably because they’ve figured out that they have a slightly greater chance of sending out more marketing e-mails and texts because they’ll be able to send the communications to those that forget to opt-out. And that’s the only reason. It’s all about taking advantage of any opportunity to target individuals with marketing e-mails and texts. This is a disgrace! After all the effort the ICO has put in to make organisations aware of the GDPR, many well-known organisations have simply opted to rely on R22(3) regardless.

What the ICO had to say

I try to avoid the ICO as much as possible these days as the case officers are either incompetent, or they’ll happily lie and cheat to avoid admitting that they’re wrong. It’s actually easier to go to court because at the end of the day, I’m going to get someone who knows the law telling me that I’m either right or wrong. It would appear that my view on this matter is incompatible with the ICO’s because the ICO’s Legitimate Interests guidance states:

‘If e-privacy laws do not require consent, legitimate interests may well be appropriate. Based on the current legislation (PECR), and depending on the outcome of your three-part test, legitimate interests may be appropriate for ‘solicited’ marketing (ie marketing proactively requested by the individual), or for unsolicited marketing in the following circumstances’.

The guidance goes on to approve the following example:

Emails/text messages to individuals – obtained using ‘soft opt-in’.

I think this guidance is incorrect because there’s a reasonable alternative to the soft opt-in. I contacted the ICO and outlined my case – that the GDPR has made R22(3) obsolete. Here’s what the case officer had to say in their initial response:

Where our guidance states that ‘Pre-ticked opt-in boxes are banned under the GDPR’ this does not relate to the soft opt-in exemption. The exemption only relates to marketing sent to existing customers who have not objected to marketing at the point of providing their personal details to an organisation.

Where the PECR requires consent, an organisation cannot then seek to rely on legitimate interest under the GDPR.

Where the PECR does not require consent, an organisation may rely on the legitimate interest basis for processing.

The process for adopting a new ePrivacy Regulation (ePR) is now underway. This will eventually replace the ePrivacy Directive and PECR (which implement existing ePrivacy rules, including on marketing and cookies, in the UK).

The EU Commission published a proposed draft ePrivacy Regulation in January 2017. In October 2017 the EU Parliament approved its amended text of the ePR. The EU Council (the member states) intends to adopt its suggested text before the 2018 summer recess. The three institutions will then negotiate in order to agree the final text. This process is known as trilogue and is likely to commence in September 2018. If agreement is reached, this will result in the adoption of the ePR.

Until the ePR is agreed, the content is subject to debate and amendment. We cannot give any detailed lines or guidance until the final text is agreed and adopted.

All the case officer has done here is explain Regulation 22 PECR. He did not answer my very specific question. Instead, to pad out his response, he’s gone on to explain legislation that has not yet come into force. This is not the first time that a case officer has quoted what might happen in the future to avoid answering my question. Case officers at the ICO will often use tactics like this to hide the fact that they don’t have a clue what they’re talking about.

I sought further clarification and here’s what he said. Remember, this is a case officer working for the Information Commissioner’s Office:

The only impact the GDPR has on the PECR is around the issue of consent – where PECR requires consent, the standard of consent is defined by the GDPR.

The soft opt-in is an exemption under PECR and does now require specific consent, therefore the GDPR has no impact on the soft opt-in exemption.

Where an organisation is able to satisfy that:

  • they have obtained the contact details in the course of a sale (or negotiations for a sale) of a product or service to that person,
  • they are only marketing their own similar products or services; and
  • they gave the person a simple opportunity to refuse or opt out of the marketing, both when first collecting the details and in every message after that

The organisation will not be in breach of the PECR and nor will they have to satisfy a condition for processing under the GDPR, i.e. the legitimate interest basis for processing as suggested in your email.

The GDPR does not render the soft opt-in obsolete; however, it is yet to be seen whether this exemption will continue following implementation of the impending ePrivacy Regulation. Until this is finalised, we are unable to provide any further comment on its provisions.

Did this case officer just tell me that organisations do not need to satisfy a condition for processing if they rely on R22(3)? WTF? How is it possible that someone can work for the ICO and deal with data protection questions on a daily basis, yet not even understand the fundamentals of fair data processing? I’ve submitted a complaint to the ICO.

Conclusion

I’m currently arguing this matter with a couple of well-known companies and as it stands, neither of them has explained how their reliance on R22(3) is compatible with Recital 39 GDPR. I’m about to start court proceedings against one of them. It’s a dirty job but someone’s gotta do it.

The frustrating thing is that one of these companies quoted the ICO’s guidance to me to demonstrate that the ICO is also of the view that organisations can rely on R22(3). They argued that this will demonstrate in court that they have a right to rely on R22(3). But the ICO’s guidance, given above, also makes reference to a three-part test to determine legitimate interests. This test is recommended by the ICO as it helps organisations to determine whether they can rely on legitimate interests. The test is as follows:

  • Purpose test: are you pursuing a legitimate interest?
  • Necessity test: is the processing necessary for that purpose?
  • Balancing test: do the individual’s interests override the legitimate interest?

So, this company wants to process my personal data to target me with unsolicited electronic marketing mail. Had this organisation actually bothered to act upon the guidance that they quoted to me, then they would have failed the three-part test, because they do not NEED to rely on R22(3). The same data processing can be reasonably fulfilled by reliance on R22(2). Organisations should only be relying on the LI condition if there is no other alternative. And of course, the ICO’s guidance will not be considered by a judge in the small claims court – something that I learned when I took Halfords to court.