Many companies have some form of loyalty rewards scheme and want you to sign up in exchange for your personal data. This often results in you being pestered with marketing emails trying to get you to buy their products. However, even if you sign up for such a loyalty rewards scheme, you have the right to say no to such marketing emails and your choice must be respected.

One company (let’s call them X) operates such a loyalty rewards scheme. I’d signed up for X’s scheme to benefit from the discounts the scheme offered. However, I generally have little to no interest in being manipulated into buying products through marketing emails, particularly as such emails often contain tracking pixels allowing even more personal data about you to be collected, usually without your knowledge or consent. I, like many people, generally find such emails annoying, so I refused to consent to receiving such marketing emails from X when signing up.

When they can’t get your consent for marketing, some companies will simply proceed to send you direct marketing anyway by stealth through supposed ‘service emails’. As explained in my previous post, service emails are not actually defined in law but, in practice, are taken to mean emails that do not contain any information for the purposes of direct marketing (i.e. any advertising/marketing/promotional material). This is a key point, because the presence of any amount of direct marketing content in an email means it is not a service email and the direct marketing rules apply.

Stealthy marketing or a genuine service message?

As you might have guessed, company X decided to send me such a self-branded ‘service email’. The email started off by reminding me that my loyalty rewards were due to expire imminently. Now, if that had been the sole content of the email and it had been worded in a neutral, non-promotional way, I would have considered it arguable that it should be classed as a service email, namely a simple administrative message. However, for such emails, there is a very fine line and great care must be taken to ensure it does not encourage the receiver to purchase products or indeed start spending their loyalty rewards: reminding customers about a company’s loyalty rewards scheme can very quickly turn into encouragement, promotion and thus, direct marketing.

For example, I would consider it arguable that an email simply saying “Your loyalty reward expires next week, for more information click here” is a service message and not direct marketing – it is an administrative message and is neutrally worded in such a way that it does not unduly encourage the customer to buy products or use their rewards – it is simply informing the customer of the expiry date. I would be unlikely to object to such emails.

Compare this to an email saying “We want to let you know that your amazing loyalty rewards expire next week! Your rewards give you amazing freebies! Don’t miss out, go to our website and make a purchase, redeem your rewards today!”, accompanied by flashy images of the company’s products. This is clearly direct marketing as per the statutory definition, as the email is advertising, marketing and promoting the company’s products and rewards scheme. Any argument to the contrary is simply implausible and will have little to no weight in court as the definition of direct marketing is clear and has been widely interpreted – the presence of a single kangaroo banner in an email was enough to satisfy the definition, according to the Upper Tribunal (the Court of Appeal later dismissed an appeal against the UT’s judgment).

The email I received from company X fell into the latter category: most of the content of the email was included for the purposes of marketing and advertising X’s products and encouraging me to make a purchase. I thus considered it to be subject to the direct marketing rules (Regulations 22 and 23 of PECR). It contained no way to unsubscribe or refuse further such emails, which in itself is problematic. It is good practice to allow users to object to all non-essential types of emails, even non-essential service messages – some users will have no interest in receiving a company’s non-essential administrative messages by email, for example. As is commonplace with such emails, it also wrongly stated that it was a ‘service email’.

Because I had not consented to receiving direct marketing emails from X, this also meant my email address had been unlawfully and unfairly processed under the UK GDPR (the effect of Regulation 22 of PECR is that consent is the only appropriate lawful basis for such processing unless the soft opt-in applies).

Marketing by stealth is annoying and often an indicator of wider non-compliance

When a company is happy to bend the direct marketing rules, it shouldn’t come as a surprise that other PECR/UK GDPR rules are also not properly observed – the most common being the rules on unnecessary cookies. When I logged into my account on X’s website to check my marketing consent settings, I found they had placed a plethora of unnecessary tracking cookies on my computer as well – it turned out the unnecessary cookies were all enabled by default, something which is unlawful under Regulation 6 of PECR and the UK GDPR consent rules (see my in-depth post on this topic here). Intrusive and unfriendly cookie ‘consent’ banners are particularly annoying and frustrating where they use dark design patterns to effectively force users into clicking the easy accept option, rather than go through the tedious process of refusing consent.

At this point, I forwarded the email to the ICO and sent X a letter of claim regarding the direct marketing email and the unnecessary cookies. Individuals are entitled to monetary compensation for non-material damage, e.g. annoyance/frustration, caused by breaches of PECR and the UK GDPR. Following my letter of claim, I was contacted by X’s solicitors. Although X denied all my claims, they opted to settle with me out of court. X now also seems to have made relevant improvements as a result of my complaint and that’s very important.

This demonstrates that it is always worth pursuing such complaints yourself with the company directly, if you can, through the civil claim route. The ICO can be very hit-or-miss depending on the case officer that investigates your complaint, plus they are unlikely to take proper enforcement action even if they think a breach of the law has taken place. Pursuing claims yourself forces companies to take notice and often results in positive change.

That said, the ICO seems to have been taking some positive action recently regarding similar issues, with a £90,000 penalty issued for stealthy loyalty rewards scheme ‘service message’ marketing emails. The ICO and some other European data protection authorities have also secured a ‘commitment’ from Google to add a proper ‘Refuse All’ button to their cookie ‘consent’ banners – but why hasn’t an enforcement notice been issued ordering Google to delete all unlawfully collected cookie data together with a penalty notice to deter future non-compliance and to eliminate the economic gains they have made? Hopefully, the ICO’s upcoming and much-needed review of their lacklustre Regulatory Action Policy will see such formal enforcement action become the norm rather than the exception.