A marketing agency disguised its identity and did not have a functional unsubscribe system in its marketing emails. Additionally, a popular restaurant chain pretended its marketing was a ‘service message’ and a university used dark patterns in its cookies ‘consent’ mechanism.

Controller 1 – marketing agency

This controller, a well-known UK marketing agency (let’s call them Y this time), obtained my details when I booked tickets for a theatrical performance. When making my booking, I ensured all the data sharing and marketing options were turned off. Despite this, I was contacted by Y shortly after my booking with a marketing email about the performance. I decided to use the link in the email to ensure my contact preferences were set to Off and thought that would be the end of the matter.

But it wasn’t. Shortly after the performance, I received further marketing emails from Y which advertised and promoted further performances within Y’s portfolio. When using the preferences link in these emails, they were already set to off, so there was no obvious direct action I could take to ensure the spam stopped. This constituted breaches of Regulation 22 of PECR (because Y did not have my consent, nor could it rely on the soft opt-in) and Regulation 23(b) of PECR (because there was no functioning, easy unsubscribe mechanism in the email).

On top of that, it wasn’t originally clear that the emails originated from Y. This is because they were all signed using the name of the performance and sent from a domain created for that specific performance. This is a separate breach of Regulation 23(a) of PECR and it meant I could not immediately establish which (legal) person was actually sending or instigating the sending of the emails. Following some investigation on the website, I was able to establish Y as the data controller and the likely instigator of the marketing emails. Additionally, I found Y was using tracking cookies to profile me for behavioural advertising purposes without my consent: another breach of Regulation 6 of PECR.

Under Article 21(2) of the UK GDPR, you have an absolute right to object against a controller’s use of your personal data for direct marketing purposes. This powerful right is very helpful when it comes to stopping spam emails, particularly if the unsubscribe functionality doesn’t work or simply isn’t present at all. As such, I sent Y a data protection complaint and an objection in the following terms:

I consider all this to be untransparent, unfair and unlawful, in breach of your obligations under Article 5(1)(a) of the UK GDPR and Regulations 6, 22 and 23 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).

Please note that I also hereby object to the use of my personal data for marketing purposes, pursuant to Article 21(2) of the UK GDPR. I would ask that you cease using my personal data for marketing purposes, such as sending me marketing emails.

extract from Email to controller y

I also put Y on notice that I would consider applying for a compliance order under S.167 of the Data Protection Act 2018 and make a claim for non-material damages, if necessary.

Controller Y ended up responding fairly quickly. They said they’d taken action to make changes to their systems to ensure something like this would not happen again. Y also opted to settle my civil claim. A good result, as I have received no further spam from them since.

My spam email complaint to the ICO did not result in a response, as is usually the case. This is why it is often much more effective to pursue these matters yourself. Because Y ended up making positive changes, I decided not to pursue a full data protection complaint with the ICO (the result of which would inevitably be no formal action taken in this scenario).

Controller 2 – restaurant chain

This controller (Z), a well-known UK-based international restaurant chain, has had my business for a long time, but I had made sure to opt out of marketing emails.

However, I then received a wholly unsolicited email from Z. The email started by promoting Z’s rewards and savings schemes, recommending I download their app to see all the rewards I could get. The email then explained that I could earn loyalty points every time I dined with Z or ordered a takeaway from them. The email then proceeded to advertise Z’s delivery service, explaining that points would be allocated to my account automatically. The email then explained that Z had recently updated their app to make it easier to understand the difference between rewards and offers, and to make it clearer to see what options I had to make great savings. The email concluded by telling me to remember that I would enjoy free rewards every time I used Z’s app.

Z had labelled its email as a ‘service message’ at the bottom. However, the tone of the email was clearly promotional and the vast majority of the content of the email was for direct marketing purposes. Only two phrases in the body of the email were arguably for non-marketing purposes.

Furthermore, there was no unsubscribe link in the email (presumably because it was mistakenly labelled as a service message). Upon checking my marketing preferences on Z’s website (they were off), I further noted they used numerous tracking cookies and technologies for behavioural advertising and profiling purposes without seeking valid consent. Z’s website simply said that I automatically consented to all the tracking by merely using their website. It’s clear that such purported consent does not meet the criteria in Article 4(11) UK GDPR.

I wrote to Z, objecting to the use of my email address for direct marketing purposes and alleging breaches of:

  • Article 5(1)(a) UK GDPR (fairness, lawfulness, transparency) in respect of the data processing for the marketing email and behavioural advertising;
  • Regulation 6 of PECR, for using tracking cookies for behavioural advertising without consent;
  • Regulation 22 of PECR, because Z did not have my consent for marketing emails and could not rely on the soft opt-in.
  • Regulation 23(b) of PECR, because no easy unsubscribe mechanism was present in the email.

Z admitted its cookie practices were substandard and committed to improving them – great. However, Z denied that its email constituted a marketing email, claiming that it merely informed users of important changes to its terms and conditions as Z was legally obliged to do.

I disagreed. The mere fact that an email is labelled as a service message or contains some non-marketing content is irrelevant. If the email contains any content for the purposes of direct marketing, Regulations 22 and 23 of PECR are engaged (Leave.eu and Eldon v Information Commissioner [2021] UKUT 26 (AAC)). In this case, although two phrases in the email were arguably non-marketing, all the other phrases in the email were clearly for marketing purposes. Furthermore, I referred Z to the ICO’s excellent monetary penalty notice against Amex (the MPN) and in particular:

  • Paras 50 and 51 of the MPN, which make clear that encouraging customers to download or use an app to access information regarding rewards and offers constitutes direct marketing;
  • Para 42 of the MPN, which lists ‘affirming the benefits of using the card’ as an example of direct marketing;
  • Para 70 of the MPN, which makes clear that, although Amex classed its emails as servicing emails, the ICO rejected this and held that PECR had been breached.

Applying the MPN and Leave.eu, I then particularised all the content in Z’s email that, in my view, was clearly for the purposes of direct marketing. Shortly afterwards, Z opted to settle my civil claim in its entirety and has not spammed me since. Z has now also made some changes to its cookies practices. Overall, an excellent result that stands to benefit Z’s vast customer base.

As per usual, the ICO did not respond to my spam email complaint regarding Z. As Z ended up making positive changes, I decided not to pursue a full data protection complaint with the ICO (which undoubtedly would result in no further formal action).

Controller 3 – University

And lastly, this controller (U) is a world-leading university. On its cookie banner, users could accept unnecessary cookies in 1 click through an accept all button. To reject, users had to make 3 clicks at a minimum: first, click the ‘edit your options’ link, then click ‘reject’ for all unnecessary categories, then click the ‘save’ button. This is a prime example of a ‘dark pattern’, where users are unduly influenced into making a ‘choice’ more favourable to the controller.

As such, in my view, any consent given by users was not freely given, because it was harder to accept than to reject. The extra clicks to reject constitute detriment to the user. The ICO has published an excellent joint report with the CMA explaining this here: https://www.drcf.org.uk/publications/papers/ico-cma-joint-paper-on-harmful-design-in-digital-practices

Materially, this joint report provides on page 15: “Regulation 6 of PECR is likely to be infringed where a cookie banner that incorporates these practices is being used to obtain consent for placing cookies. Users must be able to refuse non-essential cookies with the same ease as they can accept them, without having to take any additional steps. Where the user is presented with an option that allows them to skip more granular settings then the ICO expects, as a minimum, an equivalent option allowing them to refuse as well (e.g., a “Reject all” option as well as an “Accept all”). These must be presented with equal prominence; the user must understand what they mean and must not be nudged towards one over the other […] For example, if they can “accept” with a single click or tap then they must also be able to “refuse” with a single click or tap.”

I sent the university’s data protection officer an email, asking for changes to be made. The university promptly responded, explaining the action it would take to address my concerns. The university then made it equally easy to reject as to accept unnecessary cookies. As such, it was not necessary for me to take any further civil action, nor to complain to the ICO. Another excellent result.

ICO action at last?

Meanwhile, the ICO has now repeatedly stated it has written to the Top 100 UK websites that fail to comply with the cookies legislation (https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/03/ico-launches-consent-or-pay-call-for-views-and-updates-on-cookie-compliance-work/). Despite this, no formal enforcement notice or penalty notice has been published as of yet. Furthermore, the ICO has refused to disclose the list of websites it has written to, citing Section 31 of the FOI Act. A decision notice on whether this refusal is valid is now pending from, yes, the ICO (in its capacity as the FOI regulator).

Although admittedly some websites have recently made improvements, I still see a sizeable portion of popular UK websites flagrantly breaking the law in respect of cookies, so I would hope to see some formal enforcement action soon.