Organisations must comply with strict rules if they want to send electronic direct marketing mail to people. Many organisations send out legitimate ‘service’ emails, but some choose to add advertising, marketing or promotional material to their supposed ‘service’ emails in an attempt to circumvent the direct marketing rules. Of course, it doesn’t quite work like that and mistakes can be costly

Many of you will be all too familiar with waking up to an inbox full of unread emails from organisations all fighting for your precious attention, time and hard-earned money. While some people enjoy receiving such direct marketing emails on a daily basis, many people find them annoying. Most of them, however, reluctantly accept these direct marketing emails as a part of their digital lives. But it doesn’t have to be that way; if you’re a victim of unlawful direct marketing and are annoyed by it, you could be entitled to claim compensation (and if everyone did, most unlawful direct marketing would probably be eradicated overnight).

The basic rules of direct marketing

Organisations must comply with strict rules if they want to send you emails containing direct marketing. Direct marketing is defined as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. This is a broad definition and includes all promotional material, such as commercial and not-for-profit promotional material.

Some of the most important rules are contained in Regulation 22 of The Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PECR’). In summary, organisations must ordinarily have your consent (to the GDPR standard) if they wish to send you unsolicited direct marketing emails. The only exception to this is contained in Regulation 22(3), which is also known as the ‘soft opt-in’: where an individual has a pre-existing sales relationship with an organisation, the organisation may send them direct marketing emails on the condition that the individual is given clear opportunities to refuse such direct marketing emails. You must also always be given a simple means of refusing such direct marketing communications and every email must contain an address at which you can request that such direct marketing communications stop (and they must then usually immediately stop).

To process your personal data (typically your name and email address) to send direct marketing emails, organisations also need to comply with the relevant provisions of the GDPR. Ordinarily, the organisation can effectively only rely on the ‘consent’ lawful basis for such processing under the GDPR as specified in Article 6(1)(a), because Regulation 22 of PECR provides that organisations must have an individual’s consent to send them direct marketing emails. However, if the organisation is using the ‘soft opt-in’, the lawful basis for processing would usually be ‘legitimate interests’ under the GDPR as specified in Article 6(1)(f).

The ICO has published some useful guidance on direct marketing. They are in the process of creating a statutory direct marketing code of practice, a draft of which can be found here. Their currently released direct marketing guidance is also available, although it was drafted before the GDPR came into force and as such, I find their draft statutory code more useful (but bear in mind it is still a draft and may change or contain errors).

‘Service’ messages

‘Service’ messages are not defined in law, but the ICO’s draft statutory code of practice defines them as “a way of describing a communication sent to an individual for administrative or customer service purposes”. Genuine examples of such messages include ’email verification’ and ‘forgot password’ emails. However, many organisations have grabbed the term ‘service message’ and use it as a carte blanche opportunity to further promote themselves alongside sending their users supposedly ‘useful service messages’. However, the ICO is clear that ‘service messages’ cannot include any direct marketing: “If the service message has elements that are direct marketing then the marketing rules apply, even if that is not the main purpose of the message”.

Upper Tribunal appeal judgment

An email whose main purpose is not necessarily for direct marketing but contains some advertising or marketing material, is indeed covered by the basic direct marketing rules and this is supported by the legislation. This principle came under close scrutiny in an appeal heard by the Administrative Appeals Chamber of the Upper Tribunal, see Ground 2 in Leave.EU and Eldon v Information Commissioner: [2021] UKUT 26 (AAC).

The Tribunal held that, for the purposes of Regulation 22 of PECR, an email can contain different types of “communications” (which is synonymous to “information”). For example, an email can contain some information for the purposes of direct marketing. The communications themselves are delivered through email, meaning the email is simply the “vehicle by which the communication is delivered”. In this case, the Tribunal held that the inclusion of information for the purposes of direct marketing (in this case, banners containing kangaroo branding advertising an insurance company) in the email meant that Regulation 22 applied to the sending of the email. Leave.eu appealed the decision to the Court of Appeal and this was dismissed (although this was mainly because Leave.eu failed to show up to their hearing).

As per the legislation and the Tribunal’s reasoning, organisations need to ensure that any ‘service’ messages do not include any content that could reasonably be deemed to have been included for direct marketing purposes. This will, of course, somewhat depend on the context of the email, but in most cases it will be pretty clear whether or not a certain part constitutes direct marketing.

Why mistakes can be costly

Of course, the ICO can impose administrative monetary penalties of up to £500k for a breach of PECR and up to £17.5m (or 4% of global annual turnover) for a breach of the UK GDPR. But I believe organisations should be more worried about the prospect of civil (group) litigation.

Regulation 30 of PECR and Article 82 of the UK GDPR provide that people who have suffered damage by reason of a contravention are entitled to compensation from the organisation responsible. Damage in this context includes non-material damage of distress, frustration, annoyance etc. and victims of breaches of direct marketing rules are generally expected to be frustrated by those breaches. It is plainly obvious that receiving unwanted direct marketing communications by email can cause distress, annoyance and frustration to the individuals receiving them, particularly if they have tried to unsubscribe or never subscribed to them in the first place. Furthermore, using harsh spam filters carries with it the risk that legitimate emails may be blocked, so in practice, it is not always straightforward to automatically remove unwanted direct marketing emails from your priority inbox. Almost half of UK adults selected ‘spam emails’ as a concern while using the internet.

While the number of relevant civil cases brought and reported on seems to be relatively small, a Sheriff made an award of £750 as compensation for distress caused as a result of receiving a single unlawful direct marketing email. If you consider some organisations send millions of direct marketing emails per campaign, they had better make sure they have a proper lawful basis for every single one of them or risk facing an expensive day in court. And rightfully so – people should not have to put up with organisations spamming them with unwanted advertising material, even if stealthily included in a supposed ‘service message’.

In addition, of course, organisations will find that people are becoming increasingly aware of their data protection and privacy rights. If they flagrantly disregard these rights and their obligations, they are increasingly likely to find their customers will vote with their feet and leave them.

If you are the victim of unlawful direct marketing, you should always report this to the relevant supervisory authority. And if you’re confident in your case and distressed by the unlawful direct marketing, you can consider starting a claim against the rule-breaking organisation for compensation.