On 4 May 2020, the European Data Protection Board (EDPB) adopted an updated set of guidelines on consent (Guidelines) under the General Data Protection Regulation (GDPR). These updates were made to the original guidelines published by the Article 29 Working Party on 10 April 2018, which the EDPB endorsed at its first plenary meeting on 25 May 2018.

As a reminder, when a controller relies on consent as its lawful basis for processing personal data, or is required to obtain consent prior to the use of cookies, such consent must be freely given, specific, informed and an unambiguous indication of an individual’s wishes, in order to be valid. Although the original guidelines provided an in-depth analysis of each of these concepts, the EDPB felt that two specific areas required further clarification:

  • The validity of an individual’s consent to the use of cookies when access to a website’s service or functionality is conditioned on that individual giving such consent (i.e., the use of a ‘cookie wall’)
  • The validity of an individual’s consent to the use of cookies when such consent is given by the individual by scrolling through a website

Consequently, the Guidelines now include updates to the sections entitled “Conditionality” and “Unambiguous indication of wishes”, which clarify these areas.

Continue Reading EDPB updates consent guidance to clarify its position on consent to the use of cookies

The Information Commissioner’s Office (ICO) announced a £100,000 fine imposed on the telecoms company, EE Limited (EE), for breaching the Privacy and Electronic Communications Regulations 2003 (PECR). The timing of the breach meant that the General Data Protection Regulation 2016/679 (GDPR) was not applicable.

What happened?

EE sent customers a text message encouraging them to

The UK government has issued the Privacy and Electronic Communications Regulations (Amendment) 2018 (ePrivacy Regs), which comes into force on 17 December 2018.

The ePrivacy Regs amend the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and modify the application of the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 and the Data Protection (Monetary Penalties) Order 2010. The amendments are intended to ensure that the regime covering breaches is “effective, proportionate and dissuasive” in accordance with the criteria outlined in the PECR.

Background on PECR

The PECR covers several areas, including marketing by electronic means, the use of cookies and similar technologies, security of public electronic communication services, and the privacy of customers using such communication networks and services. The GDPR does not replace the PECR but sits alongside it. All applicable companies that send electronic marketing or use cookies (or similar technology) must now comply with the PECR and the GDPR.

Continue Reading Privacy and Electronic Regulations (Amendment) 2018

In Xerpla Ltd v. Information Commissioner [2018] UKFTT 2017_0262 (GRC) (14 August 2018), an English General Regulatory Tribunal has overturned a fine, issued by the Information Commissioner’s Office (ICO) against the direct marketing company, Xerpla Ltd, after the ICO determined that Xerpla had failed to obtain the necessary consents for electronic communications to its subscribers.

The ICO fined Xerpla £50,000 in October 2017 for sending 1.26 million marketing emails to its subscribers, which, according to the ICO, breached the Privacy and Electronic Communications (EC Directive Regulations 2003) (PECR). Central to PECR is that any direct marketing emails to subscribers must only be sent with the prior consent of the email recipient.

The tribunal found that Xerpla’s subscribers had “consented to, and knew they were consenting to, the direct marketing of third party offers for all kind of products and services… That is why they subscribed…” It was therefore considered obvious what was being consented to, given the services offered by Xerpla.

Continue Reading First tribunal case overturning an ICO fine for sending marketing emails without opt-in consent

In a decision of 31 August 2015, the First-Tier Tribunal provided important clarification on the use of third-party mailing lists. Optical Express v Information Commissioner (EA/2014/0014) is significant for organisations that use or are considering using such lists.

The case was concerned with an appeal by Optical Express (‘OE’) against an Enforcement Notice issued by the Information Commissioner. The Notice required OE to stop sending unsolicited marketing text messages to individuals without their consent. OE had obtained recipient details under data supplier agreements with Thomas Cook, and Thomas Cook had obtained these details by asking individuals to complete a travel survey which had a tick-box option to indicate that they were happy to receive marketing communications from third parties. OE argued that this was valid consent, and therefore the text messages were not unsolicited.
Continue Reading Optical Express appeal highlights the need for caution over third-party marketing lists