Have you sent an email to your customers recently about a change to your terms and conditions, or just to provide them with an invoice/receipt?

Did you mention at the end about your e-newsletter and provide a link to sign up?

If so, and you did not screen against your marketing opt-outs, you may have breached PECR!

It was always accepted – the ICO include an example in their Direct Marketing Guidance – that a small message about marketing communications and how to sign up in an otherwise service message was fine as long as this was incidental to the main purpose of the message.

The email was seen as the “communication” for the purposes of Article 13 of the EU Privacy Directive and Regulation 22 of PECR.

PECR – the Privacy & Electronic Communications Regulation 2003, which is the UK implementation of the Directive – governs the sending of emails and text messages and prevents the sending of “unsolicited communications for the purposes of direct marketing” unless the sender has permission.

However, in an appeal against 2 Monetary Penalty Notices (MPN) imposed by the ICO, this understanding has been turned on its head.

The email, and by extension any other channel used, is not the “communication” but merely the means to deliver the communication – the content/information being conveyed.

The case before the Upper Tribunal,( Leave.EU Group Limited (Leave) and Eldon Insurance Services Limited (Eldon) vs ICO) concerned newsletters sent by a political party, Leave, to its subscribers.  

The first newsletter was purely promoting a sponsorship deal Leave had made with another company in their group, Eldon, in order to fund their activities, which contained discounts and banner advertising for Eldon’s products.

The other 20 newsletters were standard Leave content –  economic and political news, but at the end of each, there was a footer/banner advertising Eldon’s insurance offers.

An appeal to the First-tier Tribunal (FTT) was dismissed following a hearing in December 2019.

They then appealed to the Upper Tribunal (UT) arguing the newsletters were not unsolicited communications for the purpose of direct marketing.

The UT focused on 2 elements – the purpose of the communication and valid consent.


Leave/Eldon argued that the newsletters were not unsolicited communications for the purpose of direct marketing as the recipients had provided their consent and the newsletters were for the purposes of political campaigning.

The UT accepted that the subscribers had provided consent to receive the newsletters, but what they had not provided valid consent for, was the promotional content from Eldon.

They focussed on the word “communication”, saying the newsletters themselves were not the communication – the communication was the information they contain. So political news was fine but not the promotion of the products/services of a third party.

The email or text message just delivers the communication – the communication was the banner and other marketing content within the newsletter – there was no primary purpose test, so whether the banners were small and quite minor in relation to the newsletter itself was irrelevant. What was important was whether any content was direct marketing or not.

Having established that it was the direct marketing material within the newsletter that was the issue, it was time to look at whether the consent given by Leave subscribers comprised freely given, informed and specific consent to the inclusion of those promotional offers from Eldon.

The UT accepted that the Leave subscribers had consented to receiving the newsletters with economic and political content.

But had they agreed to was Eldon’s marketing – did they know what they were signing up for?

As you know, you need to explain to your subscribers/customers what personal data you are collecting and what you are going to do with it.

Unfortunately, the privacy information provided was confusing  – the privacy notice stated the controller was “Better for our Country Limited”, another company in the group – but the privacy policy on the website showed Leave as the controller.

Even if you accept what the privacy policy on the site said, the consent wording – “to receive information that Leave.EU felt might interest them” –  was so broad that it could not meet the test for consent to be freely given, specific and informed.

Another complication was the Eldon promotion was from a third party, so Leave would have needed to collect separate 3rd party consent as well as permission for any their own brand marketing.

So no valid consent.

There was an interesting discussion about previous decisions on consent –  Planet 49,  Orange Romania, and Zerpla. I will not go through these, but this is worth a read if you are interested (paragraphs 48-55).

A third area for discussion by the UT was whether Eldon had instigated the transmission of the newsletters. This has been a new area of interest for the ICO, appearing in the draft Direct Marketing Code of Practice which came out for consultation in January 2020.

As well as not sending unsolicited communications, Regulation 22(2) of PECR also bans the instigation of such comms.

The meaning of “instigate” was discussed in the case of Microsoft Corporation v McDonald (trading as Bizards). There needs to be more than mere urging or inducement, there needs to be some positive encouragement.

There were numerous emails between Leave and Eldon about the newsletters, including many suggestions from the Group’s majority shareholder and sole subscriber of Leave Mr Arron Banks. on the promotional offers and sign offs

The UT concluded that Mr Banks did more than just support the promotional offers, but positively encouraged them, and therefore as the sole owner of Eldon was the instigator of these communications.

Final words

This decision means you need to be careful how you carry out your direct marketing.  This does not just affect email, but any channel you use personal data for, as it is the direct marketing that is the communication, whether that is in an email or a piece of direct mail.

Your customers need to know what they are agreeing to – what information do you want to include?

If you want to feature 3rd party marketing, you need separate permission for these – you can use legitimate interests for telephone and direct mail, but you need consent for email and sms and you need to name the  3rd parties. The privacy notice has to be clear – who is collecting the data and what will it be used for.

Your privacy policy needs to clearly explain how you will use and look after your customer’s personal data. It should be clear who you are, what data you are collecting and what you want to use it for.

It is important to get this right – to avoid any fine from the ICO and the reputational damage, so get in touch for some common sense legal help.