Out-Law News 1 min. read
04 Sep 2015, 5:08 pm
Optical Express had a contract with data suppliers, including Thomas Cook, which required those suppliers to only provide it with 'consented data'. It claimed this demonstrated it had the consent necessary to engage in direct marketing activity.
The UK's Privacy and Electronic Communications Regulations (PECR) generally prohibit organisations from sending or instigating the transmission of unsolicited communications to consumers for the purposes of direct marketing by means of electronic mail unless the person receiving the mail has given their prior consent for the messages to be sent or other limited exceptions apply.
Optical Express sent text messages to consumers relating to laser eye surgery but approximately 7,500 complaints were made about the activity.
The Information Commissioner's Office (ICO) issued an enforcement notice against Optical Express in which it claimed the company had breached PECR. However, Optical Express challenged the notice arguing, among other things, that the terms of its data supplier contracts showed it had "sufficient proof of consent".
However, the ICO said consumers who had received the Optical Express (OE) text messages had not given their consent to them.
"When consent was obtained by Thomas Cook or whomever, it was not stipulated (or at least it has not been shown to have been stipulated) that the personal data would be processed by OE," Brian Kennedy QC said in his First-Tier Information Rights Tribunal ruling. "Neither was the marketing of specific types of product stipulated. In my opinion it should say something about the products to be marketed if they are different from the business of, for example, Thomas Cook."
"If the data subject doesn’t know what other products might be marketed then how can he exercise his right to object to some of them whilst being happy to receive others? … By failing to obtain proper, fully informed and specific consent in accordance with [EU data protection law requirements which PECR provisions must be read in conjunction with], OE fall foul of [the EU's Privacy and Electronic Communications Directive from which PECR stems]," he said.
Brian Kennedy QC also dismissed claims from Optical Express that it is the responsibility of the ICO to provide evidence of non-compliance when issuing enforcement notices. He said it was up to Optical Express to demonstrate its compliance to rebuff the enforcement notice but that it had failed to do so.
"For the sake of clarity, the Tribunal finds that the onus or burden of proof that the texts were not unsolicited and/or made with consent is and was at all times with OE," he said.