The UK Government has just announced plans to introduce laws from Spring 2017 to hold directors of organisations personally liable for breach of electronic direct marketing laws contained within the Privacy and Electronic Communications Regulations (PECR). The Information Commissioner’s Office (ICO) commented that the new law will stop directors “leaving by the back door as the regulator comes through the front door”.
At the moment, only organisations are subject to ICO fines, and some organisations have avoided paying fines by going into liquidation while subject to ICO enforcement action. It has been reported that since April 2015, the ICO has issued twenty-seven fines amounting to £2.7m but only six have been paid in full.
The UK Government intends to address this by amending PECR to allow the ICO to fine directors up to £500,000 if their organisations are found to be in breach of PECR. If organisations have more than one director, then each director may be liable to pay an individual fine. The fines imposed on directors will be in addition to fines issued against the organisations.
The ICO will take an evidence-based approach when setting the level of fines and determining whether fines will apply to organisations, their directors or both.
What does PECR say?
An organisation cannot send unsolicited electronic direct marketing communications (i.e. e-mail, text, fax or automated calls) to an individual, unless that individual has agreed to receive them or there is a pre-existing customer relationship between the organisation and the individual. The organisation must also provide the individual with an opportunity to opt out of receiving future electronic communications and maintain suppression lists so that opted-out individuals do not continue to receive communications.
Unsolicited direct marketing calls may be made to an individual, unless the individual has either notified the organisation that s/he does not wish to receive calls or the individual’s telephone number is listed on the Telephone Preference Service (TPS), although a TPS-registered individual may agree to receive calls from specific organisations. The TPS is a statutory “do not call” register maintained by OFCOM. An organisation intending to make direct marketing calls can purchase a list of TPS numbers from OFCOM. When the TPS receives a complaint from an individual, it contacts the organisation and asks why the call was made.
The ICO may issue a fine of up to £500,000 against an organisation that does not comply with PECR. In deciding whether to issue a fine and the level of fine, the ICO looks at, amongst other things, the distress suffered by the individual recipient.
What should our organisation do now?
The new proposals represent a significant enhancement of the existing PECR provisions and the ICO’s penalty powers. The current £500,000 ICO fine cap is effectively removed, and organisations and their directors may be exposed to fines of more than £1m combined. For larger organisations with many directors on the board, the potential exposure could run into several million pounds. The incentive to comply with PECR has never been greater.
Now is the time to review your organisation’s direct marketing and/or fundraising strategy to avoid exposing it and its directors to risk. This can be done by:
undertaking a PECR compliance audit;
using only reputable third-party list suppliers, if acquiring contact lists from third parties;
undertaking checks to ensure individual recipients’ consents to direct marketing have been validly obtained and are specific to your organisation or organisations of the same description or operating within your sector, even if the list supplier provides assurances that consents have been obtained;
delivering PECR training to your staff to ensure awareness of legal requirements;
sending communications only to those individuals who are interested in hearing from your organisation, and if they opt out, respecting this by suppressing their details; and
cross-checking against the TPS before making direct marketing telephone calls.
These steps should be taken immediately. The law is only set to get stricter with the current review of the EU law on which PECR is based and the coming into force of the new EU General Data Protection Regulation in 2018.