B2B Communications: A Welcome ICO Turnaround

March 22, 2018

The question of what constitutes
a B2B communication is applicable when considering the GDPR, specifically in
relation to marketing. It had been thought that all marketing emails to an
organisation which were sent without prior consent would need to be sent to info@company.com or sales-team@company.com, i.e. avoiding the
use of personal data. With this in mind, it was thought that the marketing
industry was going to hit some rather large hurdles when continuing their
business post GDPR-Day. Obvious questions were raised by some of our clients,
for example, what if the recipient of the emails sent to info@company.com does not escalate the
marketing email to the correct individual at the organisation, or does not
escalate it at all? What happens if the recipient at sales-team@company.com is not aware of
the corporate requirements for the specific service that is being promoted?

In December 2017 we asked the
Information Commissioner’s Office some of these questions, amongst others, and
their response was that the only way
to electronically market services or products to a company was to do so using
an email address that did not contain personal data unless consent had
previously been obtained from the recipient to send such emails. This left open
the question of whether, if the company had purchased or discussed the purchase
of the same or similar products before and was thus deemed to have given a ‘soft
opt-in’ consent, that would be deemed consent from its individual employees
too. We were then told that if we wish to send marketing to an individual
without obtaining consent we would need to send it in the post, in order to be
compliant with the Privacy and
Electronic Communications Regulations 2003. Of course, the thought of having to
market everything via the post is ridiculous, especially in the digital age we
all live and work in, not to mention the fact that GDPR does not differentiate
between different forms of communication, i.e. postal marketing is not exempt
from GDPR as it is from PECR.

This led to the question of how
consent could be obtained; how is it possible to ask for consent from an
individual when it has been decided by the ICO that a request for consent is
considered marketing (Honda and Flybe Cases)? The response we received from the
ICO information officer was that, in order to be compliant with PECR, and
prepare for GDPR, we would need to ask for consent from the individual by post
before GDPR-Day, provided that individual had not previously rejected a request
for consent. We should also make sure that such requested consents were GDPR
compliant; we could then rely on them once GDPR comes into force on 25 May
2018. The ICO information officer’s advice was to obtain the necessary consents
prior to GDPR-Day but it did not solve the issue of how to obtain consent post
GDPR-Day.

This has now all changed; the ICO have thankfully done a
complete U-turn with regard to their view on what constitutes a B2B
communication and their approach to marketing, providing some much-needed
answers to questions we have raised in previous articles. Recent guidance
released on the ICO website, ‘The rules around business to business marketing,
the GDPR and PECR’, states that an email address containing personal
data, e.g. gemmabriance@warnergoodman.co.uk
(‘an identifiable business address’), falls under the definition of corporate
subscriber (see below) and therefore the approach to marketing is somewhat different
to the approach described above. The ICO state that, when considering both GDPR
and PECR, the first thing to establish is whether or not the intended recipient
is an ‘individual subscriber’ or a ‘corporate subscriber’. The ICO definition
of a “‘corporate subscriber’ covers
subscribers that are a corporate body with separate legal status. This includes
companies, limited liability partnerships, Scottish
partnerships, and some government bodies and can cover an individual working for a corporate subscriber
(emphasis added)”.
In accordance with PECR, there is no requirement for prior consent to send
marketing emails when the recipient is a corporate subscriber and this can now
be extended to GDPR for marketing purposes.

Unfortunately, and confusingly, the guidance provided goes on to discuss
consent and legitimate interest; why, when they have just stated that B2B
marketing can be carried out without any lawful basis, do they go on to discuss
marketing to individuals? We contacted the ICO and spoke with two different information
officers, both of whom concur with the above, that B2B marketing using an
identifiable business address is allowed under both PECR and GDPR without
consent or the soft opt-in. They also agreed that the remainder of their
guidance was confusing and related to marketing to individuals and sole
traders. We do not agree that the rest of the guidance only applies to
individuals or sole traders; if we take the ICO view, it appears to make B2B marketeers
largely exempt from GDPR, which cannot be what was intended. It is our view that,
whilst B2B marketing using an identifiable business address is allowed under
both PECR and GDPR without consent or the soft opt-in, there is still the
requirement for a lawful basis to conduct such processing, triggering the
requirement to rely on legitimate interests and Recital 47 of GDPR.

Whilst we had them on the phone we did address again the question of
consent and the fact that a request for consent is considered marketing. Their
opinion on this has also changed; they believe that the request for consent cannot
be regarded as marketing; otherwise it would be impossible to comply with GDPR.

With the definition of corporate subscriber in mind we asked the ICO information
officer whether or not its application could be extended to the requirement to
send Article 13 and 14 Notices. This is discussed in detail in our article
“Demystifying Transparency – What do Article 13 and Article 14 GDPR really mean?”, where
we highlight the common situations where it would be disproportionate to have
to provide Article 13 and 14 Notices. It is our view that the distinction between
corporates and their staff on the one hand and individuals on the other should
be applied when considering whether or not to send Article 13 or 14 Notices in
order to prevent a plethora of Notices being sent in all directions as a result
of day-to-day email correspondence. The ICO information officer said that the
ICO have not, and are unlikely to, change their view on this until the Article
29 Working Party publish their final guidance on transparency; this is expected
to be in April. It seems that, as we get closer to 25 May 2018, the ICO are
providing more clarity on matters and their approach is becoming far more
practical than literal; hopefully this will continue as more guidance is
released over the next few months.

Gemma Briance and Geoffrey Sturgess are both
solicitors in the commercial and tech team at Warner Goodman, Southampton:
GemmaBriance@warnergoodman.co.uk and GeoffreySturgess@warnergoodman.co.uk