The General Data Protection Regulation (GDPR), which applies from next May, contains much stricter conditions which must be followed when obtaining consent for processing personal data.
With this on the horizon, organisations which rely on consent are (or should be) considering how to obtain or refresh consent from their customers/potential customers. Under the GDPR companies will not be able to rely on consent obtained for one purpose as consent for another purpose, for example consent obtained for the supply of goods cannot also be relied on for direct marketing.
The GDPR maintains the existing right for individuals to object to direct marketing. This right is absolute - once an individual has objected to direct marketing then no exemptions will allow an organisation to continue processing the individual's data for direct marketing.
The latest Information Commissioner's Office (ICO) fine reinforces this position. On 20 July 2017 the ICO announced that the price comparison website Moneysupermarket.com Ltd has been fined £80,000 by the ICO for sending 7.1 million emails over ten days to customers who had made it clear they didn’t want to be contacted in this way.
Moneysupermarket sent the following message to its customers:
"We hold an e-mail address for you which means we could be sending you personalised news, products and promotions. You've told us in the past you prefer not to receive these. If you'd like to reconsider, simply click the following link to start receiving our e-mails.”
The ICO has reaffirmed that it is illegal to ask people to consent to future marketing messages when they have already opted out.
This should be seen as a warning for all organisations who are looking to obtain or refresh consents for their direct marketing activities. Any individual who has opted out in the past should be automatically removed from your marketing database because, as this ICO fine demonstrates, 'no' really does mean no when it comes to direct marketing.