Email Marketing Gone Rotten: PECR and Sainsbury's Cat-Food Fuss

August 12, 2021

Supermarket chain Sainsbury's has come under fire this week, having recently failed to send product recall alert emails to customers who had opted out of receiving marketing emails. As a result, cat owners were at risk of giving their beloved moggies toxic food for up to a month.

This might have been a simple mistake, or it might have been a misunderstanding of the rules around direct marketing – so we thought it was time to give a quick summary of the rules just in case Sainsbury's aren’t the only ones confused (and we’re sure they aren’t!)

What on earth is PECR?

PECR (pronounced “pecker” – and yes, data protection nerds do manage to say it frequently with a straight face) is short for the Privacy and Electronic Communications (EC Directive) Regulations 2003.

You have probably heard of the GDPR (if you haven’t, where have you been?! Of course, we know there is now the GDPR and UK GDPR, but the latter is a bit of a mouthful so we’ll just stick with “GDPR” for the rest of this) but PECR has been around for longer and there is a fair amount of interaction between the two laws.

What is covered by PECR?

PECR (come on, stop your giggling) covers a lot of things, but the most important ones for most businesses are:

  • Direct marketing by electronic means: (e.g. phone calls, texts, emails… technically also faxes, although if you’re still marketing by fax, we probably have other things to talk about!), in particular “unsolicited” marketing – which doesn’t mean what you think it means.
  • Cookies: Not the edible kind, the ones that track activities and or people (or both!) using your website, app, etc. This also includes similar technologies like pixels and beacons.

We’ll leave cookies for another day as they bring up a whole host of questions, and focus on electronic direct marketing. Although, if another day is too long to wait, you can find out more about cookies here.

What is “direct marketing”?

The legal definition is “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”.

What that means in practice is that if you are sending information by email (or making a phone call) to a particular individual – i.e. a specific person rather than a generic email address or a business reception phone number – which includes advertising or marketing, it will be considered direct marketing.

It doesn’t cover sending marketing information to people via the post, although if you are sending it to identifiable individuals it will still be covered by the GDPR.

Most of the PECR rules apply to “unsolicited” marketing. However, this description is a bit misleading – all messages will be considered “unsolicited” unless the customer has asked you to provide them with that specific information (e.g. if they want information about a specific service and you send them your brochure about that service). That means that even if someone has opted in to receive marketing emails from you, it is still considered “unsolicited”.

Unsolicited direct marketing messages are fine (otherwise nobody would be allowed to send newsletters) as long as you comply with PECR.

Are all messages I send to customers considered direct marketing?

Thankfully for you, no – and this is where Sainsbury’s appear to have tripped up.

You can send routine customer service messages without needing to comply with PECR, because they do not count as marketing.

We would recommend having a mailing list for things your customers need to know about current contracts and past purchases (e.g. service interruptions, deliveries, changes to your T&Cs or prices, product safety) which is kept separate from your separate marketing mailing list. Make sure not to get them mixed up, or you will get in trouble as we’ve seen this week with the Sainsbury’s saga.

Beware – if you include any significant promotional material (e.g. aimed at convincing customers to buy more products/services or renew their existing contracts), it will be considered marketing material and will be subject to PECR.

Genuine market research also doesn’t count as direct marketing. However, it will be caught by PECR if  it includes promotional material about your business/products/services, or collects the details of respondents for future marketing campaigns.

What do we need to do about our direct marketing messages?

Most of the time when you want to send direct marketing to someone, you will need their consent (which is another way of saying you’ll ask for their permission before you send them marketing).

This means that someone must have agreed to receive marketing messages from you, using a clear, positive action, for example by ticking a box, or clicking “subscribe”. The person giving consent needs to be aware of who will be sending them marketing and what type of communication you will use – e.g. “Please tick this box if you would like Stephenson Law Limited to send you marketing information by email”.

You must give people a clear and simple option to opt out of receiving marketing messages at any time. E.g. each email you send should include a way to unsubscribe.

You will need to keep records of who has consented to receive your marketing messages (along with what they have consented to receive, plus when and how you received this consent from them). It is also a good idea to keep track of who has withdrawn their consent. E.g. a marketing suppression list which makes sure that the people on that list definitely don’t receive marketing. 

Is consent the only way to send direct marketing messages?

For most direct marketing, yes. The exception is where someone is an “existing customer”, in which case you can use “soft opt-in” in certain circumstances.

Again, the definitions here are a bit counterintuitive.

An “existing customer” could either be someone whose details you have obtained in the course of a sale, or in the course of negotiations for a sale (whether or not that sale was actually made), of a product or service to that person. This can include where someone has actively expressed an interest in buying your products or services (e.g. requesting a quote, or asking for more details). There are two conditions for marketing to existing customers using the “soft opt-in”:

  • You can only market your own products and services, which are similar to what the customer was interested in; and
  • You give the person a simple opportunity to refuse or opt out of the marketing, both when you collected their details and also in every message you send them after that.

This means that “soft opt-in” basically means “opt out” – confusing, right?

If you’re wondering how that works given the GDPR requirements for getting consent, if you are using “soft opt-in” it would be based on your legitimate interests in processing the existing customers’ personal data for marketing purposes, rather than consent. This distinction can cause problems for businesses where customers have a partial knowledge of the GDPR and believe that consent is the only lawful basis available, so you may want to think carefully before using “soft opt-in”.

“Soft opt-in” can only be relied on for commercial marketing, so if you are a charity, political party or not-for-profit organisation, you will not be able to use this option. Interestingly, the ICO recently changed their approach for public sector direct marketing – so this might be an indication that they’ll be reviewing direct marketing for other sectors too.

What about business-to-business marketing?

The rules on consent, “soft opt-in” and the right to opt out do not apply to electronic marketing messages sent to “corporate subscribers”. Instead, you only have to identify yourself and provide contact details.

“Corporate subscribers” don’t include sole traders and some partnerships. This means you can only make the distinction in your marketing if you know whether someone counts as a “corporate subscriber” or not.

If you are using an employee’s personal corporate email address for business-to-business marketing, they still have a right to object to marketing under the GDPR. Though, to be honest, you probably don’t want to send messages to anyone who has asked you to stop, as it would only annoy them and damage your reputation.

What happens if I don’t comply with PECR?

The UK Information Commissioner’s Office (usually referred to as the ICO – they are our data protection regulator) can use a combination of things to enforce PECR. This includes fines of up to £500,000 against the business and/or its directors, as well as criminal prosecution, non-criminal enforcement and audits.

It is also worth noting that if you are breaching PECR you are also quite likely to be breaching the GDPR, which attracts even bigger fines.

If you'd like to prevent a Sainsbury's level fallout, you can sign up to our newsletter where we provide on the pulse legal insights, including the down-low on the world of data protection.

We’re the experts in getting data on your good side. Find out more about our data protection offering here.

Receive our insights directly to your inbox by signing up to our newsletter

Recommended content