12

Is this legal in the UK:


Hollywood Bowl's sign-up page asks for confirmation like this:

unless you tick the relevant box(es) below (or subsequently unsubscribe), you will receive exclusive discounts, offers and updates from us.
[] Email [] SMS [] Phone

The default state is that none of the boxes are checked, which, according to the confusing wording of the paragraph, would mean that you are by default opted in to all promotional messages.

Are there any legal problems with this method of collecting permission for promotional spam?

2 Answers

10

Not Allowed Under the GDPR

The suggested method does not seem to comply with the GDPR, and would not be lawful for a Data Controller that is subject to the GDPR.

Specific Provisions

Let's consider some specific provisions of the GDPR:

Article 4

Article 4 paragraph (11) states:

"consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

If the choice is "obscure" then it is not clear, and legal consent has not been given.

Article 7

Article 7 paragraph 3 reads:

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

It does not appear in the situation described that the data subject has been clearly informed that consent is being given.

Recital 42

Recital 42 reads in relevant part:

In accordance with Council Directive 93/13/EEC a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. ... Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

The specified means do not seem to comply with R42.

Recital 32

Recital 32 reads:

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. ... If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

The format in the question seems to rely on inactivity as a way of giving consent, and is surely not clear.

izzyg
David Siegel
5

This is mostly compliant. While such a form fails to collect valid consent, consent is not necessary for some forms of direct marketing. Instead, an opt-out solution might be permissible. We can therefore ask:

  1. whether an opt-out solution would be valid in this scenario; and
  2. whether this opt-out was implemented validly.

For this we have to look at the UK's Privacy and Electronic Communications Regulations (PECR), which complement and particularize the UK GDPR and DPA 2018. PECR is largely an implementation of EU Directive 2002/58/EC, the ePrivacy directive.

Per section 22 of the PECR, direct marketing via email is forbidden unless the recipient consents or the following three factors are all fulfilled, known as a “soft opt-in”:

  • “the contact details of the recipient [were obtained] in the course of the sale or negotiations for the sale of a product or service to that recipient”
  • “the direct marketing is in respect to that [sender's] similar products and services only”
  • “the recipient has been given a simple means of refusing […] the use of his contact details for the purpose of such direct marketing, at the time that the details were initially collected, and […] at the time of each subsequent communication”

The presented form does allow for an opt-out, and arguably fulfills the three criteria:

  • the account is used for booking a bowling alley, which is a sale of goods or services
  • the “discounts, offers and updates” will presumably relate only to the bowling alley's own similar services
  • an opt-out was provided at the time when the contact details were collected

However, I would argue that this opt-out fails to be a “simple means of refusing” as it involves dark patterns. While the text is unambiguous, the form is clearly designed to suggest that no communication will be made unless the respective boxes are checked.

The ICO's guidance on direct marketing (PDF, last updated 2018) has a fairly lax view of consent and opt-out, but I don't think this lax view holds up in the face of later court rulings. If we read the PECR's concept of “refusing” as an application of the GDPR right to object to direct marketing per Art 21(2) GDPR, then per Art 12(1) such communications shall be provided in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”.

In summary, the email marketing is in principle allowed, but it's unclear whether it was implemented in a valid manner.

Direct marketing via telephone has a different set of rules. Per section 19 of the PECR, use of automated calling systems is illegal without consent. But direct marketing with live calls is allowed under the conditions of section 21. For example, an opt-out must be respected, regardless of whether the recipient has indicated this directly to the caller or whether they have registered their number in the UK's Telephone Preference Service (https://www.tpsonline.org.uk/register).

So offering an opt-out for phone marketing in a registration form is not strictly necessary, but still a good idea.

The rules on direct marketing via SMS are unclear to me, but I'd be inclined to argue that they are electronic mail.

amon