As we adjust to our new reality in lockdown, businesses are relying more than ever before on online sales and marketing to continue to prosper or survive. Conducting online commerce and electronic marketing carries some fundamental risks under e-privacy law (i.e. GDPR and related domestic UK electronic communications legislation):
– Transparency: having a GDPR-compliant customer privacy notice.
– Cookies: complying with the consent and transparency requirements specific to using cookies.
– E-mail marketing: complying with the requirement for GDPR-standard consent.
– Online advertising: reliance on online profiling or targeted advertising techniques which increasingly come under the scrutiny of data privacy regulators.
– Contracts: making sure that your terms and conditions of sale work properly in the online environment.
Before the pandemic took hold, we knew the following:
– The majority of fines handed down by the ICO (the UK data privacy regulator) to date relate to non-compliant electronic marketing;
– Organisations’ use of online profiling and targeted advertising techniques is a significant target on the ICO’s enforcement radar.
In response to the pandemic, the ICO has clarified that its position is “business as usual” (which is not surprising, given that most investigations carried out by the ICO are documentary only), but that it will adopt a flexible and pragmatic approach as appropriate in the circumstances. After several conversations with ICO caseworker contacts, we understand that, in practice, this means:
– If you had good e-privacy compliance measures in place but breach e-privacy law for a reason specifically arising from the pandemic, you are unlikely to be fined.
– If you breach e-privacy law because the pandemic exposes pre-existing bad compliance practice, then you are more likely to be fined (and less likely to gain the benefit of ICO leniency in the current circumstances, even if the consequences are made more severe by the pandemic).
Please note that fines are not the only risk in the circumstances. Even if your breach of e-privacy law is not particularly severe, the ICO can take other enforcement action such as ordering you to stop carrying out the relevant online sales or electronic marketing activities until you have remedied the breach in question. The resulting delay may help your competitors steal a march in a rapidly evolving market with limited opportunities.
We understand that your priorities might be stretched right now and that we need to help each other out, where possible. We are therefore pleased to offer two e-privacy compliance packages designed to help clients in the wake of the pandemic:
PACKAGE 1: WEBSITE COMPLIANCE
We will draft or review and amend your:
– online customer privacy notice;
– cookie notice and consent collection statement and mechanism;
– e-mail marketing consent collection statement and mechanism.
We will also review your terms and conditions and contract processes and make recommendations to improve them if necessary.
In addition, we will provide covering advice which will enable you to explain the actions taken in response to typical questions asked by the ICO.
PACKAGE 2: TARGETED ONLINE ADVERTISING
We will provide:
– advice which explains the legal position under which you are lawfully entitled to carry out online advertising; and
– a bespoke legitimate interests assessment (which the ICO considers a bare minimum requirement to lawfully carry out online targeted advertising).
Should you be investigated by the ICO after a breach of e-privacy law, these documents will enable you to show that you have considered applicable e-privacy obligations and risks in requisite detail and taken mitigating action in response (in the level of detail which the ICO would expect to see).
To talk through how we can help, get in touch with Priya Thapar on +44 (0)20 3691 2063 or email firstname.lastname@example.org