Guerin Media Limited, a marketing and advertising company, was reported for sending unsolicited emails to people with whom it had never had any previous dealings and from whom it had not obtained consent. Additionally, Guerin did not provide an “Opt-Out” mechanism in the said emails and ignored requests from people who asked to be removed from the marketing list. In one case, nine marketing emails were sent to an individual’s email address after he had sent an email request to Guerin to remove his email address from its mailing list. This case revolves around 2 key principles of data protection, that is, consent and the right to withdraw consent.
a) Consent
Consent means an express, direct, unequivocal and specific agreement to the processing of personal data. Section 30 of the Data Protection Act prohibits any person or company from processing personal data without the consent of the data subject (that is, a natural person who is the subject of personal data). That means that you need to have provided your personal information (email address, mobile number, etc.) to a company, and you need to have consented to the company contacting you or processing your information for a specific purpose. In the case of Guerin, investigations revealed that Guerin did not have consent from anyone it sent the unsolicited emails to. In fact, Guerin had received complaints from many other people but failed to correct the breach.
b) Right to Withdraw Consent
Section 32 of the Data Protection Act provides that a person shall have the right to withdraw consent at any time. That means the company sending messages should provide a mechanism for withdrawing consent. In most cases, an “Unsubscribe” button is provided at the bottom of the email. The company should also allow data subjects to send it emails or messages withdrawing their consent. In the case of Guerin, the emails in question did not contain an opt-out mechanism.
So what does this mean?
1. Data controllers and data processors should always obtain consent from data subjects.
2. All marketing communications should contain opt-out mechanisms.
3. Data subjects can withdraw their consent at any time.
4. Data subjects have the right to sue data controllers and processors should they send them marketing messages without their consent.