Media and Technology

Personal data use in marketing: a changing landscape
23 January, 2017

The past few years have seen a crackdown from the Information Commissioners’ Office (ICO) on the use of personal data by organisations in relation to their marketing communications. Most recently, British Heart Foundation (BHF) and the RSPCA were investigated and fined for “wealth screening” their donors – piecing together donors’ information from other sources and trading donor data with other organisations. These fines are part of a wider movement in this area, putting greater demands on organisations which process individuals’ data, and this looks set to continue with the introduction of further regulation coming in next Spring in the form of the General Data Protection Regulation (GDPR).


Practices under scrutiny


In the most recent case, the ICO identified three practices by BHF and the RSPCA which breached data protection rules.


The first of these, “wealth screening”, involved the charities hiring wealth management companies to analyse their donors’ personal data, and data from other sources, to try to ascertain how much money they might be persuaded to give. The charities did not make the donors aware that they were doing this or obtain the donors’ consent to use their personal data in this way.


The second, “data and tele-matching”, involved the charities employing companies to use donors’ data to discover additional personal information about them. For example, they might use contact information provided by a donor such as a telephone number to discover further information such as their email or postal address, in order that they could contact them through further channels.


Finally, both the RSPCA and BHF took part in a scheme called Reciprocate, in which they shared their donors’ personal data with other charities in the scheme in order to identify possible future donors. This involved the disclosure by charities of millions of donors’ data. In the data collection process, both charities offered their donors the opportunity to opt out of their data being shared with “similar organisations”, which the ICO ruled was not sufficient to constitute valid consent, particularly as the scheme included such a broad range of charities that donor data was shared between considerably different organisations. Moreover, it was later discovered that the RSPCA had shared donors’ data even where they had asked to opt out of their data being shared.


All three of these practices are common in the charity sector and others, and both charities appeared to express surprise that their practices were illegal. That they were investigated and fined for practices they did not see as problematic demonstrates the importance of maintaining an awareness of new regulation in this area as well as the ICO’s guidance and views, especially when, as now, the laws are getting tougher all the time.


An increasingly demanding regulatory regime


The above case follows in the same direction of travel as a decision last year, in which the First-tier Tribunal ruled that Thomas Cook had not obtained valid consent to pass on its marketing recipients’ data to Optical Express. This meant that when Optical Express sent those recipients its own marketing texts, it breached the Privacy and Electronic Communications Regulations (PCRs). In order for consent to be valid, the Tribunal ruled, the recipient must freely give a specific and informed indication of their wishes. They must be made aware of who is going to process their data, what it will be processed for and anything else necessary to ensure it is processed fairly. Because Thomas Cook did not tell its recipients that their data would be processed by Optical Express or specify what products would be marketed to them, they did not obtain sufficient consent and breached Regulation 22(2) of the PCRs.


The Optical Express ruling followed the ICO’s new guidance for direct marketing, published in 2016, which strongly advises against the use of general opt-in consents to third party marketing communications. Under this guidance, a consumer ticking a box stating, for example, “Tick here to confirm that you are happy to receive marketing emails or texts from selected third parties” is unlikely to be considered valid consent. Further, even where consent is freely and properly given, it is likely to remain valid for only six months.


The ICO’s guidance makes it clear that where organisations receive an individual’s contact details from a third party (as Optical Express did from Thomas Cook and as the RSPCA and BHF did from the other organisations in the Reciprocate scheme), those recipient organisations must carry out rigorous checks before relying on the indirect consent (i.e. consent originally given to a third party).


The guidance goes on to state that indirect consent is highly unlikely to be valid for calls, texts or emails and that whilst the use of bought-in marketing lists is not banned, organisations must take steps to ensure the list was compiled fairly and accurately reflects peoples’ wishes. In most cases this will require each recipient organisation to be individually named as a recipient of the data or to fall within a precisely defined category of organisation with whom the data will be shared, for example by using the following wording “Tick here to confirm that you are happy for us to share your information with [name of charity] / [other animal welfare charities operating in the UK] and to receive marketing emails or texts from such charities”.


Tougher laws to come


The direction of the law, moving towards tougher rules for companies who process personal data and higher fines for those that fail to comply, is set to continue over the next few years. In particular, a new EU data protection framework has now been agreed and adopted in the form of the General Data Protection Regulation (GDPR), which will come into force on 25 May 2018. This law unifies European data protection regulations, creating a tougher regime overall and one that applies to all companies targeting consumers in the EU, including those based outside the EU.


Going forward, all companies which control or process personal data in relation to offering goods or services in the EU will be subject to the GDPR, and may need to appoint a representative in the EU. The GDPR requires such companies to demonstrate their compliance through maintaining records, conducting impact assessments on their processing and actively integrating data protection measures with their business processes. Importantly, their obligations to provide information to data subjects will become more onerous; in particular, companies will be required to inform individuals of their ability to withdraw their consent and for how long they will store their data.


In view of the recent cases above and the tighter regulations to come, companies should review their current data protection policies and marketing practices as a matter of priority to ensure they are prepared for the coming changes, and in particular ensure they have individuals’ fully informed and freely given consent before they use personal data for marketing.


For further information about marketing or any issue relating to data protection, please contact Kathryn Rogers on or +44 (0)1892 506 147  or Elliot Fry on or +44 (0)1732 224 034.



Prices – new guidance on sales, promotions and price comparisons
12 January, 2017

On-line and bricks and mortar retailers need to ensure they comply with laws regulating how you can display your prices.  The Trading Standards Institute has released some new guidance for traders on pricing practices, giving some good examples of what retailers need to consider in relation to pricing.  The law on this hasn’t changed, but the guidance is useful for businesses who supply to consumers, and includes advice on using reference pricing, time limited offers, additional charges, RRP comparisons and “up to” and “from” offers amongst others, as well as some useful checklists and tips.  As Trading Standards enforces the relevant regulations within the UK, understanding their view on how the rules should be interpreted is helpful.


The guidance (available here) also emphasizes the importance of keeping evidence to justify your pricing practices – including text messages to show how prices are communicated, records of stock levels during price promotion periods, and details of your competitor’s prices if you are comparing these to your own.


For more information on pricing or any other aspect of consumer law, please contact  Kathryn Rogers on +44 (0)1892 506 147 or



Providing free WiFi to customers: what are the risks?
10 January, 2017

Providing free WiFi access is a popular and low-cost way to attract customers, and is becoming increasingly widespread (and indeed is often expected by customers) in cafés, hotels and other business outlets open to the public. While this is generally a good business strategy it can pose an element of risk, as the business providing internet access often has little or no control over what users do on its network. Users may, for instance, download or upload illegal or infringing content. Infringement of others’ intellectual property (IP) rights is particularly common online, and can happen without even the user himself being aware of it.


As this is a relatively recent phenomenon, it has not always been clear where the liability for such infringements lies. Aggrieved owners of IP in online content may be tempted to take action against businesses providing the internet access concerned, as they tend to be more easily identifiable and have deeper pockets than the individuals who actually committed the infringement. But can a business really be asked to compensate IP owners for infringements that it was not directly involved in, and often not even aware of?


Liability for IP infringements by retailers


Some light has been thrown on the issue by the recent case McFadden v Sony[1], which ruled that businesses which offer free internet access to the public are not liable for infringements of IP rights committed by their network’s users. McFadden, a German sound system and lighting retailer, offered a free and unsecure WiFi service to customers, but also to nearby residents and customers of other local businesses in a bid to attract more people to his shop. In 2010, someone made use of his network to illegally download a song, the rights to which were owned by Sony.


The Court held that while IP owners may issue an injunction against the business to force them to stop the infringement going forward, they would not usually be able to claim compensation for the infringement itself or require the business to terminate its internet connection, provided the business acts as a “mere conduit” of the infringing content.


The “mere conduit” defence


In this situation, a business providing WiFi acts as an intermediary between its customers and the websites they access. Provided the business complies with the E-Commerce Directive, it will not be liable for any material where it acts as a “mere conduit”. The E- Commerce Directive requires the following three conditions to be satisfied: (i) the provider of the service must not have initiated the illicit transmission; (ii) it must not have selected the recipient of the illicit transmission; and (iii) it must neither have selected nor modified the information contained in the illicit transmission. A business acts as a mere conduit when it provides nothing more than access to a communication network.


This defence meant that Sony could not claim compensation from McFadden for any infringement by its users. Further, the court clarified that network access providers are not obliged in general to monitor their internet network for any illegal activity that may take place, although they might be required, as a result of the injunction, to password-protect their internet service in order to identify any users who do commit such infringements.


Practical steps


This case is a step in the right direction for businesses providing WiFi access to customers, as it reassures them that they may continue to do so without risking liability for IP infringements by their users.


However, despite the acknowledgement by the court that monitoring is not required, providers of free WiFi should still take measures to make it difficult for their users to infringe others’ IP rights, and to make users who do so identifiable. For instance, they might place limits on the amount of data users can upload or download on the WiFi they provide, and require users to give details such as an email address and password before allowing access to the network.


Businesses need to ensure all relevant agreements give them proper protection on this issue. Appropriate terms on liability and compensation should be sought in premises leases, service supplier contracts and WiFi terms of use.  This, in combination with the above measures, should help protect businesses from liability in the event of IP infringements by their users.


For more information about e-commerce, internet law or any aspect of intellectual property law, please contact Elliot Fry on +44 (0)1732 224 034 or


[1] McFadden v Sony Music Entertainment Germany GmbH, Case C-484/14, 15 September 2016 (Bailii)

Thinking of linking? Check first – the legality of hyperlinking.
5 January, 2017

The result of recent cases[1] mean that before posting a hyperlink, businesses may need to check if the site to which they are linking contains content which is freely available.  If in connection with your business you are linking to a site which hosts pictures or other content which has been reproduced without consent from the original owner, you could face an injunction requiring you to withdraw the link, and have to pay the owner’s legal costs in bringing the injunctive action (which may be quite considerable).


Hyperlinking is an integral part of how the internet works, but there is a conflict between maintaining the openness of the web on the one hand, and protecting the interests of copyright owners on the other. The European courts in particular have been grappling with getting the balance right.


One of the key legal questions has been whether hyperlinking constitutes a “communication to the public”. EU law[2] provides that authors (copyright owners) should have the exclusive right to control the communication of their works to the public.  The “second hand” nature of linking means that the content has often already been communicated to the public, or a section of the public at least, but a hyperlink may communicate it to a new section of the public, and potentially much more widely.


Linking to “Free” Content


The first big case on hyperlinking heard before the European Court was Svensson[3].  The Court in Svensson held that hyperlinking to content that is already freely and lawfully available online (“everyday hyperlinking”) would not usually be a communication to the public, so could be freely done.  The subsequent case of Bestwater[4] case held this was also the case for framing and embedded video.  However, in the TVCatch Up case[5] the court subsequently found that re-streaming TV programmes over the internet, when those programmes had previously been freely aired on terrestrial TV, was a breach of copyright on the basis that the difference in the method of distribution (terrestrial TV  as opposed to internet) meant the streaming constituted a communication to a new public.


The question still remains as to what the position would be where, for example, the link provides free access to content on a site which usually charges a fee for access to it or usually restricts access to the content to non-commercial use only.


Linking to restricted content


The latest case, GS Media v Sanoma, considered the situation where the hyperlink was to content which had been put there illegally (without the consent of the rights holder).


GS Media published a report on its Dutch news/gossip website which linked through a file sharing site to photos of a Dutch TV personality that had been taken for Playboy by Sanoma, before Sanoma had published the photographs itself. Although the pictures were freely available on the file sharing website, they were on that site without the consent of the copyright holder, Sanoma.  The photos had already been removed from 2 previous file sharing websites, but GS Media had re-linked to the new sites on which they appeared. 


The European Court (the CJEU) decided in favour of the rights holder, Sanoma, and made GS Media take down the link. The conclusion of the court was that linking to the photos was a communication to the public in breach of copyright because GS Media had posted the link in pursuit of financial gain.  This “pursuit of financial gain” created a rebuttable presumption (meaning they would be allowed to produce evidence to prove otherwise) that GS Media had undertaken the necessary checks to ensure that the content had not been illegally published on the website and therefore in publishing had acted in full knowledge that the rights holder may not have consented to the publication of the works.  Unhelpfully, “financial gain” was not defined in the decision but is likely to include indirectly making a business more attractive, not just directly generating money for example through advertising.


Carrying out “necessary checks” may be difficult for publishers, when one considers the number of articles that are published each day on the internet, and the links each article may contain, it would be impossible to expect publishers to check all of the content to which they are linking.  Also, the court did not set out exactly what the “necessary checks” would entail.


Publishers need to be aware of the potential risks of hyperlinking, and consider the way they link, particularly to content owned by those willing to put up a fight. The safest option, if possible, may be to try to get consent from the rights-holder or collecting society.


For further information on hyperlinking or any aspect of copyright, media or internet law, please contact Harry Partridge on or +44 (0)1732 224 092.


[1] Such as GS Media BV v Sanoma Media Netherlands BV (C-160/15) EU:C:2016:644

[2] Article 3(1) Copyright Directive (2001/29/EC) and Section 16, Copyright, Designs and Patents Act 1988

[3] Svensson and others v Retriever Sverige AB (Case C-466/12) [2014] Bus LR 259

[4]  BestWater International [2014] EUECJ C-348/13_CO

[5] ITV v TVCatchup [2013] (Case C-607/11) [2013] Bus LR 1020

1 2 3 16