The Fundraising Regulator has reported 59 charities to the ICO for failure to comply with the Fundraising Preference Service (the FPS) and named them on its website.
In an effort to strongly encourage charities to comply with the FPS, the Fundraising Regulator has taken the steps of reporting 59 charities that have failed to comply with the FPS to the Information Commissioner’s Office (the ICO), the UK’s regulator of information rights, and also publicly naming those charities on its website.
Each of the charities named had previously received multiple notifications from the Fundraising Regulator, including a letter to their Chief Executives.
What is the Fundraising Preference Service?
The FPS was introduced in 2017 to allow individuals to control the types of direct marketing they receive from charities in light of concerns about direct marketing practices within the charity sector and the impact these were having on vulnerable individuals.
Gerald Oppenheim, Chief Executive of the Fundraising Regulator, has said: “The FPS is an important tool in helping to rebuild trust between members of the public, particularly those who are vulnerable, and the charity sector. Charities that fail to respect requests made by the public to stop unwanted communication risk damaging the good work done by the rest of the sector.”
The FPS allows individuals to notify charities that they do not wish to receive marketing from them, either in a particular form (e.g. no phone calls or emails) or at all. Since its introduction, 8,300 individuals have submitted over 25,000 requests to opt out of receiving marketing from charities.
If an individual registers with the FPS and indicates that they do not wish to receive marketing communications from a selected charity or charities, the FPS will send a notification to the selected charity or charities to let them know that a request has been received and that they will need to log into the FPS system to collect it. We note that the request will not be sent to a charity directly, and the charity has 21 days from the date of the FPS notification to retrieve the request and to action it. (Note: the time limit was reduced on 1 March 2019 from 28 days to 21 days).
The 59 charities that have been reported to the ICO had each received multiple notifications from the FPS between 6 July 2017 and 12 December 2018. However, as they failed to log into the FPS to collect their requests, they did not take any steps to action them. In addition, each of those charities received requests from the Fundraising Regulator to explain why they have failed to comply with the FPS, and final warning letters were sent to the Chief Executive of each of those charities. The Fundraising Regulator then decided to refer those charities to the ICO in March 2019 and to publicly name them in an effort to make them take notice and comply with their obligations.
What steps can the ICO take?
Failing to comply with requests under FPS can amount to a breach of the General Data Protection Regulation (GDPR) and/or the Privacy and Electronic Communication Regulations (PECR). The ICO has a host of enforcement powers it can deploy. In the most serious cases, the ICO can impose fines of up to €20m (or 4% of global group turnover if that is higher) for a breach of GDPR and of £500,000 for a breach of PECR. Note that, under PECR, the ICO may hold individual directors and officers liable for the full value of the fine.
Stephen Eckersley, Director of Investigations at the ICO has said: “Charities that ignore the Fundraising Preference Service run the real risk of causing distress and offence to people who just don’t want to receive their marketing communications.”
“The ICO has written to these charities to remind them they must act lawfully and responsibly in protecting people’s personal data, and in how they communicate with them. Our advice for charities is clear: they must not contact people registered on the FPS and, where we see this happening, we will investigate and take enforcement action where necessary.”
The rules under GDPR and PECR
Under PECR, if an organisation is sending direct marketing to individuals by electronic means (e.g. email or text), the organisation must have consent to do so and allow individuals to withdraw consent at any time. A request by an individual via the FPS to opt out of receiving marketing is a clear withdrawal of consent, and an organisation continuing to send marketing materials to that individual after a request has been made is, therefore, a breach of PECR and GDPR.
PECR does not require that an organisation have consent for non-electronic forms of communication (e.g. post and telephone). Instead, you may rely on legitimate interests if you have carried out a legitimate interest assessment balancing your legitimate interest in sending marketing material to individuals against the impact on the rights and freedoms of those individuals. However, even where you are relying on legitimate interests, you must respect the fact that individuals are entitled to object to their personal data being used for direct marketing purposes by giving them an easy way to opt out of receiving such communications. The Code of Fundraising Practice also contains explicit requirements regarding the right to opt out.
If an individual has registered with the FPS (or with the Telephone Preference Service (TPS) or Mail Preference Service (MPS)), this counts as a general opt out and you must cease to send such communications immediately.
The ICO has written to each of the charities reported to remind them of their obligations. However, the updated list from the Fundraising Regulator shows that, as at 1 April 2019, 42 charities have still not logged into the FPS leaving a total of 93 requests outstanding. Those charities should act on the communications they have received from the Fundraising Regulator and the ICO swiftly to avoid enforcement action by the ICO.
The Fundraising Regulator has said it will continue to update the list of those charities that fail to comply with the FPS on a monthly basis.
If you would like to speak about your organisation’s marketing practices or if you have a data protection query, please do not hesitate to get in touch with Kitty Rosser or a member of Birketts’ Data Protection Team.
This article is from the April 2019 issue of Essential Trustee, our newsletter for charity trustees and senior management. To download the latest issue, please visit the newsletter section of our website. Law covered as at April 2019.
To keep up-to-date with the latest news, legal updates and seminar information, please register and select the areas that are of interest to you.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at March 2019.