Shoosmiths LLP
  October 2, 2024 - Milton Keynes, England

ChatGPT v Lawyer: who knows UK marketing rules better?
  by Shoosmiths LLP

Given the increasing use of GenAI to assist businesses with answering legal queries, we wanted to see if ChatGPT can explain the rules around obtaining retrospective consent for electronic direct marketing in the UK.

Electronic direct marketing (i.e. email and SMS) to individual consumers is a vital element of many businesses, particularly in the retail sector. Despite its importance, it remains an area of law where businesses of all sizes continue to make critical mistakes, especially around obtaining retrospective consent (i.e. obtaining consent from an individual after their contact details have already been collected). The issue of obtaining valid consent from individuals has been increasingly on the radar of the Information Commissioner’s Office (ICO), which makes this a growing risk area for businesses.

ChatGPT’s Answer:

“In the UK, obtaining retrospective consent for electronic direct marketing must be handled carefully to comply with regulations like the GDPR and the UK Data Protection Act 2018.

To obtain retrospective consent:

  1. Review Data Collection: Confirm whether the original data collection covered direct marketing. If not, stop marketing until consent is obtained.
  2. Request Consent: Notify individuals that you’ve been contacting them without explicit consent and ask for their permission. Be transparent about how their data has been used and will be used in the future.
  3. Emphasise Benefits: Clearly explain the benefits of staying connected, such as exclusive offers or useful updates, and reassure them that consent is voluntary and can be withdrawn at any time.
  4. Simplify Consent: Provide an easy method for individuals to give or withdraw consent, like a one-click option in an email.
  5. Document Compliance: Keep detailed records of how and when consent was obtained to demonstrate compliance with UK regulations.
  6. Respect Opt-Outs: Honor any opt-out requests immediately and ensure that those who don’t respond are not contacted again without proper consent.

This approach ensures compliance with UK laws while maintaining customer trust.”

How did ChatGPT do?

Below is a breakdown of ‘the Good, the Bad and the Ugly’ of ChatGPT’s response.

The Good

(i) The Privacy and Electronic Communications Regulations 2003 (“PECRs”) require consent from the individual subscriber for electronic direct marketing. As there is no definition of consent given in the PECRs, the UK GDPR’s definition of consent applies, which states that consent must be unambiguous, informed, specific and freely given. Although ChatGPT did not cover the entire test for valid consent (see the ‘Bad’ below for what it missed), we can see that it has identified the need for consent to be informed, specific and freely given in Steps 2, 3 and 4 of its answer.

(ii) The UK GDPR adds further conditions on businesses once they have obtained valid consent, which include keeping records to demonstrate / manage consent (consent does not last forever and must be renewed at appropriate regular intervals) and the right to withdraw consent (and for it to be respected) as easily as it was given and at any time (e.g. a one-click unsubscribe option on each marketing message). ChatGPT was able to correctly identify these requirements in Steps 4, 5 and 6 of its answer.

The Bad

(i) As set out above, for consent to be valid under the UK GDPR it needs to be unambiguous, which means there should be clear affirmative action from the individual subscriber consenting to receiving the electronic direct marketing (e.g. ‘opt-in’ box). ChatGPT failed in its answer to explain that the consent must involve a positive act and not rely on implied consent or ‘opt-out’ consent (e.g. pre-ticked boxes).

The Ugly

(i) ChatGPT’s suggestion at Step 2 of its answer to send an individual a request for consent to future electronic direct marketing (even if you set out the benefits of consenting) is in itself electronic direct marketing. In 2017, the ICO issued fines totalling £83,000 for emails sent to customers to obtain consent to future marketing messages. The ICO found that two household names violated the PECRs, and it was concluded that businesses cannot send an email to an individual seeking consent for future marketing messages, as that very email is considered an electronic direct marketing communication, necessitating prior consent. The Head of Enforcement of the ICO at the time said, “sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law.”

Why it matters

The use of GenAI, such as ChatGPT, is becoming more integrated into the day-to-day operations of many businesses (for example, Shoosmiths is trialling Microsoft 365 Copilot). There are clearly a number of invaluable uses of this technology to streamline work patterns. However, relying on GenAI for your legal and regulatory advice is not recommended and could result in serious mistakes that could land your business in hot water.




Read full article at: https://www.shoosmiths.com/insights/articles/chatgpt-v-lawyer-who-knows-uk-marketing-rules-better