Over the past 12 months, the ICO has developed a significant approach on the use of affiliate marketing and the applicability of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
In November 2016 the ICO undertook a review of the use of affiliate marketing in the gaming industry . When writing to affiliate marketers the ICO clearly described how it viewed the affiliates’ role:
“The ICO’s opinion is that where and affiliate sends an SMS on the half of or promoting the website of, a gaming company, then that affiliate is the sender of that communication and must comply with regulations 22 and 23 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.” 
Article 22 of the PECR states:
22 (1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers.
22 (2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.
I have emphasised the word instigate in 22(2) because it is the interpretation of this word that is important in this matter. In November 2016 in the press release announcing the Monetary Penalty Notices (MPNs) issued to Silver City Tech Ltd and Oracle Insurance Brokers Ltd the ICO stated:
“Affiliate firms are like postmen, delivering the message. It’s the people behind the message whose job it is to make sure it complies with the law. They must make rigorous checks to ensure the rules have been followed.” 
The ICO’s position appears to be that the affiliate is the transmitter (sender) of a communication but that that the beneficiary is the instigator of the transmission of a communication. Potentially leaving both the instigator and sender of an electronic marketing communication open to enforcement action.
This analysis is further backed up by the MPN  and Enforcement Notice  issued to Vanquis Bank Limited (VBL) in October 2017 where the ICO clearly states that the beneficiary of the affiliate marketing company’s activity is the instigator of the communication, and therefore has an obligation to comply with PECR Article 22.
Whilst VBL did not send the emails itself, it contracted with the third party affiliates to send the messages on its behalf. The aim of the messages was to promote VBL credit cards. The Commissioner is therefore satisfied that VBL was the instigator of the direct marketing email messages. 
As the instigator of the direct marketing e-mail messages, it was the responsibility of VBL to ensure that valid consent to send those messages had been acquired. 
My view is that the ICO is using the ambiguity in PECR to ensure that companies cannot just pass the blame for inappropriate marketing by determining a relationship as affiliate marketing where the relationship is more correctly described as a postman paid by results. The ICO’s position is that this type of affiliate relationship is essentially the same as a contract with a mailing house to deliver a company’s marketing message – a relationship where the company benefiting from the marketing would be wholly responsible for compliance with PECR and making sure it had consent from the recipients of the electronic marketing message. The fact that a third party’s reward is based on results rather than a fixed fee for sending messages is immaterial in the ICO’s view.
Although an affiliate marketer is a data controller in its own right – and in PECR terms the sender of the message – identifying the beneficiary of the activity as the instigator of the marketing message allows the ICO to use PECR (not the DPA) to target known brands with a reputation to protect, and companies with more positive balance sheets than affiliate marketers. I suspect this is a calculated move as the ICO has determined that targeting the beneficial initiators will be a more successful enforcement strategy.
The ICO’s test therefore will be the degree to which the affiliate appears to be a reward-based postman or an independent company that also promotes other companies’ products/services alongside their own. I suggest that this assessment would look at the arrangement the benefitting company has with the affiliate and to what degree it has control over the volume of email sent, the format, targeting and language used in the message.
It is possible that the ICO’s approach based on the interpretation of instigator in this way would be open to challenge at the Information Tribunal, however none of the parties that have been subject to this interpretation have yet appealed.
- https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/11/ico-cracks-down-on-use-of-personal-data-in-online-gambling-sector/ | 10 November 2016
- ICO letter to gaming companies, revealed in Disclosure IRQ0662096 https://ico.org.uk/media/about-the-ico/disclosure-log/2014334/irq0662096-attachment.pdf | 23 January 2017
- https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/11/firms-behind-millions-of-spam-texts-about-loans-hit-with-ico-fines/ | 29 November 2016
- https://ico.org.uk/media/action-weve-taken/mpns/2172482/vanquis-bank-ltd-mpn.pdf |
4 October 2017
- https://ico.org.uk/media/action-weve-taken/enforcement-notices/2172481/vanquis-bank-ltd-enforcement-notice.pdf |4 October 2017
- VBL MPN (n4) paragraph 44, and VBL EN (n5) paragraph 13
- VBL MPN (n4) paragraph 45, and VBL EN (n5) paragraph 14