Drafting of the draft Guidance on Direct Marketing, in respect of permission to send emails

The request was successful.

Madeline Bowles

Dear Information Commissioner's Office,

In the draft code of practice on Direct Marketing at https://ico.org.uk/media/about-the-ico/c..., the final sentence of the second paragraph of page 62 asserts that consent to send direct marketing emails is specific to a particular email address.

Para 22(2) of the PECR refers only to the "recipient of the electronic mail" and not the email address itself.

In an earlier FOI request to you I asked for detail of any legal opinion or advice you had received in respect of PECR in the last five years. You refused that request on the grounds that it would have taken too long to extract the information, if it exists.

You also, earlier, refused a more general request asking for the legal basis for the assertion made in the guidance. This was refused on the basis that the FOIA provides a facility for information to be disclosed, and my request was not a request for information.

This, then, is a much more specific request.

Please provide copies of any meeting notes, pre-publication drafts of the draft guidance (with "track change" style or similar comments where available) or correspondence which were produced by the officer or officers responsible for, or involved with, the production of the draft guidance specifically where those notes or pre-publication drafts or correspondence relate to the second paragraph on page 62 of the guidance which begins "You cannot assume that an individual..."

Yours faithfully,

Madeline Bowles

Information Access Inbox, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit:

[1]https://ico.org.uk/about-the-ico/our-inf...

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days. 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

For information about what we do with personal data see our [2]privacy
notice.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found
[3]here.

Twitter

Find us on Twitter [4]here.

 

References

Visible links
1. https://ico.org.uk/about-the-ico/our-inf...
2. https://ico.org.uk/global/privacy-notice/
3. https://ico.org.uk/about-the-ico/news-an...
4. http://www.twitter.com/ICOnews

ICO Casework, Information Commissioner's Office

19 May 2020

Our reference: IC-40394-M0S2 

Dear Madeline Bowles

Thank you for your email of 2 April 2020. This contained a request for
information and was passed to the ICO’s information access team.

Under statutory timeframes our response to your request was due by 5 May
2020. We are sorry that we have not been able to respond to your request
within these timeframes, this is due to the current situation regarding
the COVID-19 pandemic.  We apologise for this but during this pandemic
period, we have put arrangements in place to protect our staff and others
from the potential spread of Coronavirus (COVID -19).

We are continuing to work on your request and will respond as soon as
practically possible.

Next steps

If you wish to raise a complaint about the time we have taken to respond
to your information request, this can be sent to this office as the
statutory complaint handler. Please refer to our website at:
[1]https://ico.org.uk/make-a-complaint/

Please note that when considering complaints, we will take into account
any extraordinary circumstances which mean resources have been diverted. 

Our privacy notice explains what we do with the personal data you provide
to us and what your rights are, with a specific entry, for example, for an
information requester. Our retention policy can be found here.

Yours sincerely,

Alexis Karlsson-Jones  
Lead Information Access Officer
Information Commissioner’s Office 
0330 313 1886 

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0303 123 1113 [2]ico.org.uk [3]twitter.com/iconews
Please consider the environment before printing this email

Please be aware we are often asked for copies of the correspondence we
exchange with third parties. We are subject to all of the laws we deal
with, including the data protection laws and the Freedom of Information
Act 2000. You can read about these on our website ([4]www.ico.org.uk).
Please say whether you consider any of the information you send us is
confidential. You should also say why. We will withhold information where
there is a good reason to do so.
For information about what we do with personal data see our privacy notice
at [5]www.ico.org.uk/privacy-notice
 

References

Visible links
1. https://ico.org.uk/make-a-complaint/
2. https://ico.org.uk/
3. https://twitter.com/iconews
4. https://www.ico.org.uk/
5. https://www.ico.org.uk/privacy-notice

Dear Information Commissioner's Office,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Information Commissioner's Office's handling of my FOI request 'Drafting of the draft Guidance on Direct Marketing, in respect of permission to send emails'.

I am aware that Covid has slowed things down but this is now nearly 5 months late.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/d...

Yours faithfully,

Madeline Bowles

icoaccessinformation, Information Commissioner's Office

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit:

[1]https://ico.org.uk/about-the-ico/our-inf...

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days. 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

For information about what we do with personal data see our [2]privacy
notice.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found
[3]here.

Twitter

Find us on Twitter [4]here.

 

References

Visible links
1. https://ico.org.uk/about-the-ico/our-inf...
2. https://ico.org.uk/global/privacy-notice/
3. https://ico.org.uk/about-the-ico/news-an...
4. http://www.twitter.com/ICOnews

ICO Casework, Information Commissioner's Office

2 Attachments

11 November 2020

Our reference: IC-40394-M0S2
Dear Madeline Bowles

Please find attached a copy of my response to your request for information
and a further attachment with the information in scope of your request.  

Yours sincerely,

Alexis Karlsson-Jones 
Senior Information Access Officer
Information Commissioner’s Office 
0330 313 1886

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire SK9 5AF
T. 0303 123 1113 [1]ico.org.uk [2]twitter.com/iconews
Please consider the environment before printing this email
Please be aware we are often asked for copies of the correspondence we
exchange with third parties. We are subject to all of the laws we deal
with, including the data protection laws and the Freedom of Information
Act 2000. You can read about these on our website ([3]www.ico.org.uk).
Please say whether you consider any of the information you send us is
confidential. You should also say why. We will withhold information where
there is a good reason to do so.
For information about what we do with personal data see our privacy notice
at [4]www.ico.org.uk/privacy-notice

References

Visible links
1. https://ico.org.uk/
2. https://twitter.com/iconews
3. https://www.ico.org.uk/
4. https://www.ico.org.uk/privacy-notice

Dear Ms Karlsson-Jones

Thank you for your reply. This answer, together with those to my earlier requests on this matter, appear to demonstrate that ICO has no particular legal advice or other basis for arguing that consent is specific to any given email address, as opposed to consent to email generally. So that if an organisation asked someone it corresponds with "are you happy to hear from us by email?" such a request, if met with an affirmative response, is not limited to the email address from which that response it was sent, or any other specific email address. I recognise that your own role is not to offer guidance on this matter.

I am happy to confirm that I no longer require a review of this case since I now have an answer.

Yours sincerely,

Madeline Bowles

icocasework, Information Commissioner's Office

To read this email in English click [1]here

I darllen yr ebost yn y Gymraeg, cliciwch [2]yma

Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence. During the Coronavirus
pandemic, please see our [3]website for updates on the service you can
expect from us during this time.  You can also call us on 0303 123 1113 or
contact us via live chat. 

 
If you have asked us for advice - we will respond within 14 days. While
you wait, you should regularly check our [4]website for relevant
guidance, as we are updating this all the time. You should also read our
[5]GDPR myth busting blogs. If you have raised a question that we have
answered on our website, we may respond by sending you a link to it.  But
we will do our best to provide you with the information you need.
 
If you have made a new complaint - we’re unlikely to look into it unless
you have raised it with the [6]responsible organisation (for a data
protection complaint) or the [7]responsible public authority (for a
freedom of information complaint) first. Please make sure you have sent
us a copy of their final response to you. We will assign your complaint to
a case officer as soon as we can, and they will contact you in due
course. 

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer. If you believe
we have either failed to take appropriate steps to respond to your data
protection complaint, or we do not provide you with information about the
progress or outcome of your complaint within the next three months, you
may be able to apply to the [8]First-tier Tribunal to require us to
respond to your complaint or to provide you with information about its
progress.
 
If you represent an organisation and you are reporting a personal data
breach under the GDPR or the Data Protection Act 2018 - we aim to contact
you within seven days to confirm receipt and to provide you with a case
reference number. If you want advice urgently, you should telephone our
helpline on 0303 123 1113. If we consider the incident is minor or you
have indicated that you do not consider it meets the threshold for
reporting, you may not receive a response from us, or we may respond by
sending you a link to the relevant part of our guidance. You can find out
more about [9]data breach reporting on our website.

Where a significant cyber incident occurs, you may also need to report
this to the National Cyber Security Centre (the NCSC). To help you decide,
you should read the NCSC’s guidance about their role and the type of
incidents that you should consider reporting.  

Incidents that might lead to a heightened risk of individuals being
affected by fraud, should be reported to Action Fraud – the UK’s national
fraud and cybercrime reporting centre. If your organisation is in
Scotland, then reports should be made to Police Scotland.

If you are a Communications Service Provider reporting a security breach
under the Privacy and Electronic Communications Regulations – you will
need to report the security breach via this [10]secure portal.

If you represent an organisation and are reporting a potential incident
under the NIS Directive - we will contact you as soon as we can. You can
find out more about the [11]NIS Regulations on our website.

If you represent an organisation and you are reporting a security breach
within the definition of the eIDAS regulation – we will contact you as
soon as we can. You can find out more about the [12]eIDAS regulation on
our website.

If you have reported spam email – we are unlikely to need to contact you
again, unless we need more information to help with our investigations. We
publish details about the [13]action we've taken on nuisance messages on
our website.
 
If you have asked for information you think we might hold - we will
contact you if we need any more information to help us respond. Otherwise,
we will respond within our [14]public and statutory service levels.
 
If you have only copied your correspondence to us - we will not respond.
 
There is more information on our [15]service standards and what to expect
webpage. You can also call 0303 123 1113. We welcome calls in Welsh on
0330 414 6421. You can also contact us on [16]live chat.
 
For information about what we do with personal data please see our
[17]privacy notice.
 
Yours sincerely
 
The Information Commissioner’s Office
 
Our newsletter
You can [18]sign up to our monthly e-newsletter
 
 
Pwnc: Mae’ch neges ebost wedi dod i law

Diolch yn fawr ichi am gysylltu â Swyddfa’r Comisiynydd Gwybodaeth. Yn
ystod y pandemig Coronafeirws, gweler [19]ein gwefan am ddiweddariadau ar
y gwasanaeth sydd ar gael i’r cyhoedd ar hyn o bryd. Hefyd, mae’n bosib
ein ffonio ar 0303 123 1113, neu gysylltu â ni trwy sgwrs fyw.

Os ydych wedi gofyn am gyngor – byddwn yn ymateb o fewn 14 diwrnod. Tra
byddwch yn aros, dylech edrych yn rheolaidd ar ein [20]gwefan i chwilio am
ganllawiau perthnasol, gan eu bod yn cael eu diweddaru drwy’r amser. Hefyd
dylech ddarllen ein [21]blogiau ynghylch mythau’r GDPR. Os ydych wedi codi
cwestiwn sydd wedi’i ateb ar ein gwefan, mae’n bosibl y byddwn yn ymateb
drwy anfon dolen atoch i gysylltu â’r ateb.  Ond fe wnawn ein gorau glas i
roi’r wybodaeth angenrheidiol ichi

Os ydych wedi gwneud cwyn newydd – dydyn ni ddim yn debygol o edrych i
mewn iddo oni bai eich bod wedi’i godi’n gyntaf gyda’r [22]sefydliad
cyfrifol (cwyn am ddiogelu data) neu’r [23]awdurdod cyhoeddus cyfrifol
(cwyn am ryddid gwybodaeth). Gofalwch eich bod wedi anfon copi aton ni o’u
hymateb terfynol ichi. Byddwn yn rhoi’ch achos i swyddog achosion cyn
gynted ag y gallwn, a bydd y swyddog yn cysylltu â chi maes o law.

Os yw’ch gohebiaeth yn ymwneud ag achos sydd eisoes yn bod - byddwn yn ei
hychwanegu at eich achos ac fe gaiff ei hystyried ar ôl cael ei dyrannu i
swyddog achosion. Os ydych yn credu ein bod ni naill ai wedi methu cymryd
camau priodol i ymateb i'ch cwyn diogelu data, neu heb ddarparu gwybodaeth
ichi am gynnydd neu ganlyniad eich cwyn o fewn y tri mis nesaf, efallai y
byddwch yn gallu gwneud cais i'r [24]Tribiwnlys Haen Gyntaf i’w gwneud yn
ofynnol inni ymateb i'ch cwyn neu ddarparu gwybodaeth ichi am gynnydd eich
cwyn.

 
Os ydych yn cynrychioli sefydliad a’ch bod yn rhoi gwybod am drosedd data
personol o dan y GDPR neu Ddeddf Diogelu Data 2018 – rydym yn anelu at
gysylltu â chi o fewn saith niwrnod calendr i gadarnhau bod eich neges
wedi dod i law ac i roi rhif cyfeirnod achos ichi. Os oes arnoch eisiau
cyngor ar frys, dylech ffonio’n llinell gymorth ar 0303 123 1113. Os ydym
o’r farn bod y digwyddiad yn un mân neu os ydych chi wedi nodi nad ydych
o’r farn bod y digwyddiad yn cyrraedd y trothwy i roi gwybod amdano, mae’n
bosibl na chewch ymateb gennym, neu efallai y byddwn yn ymateb drwy anfon
dolen atoch i gysylltu â’r rhan berthnasol o'n canllawiau. Cewch ragor o
wybodaeth am [25]roi gwybod am droseddau data ar ein gwefan.

Pan fo digwyddiad seibr arwyddocaol yn digwydd, mae’n bosibl y bydd angen
ichi roi gwybod amdano hefyd i’r Ganolfan Seiberddiogelwch Genedlaethol
(yr NCSC). I’ch helpu i benderfynu, dylech ddarllen canllawiau’r NCSC ar
eu rôl a’r math o ddigwyddiadau y dylech ystyried rhoi gwybod amdanyn nhw.

Dylai digwyddiadau a allai arwain at risg uwch y bydd twyll yn effeithio
ar unigolion gael eu cyfleu i Action Fraud – sef canolfan genedlaethol y
Deyrnas Unedig ar gyfer rhoi gwybod am dwyll a seiberdroseddau. Os yw eich
sefydliad yn yr Alban, yna i Heddlu’r Alban y dylech chi roi gwybod.

Os ydych yn Ddarparwr Gwasanaethau Cyfathrebu sy’n rhoi gwybod am dor
diogelwch o dan y Rheoliadau Preifatrwydd a Chyfathrebu Electronig – bydd
angen ichi roi gwybod am y tor diogelwch drwy’r [26]porth diogel hwn.

Os ydych yn cynrychioli sefydliad a’ch bod yn rhoi gwybod am ddigwyddiad
posibl o dan Gyfarwyddeb yr NIS – byddwn yn cysylltu â chi cyn gynted ag y
gallwn. Cewch ragor o wybodaeth am [27]Reoliadau’r NIS ar ein gwefan.

Os ydych yn cynrychioli sefydliad a’ch bod yn rhoi gwybod am dor diogelwch
o fewn y diffiniad yn Rheoliad eIDAS – byddwn yn cysylltu â chi cyn gynted
ag y gallwn. Cewch ragor o wybodaeth am [28]Reoliad eIDAS ar ein gwefan.

Os ydych wedi rhoi gwybod am ebost sbam – mae’n annhebygol y bydd angen
inni gysylltu â chi eto, oni bai bod arnon ni angen rhagor o wybodaeth i
helpu yn ein hymchwiliad. Rydym yn cyhoeddi gwybodaeth am [29]y camau
rydyn ni wedi’u cymryd ynghylch negeseuon niwsans ar ein gwefan.

Os ydych wedi gofyn am wybodaeth yr ydych yn credu ei bod gennyn ni –
byddwn yn cysylltu â chi os bydd arnom angen rhagor o wybodaeth i’n helpu
i ymateb. Fel arall, byddwn yn ymateb ichi o fewn ein [30]lefelau
gwasanaeth statudol a chyhoeddus. 

Os ydych wedi anfon copi o’ch gohebiaeth aton ni ond dim byd arall –
fyddwn ni ddim yn ymateb.

Mae rhagor o wybodaeth ar ein tudalen gwe [31]safonau gwasanaeth a beth
i’w ddisgwyl. Gallwch ffonio hefyd ar 0330 414 6421, neu yn Saesneg ar
0303 123 1113. Gallwch gysylltu â ni hefyd i gael [32]sgwrs fyw.

I gael gwybodaeth am yr hyn rydyn ni’n ei wneud â data personol, gweler
ein [33]hysbysiad preifatrwydd. 

Yn gywir

Swyddfa’r Comisiynydd Gwybodaeth

Ein cylchlythyr

Gallwch [34]gofrestru i gael ein e-gylchlythyr misol

 

 

References

Visible links
1. file:///tmp/foiextract20201111-10705-15wfnqr#English
2. file:///tmp/foiextract20201111-10705-15wfnqr#Gymraeg
3. https://ico.org.uk/global/data-protectio...
4. https://eur03.safelinks.protection.outlo...
5. https://eur03.safelinks.protection.outlo...
6. https://eur03.safelinks.protection.outlo...
7. https://eur03.safelinks.protection.outlo...
8. https://eur03.safelinks.protection.outlo...
9. https://eur03.safelinks.protection.outlo...
10. https://eur03.safelinks.protection.outlo...
11. https://eur03.safelinks.protection.outlo...
12. https://eur03.safelinks.protection.outlo...
13. https://eur03.safelinks.protection.outlo...
14. https://eur03.safelinks.protection.outlo...
15. https://eur03.safelinks.protection.outlo...
16. https://eur03.safelinks.protection.outlo...
17. https://eur03.safelinks.protection.outlo...
18. https://eur03.safelinks.protection.outlo...
19. https://ico.org.uk/global/data-protectio...
20. https://eur03.safelinks.protection.outlo...
21. https://eur03.safelinks.protection.outlo...
22. https://eur03.safelinks.protection.outlo...
23. https://eur03.safelinks.protection.outlo...
24. https://eur03.safelinks.protection.outlo...
25. https://eur03.safelinks.protection.outlo...
26. https://eur03.safelinks.protection.outlo...
27. https://eur03.safelinks.protection.outlo...
28. https://eur03.safelinks.protection.outlo...
29. https://eur03.safelinks.protection.outlo...
30. https://eur03.safelinks.protection.outlo...
31. http://ico.org.uk/about_us/how_we_work/s...
32. https://eur03.safelinks.protection.outlo...
33. https://eur03.safelinks.protection.outlo...
34. https://eur03.safelinks.protection.outlo...

Jonathan Baines left an annotation ()

@Madeline Bowles

'...if an organisation asked someone it corresponds with "are you happy to hear from us by email?" such a request, if met with an affirmative response, is not limited to the email address from which that response it was sent, or any other specific email address.'

If I'd agreed to "are you happy to hear from us by email", I would naturally assume, if I answered yes, that this referred to the specific email address we're corresponding about. If you then spammed me at an alternative email address I would complain, and if I sued you, I would win.

As ICO explains, consent under reg 22 PECR must be, among other things, specific and unambiguous. What you propose is neither.

Madeline Bowles left an annotation ()

@jonathan_baines_2

What real life circumstances did you have in mind where that would be true? How is "would you like to hear from us by email?" not both specific (as to communication method) and unambiguous (as to its outcome)? As a parallel, if you had your Ford car serviced at a particular garage, just because you get a different Ford doesn't mean you don't want to have your car serviced at the same garage. (The Ford is the continuity - i.e. it's still email. If you changed to a VW then you might change garage - e.g. from email to SMS.)

Otherwise, if you were right, if someone who has consented to receive marketing email changes their email address and lets the data controller know their new email address, but does not also say that they are also renewing their consent, a separate consent would have to be sought. But it could not be sought by email because that would be a breach of PECR.

I don't think most people, when they voluntarily provide a new email address to an organisation they regularly hear from, also think "oh, and because of PECR and the ICO's marketing guidance, I need explicitly to renew my consent." Do they?

Or am I misunderstanding your annotation?

Jonathan Baines left an annotation ()

@Madeline - the real world situation where I, like countless others, have different email accounts for different things. I have gmail addresses for various purposes, a protonmail account for my personal-professional purposes, and a work email. They are not the same, and if I give someone my consent to send me emails to one, they should not (and cannot, as a matter of law) infer that that consent extends to all accounts.

To adopt your analogy, I would not get a Ford GT40 serviced at the same place as a Ford Mondeo.

Madeline Bowles left an annotation ()

@jonathan_baines_2
You said "if I give someone my consent to send me emails to one [email address], they should not (and cannot as a matter of law) infer that that consent extends to all accounts". I completely agree with your conclusion. If you gave consent for an organisation to send email to one of them, then that organisation should only send email to that, specific, one.
But that was not the question I was asking.
I was asking about the legal basis for asserting that PECR 22(2) _requires_ that permission is always specific to a particular email address, even if the consent question had sought permission to "communicate with you by email" without mentioning a specific email address, or even necessarily being in the context of the person having already provided one particular email address (for example some kind of registration on a form.)
The wording of Clause 22 of PECR is in contrast to the wording of Clause 21 in respect of telephone marketing where it is clear that consent refers to "the number allocated to the subscriber" and "the called line." Clause 22 on electronic mail says "by means of electronic mail". There is no mention of a specific email address.

Jonathan Baines left an annotation ()

PECR doesn't state this, as you know, but (to the extent that personal data is involved) fairness and consent under GDPR need to be considered.

Madeline Bowles left an annotation ()

So do you argue that the following scenario requires a new and separate consent?
* A person makes a gift to a charity and at the same time gives consent for further contact to the email address they provided when they made the gift
* The charity sends newsletters, requests for further gifts etc
* The person (who may or may not have given again) responds to one newsletter saying "please would you update my email address to <new email address>"
* In that response they don't say, or not say, that they are giving consent to have the correspondence sent to the new email address. They just ask for the email address to be updated.

I believe your argument says that the charity now needs separately to seek consent to send email this new email address, which of course they can't do by email since if no consent exists it would breach PECR.

Or do you think that, by updating their address in response to the lawful use of their old email address for marketing purposes, this passes the test of "an affirmative action which indicates consent."

This _is_ nuanced, but real life data management is nuanced and contextual. Unlike the ICO draft Direct Marketing guidance on this issue.

Tim Turner left an annotation ()

In the very specific circumstances described by Madeleine Bowles (I actively update my address by contacting the charity), the PECR angle is probably irrelevant. If I have actively given my new address to the organisation in the context of "updating" it, I'm then very unlikely to complain about receiving further correspondence.

But in the context of an email address bouncing back or a long period passing by without any further engagement, the charity would not be entitled to obtain the individual's alternative email address from any other source (even a publicly accessible source) on the basis that they have consent to send marketing by "email". If the source of the data is not the subject, I don't believe that consent is valid.

Madeline Bowles left an annotation ()

Very happy to agree with @Tim_Turner, both on the matter of obtaining an email address from a third party, and also in the specific circumstances of the data subject providing a new email address.

This is why the ICO draft guidance is troublesome; it says that marketing to the new email address in the circumstances I've described would not be lawful. And that PECR outlaws the use of a new email address in all circumstances because it "just does", rather than because obtaining an email address from a third party is very unlikely to carry any consent with it.

Order Status,

Your Orders  |  Your Account  | Amazon.com
[1]ÄMÄZÖN Order Confirmation

Order #1401-ODR-8425
Hello David,

Thank you for your order. We’ll send a confirmation when your order ships.
Your estimated delivery date is indicated below. If you would like to view
the status of your order or make any changes to it, please contact Order
Help-Desk.
Arriving:
Saturday, January 23 Your order will be sent to:
David 
Your shipping speed: 4 Grandview Dr, 
FREE Delivery on eligible orders Normal, Illinois 61761

[2]View or manage order
Order Help-Desk: +1 (866) 530 2155

Order summary
Order #1401-ODR-8425
Placed on Wednesday, January 14, 2021
Item Subtotal: $ 987.98
Shipping & Handling: $ 8.00
Promotion Applied: -$ 0.00
Order Total: $ 995.98
If you use a mobile device, you can receive notifications about the
delivery of your package and track it from our app.
To ensure your safety, the Delivery Agent will drop the package at your
doorstep, ring the doorbell and then move back 2 meters while waiting for
you to collect your package.
We hope to see you again soon.

AMAZON
Bargain recommendations
[3]Pixel Home Cotton [4]Generic - GEN_DED_1
Apron 100% Cotton Check Multipurpose Cycle [5]Amul 99% Cacao
Kitchen Apron with Front Motorcycle Bike Chain Chocolate 125g Pack of
Center Pocket Best Design Cleaner Brush (Assorted 2
Apron (Red Checked) Colour) 99% Cacao Chocolate
Pixel Home Cotton Generic - GEN_DED_1 125g Pack of 2
Apron 100% Cotton Multipurpose Cycle... $ 4.99 
Check... $ 1.19
$ 4.49
This email was sent from a notification-only address that cannot accept
incoming email. Please do not reply to this message.

[6]--

References

Visible links
2. https://www.amazon.com/