Recently I started getting spam from Amazon involving ‘local deals’. These were unwanted so I subsequently reported them to spamcop. Now I’ve started getting more spam for travel offers too. Given how unhappy I was at being spammed by an organisation as big as Amazon I started looking into what my rights were.

It seems that consent is required prior to sending. There is an exception however: the current rules for marketing allow for the possibility of a ‘soft opt in’. This basically means that consent need not be given if the following conditions have been met:

• where they’ve obtained a person’s details in the course of a sale or negotiations for a sale of a product or service;
• where the messages are only marketing similar products or services; and
• where the person is given a simple opportunity to refuse marketing when their details are collected, and if they don’t opt out at this point, are given a simple way to do so in future messages.

The page on the ICO that goes into detail can be found here.

The first and third conditions have been met. I have bought items from Amazon before and there is an unsubscribe link. The second condition on the other hand has not been met. I have not looked for nor bought local offers or travel deals. However when I complained about this to the ICO they made it clear that they were not going to do anything about this (the full reply can be found below).

It would seem that the only thing you need to do when breaking the law is make sure your head office is outside the UK. You can have offices in the UK, huge warehouses in the UK, thousands of employees in the UK, services aimed purely at UK customers (not to mention take BILLIONS each year from those same customers in sales) but still not be subject to UK law for activities involving UK customers.

And why should any UK citizen dealing with services provided in the UK have to know how things work in other EU member states, especially when they might not even be understood let alone have any complaint successfully dealt with? How many languages exist in the EU and how many should we have to know just to make sure our rights are respected? How many regulatory systems do we have to learn?

This really is a ridiculous situation to be in.

This was the response they gave me (kudos for the ICO for at least replying so quickly)

Dear Sir

Thank you for your email of 20 July.

In your email you explain that you have been receiving marketing emails from Amazon. As these marketing emails contain offers that relate to totally different goods and services from the items you bought, you believe that Amazon have not complied with the soft opt in from the Privacy and Electronic Communications Regulations. You would like to know what we can do in this situation.

As far as data protection law in concerned Amazon is based in Luxembourg. They do have a London office but they are only processing personal data on the instruction of the Luxembourg offices and as such can only work to their instruction. This means that we can’t investigate the concerns you have explained in your email.

These concerns can be looked at by the Luxembourg Authority whose contact details are:

Commission nationale pour la protection des données
1, avenue du Rock’n’Roll
L-4361 Esch-sur-Alzette
Tel. +352 2610 60 1
Fax +352 2610 60 29
e-mail: info@cnpd.lu

I appreciate that this isn’t the response that you were hoping for but I hope the information is helpful. If you would like to discuss this further please call me directly on [removed] or you can call our Helpline on 0303 123 1113.

As others have noted elsewhere it’s interesting how the ICO seem to want to switch from PECR to the DPA.