Mobile network EE has been fined £100,000 by the Information Commissioner’s Office (ICO) after sending more than 2.5 million text messages to customers containing marketing content in 2018.
EE said that the purpose of the texts was to encourage its customers to use the firm’s app and to upgrade their handsets. EE had believed at the time the messages were sent that they were service messages rather than direct marketing. However, the ICO held that the text messages clearly contained marketing content.
Andy White, Director of Investigations at the ICO, said “these were marketing messages which promoted the company’s products and services”. He explained that “the direct marketing guidance is clear: if a message that contains customer service information also includes promotional material to buy extra products or services, it is no longer a service message and electronic marketing rules apply”.
The applicable electronic marketing rules are found in the Privacy and Electronic Communications Regulations (PECR), which state that companies must have GDPR-standard consent in order to send marketing content to consumers by text, email or automated calling.
For consent to be valid under the GDPR it must be freely given, specific, informed and unambiguous. It must also be given by a clear statement or affirmative action, such as ticking a box to proactively indicate agreement. Pre-ticked boxes are no longer considered to provide valid consent under the GDPR. The GDPR also states that consent statements can no longer be bundled within general terms and conditions.
The PECR rules do provide for an alternative route to consent in the form of the so-called “soft opt-in”. This permits marketing to consumers by email and text where the following conditions are all met:
- The marketing message relates to goods or services which are the same as, or similar to, goods and services that the consumer has previously bought from the company sending the marketing message.
- At the time the company sending the marketing originally collected the individual’s contact details, they notified the individual that their details might be used for marketing purposes in the future and gave them an opportunity to opt out of this.
- Every subsequent marketing communication sent to that individual has carried an opt-out option.
Whilst the soft opt-in has historically been seen as an easy default for companies that had not managed to acquire express consent from existing customers, this position is changing in light of ICO enforcement action. The ICO has been increasingly active in recent months in bringing enforcement action against companies claiming to rely on the soft opt-in even where the three conditions for soft opt-in had not been met.
The action against EE typifies a more active stance from the ICO in using its enforcement powers where companies are acting in breach of the rules. All businesses engaged in marketing, particularly where the marketing is directed at consumers, are urged to review their practices to ensure they are acting in accordance with the, admittedly complex, rules in this regard.
Having worked with numerous companies in recent years we believe that the two crucial elements to achieving compliance are:
- Understanding the rules – the rules are complex and vary depending upon whether you are dealing with a consumer or a business, whether you have a previous relationship with an individual and the method of communication used to send a marketing message. It is easy for even the most well-intentioned company to find itself tripping over on a technicality if the marketing team are not familiar with the rules.
- Planning ahead. Whether you are relying on consent, the soft opt-in or your own legitimate interests, each carries different requirements that must be fulfilled before you start to send out the marketing communications. Generally, you need to have marketing in mind at the point you actually collect an individual’s contact data to ensure that you can accommodate these.
If you have any queries regarding marketing or would like to find out more about our half-day in-house seminar on GDPR for Marketers please contact Mark Gipson.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at July 2019.