Don't message mEE
The ICO's recent £100,000 fine issued to telecoms provider, EE, acts as a reminder that companies need to be careful when sending communications to customers to ensure that they comply with the direct marketing rules under the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR").
EE sent 2.5 million 'service messages' to customers, without consent, to encourage them to access and use the ‘My EE’ app to manage their account. The messages also informed customers that they could 'countdown the days' until their upgrade with the app, and check their 'refresh date'. Customers who did not engage with the first message were sent a follow-up. The ICO found that the messages were direct marketing messages as they included a promotion of products and services, and were therefore in breach of the PECR electronic marketing rules.
Andy White, ICO Director of Investigations said: 'These were marketing messages which promoted the company’s products and services. The direct marketing guidance is clear: if a message that contains customer service information also includes promotional material to buy extra products for services, it is no longer a service message and electronic marketing rules apply.'
PECR
PECR regulates electronic marketing communications, and the obligations should be read in conjunction with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). The PECR rules are set to be reformed and the European Commission has published a proposal for an ePrivacy Regulation (Regulation) to overhaul the Directive and harmonise application across the EU as part of its Digital Single Market initiative. The initial intention was for the Regulation to come into effect at the same time as the GDPR on 25 May 2018, but this always looked ambitious and we are still waiting for a final draft. PECR will continue to apply until the long awaited Regulation is agreed and implemented.
Direct marketing – consents under PECR
Under PECR, direct marketing communications such as texts, push notifications or emails should only be sent to individuals who have consented to receiving them, and only if they are given a simple way to opt out of receiving the messages. Consents should comply with the GDPR standard, i.e. be freely given, specific, informed and unambiguous. There is a limited "soft opt-in" exception for previous customers, which requires that customers are notified of the marketing activities and scope of communications at the time their personal data is collected, and that they are given the opportunity to opt out. A company relying on the PECR soft opt-in will still need to give customers the opportunity to opt out easily in each marketing communication.
The ICO is also clear in its direct marketing guidance that these rules also apply to "viral" marketing i.e. where a customer is asked to send messages on to other individuals. In practice, ensuring that consent has been obtained from these individuals presents a challenge, and the ICO has recommended that such marketing campaigns are not used.
A fine line
Marketing and communications teams will often be keen to "wordsmith" communications so that they are more customer friendly. However, companies will need to be mindful that the ICO will look to the underlying intention of the message, and if it includes any promotional material for other products or services it is likely this will fall squarely in the direct marketing bucket and will need to comply with the consent requirements under PECR.
Companies should set clear internal guidelines to define the types of communications which are sent to customers, and communications which fall within direct marketing campaigns, to ensure that they are on the right side of a fine line.
PECR direct marketing checklist:
- keep a register of customers who have consented to receiving direct marketing, and customers to which marketing communications will be sent relying on "soft opt-in";
- assess the purpose of sending communications to customers and consider the PECR and GDPR requirements, if applicable;
- ensure that electronic marketing messages are only sent to existing customers if they have given their consent or have not opted out;
- if relying on soft opt-in, ensure that customers are given an easy way to opt out of marketing when their details are first collected;
- ensure that customers are given the option to opt out of marketing in every subsequent marketing message; and
- remember that customers have the right to opt out of receiving marketing at any time, and that organisations have an obligation to stop sending marketing messages to individuals who have opted out.
Byte-sized news
- ICO states intention to issue multi-million pound fines for security breaches: The Information Commissioner's Office (ICO) has announced its intention to fine Marriott International, Inc (Marriott) more than £99 million for infringements relating to a cyber incident which the company notified to the ICO in 2018.
The ICO has also separately announced its intention to fine British Airways £183 million for infringements of the GDPR relating to a cyber incident notified by the company to the ICO in September 2018. Personal data, including log-in and payment card details, of approximately 500,000 customers were compromised in the incident.
Both Marriott and British Airways now have the opportunity to make representations to the ICO in relation to the findings of the respective investigations and the proposed sanctions.
- Cookies on regulatory agenda: The ICO has published new guidance on the use of cookies and similar technologies which clarifies the relationship between the consent and transparency standards under the GDPR and the Privacy and Electronic Communications Regulations 2003.
The guidance from the ICO follows a series of developments across the EU including the Dutch data protection authority publishing new cookie guidance, and the French data protection authority publishing an action plan to focus on targeted online advertising in 2019.
- CMA launches online platforms and digital advertising market study: The Competition and Markets Authority (CMA) has launched a market study to assess the potential sources of harm to consumers in connection with both the supply of online platforms in the UK which obtain material revenue through digital advertising, and the supply of digital advertising generally in the UK. One of the focuses of the study is whether consumers are able and willing to control how data about them is used and collected by online platforms.
- ICO releases its updated views on the adtech industry: In June 2019, the ICO clarified its views on adtech; specifically around the use of personal data in real time bidding technologies. The ICO voiced its concerns around current practices relating to (a) transparency and consent; and (b) the data supply chain.
In relation to transparency and consent, the ICO noted that there are challenges within the industry in identifying the appropriate lawful basis for placing and/or reading a cookie or other technology. It confirmed that adtech businesses must modify their existing consent mechanism to collect explicit consent when processing special category data. The ICO is due to undertake a further review of this industry in December 2019.
With thanks to Helena Brackenridge, Michelle Sally and Tom Brookes for their contributions.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.