• The ICO found that over 2.5 million messages were unlawfully sent to customers who had opted out of direct marketing in early 2018, prior to the General Data Protection Regulation (“GDPR”) coming into effect.

    EE disputed the claim, arguing the messages were service related, putting them beyond the scope of unwanted direct marketing. However, the ICO found these were marketing messages covered under an opt-out and concluded EE had deliberately contravened regulations when sending them.

    Given the seriousness of the breach, the Commissioner concluded EE should be given a monetary penalty and fined the mobile network £100,000.

    While this fine is certainly not as high as it could have been it does demonstrate the importance of being legally compliant. It is important to note that, had the breach taken place a few months later, under the GDPR, the fine would have been likely to be substantially higher.

    The Law

    The applicable electronic marketing rules are found in the Privacy and Electronic Communications Regulations (“PECR”) which state that companies must have consent in order to send marketing content to consumers by text, email or automated calling.
    For consent to be valid under the GDPR (and the PECR) it must be freely given, specific, informed and unambiguous. It must also be given be a clear statement or affirmative action, for example, ticking a box, clicking an icon or sending an email – and the person must fully understand that they are giving consent.

    The PECR rules do provide a limited exception in respect of similar products or services (known as the “soft opt-in”).

    For the soft opt-in to apply individuals must be given an opportunity to opt out of direct marketing at the time their personal data is collected. If they do not opt out then they must be given, on each communication, an opportunity to opt out or unsubscribe.

    The soft opt-in exception may be useful to companies that have not managed to acquire express consent from existing customers but should be considered and used with caution and only where the above conditions are met.

    Ensuring that your business is GDPR compliant

    All businesses engaged in marketing, particularly where the marketing is directed at consumers, should keep their practices under review to ensure they are acting in accordance with the GDPR and PECR.

    If you would like advice on compliance with the above regulations, then please do not hesitate to contact a member of the team.

    This content is correct at time of publication

    Can we help?

    Take a look at our Data Protection and GDPR page for useful information, resources, guidance, details of our team and how we may be able to help you

  • Key contact:

    Get in touch

    Please fill out the below form or alternatively you can call us on 01622 690691

      By submitting an enquiry through 'get in touch' your data will only be used to contact you regarding your enquiry. Please view our privacy statement for more information