Recent data breaches – Make sure your business is prepared
EE fined £100,000 for sending marketing texts without consent
The Information Commissioner's Office (“ICO”) has levied a £100,000 fine on mobile network EE for sending direct marketing messages to existing customers without consent.
The ICO found that over 2.5 million messages were unlawfully sent to customers who had opted out of direct marketing in early 2018, prior to the General Data Protection Regulation (“GDPR”) coming into effect.
EE disputed the claim, arguing the messages were service related, putting them beyond the scope of unwanted direct marketing. However, the ICO found these were marketing messages covered under an opt-out and concluded EE had deliberately contravened regulations when sending them.
Given the seriousness of the breach, the Commissioner concluded EE should be given a monetary penalty and fined the mobile network £100,000.
While this fine is certainly not as high as it could have been, it does demonstrate the importance of being legally compliant. It is important to note that, had the breach taken place a few months later, under the GDPR, the fine would likely have been substantially higher.
The applicable electronic marketing rules are found in the Privacy and Electronic Communications Regulations (“PECR”), which state that companies must have consent in order to send marketing content to consumers by text, email or automated calling.
For consent to be valid under the GDPR (and the PECR) it must be freely given, specific, informed and unambiguous. It must also be given by a clear statement or affirmative action, for example ticking a box, clicking an icon or sending an email – and the person must fully understand that they are giving consent.
The PECR rules do provide a limited exception in respect of similar products or services (known as the “soft opt-in”).
For the soft opt-in to apply, individuals must be given an opportunity to opt out of direct marketing at the time their personal data is collected. If they do not opt out, then they must be given, on each communication, an opportunity to opt out or unsubscribe.
The soft opt-in exception may be useful to companies that have not managed to acquire express consent from existing customers, but it should be considered and used with caution and only where the above conditions are met.
Ensuring that your business is GDPR compliant
All businesses engaged in marketing, particularly where the marketing is directed at consumers, should keep their practices under review to ensure they are acting in accordance with the GDPR and PECR.
If you would like advice on compliance with the above regulations, then please do not hesitate to contact a member of the team.