Editor’s note: It seems the view that in the EU most direct marketing can be accomplished on a Legitimate Interest lawful basis may not be as cut and dried as some thought.
On 24 June 2019, the ICO fined telecoms company EE Limited £100,000 for sending over 2.5 million direct marketing messages to its customers without consent. This was triggered by an individual complaint filed after the recipient received the message from EE.
Due to the nature of the communication – EE used SMS for this marketing messages – PECR was the base of this decision. Even though it could have been a breach of the GDPR principles as these messages were sent by EE in March 2018, the GDPR principles or fine levels have not been applied to the case.
We know that the telecoms company defended the case as “this constituted a service message and was therefore outside of the remit of the rules regarding direct marketing”. However, it was not enough to convince the Commissioner’s office. They made it clear that sending text messages to an organisation’s customers falls under direct marketing and PECR rules which clearly require sufficient consent to be acquired prior to the communication.
Our view on this case is that the ICO’s direct marketing guidance is clear on what constitutes a marketing message.
In this case, the messages appear to have been – at least in part – designed to promote a new service from EE and to encourage customers to try it. According to the ICO’s guidance, this is clearly marketing.
The messages were also sent to people who had previously opted out of receiving these types of communications. As such, it’s unsurprising that the ICO’s investigation found a breach of PECR in this instance, which resulted in a fine for their actions.
The risks of disrespecting customer privacy go far beyond regulator issued fines.
The long-term effects on customer trust, share price, and public perception damage a brand even more.
Accountability and transparency are two of the core principles of GDPR, as well as our own DMA Code. It’s now crucial for the business to focus its efforts on these two pillars and rebuild trust.
On the other hand, we think that this case has opened up several interesting questions that merit further discussion:
- Can messages sent to existing customers regarding services or products they’ve already purchased include details regarding improvements made to these products or services? If so, would this still be treated as a marketing message?
- Can new and improved applications or technologies which are bringing different – and, perhaps, easier – ways of using the already purchased service or the product be communicated with a service message?
- Would refraining from communicating these benefits and improvements result in a disadvantage for existing customers? Should these messages about clear additional benefits, such as X amount of cashback, only be sent to existing customers who provided their clear consent to receive marketing?
Our challenge is to consider direct marketing alongside new technologies and data-driven marketing applications.
In order to turn this challenge into an advantage, the DMA is committed to continuing our work with our members and related bodies.