UK: ICO's enforcement notice against EE
On 20 June 2019, the Information Commissioner's Office ('ICO') issued a monetary penalty notice to EE Limited ('EE'), including a fine of £100,000, for breaching direct marketing rules under the Privacy and Electronic Communications Regulations 2003 ('PECR'). Juma Weeks, Associate at Ropes & Gray LLP, provides insight and comment on the ICO's enforcement action and the reasoning behind it.
One of the UK’s largest mobile network operators, EE, has been fined £100,000 by the ICO for failing to appreciate the difference between a service update and a marketing communication. The ICO found that, in 2018, EE sent over 2.5 million direct marketing messages to its customers, without consent, in breach of the PECR. While the offending text messages did contain a service message, they crossed the threshold into marketing by referring to the My EE app which, as well as offering the customer the option of performing service-related tasks, also offered them the option to purchase new products.
Regulation 22 of the PECR provides that organisations can only send unsolicited direct marketing by electronic mail, including email and SMS text message, if the individual has previously agreed to it. This is the basic opt-in rule. However, a soft opt-in exception to the rule applies, allowing messages to be sent to existing customers. This applies where:
- the marketer has collected an individual's details in the course of a sale or the negotiations for the sale of a product or service;
- the marketing from then on relates only to similar products or services; and
- a simple way to opt-out is provided on collection of the contact details and in every subsequent message.
On 12 March 2018, EE sent a direct marketing text message to an individual as follows:
'My EE: Get Active! Not long now, X! You'll soon be able to switch up your routine by upgrading your Apple iPhone 6S. You can countdown the days to your upgrade with the My EE app. Just like the My EE website, it lets you view your bill, check your refresh data and usage. Stay active on the go and log in [...] today.'
Following receipt of the message an individual made a complaint to the ICO explaining that they had previously opted out of marketing messages from EE. According to EE, however, the message was a service message, not a marketing communication to which Regulation 22 of the PECR applied. The ICO thought otherwise.
The message was in fact sent in two batches. The second batch was sent to customers who did not interact with, use or download the My EE application following the initial message. A revised version of the initial message was sent in the second batch as follows:
'My EE: Get Active! Want to flex your data muscles this month, X? Use the My EE app to see how much data you have left, check when your refresh date is, manage your bill and much more. Get active on My EE and log in [...] today.'
In total, over 16.5 million messages were sent, and over 2.5 million of those messages were received by individuals who had previously opted out.
The ICO found that EE had contravened Regulation 22 of the PECR. The company did not have the necessary consent to send unsolicited direct marketing messages to 2.5 million subscribers. Insofar as it is not necessary for an organisation to have known that it was breaking the law for the contravention to be considered 'deliberate,' the ICO found that EE had deliberately contravened Regulation 22 of the PECR, since it was aware that the messages were being sent to individuals who, according to its records, had previously opted out.
The ICO said that its Guidance on electronic mail marketing1 is clear that if a message includes any significant promotional material aimed at customers to buy extra products or services or to renew contracts that are coming to an end that message is no longer a service message. In EE’s case the messages sent as part of the campaign were additionally designed to promote and encourage customers to access and use the My EE app. This in itself was promotional material. Whilst the app did offer a customer the option to perform service-related tasks such as checking their monthly bills, it also offered customers the option to purchase new products, add data to their account and 'countdown the days' until their upgrade. The ICO considered the fact that EE sent a second message to those who did not engage with the app, following receipt of the first message, further supported its finding that these were marketing messages.
Citing the underlying objective in imposing a monetary penalty notice, namely to promote compliance with the PECR, and on the basis that 'the sending of unsolicited marketing text messages is a matter of significant public concern,' the ICO considered that a monetary penalty was the appropriate sanction. Issuing a fine the ICO says 'will reinforce the need for businesses to ensure that they only send marketing text messages to those who specifically consent to receiving such messages.'
The threshold between service message and marketing communication is proving problematic for organisations and regulators alike. Operators need to look beyond the text of their messages to determine whether the direct marketing rules apply because of references or links to media that carry a secondary message that is promotional. EE and other communications operators, or organisations providing long term digital services, might like to think that the ICO would cut them some slack when they deliver service messages that link to apps that allow for the delivery of contracted upgrade and enhancements where other offers are present. However, the ICO appears to draw a bright line, regardless of the benefits of presenting choices to the consumer through a single dashboard or interface.
The distinction between service message and marketing was recently addressed by Ofcom in its Statement on end-of-contract notifications and annual best tariff information2 in the context of its proposals to require broadband, mobile, home phone and pay TV companies to notify their customers when their minimum contract period is coming to an end and to provide best tariff information. The proposals are also designed to align with the European Electronic Communications Code which updates and replaces the four Directives that make up the Regulatory Framework for Electronic Communications in the European Union. Concerns were raised over whether the best tariff proposal was consistent with the PECR and the General Data Protection Regulation (Regulation (EU) 2016/679), where individuals have opted out of direct marketing. After engaging with the ICO, Ofcom says that it is possible to provide such information in such circumstances without breaching e-privacy rules, provided for example that the information on tariffs is neutral in the sense that it does not promote one deal over another, and that according to the ICO it is not marketing content. Perhaps the line is not so bright after all.
Juma Weeks Associate
Ropes & Gray LLP, London
1. Available at: https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing/
2. Published in May 2019, available at: https://www.ofcom.org.uk/__data/assets/pdf_file/0018/148140/statement-helping-consumers-get-better-deals.pdf