The ICO has fined EE £100,000 under the Data Protection Act 1998 (“DPA“) for sending text messages to customers without their consent, in breach of the Privacy and Electronic Communications Regulations 2003 (“PECR“).
In February and March 2018 EE sent direct marketing text message to customers informing them that they would soon be eligible for a handset upgrade, and that they could “countdown” to their upgrade date using the “My EE” app. The text message also promoted other features of the My EE app.
In March 2018, EE sent a second batch of messages to customers who had not downloaded or interacted with the My EE app following the first message.
More than 8 million messages were sent in each batch, of which a total of more than 2.5 million were sent to individuals who had previously opted out of receiving marketing messages via text.
EE said it believed that the messages were service messages, rather than marketing messages.
The ICO’s finding
The ICO found that in sending the text messages to the 2.5 million individuals who had opted out of receiving marketing messages via text, EE had breached Regulation 22 of PECR.
Regulation 22 prohibits the transmission of unsolicited electronic communications for the purposes of direct marketing unless the recipient has either previously notified the sender of their consent, or has not opted-out of marketing communications in the course of their previous dealings with the sender (“soft opt-in”).
ICO guidance provides that if a message that contains service information also includes promotional material, it is no longer a service message but a marketing message, and as such will be subject to relevant electronic marketing legislation.
The ICO found that the text messages containing promotional material about the My EE app therefore amounted to direct marketing messages, and as they had been sent to individuals who had opted out of receiving such messages, EE was in breach of Regulation 22.
Upon receipt of a complaint from an EE customer who had received one of the texts despite having opted out of marketing messages, the ICO warned EE that it could face a fine under section 55 of the DPA (as the incident predated the coming into force of the General Data Protection Regulation) for breach of Regulation 22 of PECR, of up to £500,000 (the maximum fine allowable under the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 which apply to the DPA 1998).
In the event, the ICO levied a £100,000 fine, on the basis that this was a serious and deliberate breach by EE. The Commissioner’s “underlying objective in imposing a monetary penalty notice is to promote compliance with PECR”, and to “reinforce the need for businesses to ensure that they only send marketing text messages to those who specifically consent to receiving such messages”.