KISS: The enduring lesson from ICO’s penalty for direct marketing


Last month, the Information Commissioner's Office (ICO), the regulator for data protection in the UK, issued a monetary penalty notice to a leading British telecommunications company (the company), which provides telephone, television and internet services in the United Kingdom, imposing a penalty of £50,000 for contravention of the consent requirements in regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"). For the uninitiated, the ground rules for electronic marketing in the UK are set by PECR read together with the GDPR.

So, what led to this action by the ICO? Let us consider the facts and the chain of events that triggered it:

a) On 10 August 2020, the ICO received a complaint (the "Complaint") from an individual about a direct marketing email they had received from the company on 4 August 2020.

b) The email (to the extent relevant for this discussion) contained the following (the "Marketing Preference Reminder"):

  1. We want to let you know that we won't be raising your price this year. This means the price you pay for your current package right now will stay the same in 2020
  2. We'd like to stay in touch about all the great ……. stuff we have on offer for you. You have currently said no to receiving marketing messages from us, which means that we are not able to keep you up to date with our latest TV, broadband, phone and mobile news, competitions, product and bundle offers via online, email, post, SMS, phone
  3. You can change your preferences by simply registering or signing in to …….. Click 'My Profile', then 'My Preferences'.

(Note: the company reference is replaced with '………' as this detail is not relevant for our discussion here.)

c) The complainant said that this email was "basically a service message dressed up as an attempt to get me to opt back in to marketing communications".

This led the ICO to launch an investigation. Based on its interactions with the company, the ICO determined the following facts and arrived at the following conclusions:

a) The company sent 1,964,562 emails concerning a price freeze (the "price freeze emails").

b) Of these:

a. 1,303,671 emails were sent to customers who had opted in to marketing communications;

b. 209,376 emails were sent to customers who had opted out of marketing communications ("opt-out customers") without the Marketing Preference Reminder;

c. 451,515 emails were sent to opt-out customers with the Marketing Preference Reminder.

c) In its defence, the company stated:

a. it received "feedback" from customers (how many is not specified) that "a number of them would like to be informed about packages, products and discounts that may be available and some customers are unaware that they have not opted-in to all forms of marketing";

b. based on that feedback, it "selected a segment of opted-out customers who we reasonably considered might have changed their marketing preferences. The customers selected were those who had opted out over a year ago";

c. it does operate a suppression list for marketing communications, but the suppression process was applied only to those opt-out customers the company considered unlikely to have changed their minds about their marketing preferences.

d) The ICO determined that:

a. the Marketing Preference Reminder sought to entice or encourage customers to update their marketing preferences;

b. it also marketed the company's commercial offerings, i.e. "the great ….. stuff we have on offer for you…our latest TV, broadband, phone and mobile news, competitions, product and bundle offers";

c. as such, the price freeze emails containing the Marketing Preference Reminder fell within the definition of direct marketing;

d. the company, as the sender of that direct marketing, was required to ensure that it was acting in compliance with regulation 22 of PECR and that valid consent to send those messages had been obtained;

e. in this instance, the requisite consent had not been obtained, because the recipients of the direct marketing had opted out of marketing communications.

In its defence, the company sought to rely on a specific paragraph (194) of the ICO's direct marketing guidance, which states that people can change their minds, that marketing strategies also change, and that there is some merit in making sure the information held about people's preferences is accurate and up to date. The ICO countered this by drawing attention to paragraph 193, which states: "Organisations must not contact people on a suppression list at a later date to ask them if they want to opt back in to receiving marketing. This contact would involve using their personal data for direct marketing purposes and is likely to breach the DPA, and will also breach PECR if the contact is by phone, text or email."

So, what lessons should marketing functions draw from this proceeding? The following guardrails are key to compliance:

  • There are limits to creative legal thinking when consent is the lawful ground for processing. There are no ifs and buts: either you have it or you do not, so marketing functions will do well not to cut corners here.
  • Numbers do not matter when it comes to drawing the regulator's attention. Note that a single complaint drew the ire of the regulator (and rightly so): the individual is the new sovereign when it comes to their privacy.
  • One cannot cherry-pick the regulator's guidance, leaning on the parts that suit the objective being pursued and ignoring the parts that do not. The guidance has to be read and interpreted as a whole.
  • In this instance, the company had an opt-in approach: new customers are required to tick a box to opt in to marketing communications. In that respect, the company did the right thing. Examples are legion, even today, of companies doing this in a cheeky way, where the customer journey arrives at a page on which the marketing box is pre-ticked and the potential customer has to untick it (an opt-out mechanism) if not keen to receive marketing communications. One wonders when the luck will run out for such a practice!

It is all a case of paying heed to the design principle noted by the U.S. Navy in 1960: Keep It Simple, Stupid. The KISS principle states that most systems work best if they are kept simple rather than made complicated; therefore, simplicity should be a key goal in design, and unnecessary complexity should be avoided. The same is true for data protection!
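To make the KISS point concrete, here is an added illustration (example code written for this article; it is not the company's system, the ICO's, or anything quoted in the notice). It models the two suppression designs described above over a constructed set of three hypothetical recipients: the company's segmented approach, in which the suppression list is applied only to opt-outs it judged unlikely to have changed their minds (modelled here, using the company's own stated criterion, as anyone who opted out within the last year), and the simple gate the regulator's guidance actually requires. The marketing flag on each message follows the ICO's finding that a preference reminder inviting people to opt back in is itself direct marketing. The recipient and message structures, the addresses and the dates are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Recipient:
    email: str
    opted_in: bool        # current marketing preference
    preference_set: date  # when that preference was last recorded


@dataclass(frozen=True)
class Message:
    name: str
    promotional: bool         # advertises products, offers, competitions
    preference_reminder: bool  # invites the recipient to opt back in

    @property
    def is_direct_marketing(self) -> bool:
        # Per the ICO's determination in the notice: a "marketing preference
        # reminder" that encourages opting back in is direct marketing, as is
        # any promotional content. A bare service notice is not.
        return self.promotional or self.preference_reminder


# Constructed sample data (hypothetical addresses; not the company's customer base).
TODAY = date(2020, 8, 4)
RECIPIENTS = [
    Recipient("opted-in@example.invalid", opted_in=True, preference_set=date(2020, 3, 1)),
    Recipient("recent-opt-out@example.invalid", opted_in=False, preference_set=date(2020, 6, 1)),
    Recipient("old-opt-out@example.invalid", opted_in=False, preference_set=date(2018, 6, 1)),
]

PRICE_FREEZE = Message("price freeze", promotional=False, preference_reminder=False)
PRICE_FREEZE_WITH_REMINDER = Message("price freeze + reminder", promotional=False,
                                     preference_reminder=True)


def segmented_suppression(recipients, message, today=TODAY, stale_after=timedelta(days=365)):
    """Reconstruction of the approach described in the notice: the suppression
    list is applied only to opt-outs the sender considered unlikely to have
    changed their minds, modelled as anyone who opted out within the last year.
    Older opt-outs are let through on the theory that they "might have changed
    their preferences". The one-year cut-off comes from the company's own
    description; the rest of the selection logic is an assumption."""
    allowed = []
    for r in recipients:
        if message.is_direct_marketing and not r.opted_in:
            if today - r.preference_set <= stale_after:
                continue  # on the suppression list: not sent
        allowed.append(r.email)
    return allowed


def consent_gate(recipients, message):
    """KISS version: direct marketing goes only to recipients whose current
    preference is an opt-in. There is no age-based exception, because an
    opt-out recorded two years ago is still an opt-out today. Service
    messages with no marketing content go to everyone."""
    return [r.email for r in recipients if r.opted_in or not message.is_direct_marketing]


def unconsented_sends(recipients, message, **kwargs):
    """Addresses the segmented approach would mail without consent, i.e. the
    difference between the two gates. Non-empty means a PECR reg. 22 problem."""
    return sorted(set(segmented_suppression(recipients, message, **kwargs))
                  - set(consent_gate(recipients, message)))


if __name__ == "__main__":
    for msg in (PRICE_FREEZE, PRICE_FREEZE_WITH_REMINDER):
        print(f"{msg.name}: direct marketing = {msg.is_direct_marketing}")
        print("  segmented suppression:", segmented_suppression(RECIPIENTS, msg))
        print("  simple consent gate  :", consent_gate(RECIPIENTS, msg))
        print("  sent without consent :", unconsented_sends(RECIPIENTS, msg))
```

Running it shows the asymmetry at the heart of the case: the plain price-freeze notice reaches all three recipients under either design, because it is a service message. Add the reminder and the message becomes direct marketing; the simple gate then sends it to the opted-in customer only, while the segmented rule also mails the customer who opted out in 2018, which is exactly the population the ICO said may not be contacted. The extra branch is the unnecessary complexity, and removing it is the whole fix.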

Thanks Sree Krishna for posting this. Thought-provoking as always.


More articles by Sree Krishna Rao
