The Information Commissioner’s Office (ICO) announced a £100,000 fine imposed on the telecoms company, EE Limited (EE), for breaching the Privacy and Electronic Communications Regulations 2003 (PECR). The timing of the breach meant that the General Data Protection Regulation 2016/679 (GDPR) was not applicable.

What happened?

EE sent customers a text message encouraging them to use the ‘My EE’ app and to consider upgrading their mobile handsets. A second round of messages was also sent to customers. In total, around 2.5 million text messages were sent by EE to customers who had not provided their consent in early 2018.

Breach

EE’s position was that the text messages sent were service messages and not covered by the electronic marketing rules. The text messages, however, were found to contain promotional content encouraging customers to buy further products and services.

The ICO found in its investigation that these text messages amounted to marketing messages, engaging the provisions in PECR. Indeed, regulation 22 PECR requires that marketing messages may only be sent if prospective recipients have given their consent and if they had a simple way to opt out of marketing when their details were initially collected and in every marketing message sent. Individuals have the right to opt out of receiving marketing at any time, at which point it’s the organisation’s responsibility to stop sending them.

Comment

EE has the chance to appeal the monetary penalty. In a similar context, another company subject to a fine by the ICO was able to overturn its fine on appeal at the First-Tier Tribunal (General Regulatory Chamber).

This is the latest fine in a line of enforcement actions taken by supervisory authorities here in the UK and elsewhere in Europe.

This case underlines the importance of reviewing and ensuring compliance of marketing processes and the recording of consents.