British Telecommunications plc (BT) has been slapped with a £77,000 fine by the Information Commissioner’s Office (ICO) after sending nearly five million nuisance emails to customers.
An investigation found that the emails sent between December 2015 and November 2016 relating to charity initiatives were marketing messages, rather than simple service messages.
Because customers had not given their consent to receive such messages they were deemed to have been sent in breach of regulation 22 of the Privacy and Electronic Communications Regulations (PECR).
ICO Head of Enforcement, Steve Eckersley, gave the following unequivocal response: “Organisations have a responsibility to ensure they are acting within the law. Where they do not, the ICO can and will take action. This particular investigation was prompted by a concerned member of the public. We investigated the matter and uncovered the full extent of this activity which shows how important it is for people to report nuisance emails.”
The case is an important reminder of the requirements of PECR, something which might have been lost amid all the recent noise surrounding GDPR.
PECR sits alongside GDPR, giving people specific privacy rights in relation to electronic communications, such as marketing calls, emails and texts.
Under PECR, specific, express consent should be sought to send marketing emails or texts to individuals. However, there are limited exceptions for existing customers, known as the ‘soft opt-in’.
The ‘soft opt-in’ may seem to open the door to marketing to existing customers, however it does state that your customers must have ‘bought (or negotiated to buy) a similar product or service from you in the past, and you gave them a simple way to opt out both when you first collected their details and in every message you have sent.’
In other words, it might be acceptable to send customers messages relating to the product or service that they have received from you (as long as a clear opt out is provided), but if you wish to share information that is not directly related to this product or service, you will need express ‘opt-in’ consent from the customer.
PECR 2003 is currently under review and is likely to be replaced by a new e-privacy regulation. The timescale for this review is uncertain, but it is definitely something to keep an eye on.