The ICO’s recent enforcement action against Virgin Media shows us that some marketers are still failing to understand the ICO’s guidance on PECR.
In this article we’ll look at the case, examine what went wrong and provide some simple solutions that can help you reduce your risk of making the same mistakes.
On the 6th December 2021, Virgin Media were fined with a monetary penalty of £50,000 under section 55A of the Data Protection Act 1998. The penalty relates to a “serious contravention” of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
Virgin Media is no stranger to ICO investigation. Just months prior to this enforcement action the ICO dropped a case relating to a data breach which left a database of over 900,000 customers exposed for 10 months.
Prior to this Virgin Media has hit the headlines for a string of incidents, including sending a bill to a deceased customer with a late payment charge, sending bailiffs to collect money from somebody who was never even a customer and exposing the CV data of 50,000 job applicants.
Sidenote: Do you know someone that works there? We’d be happy to set them up with a few training seats.
This time, the mistake relates to PECR, the law concerning direct marketing, communications and the use of cookies and tracking technologies within the UK.
Let’s look at what exactly they did, why it was wrong in the eyes of the ICO and how you can avoid the same fate.
What they did
Virgin Media sent 451,217 marketing emails to people who had previously opted out of marketing communications.
The ICO received a complaint that the offending email was “basically a service message dressed up as an attempt to get me to opt back in to marketing communications”
The email content read:
“We want to let you know that we won’t be raising your price this year.
This means the price you pay for your current package right now will stay the same in 2020.
We’d like to stay in touch about all the great Virgin Media stuff we have on offer for you. You have currently said no to receiving marketing messages from us, which means that we are not able to keep you up to date with our latest TV, broadband, phone and mobile news, competitions, product and bundle offers via online, email, post, SMS, phone.
You can change your preferences by simply registering or signing in to virginmedia.com/optin. Click ‘My Profile’, then ‘My Preferences’.”
The ICO opened an investigation following the complaint, asking to see the records of consent for the above email.
Virgin Media responded that for this email segment of 451,217 customers they did not have consent for this email.
In their defence they referenced feedback they had received from customers – “a number of them would like to be informed about packages, products and discounts that may be available and some customers are unaware that they have not opted-in to all forms of marketing.”.
Why it was wrong
This email was a marketing message under PECR. It sought to entice customers to opt back into marketing communications. It also promoted some of the products that Virgin Media sells stating: ““the great Virgin Media stuff we have on offer for you…our latest TV, broadband, phone and mobile news, competitions, product and bundle offers.”
Note: This would be considered a marketing message even if the product messaging was not included. The request to opt back into marketing communications is enough to qualify.
While there is merit to keeping customer opt-in preferences up to date and there is a clear business interest in encouraging customers to opt-back in.
The ICO are clear that the task of encouraging customers to opt in to marketing communications does not equate to an exception of Regulation 22 of PECR.
In the enforcement decision against Virgin Media they draw attention to the guidance they provide which states “Organisations must not contact people on a suppression list at a later date to ask them if they want to opt back in to receiving marketing. This contact would involve using their personal data for direct marketing purposes and is likely to breach the DPA, and will also breach PECR if the contact is by phone, text or email.”
The rules in this case are clear, you cannot send marketing messages to people that have opted out of marketing. General feedback from customers that they would like to hear about marketing offers, or misinterpretation of the ICO’s own advice cannot change this rule.
What you should do to avoid the same fate
Don’t run re-opt-in campaigns by email for customers who have opted-out of your marketing campaigns.
If you want to opt people back in you need to use a channel where this is allowed for example you may ask people when they return to your website to make a purchase.
Train your team on what counts as a transactional email and what counts as a marketing email. Make sure that the entire team is aware of the PECR rules so that they can collectively stop any campaigns like this going live. That means training all staff, not just managers. This would also help you align with the training requirements under the ICO’s accountability framework.