school ico

Why schools should take note of ICO “EE” fine.

ICO Fines EE £100,000 for combining service messages with marketing

The practice of including marketing and fundraising messages within other essential school communications, such as a school newsletter, has just become a lot riskier.

On 24th June, the ICO fined “EE” £100,000 for sending over 2.5 million direct marketing messages to existing customers, without consent. The messages encouraged customers to use the ‘My EE’ app but, also to upgrade their phone. Read details here.

EE argued that the communications were “service messages” and not direct marketing. The ICO disagreed and said this:

“These were marketing messages which promoted the company’s products and services. The direct marketing guidance is clear: if a message that contains customer service information also includes promotional material to buy extra products for services, it is no longer a service message and electronic marketing rules apply.

“Companies should be aware that texts and emails providing service information which also include a marketing or promotional element must comply with the relevant legislation or could face a fine up to £500,000.”

EE was not fined under the GDPR but under the Privacy and Electronic Communications (EC) Regulations 2003 (PECR). PECR, regulates the sending of unsolicited direct marketing messages by email, text, phone and fax. The term “marketing” is interpreted broadly to include fundraising messages. In general terms, PECR provides that sending unsolicited marketing via electronic means, usually requires an individual to specifically consent.

Why is this case important for schools?

Under the GDPR, sending individuals essential school communications, via email, can usually be legitimised on the ground that it is necessary for the school’s legitimate interests. Consent is usually not required. However, where those messages include unsolicited direct marketing, PECR will also be engaged. The concept of “legitimate interests” has no relevance under PECR because consent is required in any event.

Those schools which have “held off” from insisting on consent for electronic marketing or “tag on” marketing and fundraising messages to other school communications such as newsletters, must now reassess the risks.

The ISBA Data Protection Health Check Service not only measures your school’s compliance with the GDPR, but also PECR. For more information see here.