A recent decision by the UK’s Data Protection Authority, the ICO, throws some interesting light on the regulatory mood around enforcement of the rules governing how businesses can use their customer lists for marketing emails. It’s worth thinking about how easily an over-enthusiastic approach can go wrong.

On 6 September 2022, Halfords were fined £30,000 by the ICO for sending around half a million unsolicited marketing emails.

Halfords, working in the pandemic, were trying to do the right thing by publicising the UK government’s voucher scheme allowing people to use a voucher worth up to £50 towards the cost of bicycle repairs.

They sent emails out of the blue to their substantial customer list telling them about the scheme. The email linked customers to the government website and invited them to book a free bike assessment and to redeem the voucher at their chosen Halfords store.

Marketing or “service message”?

The decision looked at the rules protecting individuals under the Privacy and Electronic Communications Regulations (PECR).

Essentially, you are only permitted to contact customers out of the blue if your message is a “service message”.

The ICO has confirmed that a service message can include:

• information customers need about a current contract or past purchase; and
• general branding, logos or straplines

but must not include:

• “any significant promotional material aimed at getting customers to buy extra products or services or to renew contracts that are coming to an end”

You are at risk putting any promotional material in a message intended to be a service message. Don’t be fooled by the word “significant” – according to the ICO, the fact that the emails contain even some promotional material may be sufficient for them to constitute direct marketing.

Making the link

It is clear that including an email link in your service message through to a government website does not make the email a service message.

(And neither does adding a notice saying “service message”.)

What about keeping a service message “clean” by including a separate link to your own marketing site? The ICO sat on the fence about this – saying it is “not determinative” of whether that email constitutes direct marketing.

Other brands are available

It’s not safe to assume you can make something into a service message just by naming competitors. The ICO effectively shut off this avenue by noting that Halfords made this a marketing message by advertising the services of Halfords. Also advertising competitors would not change this.

Understanding the “soft opt-in”

You can send unsolicited messages to customers who have been offered the “soft opt-in”. This means that you need to offer them at every opportunity a simple means of refusing the use of their contact details for the purposes of direct marketing.

This must be offered on original contact and on each subsequent marketing contact (usually an ‘unsubscribe’ link).

Remember the embarrassment factor

It’s easy to forget that internal emails generally have to be disclosed to a regulator where they are investigating whether things have gone wrong.

Here, Halfords provided a copy of an internal email from their Data Protection Officer advising that the emails should contain a hyperlink to the Government website, “so that [Halfords] can not be accused of linking to a marketing site” (sic).

This had the opposite effect of what was intended, as it suggested to the ICO that Halfords were aware that they were taking a risk in their approach.

Look before you leap

It’s important to take advice before engaging on a campaign.

The ICO said that it was reasonable for any organisation engaging in direct marketing, particularly one of Halfords’ size, to consider the available public guidance, and to seek independent legal advice, or advice from the ICO, in advance.

A legally qualified DPO can help manage this risk - not only by providing informed advice, but by enabling sharing of legal advice which is likely to be protected from regulator interference by legal privilege.

A costly mistake?

The fine issued by the ICO seems relatively low (and, like a parking fine, came with a discount for early payment). The headline fine is of course only the tip of the iceberg. Along with reputational loss, there will be internal costs and distraction in going through a regulatory investigation. For some organisations there are the more serious consequences of penalties affecting future public procurement.

For Halfords, the number of complainants was very small: it’s important to remember that even a handful of annoyed recipients, and sometimes just one, can lead to real problems.

In addition, although currently delayed, it looks as if the UK government has plans to raise maximum PECR fines to the dizzying level that applies under the UK GDPR – which may allow for future fines of many millions.

Checklist:

• A service message can include general branding, logos or straplines but even “some” promotional material is risky
• Review your processes for “soft opt-in”
• Think about your protocols for internal messaging from your DPO and maybe appoint an external, legally qualified DPO to attract full legal privilege
• Take advice before you engage in any campaign you’re not sure about

A link to the ICO’s decision is here: Halfords fined for sending nearly 500,000 unwanted marketing emails ICO