A service email? ‘On your bike!’ says the ICO
23 September 2022
The ICO has fined Halfords £30,000 for sending unsolicited marketing emails about a bike repair scheme without consent, contrary to UK e-privacy law. It is the latest fine where the key issue in dispute is the distinction between a ‘genuine’ service message, and one which the ICO considers constitutes direct marketing.
The campaign
Readers may remember the ‘Fix Your Bike’ voucher scheme which was set up in 2020 by the then transport secretary during those early, socially distant, days of the pandemic. The scheme sought to encourage more people to embrace cycling by getting their neglected velocipedes roadworthy again. A voucher of up to £50 could be claimed and used towards a bike repair with repairers or mechanics that were registered for the scheme in England. Halfords was one such registrant.Coinciding with the government’s launch fanfare, on 28 July 2020 Halfords sent nearly 500,000 emails referencing the scheme to customers who had purchased a bike from Halfords within the last 3 years but who had not previously opted into marketing. Recipients were encouraged to book a free bike assessment and redeem the voucher at their chosen Halford’s store. The emails did not contain an unsubscribe link. They did, however, include a disclaimer in the following terms: “This is a service message and does not affect your marketing opt-in status”.
The investigation
Given the disclaimer, the ICO sought to clarify with Halfords why it considered the email to be a service message rather than direct marketing. Rather than address that query, Halfords apparently focussed instead on its lawful basis under the UK GDPR for sending the email – ‘legitimate interest’.This was, however, irrelevant given that to send e-marketing r.22 of the Privacy and Electronic Communications Regulations (PECR) requires organisations either to obtain a valid consent or to avail of the ‘soft opt-in’ exemption. That is why the battle line was being drawn around whether the email was a service message or marketing – if the former, then Halfords would not need to rely on consent or the soft opt-in. (For more information, see our earlier article “Blurred lines: The difference between a service communication and marketing communication”).
Pressed on why it considered the email to be a service email, Halfords’ justification was that it sought to inform customers who had previously purchased a bike from Halfords of the new government voucher scheme, rather than to promote its products and services. Unfortunately for Halfords, however, it went on to acknowledge that: “Notwithstanding, we appreciate that this could be interpreted by customers as a Marketing communication.” This concession later came back to bite.
As well as claiming that the purpose of the message was to promote the government initiative, other factors relied on by Halfords in support of its position were that the email contained no links to Halfords’ services, sales or offers – only links to the terms and conditions of voucher usage; and that message related to how to obtain and redeem the voucher.
The decision
The ICO disagreed. It noted Halfords’ U-turn from an initial concession that the email could be interpreted by customers as a marketing communication, to a subsequent categoric denial of the same.
The ICO found that the email was direct marketing based on the following:
1. The use of phrases such as “Halfords”, “Free £50” and “Fix Your Bike” in Halfords’ brand colours implied a connection with the government and emphasised Halfords’ service.
2. The call to action encouraged recipients to “visit halfords.com to find out more now”. Not only did this signpost Halfords’ website but it also instilled a sense of urgency which the ICO characterised as “a typical marketing strategy”.
3. No mention was made of the fact that the voucher could be used at any shop registered with the scheme, not just Halfords.
4. Whilst individuals might have been advised of the availability of the scheme, the fact that the emails contained even some promotional material was sufficient to constitute direct marketing.
5. Whilst information was provided about the scheme, information was also provided which promoted Halfords and its services, steering recipients towards its website.
6. The voucher may not have covered the whole cost of any bike repairs.
Since the emails were deemed direct marketing, ‘legitimate interest’ was not an alternative to obtaining the consent required by e-privacy law. The soft opt-in exemption could not apply either given that the targeted recipients had already opted out of marketing and, in any event, were not provided with a simple means of opting out in the email itself (e.g. via an unsubscribe link) – a requirement of r.22(3)(c) of PECR.
Take-homes
The ICO is clear that sending service emails to individuals who have already communicated that they do not want to receive e-marketing – such as was the case here – is a risky activity. In those circumstances, the ICO expects the sender to seek independent legal advice, or advice from his Office, before engaging the campaign; and most definitely to consider the available guidance.
Some additional thoughts:
1. When it comes to direct marketing, regulatory action is commonly prompted by a single complaint. That was certainly the case here (though once the Commissioner started digging, he unearthed 2 further complaints on his systems related to the same campaign).
2. Even if marketing is not the main purpose, the definition of direct marketing includes any message which includes a marketing element. This is not only clear from the ICO’s current direct marketing guidance, but has also been reiterated in various decision notices such as its £100,000 fine against EE and £90,000 fine against American Express.
3. Get your story straight from the get-go. If you are not sure whether you are on the right side of the service / marketing line, then make sure you have a defensible narrative – ideally before you press send. If that is not possible, then at the very least consult your specialist data and privacy lawyers with real world experience in the advertising and marketing sector before you respond to the ICO, to avoid having to change tack during the course of an investigation.
4. Tied with this is making sure that you have pre-empted the sorts of governance questions you are likely to be asked by the ICO when investigating, including having policies and procedures in place regarding responsibilities under e-privacy (i.e. not data protection) laws.
5. Be mindful of your non-privileged internal communications on these issues. The ICO asked to see the DPO’s advice and was informed that discussions were conducted via MST chat and therefore inaccessible (presumably due to a short retention policy). An email from the then DPO was, however, discovered which advised that the emails should contain a hyperlink to the Government website, “so that [Halfords] can not be accused of linking to a marketing site” (sic). This was used by the ICO against Halfords to demonstrate that the business was clearly aware of the risks of contravening e-privacy law by trying to frame its emails in such a way as to avoid them appearing as direct marketing.
6. Yes, you can consult beforehand with the ICO. But be mindful that there is also sometimes wisdom in asking for forgiveness, not permission. Had the ICO been consulted and then ignored, the hammer would doubtless have come down much harder. As it is, despite this fine (which is reduced to £24,000 if paid promptly), Halfords not only availed of the additional publicity from the email, but is also likely to have benefitted financially even after paying the fine (and legal fees given that the U-turn presumably marked Halfords’ instruction of external counsel). After all, Halfords informed the ICO that over 3,700 recipients claimed the £50 voucher. On our calculations, that is £185,000. That sum does not, however, reflect the actual cost of the repairs, which are likely to have been higher than the value of the vouchers; or the accessories likely also to have been purchased in-store by customers. This healthy contribution to Halford’s bottom line was perhaps worth the risk.
7. Whilst e-privacy fines are currently capped at £500,000, proposals in the Data Protection and Digital Information Bill look to bring them in line with the UK GDPR. This will likely affect the risk/reward ratio if direct marketing emails are found to have been dressed up as service messages.