Enforcement action by ICO against Just Hype

The £60,000 fine recently issued by the Information Commissioner’s Office (ICO) against UK youth fashion brand Just Hype is a timely reminder of the rules governing the use of personal data for digital marketing.

In June 2020, more than 1.7m consumers received direct marketing from Just Hype. The ICO launched an investigation into the company’s practices after receiving 151 complaints from recipients of text messages which offered a free face mask in return for downloading the Just Hype app.

The specific rules governing direct marketing by unsolicited text message, email and voice messages are set out in The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

PECR says organisations which engage in digital marketing must have the consent of the recipient or be able to rely on the “soft opt-in” exemption. This exemption essentially enables businesses to send electronic communications to existing customers about products or services similar to those they have bought (or been in negotiation to buy) previously, even if they have not specifically consented to being contacted in this way. The organisation must, however, give the consumer a simple opportunity to refuse or opt out of the marketing at the time of collecting their details and in every subsequent message.

In its response to the ICO investigation, Just Hype said it had relied on the “soft opt-in” exemption. The ICO, however, found that the steps Just Hype had taken when collecting personal data from customers on the checkout page of its website were insufficient to satisfy the PECR requirements. The checkout page contained an opt-out to marketing located below the e-mail collection box which read “keep me up to date on news and exclusive offers”. Just Hype told the ICO that they relied on this opt out box to indicate consent for marketing by both email and text. Separately, the checkout page had a box for entering the customer’s telephone number. This stated that customers would receive messages from the company, but there was a “?” symbol in the box which, when hovered over, stated Just Hype would only contact the customer about their order. The telephone number box was a required field and customers could not proceed without completing it.

Just Hype’s customers had not, the ICO decided, been given a simple means for refusing the use of their contact details for marketing. This meant that Just Hype did not have the valid consent required for messaging the 1.7m recipients.

In its enforcement notice, the ICO also criticised Just Hype for capitalising on the Covid-19 pandemic by offering a free mask in return for downloading the Just Hype app.

The ICO acknowledged that Just Hype did not deliberately intend to contravene the regulations; however, it should have been aware of its responsibilities and taken reasonable steps to be compliant.

The ICO has the power to issue penalties of up to £500,000 for PECR infringements. In this case, the ICO took into account the remedial steps Just Hype had taken since being notified of the complaints, including updating their privacy policy, training staff, and amending their consent statement on their website.

This case highlights the specific requirements businesses need to meet when engaging in direct marketing by electronic means and the importance of making sure their forms and processes for collecting personal data are compliant.