The Service Message scam

What constitutes a service message has not been defined by law. Yet whenever I submit a complaint about being targeted with unlawful direct marketing to a controller, their Data Protection Officer (DPO) will often reply by telling me that the communication is a ‘service message’.

What is a service message?

A “Service Message” is not defined by law. In my view, a service message is a communication that a controller sends to the subscriber of a service that they operate. Some service messages will promote the benefits of the service to the recipient. Some will offer advisory information about their account – to inform the recipient that their statement can now be viewed online for example. While others are essential for account management – a verification code sent to a recipient by text as part of a multifactor authentication process, for example.

Many service messages will constitute direct marketing

The statutory definition of direct marketing is given at Section 122(5) DPA as follows:

‘Direct marketing means the communication (by whatever means) of advertising or marketing material which is directed to particular individuals’.

Given this very broad definition of direct marketing, it’s reasonable to conclude that a promotional service message – a communication that contains advertising or marketing messages – will also constitute direct marketing. Indeed, in every case that I have taken to court so far, the judge has accepted that the promotional communication in each case constituted direct marketing.

When is a service message not a service message?

It is essential for controllers and their DPOs to be honest with themselves, so that they can be honest with us. A suitably qualified DPO should be well aware that a service message will constitute direct marketing – if it contains any advertising or marketing messages. Therefore, DPOs should not refer to direct marketing messages as service messages.

To be clear, it makes no difference what a DPO believes. They need to look objectively at the communication and if it contains advertising or marketing material, then they should deem it to constitute direct marketing. The ICO is of the view that generic logos and branding do not constitute advertising or marketing material and this is fair enough as a rule, as it forms part of the document template. However, if the document template includes a generic marketing message, then this would fall into scope in my view.

Why DPOs lie to us

Most organisations hate the fact that they cannot target all of their customers with direct marketing emails, texts and phone calls. They hate it! Most of the organisations that I do business with are likely looking for ways to target me with direct marketing by stealth, and their DPOs are likely told to tell me that it’s not direct marketing, it’s a service message. 

How DPOs lie to us

In my initial complaint to a controller’s Privacy Team, I will ask them to confirm whether they are of the view that they have targeted me with direct marketing. From the many responses that I’ve received over the years, here are some of the excuses. The service message does not constitute direct marketing because…

  • We’re informing you about a service that you have subscribed to.
  • We’re not trying to sell you a product or service.
  • We’re obligated to send you this message.
  • We’re aiming to improve our service.
  • We’re trying to help you get more out of our service.

This is what controllers and their DPOs will say to dupe their customers, and I don’t understand it. What do they think they’re going to gain by disguising direct marketing as a service message? Do they honestly think that the millions of people that hate receiving unwanted direct marketing will change their minds? It’s an outright abuse in my opinion.

Let’s not forget the customer survey scam

Genuine customer surveys, undertaken for research purposes – pursuant to Section 87(4) DPA, do not constitute advertising or marketing material. As such, a communication that invites us to complete a Section 87(4) DPA compatible survey, will not constitute direct marketing. However, two key areas for abuse are as follows:

1. If the communication that invites us to complete a Section 87(4) DPA compatible research survey contains incentives, then this will cause the communication to constitute direct marketing. This is because the use of incentives is a marketing tool. For example, if the communication informed the recipient that, by completing the survey they will be entered into a free prize draw, then that communication will constitute direct marketing and it’s an easy case to win. The survey may well be for research purposes but the communication will constitute direct marketing.

2. Seeking public feedback is a marketing tool. I would argue therefore, that any communication that invites the recipient to submit public feedback to their website, or to Trustpilot et al, will constitute direct marketing. Again, this is an easy case to win because only a moron, a liar or a cheat would go into court and argue under oath that public feedback is not a marketing tool. Or that seeking public feedback is for research purposes.

An example to demonstrate how controllers lie to us

I’ve been subject to both of these survey scams, and I currently have a case in my court queue. In this case, the controller refuses to accept that the email that invited me to submit public feedback on their website, does not constitute direct marketing. Their DPO said:

As we have previously stated we do not consider receiving an email requesting feedback to be direct marketing as it is not directly selling you a product or service

It would appear that this DPO is of the view that direct marketing only applies to the sale of a product or service. Based on the definition of direct marketing, it’s reasonable to conclude that this DPO is either incompetent, or is deliberately lying to me. I’m keen to see what happens in court.

Another example to demonstrate how controllers lie to us

I recently received a promotional communication from my insurance provider – an email that promoted an app to me. The email included the message, “We wanted to remind you that there’s lots of things you can do in our app.” The subject of the email advised me by name to “Get started with your app.” The email promoted some of the key features of the app – I can access my policy documents, I can call the breakdown company etc.

I am of the view that this email constitutes direct marketing because they are promoting aspects of the service to me. I received a response from their Data Protection Executive, who said:

This email is not a marketing email, this is classified as a service email and is informing you of the ways [the company] may be able to assist you with your policy.

We apologise if you have felt that this is not relevant to you at this time but is purely for information purposes and not with the view to sell you anything.

You have opted out of marketing emails which is noted within your account file.

So again, this DPE seems to be of the view that direct marketing only applies to the sale of a product or service. This one is also in my court queue.

The ICO is not helping

The ICO’s definition of direct marketing is fairly accurate but it contains at least one major flaw, and I’ve contacted them twice on two separate occasions asking them to update it. On both occasions I’ve been informed that my enquiry has been forwarded to the relevant person but the definition has not been changed. The ICO’s definition of direct marketing is:

‘Routine customer service messages do not count as direct marketing – in other words, correspondence with customers to provide information they need about a current contract or past purchase (eg information about service interruptions, delivery arrangements, product safety, changes to terms and conditions, or tariffs). General branding, logos or straplines in these messages do not count as marketing. However, if the message includes any significant promotional material aimed at getting customers to buy extra products or services or to renew contracts that are coming to an end, that message includes marketing material and the rules apply’.

Can you see the obvious flaw? They’ve opted to limit the statutory definition of direct marketing to the sale of a product or service or the renewal of a contract. This does not reflect the law so they’re not doing anyone any favours.

Watch out for bogus DPOs

Some controllers are obligated to appoint a DPO. This will depend on the nature of the organisation and the type of data processing being undertaken. If a controller has determined that they need to appoint a DPO, then they must do so in accordance with Section 69(2) DPA, which defines a DPO as follows:

69 Designation of a data protection officer

(1) The controller must designate a data protection officer, unless the controller is a court, or other judicial authority, acting in its judicial capacity.

(2) When designating a data protection officer, the controller must have regard to the professional qualities of the proposed officer, in particular—

(a) the proposed officer’s expert knowledge of data protection law and practice, and

(b) the ability of the proposed officer to perform the tasks mentioned in section 71.

(3) The same person may be designated as a data protection officer by several controllers, taking account of their organisational structure and size.

(4) The controller must publish the contact details of the data protection officer and communicate these to the Commissioner.

However, many controllers have adopted the “DPO” job description, even though they’re not lawfully required to appoint a DPO. This widespread adoption of the job title has served to water down the expertise in my view. So, now, when you get a reply from a controller’s DPO, you don’t know whether they’re a DPO who has been appointed subject to Section 69(2) DPA, or some chump with delusions of grandeur. Or worse still, an ex-ICO Case Officer.

When I contact a DPO these days, I ask them to confirm whether they have been appointed to the role in accordance with Section 69(2) DPA.


I believe that many of the organisations that we do business with every day are constantly looking for ways to sneak marketing messages to us by email or text, disguised as a service message. As is often the case, the ICO is to blame for their incompetent interpretation of direct marketing. If a controller does this with me, they go on my court list and they’ll need to admit fault to avoid a claim for compensation.

Related article: ICO Assessment (RFA0858363): Understanding what constitutes a genuine customer survey.