Burger King email ban exposes 'woeful' data practices

Burger King’s data governance has been branded “woeful and potentially illegal” after an ad watchdog investigation has exposed major issues with its “YourBurgerKing” loyalty scheme sign-up, which not only mean marketing can be sent to underage kids but that some data may be being held unlawfully.

The issue has been sparked by a campaign featuring three separate emails which were sent over an eight day period last summer; one promoted the Doritos King Box meal deal and two pushed a “buy one get one free” offer for its Spicy Mayo range.

Although the emails were not worded to appeal to kids, health campaigning group Food Active discovered that one subscriber aged 15 had been targeted, and rifled off a complaint to the Advertising Standards Authority.

The organisation challenged whether the emails were for products high in fat, salt or sugar (HFSS) that were directed at under 16s in breach of the CAP Code.

In response to the ASA’s investigation, Burger King claimed it was careful to take all reasonable steps to avoid targeting ads at those who were under age, adding that the “YourBurgerKing” service was designed for use by people who were at least 16.

However, the firm admitted it did not have any way of ensuring kids did not sign up, conceding the age field on the sign-up form was optional because it believed it was not mandatory for a consumer to share their date of birth during the process.

But in its ruling, the ASA reaffirmed CAP Guidance that stated if data is used to create a mailing list for direct or email marketing, “marketers must ensure they take all reasonable steps to exclude under-16s from the list or targeting criteria. Anyone with a date of birth that meant they were under-16 should be removed”.

The ASA found that the only mandatory information users are required to provide when signing up for a “YourBurgerKing” account is a first name and an email address. The sign-up page only includes a drop-down section labelled “Optional Information”, which allows users to enter their date of birth and postcode if they wish.

The terms of service state that “YourBurgerKing” is intended for use by people who are at least 16 years old, or that users who are under the age of 16 have obtained permission from their parent or guardian.

However, the regulator found that this information is not presented on the sign-up page, and registration can be completed without needing to have read the terms of service.

The ASA said: “We considered that if data was used to create an audience that it should, where necessary, be used to exclude individuals on the basis of their age, and it was not sufficient only to state that the service should not be accessed by under-16s.”

In addition, the ASA said it should still be possible to exclude users who had provided a date of birth which showed that they were under 16 from receiving promotional emails and notifications for HFSS foods.

The regulator added: “We considered that Burger King should have taken further steps, beyond self-declaration at the point of sign-up, to ensure that children under the age of 16 were not at risk of receiving promotional materials for HFSS foods.”

Banning the ads from future activity, the ASA warned Burger King to ensure that HFSS product ads were not directed at children through the selection of media or the context in which they appeared.

In response, Food Active lead director of public health Professor Matthew Ashton said: “This ruling highlights the need for tighter controls to ensure children are protected from advertising of HFSS food and drink products online. Brands have a responsibility to ensure that they exclude any subscribers under the age of 16 from email communications, and clearly this ruling shows some are not doing so.

“We hope this ruling serves as an important reminder to other food and drink companies that they cannot directly promote HFSS products to under 16s across broadcast and non-broadcast media.”

Even so, the company has yet to change its sign up process.

One data expert said: “For a company of Burger King’s size and reputation this is not only woeful but potentially illegal. Not only is it bad practice to hide conditions in the small print, under UK GDPR, if an organisation relies on consent as their lawful basis for processing a child’s personal data, only children aged 13 or over are able to provide their own consent. It is illegal to hold personal data on anyone under that age without parental consent.”