Outside view of RPC's transparent glass building.

ICO issues fines for emails asking customers to change marketing preferences

Published on 25 September 2017

The ICO has fined Moneysupermarket.com and Morrisons Supermarket a total of £90,500 for emails sent to customers who had previously opted out of marketing messages.

The facts

Moneysupermarket.com sent an email informing customers that it had updated its privacy policy and terms and conditions.  The email included a section titled “Preference Centre Update” which invited customers to change their marketing preferences to receive “personalised news, products and promotions”.  All 6,788,496 recipients of the email had previously opted out of receiving direct marketing emails.

Morrisons Supermarket sent a similar email to 130,671 customers who had previously opted out of receiving marketing related to their Morrisons More Card (though they had opted in to marketing for online groceries).  The emails were titled “Your Account Details”, and offered to send money-off coupons, extra More points, and the “latest news” from Morrisons if the customers changed their preferences.

The decisions

The ICO found that both Moneysupermarket.com and Morrisons Supermarket had breached their obligations under the Privacy and Electronic Communications Regulations 2003 (PECR) and fined the companies £80,000 and £10,500 respectively. The ICO restated its view, affirmed in other recent cases, that organisations cannot e-mail an individual to ask for consent to future marketing messages. Such an email is itself sent for the purposes of direct marketing and is subject to the same rules as other marketing e-mails.

ICO Head of Enforcement Steve Eckersley said “organisations can't get around the law by sending direct marketing messages dressed up as legitimate updates.  When people opt out of direct marketing, organisations must stop sending it, no questions asked, until such time as the consumer gives their consent.  They don’t get a chance to persuade people to change their minds”. The fact that marketing only constituted one section of the emails sent by Moneysupermarket.com was irrelevant.  Mr Eckersley added that emails sent “under the guise of “customer service”, checking or seeking their consent, is a circumvention of the rules and is unacceptable”.

Why is this important?

There is growing pressure on organisations to sort out their marketing consents ahead of the GDPR coming into force on 25 May 2018.  If they don't, the concern is that their ability to continue using their core databases may be severely compromised under the GDPR's tougher data regime. It explains why businesses are contacting customers now to try and maintain their marketing reach in the future. These fines (just like the recent ones against Flybe and Honda) are a reminder that customers who have opted out of marketing messages are off limits – at least from direct marketing messaging to get them to opt back in (whether dressed up as customer service or otherwise).

Any practical tips?

Be strong with the marketing teams, whatever the temptation to “refresh” marketing consents, or you could end up with a decent fine.  And don't forget that the ICO guidance on direct marketing still applies (for now) and that the ICO also published draft guidance on consent under the GDPR at the end of March 2017. This, and the draft ePrivacy Regulation (published by the European Commission on 10 January 2017), are essential reading materials if you are advising on the ongoing viability of marketing databases ahead of the (now fast-approaching) GDPR D-Day.