ICO issues fines for emails seeking consent to marketing
The ICO has fined Flybe and Honda a total of £83,000 for emails sent to customers to obtain consent to future marketing messages.
Flybe sent an email titled "Are your details correct?" asking customers to confirm their details and update any marketing preferences in return for the possibility of being entered into a prize draw. All 3.3 million customers emailed by Flybe had previously opted out of receiving marketing messages from the company.
Honda sent a similar email to 289,790 customers titled "would you like to hear from Honda?" The emails were sent to customers who had indicated some form of marketing consent, but whose specific marketing preferences had not been recorded due to a design flaw in Honda's systems. Honda explained that it had not sent the emails for marketing purposes, but as a service message, in order to meet the company's obligations under data protection law.
The ICO found that both Flybe and Honda had contravened the Privacy and Electronic Communications Regulations (PECR) and fined the companies £70,000 and £13,000 respectively. Unsurprisingly, the ICO took the view that organisations cannot e-mail an individual in order to obtain consent to future marketing messages, as that email itself is sent for marketing purposes for which consent is required.
Steve Eckersley, Head of Enforcement at the ICO, said "Sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law."
The ICO issued a significantly more substantial fine to Flybe, which it found had deliberately breached PECR. The company intentionally sent emails to customers who, according to the company's own records, had previously opted out.
While the emails were sent by both companies ostensibly to secure appropriate marketing consents ahead of the introduction of the GDPR, the ICO made clear that organisations must respect customers' data wishes. Mr Eckersley warned that, “Businesses must understand they can’t break one law to get ready for another."
Why is this important?
As organisations look to ready themselves for the introduction of the GDPR in May 2018, the fines provide a timely reminder of the existing requirements which must be met when asking customers about marketing preferences. The ICO has demonstrated that it will continue to keep a keen eye on compliance with the rules on marketing consents.
Any practical tips?
Don't forget about the ePrivacy Regulations issued by the European Commission in January 2017! Whilst still draft, these are due to land on the same day as the GDPR (25 May 2018), and these explicitly set out new rules on marketing consents, including for 'Over-the-Top' services and for cookies etc.
Remember also that the ICO has issued specific guidance on direct marketing (19 May 2016), although this is directed only at the current rules under PECR.