ICO fines Flybe and Honda
28 March 2017
The Information Commissioner’s Office has issued data protection fines to two household names: Flybe and Honda, for sending marketing emails in breach of the Privacy and Electronic Communications Regulations (“PECR”).
These fines show an increasing trend by the ICO to take action based on individual complaints and to fine companies rather than deal with enforcement by way of an undertaking. Both cases involved the companies attempting to sort out their marketing databases to ensure continued compliance with data protection laws, and each appears to be based on a single complaint, although the quantity of emails involved is high. It’s a timely reminder that sending emails to ask if recipients want to remain on marketing lists won’t be lawful unless you’re sure that the recipient has opted in to email marketing.
Flybe was fined £70,000 for breach of PECR when they sent more than 3.3 million emails asking “Are your details correct?” in an attempt to update their marketing lists. As an added incentive they asked recipients if they would like to be entered into an optional prize draw. The ICO’s published decision explains that a single individual made a complaint to the ICO, which brought the email to the regulator’s attention. For data cleansing purposes, Flybe apparently deliberately instructed their third-party email distributor to send emails even to customers who had previously explicitly opted out of direct marketing.
In Honda’s case, the fine was £13,000 and again came about due to a data cleansing exercise by the company. Their emails were entitled “Would you like to hear from Honda?” and were intended to clarify the marketing preferences of recipients where the company held an email address but had no record of either an “opt in” or an “opt out”. Honda viewed this as a ‘service email’ and they argued they were attempting to maintain compliance with the data protection principles, including not keeping data longer than necessary. Their marketing consents were recorded on a central database and, because the marketing preference field wasn’t mandatory, the preferences were not always recorded alongside the email. The ICO disagreed with the ‘service email’ argument and said the emails were clearly direct marketing. The emails had been received by over 280,000 people and again it appears that a single complaint to the ICO has resulted in a monetary penalty notice.
Organisations looking to re-permission their marketing consents in advance of the General Data Protection Regulation’s increased requirements, or otherwise simply looking to ensure their marketing databases are up to date, should take note. The ICO’s Direct Marketing Guidance is clear on the requirements for sending marketing emails and was updated last year to remind charities in particular that they can’t rely on the soft opt-in. This guidance is essential reading for all marketers, especially as it’s soon to be put on a statutory footing once the current draft Digital Economy Bill is passed. In addition, just in case you thought you were familiar with the current rules and are getting to grips with GDPR, these marketing rules are also under separate review, as the European Commission issued a new draft E-Privacy Regulation in January. The ambitious timetable set out by the Commission shows they are attempting to agree this to coincide with the GDPR’s effective date of 25 May 2018, but that remains to be seen.