Who: Information Commissioner’s Office (“ICO”)
Where: UK
When: 20 March 2017
Law stated as at: 10 April 2017
What happened:
On 20 March 2017, the ICO fined Flybe £70,000 for breaching the direct marketing provisions of the Privacy and Electronic Communications Regulations 2003 (PECR).
Specifically, the ICO fined Flybe for deliberately sending more than 3.3 million e-mails to people who (Flybe knew) had previously opted out of receiving direct marketing from Flybe. Those e-mails asked people to:
- amend any out of date information; and
- review and update their marketing preferences.
The e-mail also said that by updating their preferences, people may be entered into a prize draw.
In its monetary penalty notice (available here), the ICO re-iterated that:
- e-mails asking people if they want to change their marketing preferences are themselves marketing (they are not “customer service” e-mails); and
- organisations that send these types of e-mails to people who have already opted out of receiving marketing will be in breach of the PECR.
The ICO pointed to its (recently updated) direct marketing guidance (available here), in which it makes this very clear (see paragraph 193, in particular).
This fine against Flybe can be compared with a fine issued by the ICO against Honda on the same day. Honda was fined £13,000 for sending just shy of 300,000 e-mails to people asking them to clarify their marketing preferences. For those particular individuals, Honda had no record of whether they had consented to receive direct marketing, because of a design flaw in Honda’s system which meant that authorised dealers (who had inputted the individuals’ data into the system) had not been required to specify those individuals’ marketing preferences sufficiently clearly. Again, the ICO confirmed that the e-mails were marketing (not “customer service” e-mails) and that Honda was in breach of the PECR by sending those e-mails without evidence that the individuals had consented.
The fine against Honda was significantly lower than the fine against Flybe, partly because of the number of e-mails involved, but also because – in the ICO’s view – Honda had negligently failed to comply with the PECR, whereas Flybe had deliberately failed to comply.
Why this matters:
Flybe was understood to have sent these e-mails as part of a data cleansing exercise undertaken in preparation for the General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018. Many organisations will be looking to do the same.
These fines are a stark reminder that e-mails asking people to update their marketing preferences must only be sent in accordance with the requirements of the PECR (i.e. if the organisation has sufficient consent to send marketing e-mails, or – if relying on the soft opt-in rule – an individual has not opted out). As Steve Eckersley, the ICO’s Head of Enforcement, says: “Businesses must understand that they can’t break one law to get ready for another”.
However, the ICO does recognise – in its direct marketing guidance – that people can change their minds and that marketing strategies can change. In that guidance, the ICO considers that it can be acceptable to remind people that they can opt back in to marketing provided that the reminder forms “a minor and incidental addition to a message being sent anyway for another purpose”. This guidance pre-dates the GDPR being passed, but there is nothing in the ICO’s recent monetary penalty notices against Flybe or Honda that suggests this position has changed.
It may still be possible to (very sensitively) remind people that they can change their mind, but this will have to be done very carefully to avoid tripping into direct marketing territory under the PECR.