The recent fines issued by the Information Commissioner’s Office (“ICO”) to Flybe Limited and Honda Motor Europe Limited underlined the toughening stance regarding the sending of unsolicited emails to individuals for the purposes of direct marketing.
Between May and August 2016, Honda sent 289,790 unsolicited emails to individuals titled “Would you like to hear from Honda?” to clarify the marketing preferences of those individuals they were unsure of. Many of these emails were directed towards individuals for whom Honda did not hold the “opt in” or “opt out” information.
In August 2016, Flybe sent 3,333,940 unsolicited emails to individuals titled “Are your details correct?” asking them to amend any out-dated information and update their marketing preferences, thereby entering into a prize competition.
In both instances, the ICO’s view was that organisations cannot email an individual to obtain their consent to future marketing communications unless the individual has already specifically consented to receive such an email. The ICO did not regard Honda and Flybe’s emails as customer service emails to help those companies comply with their data protection obligations. Instead, it considered that the emails were sent for the “purposes of marketing” and accordingly they were subject to the same rules as other marketing emails.
Both companies were unable to show that all the individuals to whom emails had been sent had consented to receipt of the messages, although it was their responsibilities to safeguard that sufficient consent had been obtained. The ICO was satisfied that both companies did not have the consent to send unsolicited direct marketing emails.
The ICO further stated that the contraventions identified were serious in nature, and deliberate and negligent contraventions. Flybe, in particular, was aware that the emails were being sent to individuals who, according to their records, had previously indicated that they did not consent to receive direct marketing.
Practical points to note:
- Businesses should carefully record customer marketing consents, identifying the specific types of those requests (email only, email and telephone, offers, newsletters, etc.), and customer opt-out requests.
- Businesses should ensure to only send electronic marketing communications to individuals where they have those individuals’ specific consents to do so. The Honda and Flybe penalty fines demonstrate that the definition of communications for the “purposes of marketing” can be interpreted broadly.
The bar for valid consents will be raised under the EU General Data Protection Regulation from 25 May 2018, therefore businesses should be reviewing their policies and privacy statements to prepare for the changes now.
Our summary of the current direct marketing rules can be found opposite.