The Information Commissioner’s Office is baring its teeth as we rocket towards the EU’s General Data Protection Regulation (GDPR) coming into effect.
As the relevant data protection authority in the UK, the ICO will be responsible for regulating the nation’s data economy when GDPR kicks in, which means ensuring businesses comply with new stringent rules regarding collecting and sharing individuals’ information.
Currently issuing sanctions in accordance with the UK’s Data Protection Act 1998 and some other EU legislation, the ICO has recently become very willing to uphold the letter of the law and crack down on the more widespread (and mistakenly expected to be tolerated) misuse of people’s personal information.
Just this week, the ICO fined two companies a total of £83,000 for breaking the rules regarding marketing emails. Although the figure seems small compared to the terminal fines issued to companies such as Media Tactics, it notably targeted a regular area for data misuse and the offending companies could have easily avoided being fined.
An investigation by the commissioner’s office found that Exeter-based airline Flybe had “deliberately sent more than 3.3 million emails to people who had told them they didn’t want to receive marketing emails from the firm”.
Those emails ironically were asking customers to update their marketing preferences, including whether they wanted to receive emails like the ones Flybe had just sent, and offered customers the chance to be “entered into a prize draw” for contributing.
Flybe ostensibly sent to ensure that its data on customers was held in compliance with the GDPR but landed a a £70,000 monetary penalty notice [PDF] from the ICO for breaking the Privacy and Electronic Communication Regulations (PECR) while attempting to do so.
A separate ICO investigation into Honda Motor Europe Ltd revealed that the car company had sent 289,790 emails – again aiming to clarify certain customers’ choices for receiving marketing spam.
The firm believed the emails were not classed as marketing in and of themselves but instead were customer service emails to help the company comply with data protection law. Unfortunately, Honda couldn’t provide evidence that the customers had ever given consent to receive this type of email, which was also a breach of PECR.
The ICO issued Honda a £13,000 monetary penalty notice [PDF].
Steve Eckersley, the ICO’s head of enforcement, said: “Both companies sent emails asking for consent to future marketing. In doing so they broke the law. Sending emails to determine whether people want to receive marketing without the right consent is still marketing and it is against the law.
“In Flybe’s case, the company deliberately contacted people who had already opted out of emails from them. Businesses must understand they can’t break one law to get ready for another.” ®