In order to become GDPR compliant, many organisations are facing the job of checking whether they hold GDPR-compliant consent to send marketing emails to individuals. To prepare for the introduction of the GDPR in May 2018 some organisations have sent emails to their database to check that marketing consents are up to date. However, recent fines from the ICO have highlighted some potential risks involved.
On 27 March this year the ICO fined both Honda and Flybe for sending emails to their customers to ask for confirmation of their contact details and marketing preferences.
Flybe sent an email to 3.3 million people asking ‘Are your details correct?’ The email asked recipients to update their details and marketing preferences for the chance to be entered into a prize draw.
The problem with the Flybe email was that it was sent to people who had previously refused or withdrawn their consent for email marketing.
This was in breach of current data protection law. The ICO made clear that emails sent for the purpose of updating marketing preferences are still sent for the purpose of direct marketing so require prior consent.
Flybe were fined £70,000 after an initial warning from the ICO which was ignored.
Honda sent an email to over 300,000 customers who did not have marketing preferences set (either because they were incomplete or had never been recorded). The purpose of the email was to ask these customers whether they did want to receive marketing communications.
The ICO similarly confirmed that any email sent to verify consent for direct marketing is in itself direct marketing. As such, the organisation sending the email must already have consent in place. Unknown marketing preferences cannot constitute consent.
Although the email was sent to Honda’s customers, Honda could not rely on the fact that the email address was acquired during a sale of goods, because the email addresses were collected by Honda’s dealers and not Honda directly.
Honda were fined £13,000 by the ICO.
The lessons to learn here are:
If an individual has previously refused or withdrawn consent to direct marketing:
If a person has previously refused their consent to receive marketing by email, no further marketing emails should be sent. This includes an email asking whether that person has changed their mind and would now like to receive marketing.
If it is unknown whether an individual consents to direct marketing:
If there is no evidence that a person has consented to receive direct marketing by email, no marketing emails should be sent. This includes an email asking whether that person does consent to such marketing.
If an individual has given their previous consent to direct marketing:
If there is already evidence that the person consents to direct marketing, it is fine to send an email to check whether that person still gives their consent (and to ensure that the consent is GDPR-compliant).