In the run-up to the GDPR, many companies chose to inundate email inboxes, seeking consent in relation to retaining individuals on their mailing lists. While this might have been regarded by many individuals as a good opportunity to purge their inboxes of unwanted newsletters and notifications, the frantic contact made by such companies may have been unnecessary or even illegal.

In reality, many companies had been operating with the required consent already. In such cases, these companies did not need to ask individuals to “opt in”. Other companies may have been contacting individuals validly in line with the legal basis that it was in their legitimate interests to do so.

More worrying are the companies that never had consent in the first place. These companies were arguably in breach of data protection rules by contacting individuals in this manner.

This was well demonstrated by a decision of the Information Commissioner in the UK last year, where two companies, Flybe and Honda, were fined £83,000 for breaching rules in relation to an individual’s personal information when sending marketing emails.

An investigation by the Information Commissioner’s Office (the “ICO”) found that Exeter-based airline Flybe had “deliberately sent more than 3.3 million emails to people who had told them they didn’t want to receive marketing emails from the firm”. Those emails, somewhat bizarrely, asked customers to update their marketing preferences, including whether they wanted to receive emails like the ones Flybe had just sent, and offered customers the chance to be “entered into a prize draw” for updating their preferences.

Similarly, a separate investigation by the ICO revealed that Honda had sent 289,790 emails aiming to clarify certain customers’ choices for receiving marketing emails from the company.

Honda submitted, without success, that the emails were not classified as marketing but instead were customer service emails to help the company comply with data protection law. Of note is that Honda could not prove that the customers contacted had ever provided consent to receiving such an email.

Going forward, organisations are advised to consider whether it is really necessary to send such emails or whether there is another legal basis that may be relied on for contacting customers under the GDPR.