Flybe, a regional airline, and Honda Motors have been fined £70,000 and £13,000 respectively for breach of the Privacy and Electronic Communications Regulations (PECR). Both companies failed to respect individuals’ opt-outs from future marketing.
Flybe had sent individuals on its database an e-mail titled “Are your details correct?” advising them to amend any out of date information and update any marketing preferences. There was also an opportunity to enter a prize draw.
However, the email was also sent to people who had previously opted out of receiving marketing e-mails. Flybe explained that the emails were sent for data cleansing purposes.
Honda Motor Europe Ltd also claimed that the emails sent were not classed as marketing but instead were customer service emails to help the company comply with data protection law. In Honda’s case, the company could not provide evidence that the customers had ever given consent to receive this type of email.
Honda said that the emails were sent with the aim of maintaining their compliance with the data protection principles relating to the retention of personal data and direct marketing. They stated that in particular, the e-mail was aimed to ensure that:
• they were not keeping any personal data on their marketing lists for longer than was reasonably necessary and
• any opt-ins received from customers were both current and correct.
Honda claimed that the incident took place due to a design flaw in the software portal. When some dealers were inputting data, the system had either failed to complete the actual marketing preferences field relating to that individual or had placed an ‘X’ rather than a yes or no answer in the applicable field. This was because a yes or no completion of the preferences field was not mandatory.
The ICO says it recognises that companies will be reviewing how they obtain customer consent for marketing to comply with the GDPR’s stronger requirements on customer consent.
Steve Eckersley, ICO’s Head of Enforcement, warned: “Businesses must understand they can’t break one law to get ready for another.”
“Any company unsure of the best way to prepare for the change in consent under GDPR should contact the ICO for advice.”
The monetary penalty notices can be seen at https://ico.org.uk/action-weve-taken/enforcement/