Three cases were decided this week which have the potential to make customer engagement harder as businesses get ready for the forthcoming General Data Protection Regulation (GDPR). The cases involved fines for Flybe and Honda and a reprimand for Lands’ End.
What did Flybe do?
Flybe are a European regional airline based in Exeter. The airline has a history of data protection issues and in September 2015 its CEO signed an undertaking to the UK data regulator, the Information Commissioner’s Office (ICO) promising that the airline would improve. The most recent case includes an email campaign that Flybe undertook in August 2016. They sent more than 3.3 million emails entitled “Are your details correct?” to customers asking them to amend any out of date information and update any marketing preferences. The email was an incentivized opt-in campaign – Flybe said that if they updated their preferences they could be entered into a prize draw.
One of the email recipients complained to the ICO.
An investigation by the ICO found that Flybe used a third party agent to send these emails and it had instructed the agent to send emails to customers that they knew had previously opted-out of direct marketing from Flybe. Flybe seemingly told the agency to do this because it wanted to clean up its database. The ICO fined Flybe £70,000 under the Privacy and Electronic Communication Regulations (PECR). The requirements in PECR often work in parallel to the requirements under the Data Protection Act 1998 (DPA 1998) but in this case the ICO made it clear that an attempt to improve compliance with the DPA 1998 (and the forthcoming GDPR) cannot excuse a breach of PECR.
What did Honda do?
There was a separate investigation into Honda Motor Europe Limited. They sent 289,790 emails to try, in their belief, to clean up their database to help them comply with data protection law. Honda was unable to produce to the ICO any evidence that customers had given consent to receive this type of email and were fined £13,000 under PECR. The ICO decided that Honda’s conduct was negligent rather than deliberate and the fine is less as a result.
What was the Lands’ End case about?
The Lands’ End case was an investigation by the UK advertising regulator, the Advertising Standards Authority (ASA). Lands’ End is an online clothing company. They drafted an email to people who visited their page as part of a retargeting campaign managed by an agency on their behalf. The agency said that they had obtained consent from individuals to retargeting. One of the recipients of the email complained however and said that he had not consented. Lands’ End provided a screenshot from their records showing that he had submitted his details to an affiliate website and they believed that a statement next to an opt-in box gave them consent.
The ASA disagreed. They said that the individual concerned had consented to being contacted by “our network of affiliated partners” but it didn’t make clear the nature of those third parties or the types of communications that might be received. The ASA said that there was no clear connection between the types of products or services provided by the website the complainants had signed up to and those provided by Lands’ End. They also said that it was Lands’ End’s responsibility to supervise the agency and that they, Lands’ End, had primary responsibility for ensuring that their marketing communications complied with all of the relevant advertising codes. They also said that it was up to the advertiser to prove that they had explicit consent to receive marketing communications. As a result the ASA decided that the campaign had breached the CAP Code and they told Lands’ End to ensure that all of their future marketing emails were only sent to people where they had evidence of the relevant consents.
What do these cases tell us?
It is important to remember that at least two of these cases involve just one complainant – out of 3.3 million emails sent in the Flybe case. As we’ve mentioned before in our alerts people are exercising their data protection rights more and regulators are more ready to act.
These cases also show that marketing and handling data are becoming ever more complex. As well as the forthcoming GDPR we have additional changes to the rules with the proposed EU ePrivacy Regulation. You can find out more about GDPR in our FAQs here – http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and about the ePrivacy Regulation in our FAQs here – http://www.corderycompliance.com/proposed-eu-e-privacy-regulation/. In addition the ICO is currently consulting on consent guidance under the GDPR. This consultation closes today. We have a more detailed analysis of the draft consent guidance in our GDPR Navigator subscription service here – http://www.corderycompliance.com/solutions/cordery-gdpr-navigator/.
Would the consequences be worse in 2018?
It is important to remember that the consequences of breaches like this increase when the new rules come in in May next year. As an indication the maximum fine based on current turnover for Flybe could be up to £24.8million and for Honda £4.2billion. Applying the same formula in the two ICO cases to the new maximum penalties the fines would be for £2.9m for Flybe and £110m for Honda.
Marketing campaigns will become more challenging and equally getting databases ready for the GDPR will require proper thought.
Cordery’s GDPR Navigator includes resources to help understand GDPR including a video guide, summary and helpful table to deal with consent. It also includes guidance on fine determination and on how to reduce risk when appointing third parties. There are also checklists for consent and privacy notices. All of these resources, together with a monthly conference call on hot GDPR topics are included for one fixed annual fee. More details of GDPR Navigator are at www.bit.ly/gdprnav
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
| Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | |
| Office: +44 (0)207 075 1784 | Office: +44 (0)207 075 1785 | |
| Jonathan.armstrong@corderycompliance.com | Andre.bywater@corderycompliance.com | |
 |
 |