Insights

Updating consent – implications of the Flybe and Honda fines

On 27th March 2017, the ICO issued Monetary Penalty Notices to Honda and Flybe, having determined that their approaches to confirming customers’ contact details and marketing preferences were not compliant with PECR (The Privacy & Electronic Communications Regulations 2003).

Since these fines were issued, there has been some concern about whether this means that verification of consent and/or marketing preferences is forbidden. The answer is “definitely not” – checking and confirming consent and marketing preferences is a useful activity which helps organisations comply with the data quality and fair use requirements of privacy law.

However, the way in which an organisation goes about verifying customers’ contact preferences is very important, and this is where Flybe and Honda got into trouble.

By following the guidance produced by the Fundraising Regulator and Protecture for obtaining and confirming consent - especially the consent Self-Assessment Tool - you can avoid the difficulties that Flybe and Honda encountered.

Flybe

Flybe’s email marketing database (held by a third party Data Processor) included records of customers’ marketing preferences, including whether the customer had refused or withdrawn consent for email marketing (“opted out”).

In August 2016, Flybe sent emails to more than three million customers who had previously opted out of email marketing, asking them to confirm that their details – including marketing preferences – were correct. The email also provided the recipients with opportunity to enter a prize draw when they responded.

Flybe had characterised this email campaign as being for “data cleansing purposes.”

  • It is difficult to see how this claim was justified, as there would be no need to update the contact details for those individuals who had opted out of receiving direct email marketing.
  • Their details would only need to be kept for suppression purposes (i.e. making sure that the specific contact details were excluded from future marketing campaign messages).

Following a complaint from a recipient of the email, the ICO advised Flybe that emails sent with the intention of “cleansing” or updating marketing databases are sent for the purposes of direct marketing and so prior consent would be required.

  • This means that Flybe’s emails were sent in breach of PECR, as there was no email marketing consent in place (in fact, consent had previously been explicitly refused or withdrawn by the recipients)
  • The ICO did not accept the justification of “verifying details”, as Flybe’s intention appeared to be the re-acquisition of consent that had previously been refused or withdrawn.

Flybe continued to send out “confirm your preferences” emails to customers who had refused or withdrawn consent to email marketing, even after the ICO had warned them that their activities were likely to be in breach of PECR.

As Flybe did not have prior consent to send email messages for marketing purposes to the 3,333,940 individuals who received the email asking them to confirm their preferences, the ICO found that they had acted in breach of PECR and fined them £70,000.

Honda

Honda’s email marketing database contained contact details from a number of sources – signups made through their website or at their promotional events, and customer contact details passed to them by authorised dealers when an order or sale of a Honda product took place.

  • Honda could not use the “soft opt-in” (which allows marketing emails to be sent when the email address was acquired during a sale or negotiations for a sale of good or services) as this can only be relied on by the organisation that collected the contact details – which in this case was the dealers.

Honda provided instructions and software for the dealers to record customer marketing permissions. However, although ‘consent for marketing from Honda’ status was a mandatory field in the software, the specific channels that the customer had agreed to receive Honda marketing on were not; and were therefore often not recorded by the dealers.

In 2016, Honda emailed the 343,093 customers that had missing or incomplete marketing permissions in their records, seeking to clarify whether the recipients did, in fact, want to receive email marketing from Honda. Only 289,790 of these messages were successfully delivered.

A complaint was made to the ICO by an individual who had received the “would you like to hear from us?” email and the ICO advised Honda that they may have been acting in breach of PECR.

Honda’s response was that the emails were “service messages” as they related to the administration of an ongoing relationship with the customer and were intended to make sure that the customer marketing records on their database were accurate and up to date by removing any individual who did not positively respond by confirming their consent to email marketing.

  • As with the Flybe case, an email sent in order to seek or verify consent for direct email marketing is itself “sent for the purposes of direct marketing”. If consent is not already in place, that email will have been sent in breach of PECR, so the ICO did not accept that the emails were only “service emails”.

As Honda could not provide evidence that they had consent to send email marketing to the 289,790 individuals who received the “would you like to hear from us” email, the ICO found that they had acted in breach of PECR and fined them £13,000.

By sending the emails to customers whose marketing channel preferences were not known, Honda had risked emailing customers who had either refused consent for email marketing or who had not given “prior consent.”

Key points to note:

“No” means ‘no’. When an individual refuses or withdraws consent for direct marketing by email, the organisation they have opted-out of hearing from is not allowed to send that individual any more emails relating to marketing. This includes prompts or incentives to induce the individual to change their mind about their consent status.

 “We don’t know” doesn’t mean ‘yes’. If you are in doubt as to whether you have consent in place for a particular marketing channel (perhaps you have gaps in your records, or you have bought in contact lists in the past without strong assurance that consent for your marketing was obtained), you should consider using postal mail to confirm marketing preferences rather than risking emailing or calling in breach of PECR.

However, if an individual exercises their right to make a blanket objection to all direct marketing (section 11 of the Data Protection Act or Article 21.2 of GDPR), then you must not send them any marketing-related messages by any channel. You should also make sure that blanket objections are recorded in all systems that store marketing preferences so you don’t accidentally send unwanted marketing messages.

Checking that “yes” still means ‘yes’, is fine. Where you already have some form of consent to send an individual direct marketing messages by email (or phone, or SMS) - but have concerns that the standard of consent currently held is not up to the GDPR level, and/or you want to make sure that they are still happy to hear from you (and that you have an up-to-date record of the channels that they have agreed to be contacted on) then using an electronic channel to seek updated consent is possible.

If you are considering refreshing or confirming the consent you currently hold, the data protection guidance produced by the Fundraising Regulator and Protecture includes a handy “Consent self-assessment tool” to help you assess the quality of consent you currently hold and decide, justify and document your approach to seeking updated, GDPR-standard consent.

There is no set interval for checking, however a minimum of every two years is considered to be reasonable.

Rowenna Fielding, Data Protection Lead, Protecture. 

 


Apr 27, 2017
Back to top