Morrisons fined £10,500 for breaching data privacy rights
morrisons fined for email breach

Morrisons fined £10,500 for breaching data privacy rights

Sign-up to a data breach claim today - use our quick and easy form to begin your claim for thousands of pounds in compensation.

Start Your Claim
Your privacy is extremely important to us. Information on how we handle your data is in our Privacy Policy

solicitors regulation authority

The 4th largest supermarket chain in the U.K. has been fined by the Information Commissioner’s Office (‘ICO’) for breaking data protection laws in regards to how personal information is being used when sending marketing emails.

The ICO undertook an investigation into the supermarket chain after allegations were made by an individual that WM Morrison Supermarkets PLC (‘Morrisons’) were sending emails that customers had previously opted out of.

The Commissioner wrote to Morrisons on 28th November 2016 notifying them of the complaint made against them.

Regulations broken

The investigation found that Morrisons intentionally sent 130,671 emails to customers who had previously opted out of receiving marketing emails relating to their ‘Morrisons More’ card.

The ICO warned that civil monetary penalties of up to £500,000 could be issued for breaching the Privacy and Electronic Communication Regulations (‘PECR’). Regulation 22(1) states: “this regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers.” Regulation 22(2) states that a person shouldn’t send “unsolicited communications for the purpose of direct marketing via email” unless they’ve obtained the consent of the recipient.

Regulation 22(3) lists exceptions to the general rule. A person may send emails for direct marketing where:

  • They’ve obtained consent of the recipient in the course of the sale or negotiations
  • Direct marketing is in respect of that person’s similar products and services only
  • The recipient was given the means to refuse the use of his contact details, they didn’t initially refuse the use of the details, at the time of each subsequent communication

Background to the breach

The emails were reportedly sent between 24th October and 25th November 2016 titled ‘Your Account Details’.

The email invited customers to change their marketing preferences to start receiving money-off coupons, extra ‘More Points’ and the latest news from Morrisons. This appears to have had the intended effect of making customers opt-in to their marketing emails so they could receive the listed benefits above.

However, this was done wrongfully to start with because customers had already opted-out of these emails, and Morrisons seem to have circumvented those wishes.

Morrisons defence?

Morrisons tried to argue that, because they were receiving multiple queries from customers stating they weren’t receiving emails, they had chosen to send the ‘Your Account Details’ email to opted-out customers to advise them of their marketing preferences.

Unfortunately, Morrisons weren’t able to prove that the customers receiving the emails had consented to the same. Therefore, the ICO found that Morrisons had in fact breached Regulation 22 of the PECR.

The importance of consent

Deputy Commissioner, Simon Entwisle, noted the importance of a customers’ free will over their personal data:

“It is vital that the public can trust companies to respect their wishes when it comes to how their personal information is used for marketing. These customers had explicitly told Morrisons they didn’t want marketing emails about their More card. Morrisons ignored their decision and for that we’ve taken action.”

Email marketing is only allowed to be sent to individual customers if they’ve given their permission. Emails of this nature should clearly indicate:

  • Who you are
  • That you’re intending to sell or promote something
  • What the promotions are and any conditions attached to them

Companies and organisations must check they’re not sending emails to any customer who has opted out and explicitly asked not to receive them. In this case, Morrisons breached these provisions as customers who had “opted out” of receiving the marketing emails still received them.

Morrisons has been fined £10,500 for breaking the PECR.

Start Your Claim

You can call our claims team free from a landline or mobile on 0800 634 7575 or click on the link below to create a call back with one of our expert Data Claims team.Information on how we handle your data is available in our Privacy Policy.

We offer genuine No Win, No Fee agreements for our clients. Why we do this is simple:

Leading Data Breach Lawyers
Our experience speaks for itself.
We will fight for your right to compensation.
Access to Justice
As a victim of a data breach or hack, you deserve your chance to get access to justice.
Risks Assessment
We carefully risk assess your case and take it on if we think we have a good chance of winning the claim.

Request A Callback From Our Team

Fill out our quick call back form below and we'll contact you when you're ready to talk to us.

Your privacy is extremely important to us. Information on how we handle your data is in our Privacy Policy

solicitors regulation authority

Contact is © of Your Lawyers Limited - we are 'Authorised and Regulated by the Solicitors Regulation Authority (SRA number 508768)'
arrow-up icon