The 4th largest supermarket chain in the U.K. has been fined by the Information Commissioner’s Office (‘ICO’) for breaking data protection laws in regards to how personal information is being used when sending marketing emails.
The ICO undertook an investigation into the supermarket chain after allegations were made by an individual that WM Morrison Supermarkets PLC (‘Morrisons’) were sending emails that customers had previously opted out of.
The Commissioner wrote to Morrisons on 28th November 2016 notifying them of the complaint made against them.
Regulations broken
The investigation found that Morrisons intentionally sent 130,671 emails to customers who had previously opted out of receiving marketing emails relating to their ‘Morrisons More’ card.
The ICO warned that civil monetary penalties of up to £500,000 could be issued for breaching the Privacy and Electronic Communication Regulations (‘PECR’). Regulation 22(1) states: “this regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers.” Regulation 22(2) states that a person shouldn’t send “unsolicited communications for the purpose of direct marketing via email” unless they’ve obtained the consent of the recipient.
Regulation 22(3) lists exceptions to the general rule. A person may send emails for direct marketing where:
- They’ve obtained consent of the recipient in the course of the sale or negotiations
- Direct marketing is in respect of that person’s similar products and services only
- The recipient was given the means to refuse the use of his contact details, they didn’t initially refuse the use of the details, at the time of each subsequent communication
Background to the breach
The emails were reportedly sent between 24th October and 25th November 2016 titled ‘Your Account Details’.
The email invited customers to change their marketing preferences to start receiving money-off coupons, extra ‘More Points’ and the latest news from Morrisons. This appears to have had the intended effect of making customers opt-in to their marketing emails so they could receive the listed benefits above.
However, this was done wrongfully to start with because customers had already opted-out of these emails, and Morrisons seem to have circumvented those wishes.
Morrisons defence?
Morrisons tried to argue that, because they were receiving multiple queries from customers stating they weren’t receiving emails, they had chosen to send the ‘Your Account Details’ email to opted-out customers to advise them of their marketing preferences.
Unfortunately, Morrisons weren’t able to prove that the customers receiving the emails had consented to the same. Therefore, the ICO found that Morrisons had in fact breached Regulation 22 of the PECR.
The importance of consent
Deputy Commissioner, Simon Entwisle, noted the importance of a customers’ free will over their personal data:
“It is vital that the public can trust companies to respect their wishes when it comes to how their personal information is used for marketing. These customers had explicitly told Morrisons they didn’t want marketing emails about their More card. Morrisons ignored their decision and for that we’ve taken action.”
Email marketing is only allowed to be sent to individual customers if they’ve given their permission. Emails of this nature should clearly indicate:
- Who you are
- That you’re intending to sell or promote something
- What the promotions are and any conditions attached to them
Companies and organisations must check they’re not sending emails to any customer who has opted out and explicitly asked not to receive them. In this case, Morrisons breached these provisions as customers who had “opted out” of receiving the marketing emails still received them.
Morrisons has been fined £10,500 for breaking the PECR.