Royal Mail and Reed Online pay the price for unsolicited direct marketing emails

The two latest fines issued by the ICO to Royal Mail and Reed Online for breaches of the direct marketing rules contained in PECR reflect the no-nonsense approach of the regulator to contraventions of the legislation, with one-off mistakes caused by human error serving as no excuse.

Royal Mail 

On 7 March 2022, the ICO issued a £20,000 fine to Royal Mail for sending direct marketing emails promoting their commemorative War of the Roses ‘special stamp series’ campaign to 215,202 individuals for whom it did not hold valid consent. The reasons for Royal Mail not holding valid consent were twofold:

• 215,202 individuals received a marketing email but had taken steps to expressly opt out of direct marketing. The database used by Royal Mail for its marketing emails, Eloqua, relies on Royal Mail storing both consenting and non-consenting customer email addresses. The 215,202 individuals who had opted out of direct marketing were moved to a holding step in the campaign and did not receive a first marketing email. However, due to an internal routing error, those individuals were later accidentally sent a reminder email via Eloqua. The ICO considered that Royal Mail should have been alive to the risk of human error when storing all emails addresses on the same system. This decision serves as a reminder that organisations need to seriously consider the robustness of such systems and factor in additional checks when using automated systems.
• 123,466 of those individuals had used Royal Mail’s services as a guest (i.e. they had used Royal Mail’s online services without creating an account) and had not been presented with a privacy notice and given an opportunity to opt out of direct marketing. As a result, Royal Mail could not rely on the soft opt-in in relation to guests checking out on their website.

Royal Mail self-reported the incident to the ICO, initially as a technical fault but later as a human error. In mitigation, Royal Mail has stated that it will conduct a full internal data protection audit of its direct marketing practices, in addition to it having implemented additional checks to avoid repetition of the incident.

Reed Online

On 20 April 2022 the ICO issued a £40,000 fine to Reed Online for sending a direct marketing email to every jobseeker on their database, including 6,250,966 subscribers who had opted out. The incident came to the attention of the ICO by seven complaints being made through the ICO’s spam reporting facility. The email in question, which had been used in a targeted campaign that ran between 2016 and 2020, was moved to a new customer relationship management system last year as part of a migration procedure for all emails. The email’s status was accidentally amended as a result of human error, meaning that the email was sent to opted out individuals. The ICO was not persuaded by Reed Online’s argument that the email was unintentionally sent and therefore did not have marketing as its purpose, because PECR is not concerned with the intent (or lack of intent) of the sender. Reed Online immediately implemented new quality assurance to avoid repetition. They have also stated that they are re-considering sending any scheduled emails outside of core working hours and are looking at automated flag or sign-off requirements for email transmissions above a certain threshold.

Concluding thoughts

The fairly robust enforcement action taken by the ICO in these decisions evidences a strict approach by the ICO in pursuit of its underlying objective to promote wholesale compliance with the legislation. Given the ICO has said it expects organisations to learn from others’ mistakes, it is particularly important to keep abreast of ICO enforcement action in this area. Our briefing, Consents, records and disguises: lessons from ICO direct marketing enforcement actions, has further details on this topic.