In an ironic twist, the British Information Commissioner’s Office (ICO) recently fined a Brexit advocacy group for violating regulations issued under an EU directive. The fines, totaling £120,000, were levied against Leave.EU and a related insurance company, Eldon Insurance, for sending marketing emails to each other’s subscribers without sufficient consent. Leave.EU had sent marketing emails to over 300,000 of Eldon’s customers, and the two entities had carried out unlawful joint marketing campaigns through Leave.EU’s mailing list.
The entities, which are run by the same individual, share a significant number of employees, senior employees, directors, and a corporate address. At the time, the marketing staffs were even using the same Mailchimp account. As a result of administrative error, a Leave.EU employee inadvertently used an Eldon distribution list to send a Leave.EU e-newsletter to nearly 300,000 of Eldon’s customers without their consent. In addition, as part of a more coordinated marketing scheme, the parties worked together to advertise Eldon’s insurance services through Leave.EU’s weekly newsletters.
Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations of 2003 (PECR), which remains in force notwithstanding the enactment of GDPR in the EU, mandates that an organization cannot transmit, or instigate the transmission of, unsolicited marketing communications without the recipient’s consent. Section 55A of the UK’s Data Protection Act of 1998 gives the Commissioner the authority to issue monetary penalties for any “serious contravention” of the PECR, whether deliberate or negligent.
The Commissioner found that Leave.EU contravened the PECR by failing to take reasonable steps to segregate its mailing list from Eldon’s. The violation was magnified by the number of customers affected and Leave.EU’s failure to take reasonable steps to prevent it, such as using separate Mailchimp accounts or implementing a process for reviewing mass-marketing communications before they are sent. The Commissioner also found that the marketing scheme instigated by Eldon through Leave.EU’s weekly newsletters lacked sufficient consent from Leave.EU’s subscribers, specifically noting that Leave.EU’s privacy policy does not identify Eldon in such a way that would suggest they could lawfully instigate direct marketing to subscribers.
As we noted in a recent Law360 Article, misuse of private data will continue to garner more attention and enforcement from regulating bodies, and increased access to data from companies creates more opportunities for data privacy violations.
Putting it Into Practice: Companies that share personnel or are closely affiliated with other groups or companies should develop clear policies and procedures to ensure that marketing data and personal data are not inappropriately mixed. Companies should also implement a process for reviewing mass-marketing communications before they are sent and should obtain consent before instigating marketing efforts directed towards another company’s customers.