By Tim Rollins
The United Kingdom’s Information Commissioner’s Office (ICO) has stepped up its enforcement of privacy and related compliance regulations, fining Halfords, the UK’s leading retailer for automotive and bicycling products and services, £30,000 for sending nearly half a million marketing emails.
The ICO fined Halfords for breaking the Privacy and Electronic Communications Regulations (PECR), the law governing nuisance marketing, over an email marketing campaign it launched in July 2020. This fine, issued on 7 September 2022, comes at roughly the same time as two enforcement actions the ICO issued for violations of the Freedom of Information Act 2000 (FOIA), sending a strong signal that the ICO will be taking a more vigorous approach to enforcing its regulatory prerogatives.
In July 2020, Halfords sent almost 500,000 emails to people regarding a “Fix Your Bike” government voucher program. The emails encouraged recipients to book a free bicycle check-up and then redeem a £50 government voucher for the cost of repairs at one of its stores—but Halfords had not received informed consent from the people it emailed with the offer. Halfords claimed they were allowed to send the emails under “legitimate interests,” but since the email advertised a service they would profit from, Halfords were not entitled to send the messages under that exception.
Who It Applies To
While the fine is rather small given the number of individuals emailed, it’s important that organisations recognize the changing trend toward more vigorous enforcement of privacy and related rights in the UK. ICO Head of Investigations Andy Curry explained, “It is against the law to send marketing emails or texts to people without their permission. Not only this, it is a violation of their privacy rights as well as being frustrating and downright annoying. Halfords are a household name and we expect companies like them to know and act better… This also sends a message to similar organisations to review their electronic marketing operations, and that we will take necessary action if they break the law.”
Expert Analysis from Paul Lewis, FIP, CIPM, CIPT, CIPP/C, CIPP/A, CISSP, Senior Privacy Advisor, Exterro
The enforcement action demonstrates that consent is not just about cookies or data collection. Organizations must be cognizant of other laws and regulations that “sit alongside” core privacy ones, and which may apply to specific business activities, and so act accordingly. It is important that you know what data you have, where it is, what freely given consents for the intended purposes were obtained at the time of collection and are being applied, and that you offer an easy way for individuals to opt out of any communications or other marketing activities.
Establishing and maintaining a “central point of truth” in the organization for individuals’ consent is both helpful and will become essential for managing it and meeting Privacy Commissioner’s expectations, as opposed to having consent being fragmented and distributed across multiple applications and jurisdictions.
It should also be normal practice that new and legacy initiatives are considered in respect of their compliance with applicable regulations using suitable screening methods, and if justified or required, Privacy Impact Assessments. This approach helps mitigate against changing business processes and “wouldn’t be great if we…” initiatives that may creep in unexpectedly.
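The “central point of truth” described above can be made concrete as a single consent ledger that every outbound channel has to consult before it sends. The following is an added illustration written for this article, not Exterro’s, Halfords’ or the ICO’s code; the registry design, the purpose names (`marketing_email`, `service_email`), the `may_send` gate and the sample subjects are all constructed for the example. It keeps one time-ordered consent history per individual and purpose, so a later opt-out always overrides an earlier opt-in, records where each consent came from for audit purposes, and refuses a marketing send whose only claimed basis is “legitimate interests”, which is the argument the ICO rejected in this case.

```python
"""Purpose-scoped consent registry with a send gate for marketing messages.

Added example for illustration only. Every identifier, purpose name and
sample record below is constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    purpose: str            # what the individual agreed to, e.g. "marketing_email"
    granted: bool           # True = opt-in, False = opt-out / withdrawal
    recorded_at: datetime   # when the decision was captured (timezone-aware)
    source: str             # where it was captured, e.g. "account_signup" (constructed)
    evidence: str = ""      # wording shown to the individual, for audit


class ConsentRegistry:
    """Central point of truth: full decision history per (subject, purpose)."""

    def __init__(self) -> None:
        self._records: dict[tuple[str, str], list[ConsentRecord]] = {}

    def record(self, subject: str, rec: ConsentRecord) -> None:
        self._records.setdefault((subject, rec.purpose), []).append(rec)

    def latest(self, subject: str, purpose: str) -> Optional[ConsentRecord]:
        """Most recent decision wins, regardless of insertion order."""
        history = self._records.get((subject, purpose))
        if not history:
            return None
        return max(history, key=lambda r: r.recorded_at)

    def opt_out(self, subject: str, purpose: str, source: str = "unsubscribe_link",
                at: Optional[datetime] = None) -> None:
        """The 'easy way to opt out': append a withdrawal for that purpose."""
        when = at or datetime.now(timezone.utc)
        self.record(subject, ConsentRecord(purpose, False, when, source))

    def history(self, subject: str, purpose: str) -> list[ConsentRecord]:
        return sorted(self._records.get((subject, purpose), []),
                      key=lambda r: r.recorded_at)


# Purposes for which only an affirmative, purpose-specific consent is accepted.
MARKETING_PURPOSES = {"marketing_email", "marketing_sms"}


def may_send(registry: ConsentRegistry, subject: str, purpose: str,
             lawful_basis: str = "consent") -> tuple[bool, str]:
    """Gate every send. Returns (allowed, reason) so the reason can be logged."""
    if purpose in MARKETING_PURPOSES and lawful_basis != "consent":
        # A commercial offer does not qualify for the "legitimate interests" route.
        return False, f"'{lawful_basis}' is not an accepted basis for {purpose}"
    rec = registry.latest(subject, purpose)
    if rec is None:
        return False, f"no consent record for {purpose}"
    if not rec.granted:
        return False, f"opted out via {rec.source} at {rec.recorded_at.isoformat()}"
    return True, f"consent via {rec.source} at {rec.recorded_at.isoformat()}"


def filter_campaign(registry: ConsentRegistry, recipients: list[str],
                    purpose: str) -> tuple[list[tuple[str, str]], list[tuple[str, str]]]:
    """Split a campaign list into (allowed, blocked); both carry the reason for audit."""
    allowed: list[tuple[str, str]] = []
    blocked: list[tuple[str, str]] = []
    for subject in recipients:
        ok, why = may_send(registry, subject, purpose)
        (allowed if ok else blocked).append((subject, why))
    return allowed, blocked


def build_sample_registry() -> ConsentRegistry:
    """Constructed sample data: three subjects with different consent states."""
    reg = ConsentRegistry()
    t0 = datetime(2020, 6, 1, 9, 0, tzinfo=timezone.utc)
    t1 = datetime(2020, 6, 15, 9, 0, tzinfo=timezone.utc)
    reg.record("alice@example.com", ConsentRecord(
        "marketing_email", True, t0, "account_signup", "Tick to receive offers by email"))
    reg.record("bob@example.com", ConsentRecord(
        "marketing_email", True, t0, "account_signup", "Tick to receive offers by email"))
    reg.opt_out("bob@example.com", "marketing_email", at=t1)   # later withdrawal wins
    reg.record("carol@example.com", ConsentRecord(
        "service_email", True, t0, "booking_confirmation"))     # transactional only
    return reg


if __name__ == "__main__":
    registry = build_sample_registry()
    campaign = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]
    allowed, blocked = filter_campaign(registry, campaign, "marketing_email")
    for subject, why in allowed:
        print(f"SEND   {subject}: {why}")
    for subject, why in blocked:
        print(f"BLOCK  {subject}: {why}")
```

With the constructed sample data only Alice is eligible for the marketing email: Bob withdrew consent after opting in, Carol only consented to transactional mail for a booking, and Dave has no record at all. Because `may_send` returns the reason alongside the decision, the same call doubles as the audit trail a regulator would ask for when questioning why a message was or was not sent.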
Data Privacy Tip
Appropriately managing consumer consent is critical for businesses operating in more and more jurisdictions. Make sure you understand what the cookie-less future holds for your organization by watching this webinar.