ICO Fines Moneysupermarket.com for Unsolicited Email Campaign

Security and Compliance
21.07.2017 10:15 am

Price comparison website Moneysupermarket.com Ltd has been fined £80,000 by the Information Commissioner’s Office (ICO) for sending millions of emails to customers who had made it clear they didn’t want to be contacted in that way.

The company sent 7.1 million emails over 10 days updating customers with its Terms and Conditions. But all the recipients had previously opted out of direct marketing.

Moneysupermarket’s email included a section entitled 'Preference Centre Update' which read:

"We hold an e-mail address for you which means we could be sending you personalised news, products and promot¡ons. You've told us in the past you prefer not to receive these. If you'd like to reconsider, simply click the following link to start receiving our e-mails.”

Asking people to consent to future marketing messages when they have already opted out is against the law.

ICO Head of Enforcement Steve Eckersley said:

“Organisations can’t get around the law by sending direct marketing dressed up as legitimate updates.
“When people opt out of direct marketing, organisations must stop sending it, no questions asked, until such time as the consumer gives their consent. They don’t get a chance to persuade people to change their minds.”

Moneysupermarket sent the messages between 30 November and 10 December 2016. The ICO’s investigation found that 6,788,496 were successfully received.

Mr Eckersley added:

“Emails sent by companies to consumers under the guise of ‘customer service’, checking or seeking their consent, is a circumvention of the rules and is unacceptable. We will continue to take action against companies that choose to ignore the rules.”

Ashish Koul, President at Acqueon said:

“The fine issued by the ICO to moneysupermarket.com for sending over seven million ‘nuisance’ e-mails, highlights a worrying trend of businesses failing to ensure ethical marketing activity. There is no excuse – especially considering the ready availability of technologies that can check hundreds of thousands of ‘Do Not Contact’ (DNC) records in mere seconds. Organisations that ignore customers’ rights in this way will continue to face sanctions. In addition, no customer is going to frequent a business that has been bombarding them with e-mails – especially after they’ve opted out of receiving them. Businesses must ensure compliance in all marketing campaigns – whether telephone, email, SMS, or social media. Businesses must put in place the right systems to avoid incurring further fines and annoying customers.”

Tim Dimond-Brown, Head of EMEA North at GMC Software:

“With the GDPR less than a year away, privacy needs to be at the forefront of every organisation’s strategy. While most focus on privacy has been on security, these penalties from the ICO make clear that businesses have far more basic questions to answer on how they store customer data and actually communicate with customers. The right to privacy is a fundamental part of the GDPR; meaning that every single communication, and every process behind it, must be made with this in mind. This means ensuring that in every part of the business, and across every channel of communication, data is being both entered correctly and shared across the organisation to ensure there is no opportunity for error.
“Businesses have a responsibility to communicate with their customers and inform them of changes to terms and conditions: but they also have a responsibility to do this in the correct manner. An unsolicited marketing email, warning of changes to marketing emails, is precisely the wrong way to do this. Instead, organisations should be able to communicate with customers in the right way, at the right time, over the right channel, safe in the knowledge that they have all relevant data to do this. For instance, automated systems that control how customer data is entered and shared could have prevented this; as would systems preventing non-compliant emails being sent in the first place. Similarly, an unsolicited email, or worse still phone call, can be seen as an invasion of privacy. Yet sharing information via social media, or when a customer makes contact with the business themselves, is much less likely to get a positive reception. The sooner businesses learn how to approach privacy, the better; it’s just a shame that, in this case, it took tens of thousands of pounds.”