ICO (UK) - Royal Mail Group Limited: Difference between revisions
Revision as of 11:15, 10 March 2022
| ICO (UK) - Royal Mail Group Limited | |
|---|---|
| Authority: | ICO (UK) |
| Jurisdiction: | United Kingdom |
| Relevant Law: | Article 4(11) GDPR; Data Protection Act 1998; Privacy and Electronic Communications (EC Directive) Regulations 2003 |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 03.06.2021 |
| Decided: | 07.03.2022 |
| Published: | 08.03.2022 |
| Fine: | 20,000 GBP |
| Parties: | Royal Mail Group Limited |
| National Case Number/Name: | Royal Mail Group Limited |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | ICO (in EN) |
| Initial Contributor: | gauravpathak |
The UK DPA issued a €23,850 (GBP 20,000) fine against Royal Mail for sending unsolicited direct marketing emails in violation of provision 22 of the UK Privacy and Electronic Communications (EC Directive) Regulations 2003.
English Summary
Facts
Royal Mail is the British postal service and is the data controller. On 29 April 2021, Royal Mail submitted a written breach report to the UK DPA (ICO) that due to a technical error, its marketing actions might have sent emails to “215,202 parties who had expressed a desire to no longer receive marketing from [Royal Mail]”.
Royal Mail explained that it had a list of 245,850 potential recipients, out of which “30,648 had provided valid and existing consent to receive the direct marketing messages, with 215,202 being deemed to have opted out.” On 20 April 2021, at the time of transmission of the marketing email, Royal Mail had sent the email to 30,648 persons while putting 215,202 in a holding step of the campaign. However, on 27 April 2021, “due to an internal routing error, the 215,202 individuals who had been moved to the “holding step” were accidentally sent a “reminder email” which had been intended only for the 30,648 individuals who had been sent, but had not opened or engaged with, the initial email on 20 April 2021.”
The ICO opened an investigation and sought details about the volume of messages and an explanation of the routing error. Before the ICO, Royal Mail submitted the following:
• It uses an automated system called Eloqua to send marketing emails. Royal Mail maintains a single master database of all individuals, i.e. those who have provided their consent to receive marketing emails and also those who have not consented to receive marketing emails. The single database is maintained to keep it updated as per the latest status of consent.
• In a campaign, marketing emails are sent by Eloqua to those who have provided their consent. Individuals who have not given their consent are put at the end of the campaign, and the stage of sending them emails is bypassed. A reminder email is sent to persons who have given their consent but have not interacted with the original email.
• In the present instance, 215,202 customers who were sent the reminder marketing email fell into two groups, “One group was made up of 91,736 customers who were registered with Royal Mail. This group had previously been presented with Royal Mail’s Fair Processing Notice at the point of registering, and subsequently opted out of marketing emails. The second group comprising the remaining 123,466 individuals were customers who had not registered for a Royal Mail account and had, at the time of using a Royal Mail service, checked out as a ‘guest’. These individuals were not asked about their marketing preferences and had not provided consent to receive future direct marketing.”
• At the stage of sending reminder emails, details of persons who had not given their consent were fed to Eloqua due to a human error. Accordingly, persons who had not given their consent received the reminder email, even though they had not been sent the original email. However, of the 215,202 messages sent, the number delivered was “no more than 213,191”.
• Since the incident, Royal Mail has introduced several checks to minimize the risk of potential recurrence.
• Royal Mail received six responses/complaints from subscribers who had received the unsolicited marketing email, in reply to which it apologized.
Holding
The ICO determined as follows:
• Royal Mail contravened Regulation 22 PECR as 213,191 unsolicited marketing emails were received by subscribers.
• Royal Mail accepted that it did not hold valid consent for sending the unsolicited marketing emails: either it did not have the consent of those persons, or those persons had used Royal Mail’s services as a guest and were never given an opportunity to provide their consent.
• For 123,466 persons who had used Royal Mail’s services as a guest, Royal Mail cannot rely on “the soft opt-in as it cannot be said that individuals were given “a simple means of refusing […] the use of [their] contact details for the purposes of such direct marketing, at the time that the details were initially collected”.”
• The contravention was considered to be serious as the emails “contained direct marketing material for which subscribers had not provided valid consent”.
• Royal Mail did not deliberately contravene PECR. However, its actions were considered to be negligent as “storing all consented and non-consented email addresses on the same system from which direct marketing emails were sent, and given the risk of human error which could (and indeed did) occur, it is reasonable to think that Royal Mail ought to have been aware of the risk that direct marketing emails could be sent to customers who had opted out of marketing communications.”
• Since the incident, Royal Mail has taken steps to remove the risk of human error. However, Royal Mail ought to have taken these steps beforehand in order to prevent the incident. Accordingly, “Royal Mail failed to take reasonable steps to prevent the contraventions.”
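The negligence finding above turns on two design points: consented and non-consented addresses were held on the same system that transmits the emails, and nothing at the point of transmission re-checked permission, so a single manual routing error turned the holding population into recipients. The following is an added example, not code from the ICO decision, from Royal Mail or from Eloqua, and all recipient records, field names (`explicit_consent`, `opted_out`, `collected_in_sale`, `refusal_offered`) and function names are assumptions constructed for illustration. It models the permission test the decision quotes from Regulation 22 PECR (explicit consent, or the three-limb soft opt-in, with an opt-out overriding both) and then reproduces the failure mode: the held list is fed to the reminder step. With a send-time gate that repeats the permission check for every message, the mis-routed list is blocked and logged instead of sent.

```python
"""
Added example (not from the ICO decision, Royal Mail or Eloqua): a minimal
model of a consent-gated marketing campaign. Recipients with and without
permission sit in one list, as in the case, but every transmission is
re-checked against the permission record at send time, so a routing or manual
error cannot turn the "holding" population into recipients.
All recipient data below is constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Recipient:
    email: str
    explicit_consent: bool = False      # Reg 22(2): prior notification of consent
    opted_out: bool = False             # an opt-out overrides everything else
    collected_in_sale: bool = False     # Reg 22(3)(a): details obtained during a sale
    refusal_offered: bool = False       # Reg 22(3)(c): simple means of refusing at collection


@dataclass
class Campaign:
    name: str
    similar_products: bool              # Reg 22(3)(b): marketing of similar products only
    audit_log: list = field(default_factory=list)


def may_send_marketing(rec: Recipient, campaign: Campaign) -> bool:
    """Permission check modelled on Regulation 22 PECR as quoted in the decision."""
    if rec.opted_out:
        return False
    if rec.explicit_consent:
        return True
    # Soft opt-in (Reg 22(3)): all three limbs must hold. A guest who was never
    # offered a refusal at collection fails limb (c), as the ICO found.
    return rec.collected_in_sale and campaign.similar_products and rec.refusal_offered


def route_campaign(recipients, campaign):
    """Split one master list into the send population and the holding step."""
    permitted = [r for r in recipients if may_send_marketing(r, campaign)]
    held = [r for r in recipients if not may_send_marketing(r, campaign)]
    return permitted, held


def transmit(recipients, campaign, stage, gate=True):
    """Send `stage` emails to `recipients`. With gate=True the permission check is
    repeated at transmission time, independent of how the list was routed."""
    sent, blocked = [], []
    for rec in recipients:
        if gate and not may_send_marketing(rec, campaign):
            blocked.append(rec.email)
            campaign.audit_log.append(f"BLOCKED {stage} to {rec.email}: no valid permission")
            continue
        sent.append(rec.email)
        campaign.audit_log.append(f"SENT {stage} to {rec.email}")
    return sent, blocked


def run_misrouted_reminder(recipients, campaign, gate):
    """Reproduce the failure mode: the holding population is fed to the reminder
    step by mistake. Returns (initial_sent, reminder_sent, reminder_blocked)."""
    permitted, held = route_campaign(recipients, campaign)
    initial_sent, _ = transmit(permitted, campaign, "initial", gate)
    # The reminder population should be permitted recipients who did not engage.
    # The error routes `held` there instead; nobody in `held` has engaged, so
    # without a gate every one of them is sent the reminder.
    reminder_sent, reminder_blocked = transmit(held, campaign, "reminder", gate)
    return initial_sent, reminder_sent, reminder_blocked


# Constructed sample recipients (not real addresses or case data).
SAMPLE = [
    Recipient("a@example.invalid", explicit_consent=True),
    Recipient("b@example.invalid", explicit_consent=True, opted_out=True),        # registered, opted out
    Recipient("c@example.invalid", collected_in_sale=True),                       # guest: never asked
    Recipient("d@example.invalid", collected_in_sale=True, refusal_offered=True), # soft opt-in
]

if __name__ == "__main__":
    for gate in (False, True):
        camp = Campaign("sample campaign", similar_products=True)
        initial, rem_sent, rem_blocked = run_misrouted_reminder(SAMPLE, camp, gate)
        print(f"gate={gate}: initial={initial} reminder_sent={rem_sent} blocked={rem_blocked}")
```

Running the block with `gate=False` sends the reminder to the opted-out and guest records, which is the incident; with `gate=True` the same mis-routing produces two blocked entries in the audit log and no transmissions. The point of the design is that the routing map is treated as untrusted input to the sender, so a check that is cheap to repeat is repeated at the last step rather than relied upon once upstream.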
The ICO considered the following aggravating factors:
• Six responses/complaints from persons who had received unsolicited marketing emails demonstrate a level of annoyance.
• The ICO had taken action against Royal Mail in 2018 for contravening Regulation 22 PECR, and Royal Mail had received clear advice on compliance with PECR.
The ICO considered the following mitigating factors:
• Royal Mail undertook to conduct a full internal Data Protection audit of its direct marketing practices.
• This was an isolated accident resulting from human error.
• Royal Mail itself reported the incident, despite there being no legal requirement for the same.
The ICO said, “The sending of unsolicited direct marketing messages is a matter of significant public concern. A monetary penalty in this case should act as a general encouragement towards compliance with the law, or at least as a deterrent against non-compliance, on the part of all persons running businesses currently engaging in these practices. The issuing of a monetary penalty will reinforce the need for businesses to ensure that they are only messaging those who specifically consent to receive direct marketing.” Thus, the ICO issued a €23,850 (GBP 20,000) fine against Royal Mail for sending unsolicited direct marketing emails in violation of provision 22 of the UK Privacy and Electronic Communications (EC Directive) Regulations 2003.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
DATA PROTECTION ACT 1998 SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER MONETARY PENALTY NOTICE To: Royal Mail Group Limited Of: 185 Farringdon Road, London, United Kingdom, EC1A 1AA 1. The Information Commissioner (“the Commissioner”) has decided to issue Royal Mail Group Limited (“Royal Mail”) with a monetary penalty under section 55A of the Data Protection Act 1998 (“DPA”). The penalty is in relation to a serious contravention of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). 2. This notice explains the Commissioner’s decision. Legal framework 3. Royal Mail, whose registered office address is given above (Companies House Registration Number: 04138203) is the organisation stated in this notice to have transmitted unsolicited communications by means of electronic mail to individual subscribers for the purposes of direct marketing contrary to regulation 22 of PECR. 4. Regulation 22 of PECR states: 1, “(1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers. (2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender. 
(3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where— (a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient; (b) the direct marketing is in respect of that person’s similar products and services only; and (c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication. (4) A subscriber shall not permit his line to be used in contravention of paragraph (2).” 5. Section 122(5) of the Data Protection Act 2018 (“DPA18”) defines direct marketing as “the communication (by whatever means) of 2, advertising or marketing material which is directed to particular individuals”. This definition also applies for the purposes of PECR (see regulation 2(2) PECR and paragraphs 430 & 432(6) to Schedule 19 of the DPA18). 6. Consent in PECR is defined by reference to the concept of consent in the UK GDPR as defined in section 3(10) of the DPA 2018 [1: see regulation 2(1) of PECR, as amended by Part 3 of Schedule 3, paragraph 44 of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019/419. Article 4(11) of the UK GDPR sets out the following definition: “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” . 7. 
Recital 32 of the GDPR materially states that “When the processing has multiple purposes, consent should be given for all of them” . Recital 42 materially provides that “For consent to be informed, the data subject should be aware at least of the identity of the controller” . Recital 43 materially states that “Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case”. 8. “Individual” is defined in regulation 2(1) of PECR as “a living individual and includes an unincorporated body of such individuals”. [1The UK GDPR is therein defined as Regulation (EU) 2016/679 of the European Parl iament and of the Council of 27 April 2016 (“GDPR”) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018. 3,9. A “subscriber” is defined in regulation 2(1) of PECR as “a person who is a party to a contract with a provider of public electronic communications services for the supply of such services”. 10. “Electronic mail” is defined in regulation 2(1) of PECR as “any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service”. 11. The term "soft opt-in" is used to describe the rule set out in in Regulation 22(3) of PECR. In essence, an organisation may be able to e-mail its existing customers even if they haven't specifically consented to electronic mail. The soft opt-in rule can only be relied upon by the organisation that collected the contact details. 12. 
Section 55A of the DPA (as applied to PECR cases by Schedule 1 to PECR, as variously amended) states: “(1) The Commissioner may serve a person with a monetary penalty if the Commissioner is satisfied that – (a) there has been a serious contravention of the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 by the person, (b) subsection (2) or (3) applies. (2) This subsection applies if the contravention was deliberate. (3) This subsection applies if the person – (a) knew or ought to have known that there was a risk that the contravention would occur, but (b) failed to take reasonable steps to prevent the contravention.” 4,13. The Commissioner has issued statutory guidance under section 55C (1) of the DPA about the issuing of monetary penalties that has been published on the ICO’s website. The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe that the amount of any penalty determined by the Commissioner must not exceed £500,000. 14. PECR were enacted to protect the individual’s fundamental right to privacy in the electronic communications sector. PECR were subsequently amended and strengthened. The Commissioner will interpret PECR in a way which is consistent with the Regulations’ overall aim of ensuring high levels of protection for individuals’ privacy rights. 15. The provisions of the DPA remain in force for the purposes of PECR notwithstanding the introduction of the DPA18: see paragraph 58(1) of Schedule 20 to the DPA18. Background to the case 16. On 29 April 2021, Royal Mail submitted a written breach report to the Commissioner as it was aware that its actions in respect of a particular marketing campaign may have breached PECR. It was confirmed at this time that on 27 April 2021, due to an apparent technical error, Royal Mail had sent direct marketing emails to “215,202 parties who had expressed a desire to no longer receive marketing from [Royal Mail]”. 17. 
Royal Mail explained as background that on 20 April 2021 it sent a direct marketing email in respect of one of its ‘special stamp series’ campaigns to previous customers, and to those who had previously 5, expressed an interest in receiving marketing from Royal Mail. The direct marketing email concerned Royal Mail’s ‘War of the Roses’ campaign. In preparing to send this email, Royal Mail had identified 245,850 potential recipients, and proceeded to cross reference their details against its internal “Marketing Permissions Master Database” to ensure that the intended recipients had not, since the time of initially providing their details to Royal Mail, subsequently opted out of direct marketing. Of the 245,850 potential recipients, Royal Mail determined that 30,648 had provided valid and existing consent to receive the direct marketing messages, with 215,202 being deemed to have opted out. 18. On 20 April 2021, Royal Mail transmitted its direct marketing email to 30,648 individuals, with those 215,202 identified as having opted out being “moved to a holding step in the campaign”. Royal Mail explained that on 27 April 2021, due to an internal routing error, the 215,202 individuals who had been moved to the “holding step” were accidently sent a “reminder email” which had been intended only for the 30,648 individuals who had been sent, but had not opened or engaged with, the initial email on 20 April 2021. 19. Royal Mail explained that the 215,202 individuals “who were identified as being opted out (and who were not sent marketing in the first round of emails) were placed at the wrong hold point in the routing map which resulted in the being caught in the ‘reminder population on 27 th April”. 20. 
An initial investigation letter was sent to Royal Mail on 3 June 2021 outlining the Commissioner’s concerns with the reported incident, and requesting further details in relation to the volume of messages which had been received by individuals, along with an explanation for the cause of the routing error which had been identified.

21. Royal Mail responded on 23 June 2021 and provided a copy of the particular direct marketing email which had been sent on 27 April 2021 and which invited recipients to purchase commemorative stamp sets and souvenirs. Royal Mail provided an explanation for the routing error, stating:

“The system used by Royal Mail (Eloqua) to send electronic marketing communications to customers of our stamps and collectibles products uses an automated journey to segment customers to whom we are permitted to send marketing communications from the others. We retain details of both permissioned and non-permissioned customers to ensure that we have the latest and most up-to-date permission record from our master marketing permission repository, which updates from multiple source systems. Prior to a campaign starting, Eloqua connects with our master marketing permission repository to collect the up-to-date permissions set for the in-scope customers. Permissioned customers then enter Eloqua’s automated journey, in the course of which they are sent the relevant marketing communications (in this case, both the initial email and the reminder). Non-permissioned customers are routed to the end of the campaign journey, bypassing the stage at which marketing communications are sent. This process has been used successfully since May 2018, for circa 25 campaigns a month, without error. Sending reminder emails is a recent innovation deployed for some marketing, known as non-responder campaigns. We use these where stamps and collectibles items have a window of interest due to external events (e.g. the commemorative edition of stamps to celebrate the life of The Duke of Edinburgh) or there may be a restricted number of items, such as special product sets. In these campaigns we send a reminder email to permissioned customers who have not interacted with the original communication to give them a further chance to engage. We have used this approach successfully on six occasions. However, for the Wars of the Roses campaigns, the non-permissioned set of customers were referred to the stage of the automated Eloqua journey which triggers the reminders, rather than to the end of the journey. This resulted in the reminder email being sent to those customers.”

22. Royal Mail explained that the incident in fact arose due to a manual error, rather than a technical fault as had initially been reported. It was also explained that it had received six responses to the email from customers, with three being categorised as formal complaints and three being enquiries from customers around their “permissions”; Royal Mail replied to these customers with an apology.

23. Royal Mail explained that since the incident it had implemented a number of measures to minimise the potential of recurrence, including additional checks and the use of a reusable template for all future “non-responder reminder campaigns”, to remove the risk of human error in deploying the automated Eloqua process.

24. It was also confirmed on 25 June 2021 that of the 215,202 messages sent, the number delivered was “no more than 213,191”.

25. On 6 July 2021 the Commissioner requested further details as to how the error took place, together with copies of the six customer responses which had been received by Royal Mail, and the opt-out statement provided to customers when their details are obtained by Royal Mail.

26. On 12 July 2021 Royal Mail provided a copy of its Fair Processing Notice; copies of the six customer responses; and a walkthrough of the manual error which had occurred in respect of the ‘War of the Roses’ reminder email. By way of brief summary, each customer who is considered for a marketing campaign is uploaded to Eloqua; this includes customers for whom Royal Mail does not hold consent. A marketing email is then configured with a date and time for the email to be sent. At this stage the intended recipients are cross-referenced with Royal Mail’s ‘Permissions’ database. After screening against the database, two pathways are created: opted-in customers are further checked for relevant permissions and then sent the marketing email, and the remaining customers are supposed to be sent to the end of the process to ensure they are not included in any marketing emails. In the usual course, a reminder email is sent to recipients who did not engage with the initial email. In this case the 215,202 customers without the relevant marketing permissions were incorrectly and manually routed to the area of Eloqua used to send the reminder email. The customers who were sent the marketing email in error had not received the initial email and had therefore not engaged with it, which caused Eloqua to send the reminder email.

27. In a subsequent email to the Commissioner of 17 August 2021, Royal Mail clarified that the 215,202 customers who were sent the ‘War of the Roses’ reminder marketing email fell into two groups. One group was made up of 91,736 customers who were registered with Royal Mail. This group had previously been presented with Royal Mail’s Fair Processing Notice at the point of registering, and subsequently opted out of marketing emails. The second group, comprising the remaining 123,466 individuals, were customers who had not registered for a Royal Mail account and had, at the time of using a Royal Mail service, checked out as a ‘guest’.
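The journey walked through in paragraphs 21 and 26, and the send-time permissions check referred to in paragraph 48, modelled as an added Python example (this is not Royal Mail’s or Eloqua’s code; the Contact fields, the stage functions and the four sample contacts are assumptions). The unguarded reminder stage reproduces the misrouting; the guarded one fails closed.

```python
from dataclasses import dataclass


@dataclass
class Contact:
    email: str
    permissioned: bool      # latest value from the master permission repository
    sent_initial: bool = False
    opened: bool = False


def initial_stage(contacts):
    """Initial send. In the journey only the permissioned segment reaches it."""
    for c in contacts:
        if c.permissioned:
            c.sent_initial = True


def reminder_stage(contacts, check_at_send):
    """Non-responder reminder stage.

    Unguarded (check_at_send=False) it reminds every contact routed to it who
    has not opened, which is how the misrouted 215,202 received one: they had
    never been sent the initial email, so they trivially "had not engaged".
    Guarded, it re-checks consent at send time and requires that the contact
    was in fact sent the initial email; anything else is dropped (fail closed).
    """
    sent = []
    for c in contacts:
        if c.opened:
            continue
        if check_at_send and not (c.permissioned and c.sent_initial):
            continue  # no valid consent, or never part of the initial send
        sent.append(c.email)
    return sent


def run_campaign(contacts, opened, misrouted, check_at_send):
    """Run one journey. misrouted=True reproduces the manual error described in
    the notice: the non-permissioned segment is routed to the reminder stage
    instead of to the end of the journey."""
    permissioned = [c for c in contacts if c.permissioned]
    non_permissioned = [c for c in contacts if not c.permissioned]
    initial_stage(permissioned)
    for c in permissioned:
        c.opened = c.email in opened
    routed = permissioned + (non_permissioned if misrouted else [])
    return sorted(reminder_stage(routed, check_at_send))


def sample_contacts():
    """Constructed sample: two consented, one opted out, one guest checkout."""
    return [
        Contact("consented-opened@example.com", True),
        Contact("consented-quiet@example.com", True),
        Contact("opted-out@example.com", False),
        Contact("guest@example.com", False),
    ]
```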
These individuals were not asked about their marketing preferences and had not provided consent to receive future direct marketing.

28. The responses which Royal Mail received from individuals to its ‘War of the Roses’ email reminders included:
* “Why am I receiving this email? I have not ever opted-in or signed up to any marketing information from Royal Mail.”
* “Please show me where when I ordered stamps that I agreed to receive marketing emails. I ALWAYS Make sure I never opt in.”
* “Why have I got this as not requested emails from you.”
* “I did not subscribe for these mailings. Please ensure that I DO NOT receive any further emails of this nature.”
* “Why am I getting these emails now? I NEVER had this problem before.”
* “How were you able to send me the below mail? I opted out of marketing for stamps.”

29. The Commissioner has made the above findings of fact on the balance of probabilities.

30. The Commissioner has considered whether those facts constitute a contravention of regulation 22 of PECR by Royal Mail and, if so, whether the conditions of section 55A DPA are satisfied.

==== The contravention ====

31. The Commissioner finds that Royal Mail contravened regulation 22 of PECR.

32. The Commissioner finds that the contravention was as follows:

33. The Commissioner finds that on 27 April 2021 there were 213,191 direct marketing emails received by subscribers. The Commissioner finds that Royal Mail transmitted those direct marketing messages, contrary to regulation 22 of PECR.

34. Royal Mail, as the sender of the direct marketing, is required to ensure that it is acting in compliance with the requirements of regulation 22 of PECR, and to ensure that valid consent to send those messages had been acquired.

35. In this instance, because of a manual error, Royal Mail sent a total of 215,202 direct marketing emails to individuals for whom it did not hold valid consent. Of those, 213,191 were received by subscribers.

36. Royal Mail appears to accept that it did not hold valid consent to send these messages, either because an individual had taken steps to expressly opt out of direct marketing, or because they had used Royal Mail’s services as a ‘guest’ and had not been presented with the ‘Fair Processing Notice’ and given an opportunity to provide valid consent for direct marketing. The Commissioner is satisfied that for those 123,466 individuals who checked out as guests, i.e. those who did not create a Royal Mail account, Royal Mail cannot rely on the soft opt-in as it cannot be said that individuals were given “a simple means of refusing […] the use of [their] contact details for the purposes of such direct marketing, at the time that the details were initially collected”.

37. The Commissioner is therefore satisfied from the evidence he has seen that Royal Mail did not have the necessary valid consent for the 213,191 direct marketing messages received by subscribers.

38. The Commissioner has gone on to consider whether the conditions under section 55A DPA are met.

==== Seriousness of the contravention ====

39. The Commissioner is satisfied that the contravention identified above was serious. This is because on 27 April 2021, a confirmed total of 215,202 direct marketing messages were sent by Royal Mail, of which 213,191 were received by subscribers. These messages contained direct marketing material for which subscribers had not provided valid consent; furthermore, the Commissioner is satisfied that Royal Mail cannot rely on the soft opt-in exemption.

40. The Commissioner is therefore satisfied that condition (a) from section 55A(1) DPA is met.

==== Deliberate or negligent contraventions ====

41. The Commissioner has considered whether the contravention identified above was deliberate. The Commissioner does not consider that Royal Mail deliberately set out to contravene PECR in this instance.

42. The Commissioner has gone on to consider whether the contravention identified above was negligent. This consideration comprises two elements:

43. Firstly, he has considered whether Royal Mail knew or ought reasonably to have known that there was a risk that these contraventions would occur. This is not a high bar and he is satisfied that this condition is met.

44. The Eloqua system used by Royal Mail for its marketing emails relies on Royal Mail storing all customer email addresses regardless of whether it has the relevant consent to send marketing communications. The Commissioner takes the view that by storing all consented and non-consented email addresses on the same system from which direct marketing emails were sent, and given the risk of human error which could (and indeed did) occur, it is reasonable to think that Royal Mail ought to have been aware of the risk that direct marketing emails could be sent to customers who had opted out of marketing communications.

45. The Commissioner has published detailed guidance for those carrying out direct marketing explaining their legal obligations under PECR. This guidance gives clear advice regarding the requirements of consent for direct marketing and explains the circumstances under which organisations are able to carry out marketing over the phone, by text, by email, by post, or by fax. In particular it states that organisations can generally only send, or instigate, marketing messages to individuals if that person has specifically consented to receiving them. The guidance also provides a full explanation of the “soft opt-in” exemption. The Commissioner has also published detailed guidance on consent under the GDPR. In case organisations remain unclear on their obligations, the ICO operates a telephone helpline. ICO communications about previous enforcement action where businesses have not complied with PECR are also readily available.

46. It is therefore reasonable to suppose that Royal Mail should have been aware of its responsibilities in this area.

47. Secondly, the Commissioner has gone on to consider whether Royal Mail failed to take reasonable steps to prevent the contraventions. Again, he is satisfied that this condition is met.

48. Royal Mail has, since the time of this incident, taken steps to put in place a “templated solution” for those campaigns where ‘reminder emails’ are sent, to remove the risk of future human error when operating Eloqua, as well as introducing a further ‘permissions’ check to ensure that individuals for whom it does not hold valid consent do not receive unsolicited direct marketing messages. Particularly with reference to the first of those steps, the Commissioner notes that Royal Mail has advised that such a solution has been effectively used in other “single contact” campaigns for a number of years. The Commissioner therefore respectfully submits that Royal Mail could reasonably have been expected to use such a system for all of its campaigns to prevent any such contraventions from taking place.

49. In the circumstances, the Commissioner is satisfied that Royal Mail failed to take reasonable steps to prevent the contraventions.

50. The Commissioner is therefore satisfied that condition (b) from section 55A(1) DPA is met.

==== The Commissioner’s decision to issue a monetary penalty ====

51. The Commissioner has taken into account the following aggravating features of this case:
* The six responses / complaints received by Royal Mail from the individuals who unlawfully received direct marketing emails demonstrate a level of annoyance from recipients.
* The Commissioner has previously (in 2018) taken action against Royal Mail for a contravention of Regulation 22 PECR, at which point it would have been provided with clear advice as to its compliance.

52. The Commissioner has taken into account the following mitigating features of this case:
* Royal Mail has indicated that it is to undertake a full internal Data Protection audit of its direct marketing practices which is expected to lead to reform.
* The Commissioner acknowledges that this was an isolated incident arising from human error.
* The Commissioner also recognises Royal Mail’s cooperation in reporting the incident despite there being no statutory requirement to do so.

53. For the reasons explained above, the Commissioner is satisfied that the conditions from section 55A(1) DPA have been met in this case. He is also satisfied that the procedural rights under section 55B have been complied with.

54. The latter has included the issuing of a Notice of Intent, in which the Commissioner set out his preliminary thinking. In reaching his final view, the Commissioner has taken into account the representations made by Royal Mail on this matter.

55. The Commissioner is accordingly entitled to issue a monetary penalty in this case.

56. The Commissioner has considered whether, in the circumstances, he should exercise his discretion so as to issue a monetary penalty.

57. The Commissioner has considered the likely impact of a monetary penalty on Royal Mail. He has decided, on the information that is available to him, that Royal Mail has access to sufficient financial resources to pay the proposed monetary penalty without causing undue financial hardship.

58. The Commissioner’s underlying objective in imposing a monetary penalty notice is to promote compliance with PECR. The sending of unsolicited direct marketing messages is a matter of significant public concern. A monetary penalty in this case should act as a general encouragement towards compliance with the law, or at least as a deterrent against non-compliance, on the part of all persons running businesses currently engaging in these practices. The issuing of a monetary penalty will reinforce the need for businesses to ensure that they are only messaging those who specifically consent to receive direct marketing.

59. For these reasons, the Commissioner has decided to issue a monetary penalty in this case.

==== The amount of the penalty ====

60. Taking into account all of the above, the Commissioner has decided that a penalty in the sum of £20,000 (twenty thousand pounds) is reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty.

==== Conclusion ====

61. The monetary penalty must be paid to the Commissioner’s office by BACS transfer or cheque by 6 April 2022 at the latest. The monetary penalty is not kept by the Commissioner but will be paid into the Consolidated Fund which is the Government’s general bank account at the Bank of England.

62. If the Commissioner receives full payment of the monetary penalty by 5 April 2022 the Commissioner will reduce the monetary penalty by 20% to £16,000 (sixteen thousand pounds). However, you should be aware that the early payment discount is not available if you decide to exercise your right of appeal.

63. There is a right of appeal to the First-tier Tribunal (Information Rights) against:
: (a) the imposition of the monetary penalty and/or;
: (b) the amount of the penalty specified in the monetary penalty notice.

64. Any notice of appeal should be received by the Tribunal within 28 days of the date of this monetary penalty notice.

65. Information about appeals is set out in Annex 1.

66. The Commissioner will not take action to enforce a monetary penalty unless:
* the period specified within the notice within which a monetary penalty must be paid has expired and all or any of the monetary penalty has not been paid;
* all relevant appeals against the monetary penalty notice and any variation of it have either been decided or withdrawn; and
* the period for appealing against the monetary penalty and any variation of it has expired.

67. In England, Wales and Northern Ireland, the monetary penalty is recoverable by Order of the County Court or the High Court. In Scotland, the monetary penalty can be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland.

Dated the 7th day of March 2022

Andy Curry
Head of Investigations
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

==== Annex 1 ====

SECTION 55 A-E OF THE DATA PROTECTION ACT 1998

RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER

1. Section 55B(5) of the Data Protection Act 1998 gives any person upon whom a monetary penalty notice has been served a right of appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’) against the notice.

2. If you decide to appeal and if the Tribunal considers:
: a) that the notice against which the appeal is brought is not in accordance with the law; or
: b) to the extent that the notice involved an exercise of discretion by the Commissioner, that he ought to have exercised his discretion differently,
the Tribunal will allow the appeal or substitute such other decision as could have been made by the Commissioner. In any other case the Tribunal will dismiss the appeal.

3. You may bring an appeal by serving a notice of appeal on the Tribunal at the following address:

General Regulatory Chamber
HM Courts & Tribunals Service
PO Box 9300
Leicester
LE1 8DJ
Telephone: 0203 936 8963
Email: grc@justice.gov.uk

: a) The notice of appeal should be sent so it is received by the Tribunal within 28 days of the date of the notice.
: b) If your notice of appeal is late the Tribunal will not admit it unless the Tribunal has extended the time for complying with this rule.

4. The notice of appeal should state:
: a) your name and address/name and address of your representative (if any);
: b) an address where documents may be sent or delivered to you;
: c) the name and address of the Information Commissioner;
: d) details of the decision to which the proceedings relate;
: e) the result that you are seeking;
: f) the grounds on which you rely;
: g) you must provide with the notice of appeal a copy of the monetary penalty notice or variation notice;
: h) if you have exceeded the time limit mentioned above, the notice of appeal must include a request for an extension of time and the reason why the notice of appeal was not provided in time.

5. Before deciding whether or not to appeal you may wish to consult your solicitor or another adviser. At the hearing of an appeal a party may conduct his case himself or may be represented by any person whom he may appoint for that purpose.

6. The statutory provisions concerning appeals to the First-tier Tribunal (Information Rights) are contained in section 55B(5) of, and Schedule 6 to, the Data Protection Act 1998, and the Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No. 1976 (L.20)).