Moneysupermarket.com fined £80,000 by Information Commissioner’s Office
The Information Commissioner’s Office (ICO) has fined Moneysupermarket.com £80,000. There was no loss of data, no entry by hackers, no malware installed on the company’s system or any other breach of any kind. Instead, the company was found guilty of sending emails to customers who had opted out of sending direct marketing emails under the pretence of sending out updated terms & conditions. The email tried to entice them to sign up for newsletters.
The 7.1 million emails sent over 10 days were a direct contravention of data protection laws which prevent companies from contacting data subjects who have opted out of direct marketing.
According to the ICO, Moneysupermarket’s email included a section entitled ‘Preference Centre Update’ which read: “We hold an e-mail address for you which means we could be sending you personalised news, products and promotions. You’ve told us in the past you prefer not to receive these. If you’d like to reconsider, simply click the following link to start receiving our e-mails.”
Steve Eckersley, the ICO’s Head of Enforcement was damning in his indictment of the company’s actions: “Organisations can’t get around the law by sending direct marketing dressed up as legitimate updates.
“When people opt out of direct marketing, organisations must stop sending it, no questions asked, until such time as the consumer gives their consent. They don’t get a chance to persuade people to change their minds.”
What makes this case so interesting is the risks it exposes in seemingly mundane cyber policy. Whilst media coverage focusses almost exclusively on the ‘sexy’ aspects of cyber security such as hacking, malware or loss of personal data, incidents such as this emphasise the importance of managing risk for every eventuality, even something as simple as direct marketing.
Company data handling is highly sensitive and with more and more businesses handling higher and higher volumes of data it’s likely that we will see more fines like this being imposed. The authority of the ICO is wide reaching and it’s demonstrating its powers by imposing a hefty fine. Businesses need to give serious consideration to their entire data management risk and ensure they navigate across current and future data legislation with great care.
For more information on the risks posed by data handling issues and cyber security, please speak to your AT&A account director or contact our office.