ICO fines Royal Mail £20,000 for sending direct marketing messages without individuals’ consent

The ICO continues to actively enforce the Privacy and Electronic Communications Regulations 2003 (PECR) as demonstrated by its fine, announced on 7 March, on Royal Mail. The fine is for a data breach concerning marketing emails sent to 215,202 individuals who had opted out.

Although Royal Mail received only three complaints and three enquiries over the issue, and proactively reported the breach to the ICO, the ICO states that this was a serious contravention.

These individuals had been on a “holding step” but were accidentally sent a reminder email. What was initially thought to be an internal routing error was later found to be a manual error.

The ICO says that Royal Mail cannot rely on soft opt-in here, even though the marketing campaign was aimed at people who had previously bought stamps online.

Royal Mail has said that it will conduct a full internal data protection audit of its direct marketing practices, and is making changes.

Law firm Slaughter and May will be writing more on this topic in the next issue of PL&B UK Report.

See the monetary penalty notice.

Read about the UK government’s proposals for legislative changes affecting direct marketing, in PL&B UK Report March 2022.