Honda, Flybe, £83,000 & The Information Commissioner’s Office – 3 Lessons for Us All
It’s now over 2 months since the Information Commissioner’s Office (ICO) fined Flybe and Honda £70,000 and £13,000, respectively, for infringing PECR (Privacy and Electronic Communication Regulations). So, why are these two cases still being talked about? Partly, of course, because it’s very rare that blue-chip brands like Flybe and Honda are subject to Enforcement action – and all the resultant reputational damage – by the ICO because of their customer contact and marketing activities.
But there are 3 wider lessons that stand out and should be considered by marketers of brands big and small.
It’s now over 2 months since the Information Commissioner’s Office (ICO) fined Flybe and Honda £70,000 and £13,000, respectively, for infringing PECR (Privacy and Electronic Communication Regulations). So, why are these two cases still being talked about? Partly, of course, because it’s very rare that blue-chip brands like Flybe and Honda are subject to Enforcement action – and all the resultant reputational damage – by the ICO because of their customer contact and marketing activities.
But there are 3 wider lessons that stand out and should be considered by marketers of brands big and small.
First – What Flybe & Honda Did
Flybe sent an “Are your details correct?” email to 3.3 million people on their database who had already stated they did to want to receive marketing communications. This pretty blatant breaking of the PECR rules was compounded by Flybe including a prize draw incentive to encourage recipients to update their marketing permissions.
www.ico.org.uk/media/action-weve-taken/mpns/2013731/mpn-flybe-limited-20170320.pdf
Honda sent 343,000 “would you like to hear from Honda?” emails, but only to prospects / customers who were neither flagged as having ‘opted in’ or ‘opted out’ of marketing contacts. The lack of clarity was due to a design flaw in the database portal Honda dealers used. This meant that a ‘Yes’ or ‘No’ to marketing contact was not mandatory and it was possible for dealers to input new records with a null entry, so Honda couldn’t tell if prospects had opted in to marketing contacts or not.
www.ico.org.uk/media/action-weve-taken/mpns/2013732/mpn-honda-europe-20170320.pdf
What These Cases Can Teach Us
1. Don’t Look For Forgiveness
As a motto to go through life with Rear Admiral Grace Murray Hopper’s “better to ask for forgiveness than permission” isn’t a bad one. However, it won’t wash with the ICO. Honda argued that trying to address a previous technology failing and giving people on their database the opportunity to re-state their preferences was a customer service exercise, not marketing. The ICO disagreed.
Organisations large and small now face a big challenge if they are going to be able to reassure themselves, their stakeholders and the ICO of the accuracy and probity of the personal data they hold. The challenge isn’t new, of course, but the introduction of (General Data Protection Regulation) GDPR regulations in May 2018 makes it more pressing. Honda won’t be unique in not being able – due to technical or process reasons – to be certain about data sources and permissions. Their experience suggests that the scope to re-contact prospects and customers to check their status and engagement will be limited.
2. Listen for the Whistle!
Although Honda sent far fewer emails than Flybe, they did so over an extended period of time (4 months). The ICO Notice makes clear that Honda’s failure to stop sending the “would you like to hear from Honda?” emails immediately after the ICO’s initial correspondence with them has been held against Honda and contributed to the ICO’s view that Honda “…failed to take reasonable steps to prevent the contraventions…”. So, if the ICO make contact then, even if you think you’re in the right, engage quickly and stop any marketing activities they are questioning.
3. Complaints – Molehills as well as Mountain
Most of us think that a key trigger for ICO investigations will be consumer complaints, so that any brand behaviour that provokes multiple complaints is likely to attract the ICO’s attention. However, the ICO Penalty Notices suggest that in both Flybe and Honda’s cases just one complaint was received about their emails. Therefore planning to base your data protection compliance approach simply on attempting to remain ‘below the radar’ is fraught with danger, particularly if you’re a household name!
As ever, the DMA and ICO are the best first stops for guidance on data protection and the treatment of consumer data. Their current advice around the existing Data Protection Act and GDPR can be found here:
www.dma.org.uk/guide/data-guide
www.dma.org.uk/gdpr
www.ico.org.uk/for-organisations/guide-to-data-protection/
www.ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
