£120k fines highlight need for the right consents and clear privacy statements

In three separate but connected cases, the ICO has fined Leave.EU £60k and Eldon Insurance £60k for Privacy and Electronic Communications Regulations (PECR) offences relating to unsolicited emails. The cases came to light during the ICO’s investigation into the use of personal data and analytics by political campaigns, during which it observed a clear link between Leave.EU and Eldon (same offices and same directors):

  1. In the first incident, Leave.EU subscribers received emails containing banner ads from GoSkippy (Eldon Insurance) offering a discount to Leave.EU supporters. Whilst Leave.EU said they had the subscribers’ consent to advertise “other products and services” to the list, the ICO concluded that the privacy notice did not go far enough in making clear that these “other services” may be completely unrelated (£45k fine)
  2. The second incident occurred when a Leave.EU newsletter was sent to Eldon Insurance customers, apparently due to an error (different organisations’ email lists stored in the same MailChimp account). The ICO found that appropriate consents were not in place to indicate the recipients would expect completely unrelated third-party services to be advertised via the email list (£15k fine)
  3. The third case relates to the GoSkippy (Eldon Insurance) part of the advertising in Leave.EU’s newsletter emails (£60k fine)

Whilst these cases were actioned under the old Data Protection Act 1998 (because they occurred before GDPR came into force) they highlight a number of concerns for any business:

  • If you’re managing multiple email lists for multiple companies (whether connected or not) you need to be sure you send the right message to the right subscribers
  • You must make sure you have the right consent that is clear and transparent if you plan on advertising someone else’s non-related services to your subscribers

What seems intriguing is a further issue that’s not addressed in these cases: whilst both Leave.EU and Eldon shared the same offices, and in some cases the same personnel and same directors, they were two separate entities who shouldn’t have access to each other’s data. These lists should have been maintained separately (apparently there are now two MailChimp accounts to avoid accidentally sending the wrong messages to the wrong list again), and surely unauthorised access to each other’s data may have occurred because both email lists were on the same account (even though they related to separate organisations)? That sounds like a breach to me?