30. August 2022
On August 24th, 2022, the Austrian NGO noyb announced that it had filed a complaint against Google with CNIL, the French Supervisory Authority in the context of direct marketing emails.
According to noyb, several google users on whose behalf noyb filed the complaint, have received advertising emails for which these users have not given their consent. This would however contravene Art. 13 (1) ePrivacy Directive which reads the following: “the use […] of electronic mail for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent.”
The issue of “inbox advertising” has also received the attention of the Court of Justice of the European Union (CJEU). In its judgment from 2021, the CJEU pronounced itself on the lawfulness of this advertising practice holding the view that emails sent to user’s inbox for the purpose of direct marketing require consent.
Noyb highlights in its announcement that “[s]pam is a commercial email sent without consent. And it is illegal. Spam does not become legal just because it is generated by the email provider.”
It remains to be seen whether this complaint will lead to the imposition of a fine by the CNIL.
15. June 2021
The UK Information Commissioner’s Office (“ICO”) has fined several companies at the beginning of June for data protection infringements.
All fines have in common that the fined companies conducted marketing measures without having the required consent for doing so.
The ICO has fined the Conservative Party £10,000 for sending 51 marketing emails without having the required legal basis and in violation of Regulation 22 of the Privacy and Electronic Communications Regulation 2003 (PECR).
The Conservative Party sent out a total of 1.190.280 marketing emails between July 24th and July 31st 2019, right after the election and in the name of Rt Hon Boris Johnson MP.
The ICO investigated that the party failed to ensure having a valid legal basis for marketing emails when changing the email provider. Even though the ICO assumes that there are more than 51 concerned data subjects, the ICO only received complaints of 51 individuals, thus the fine is based on this amount of concerned data subjects.
The ICO has fined Colour Car Sales Ltd (CCSL) £170,000 for sending spam text messages from October 2018 to January 2020. CCSL is a credit intermediary for used car finance and the purpose of the spam texts was to direct the recipients to car finance websites.
Also in this case basis for the fine has been complaints of concerned data subjects which complained about not have given consent for receiving marketing emails from CCSL.
The ICO has fined Solarwave of Grays £100,000 for conducting 73.217 marketing calls about solar panel maintenance from January to October 2020.
The complainants that raised the concerns stated that they were registered with the Telephone Preference Service and should have received any marketing telephone calls based on this.
The Telephone Preference Service is the UK’s “do not call register” with which individuals can register to show that they are not interested in receiving any kind of marketing phone calls.
Beside the violation of the data protection law and the Telephone Preferences Service the concerned data subjects also stated that the callers were rude and persistent and ignored stop requests.
The ICO has fined LTH Holding, a Cardiff based telephone marketing company, £145,000 for conducting 1.4 million calls trying to sell funeral plans between May 2019 and May 2020.
In this case the ICO received 41 complaints and the complainants were also registered with the Telephone Preferences Service. Beside this infringement, the concerned data subjects also told the ICO that LTH adopted aggressive, coercive and persuasive methods to sell funeral plans.
The ICO has fined Papa John’s Limited, a national takeaway pizza company, £10,000 for sending 168,022 nuisance marketing messages to its customers.
In this case the ICO received 15 complaints also stating the distress and annoyance the messages were causing. Some customers received up to 100 messages in two months without ever have given consent for marketing emails.
The ICO investigated that Papa John’s has sent over 210.000 messages to customers between October 1st 2019 and April 30th 2020.
In the contrary to the opinion of Papa John’s the ICO did not see the possibility to rely on “soft opt-in” because the data used for the marketing emails has been obtained for processing orders and not receiving marketing emails. Furthermore, the required information of the customers on this processing activity is missing.
12. March 2020
The Dutch Data Protection Authority has fined the Royal Dutch Tennis Association (“KNLTB”) with EUR 525,000 for selling personal data of more than 350,000 of its members to sponsors who had contacted some of the members by mail and telephone for direct marketing purposes.
In 2018, the KNLTB illegally provided personal data of its members to two sponsors for a fee. One sponsor received personal data from 50,000 members and the other sponsor from more than 300,000 members. It turned out that the KNLTB sold personal data such as name, gender and address to third parties without obtaining consent of the data subjects.
The KNLTB found that it had a legitimate interest in selling the data. However, the data protection authority rejected the existence of a legitimate interest for the sale of the data and therefore decided that there was no legal basis for the transfer of the personal data to the sponsors. The KNLTB has objected to the fine decision. The Dutch Data Protection Authority will assess this.
4. March 2020
On February 10, 2020, Belgium’s Data Protection Authority (the Belgian DPA) has released their first recommendation of 2020 in relation to data processing activities for direct marketing purposes.
In the recommendation the Belgian DPA addressed issues and action proposals in regards to the handling of direct marketing and the personal data which is used in the process. It emphasized the importance of direct marketing subjects in the upcoming years, and stated that the DPA will have a special priority in regards to issues on the matter.
In particular, the recommendation elaborates on the following points, in order to help controllers navigate through the different processes:
- The processing purposes must be specific and detailed. A simple mention of “marketing purposes” is not deemed sufficient in light of Art. 13 GDPR.
- It is important to guarantee data minimization, as the profiling that accompanies direct marketing purposes calls for a careful handling of personal data.
- The right to object does not only affect the direct marketing activities, but also the profiling which takes places through them. Furthermore, a simple “Unsubscribe” button at the end of a marketing E-Mail is not sufficient to withdraw consent, it is rather recommended to give the data subject the opportunity to a granular selection of which direct marketing activities they object to.
- Consent cannot be given singularly for all channels of direct marketing. A declaration for each channel has to be obtained to ensure specification towards content and means used for direct marketing.
The Belgian DPA also stated that there are direct marketing activities which require special attention in the future, namely purchasing, renting and enriching personal data, e.g. via data brokers. In such cases, it is necessary to directly provide appropriate information to the data subject in regards to the handling of their data.
Further topics have been brought forth in the recommendation, which overall represents a thorough proposal on the handling of direct marketing activities for controller entities.
