In three separate but connected cases the ICO has fined Leave.EU £60k and Eldon Insurance £60k for Privacy and Electronic Communications Regulations (PECR) offences relating to unsolicited emails. The cases came to light during the ICO’s investigation into the use of personal data and analytics by political campaigns, during which a clear link between Leave.EU and Eldon (same offices and same directors) was observed:
- In the first incident, Leave.EU subscribers received emails containing banner ads from GoSkippy (Eldon Insurance) offering a discount to Leave.EU supporters. Leave.EU said it had the subscribers’ consent to advertise “other products and services” to the list, but the ICO concluded that the privacy notice did not go far enough in making clear that these “other services” might be completely unrelated (£45k fine)
- The second incident occurred when a Leave.EU newsletter was sent to Eldon Insurance customers, apparently due to an error (the two organisations’ email lists were stored in the same MailChimp account). The ICO found that appropriate consents were not in place to indicate that the recipients would expect completely unrelated third-party services to be advertised via the email list (£15k fine)
- The third case relates to the GoSkippy (Eldon Insurance) side of the advertising in Leave.EU’s newsletter emails (£60k fine)
Whilst these cases were actioned under the old Data Protection Act 1998 (because they occurred before GDPR came into force) they highlight a number of concerns for any business:
- If you’re managing multiple email lists for multiple companies (whether connected or not), you need to be sure you send the right message to the right subscribers
- You must make sure you have clear and transparent consent that actually covers it if you plan on advertising someone else’s unrelated services to your subscribers
But what seems intriguing is a further issue that’s not addressed in these cases: whilst Leave.EU and Eldon shared the same offices, and in some cases the same personnel and the same directors, they were two separate entities who shouldn’t have had access to each other’s organisation’s data. These lists should have been maintained separately (apparently there are now two MailChimp accounts, to avoid accidentally sending the wrong messages to the wrong list again), and surely unauthorised access to each other’s data may have occurred because both email lists were on the same account (even though they related to separate organisations)? That sounds like a breach to me?
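The two controls the post calls for, keeping each organisation’s list separate and only advertising a third party to subscribers whose consent actually names it, can be enforced in code before a campaign is handed to the mail platform. The example below is added here and is not code from the post, the ICO or MailChimp; the organisation names are used purely as labels, the subscriber addresses are constructed, and `plan_send` is a hypothetical pre-send gate rather than any real API.

```python
"""Pre-send gate for multi-organisation mailing lists (illustrative, added example).

Two rules are enforced before any message is queued:
  1. A campaign may only go to a list owned by the organisation sending it
     (prevents one organisation's newsletter reaching another's customers).
  2. Where the email advertises an organisation other than the list owner,
     each recipient must have given consent that explicitly names that
     advertiser; a generic "other products and services" consent is not enough.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subscriber:
    email: str
    # Organisations this subscriber explicitly agreed to receive marketing from.
    consented_advertisers: frozenset


@dataclass(frozen=True)
class MailingList:
    owner: str          # organisation that collected these addresses
    subscribers: tuple  # Subscriber records


@dataclass(frozen=True)
class Campaign:
    sender: str             # organisation sending the email
    advertisers: frozenset  # every organisation whose products appear in it


def plan_send(campaign: Campaign, mailing_list: MailingList):
    """Return (accepted_emails, rejected) where rejected maps an email to the
    advertisers for which that subscriber's consent is missing.

    Raises PermissionError if the campaign sender does not own the list, so a
    cross-organisation send fails closed instead of going out by mistake.
    """
    if campaign.sender != mailing_list.owner:
        raise PermissionError(
            f"{campaign.sender} may not send to a list owned by {mailing_list.owner}"
        )

    # Only advertisers other than the list owner need separate, named consent.
    third_parties = campaign.advertisers - {mailing_list.owner}
    accepted, rejected = [], {}
    for sub in mailing_list.subscribers:
        missing = third_parties - sub.consented_advertisers
        if missing:
            rejected[sub.email] = sorted(missing)
        else:
            accepted.append(sub.email)
    return accepted, rejected


# Constructed sample data: two lists held by two organisations.
LEAVE_LIST = MailingList(
    owner="Leave.EU",
    subscribers=(
        Subscriber("alice@example.invalid", frozenset({"Leave.EU", "GoSkippy"})),
        Subscriber("bob@example.invalid", frozenset({"Leave.EU"})),
    ),
)
ELDON_LIST = MailingList(
    owner="Eldon Insurance",
    subscribers=(
        Subscriber("carol@example.invalid", frozenset({"Eldon Insurance"})),
    ),
)

# A Leave.EU newsletter that also carries a GoSkippy banner.
NEWSLETTER = Campaign(sender="Leave.EU", advertisers=frozenset({"Leave.EU", "GoSkippy"}))


def demo():
    """Run the newsletter against its own list: bob lacks GoSkippy consent."""
    return plan_send(NEWSLETTER, LEAVE_LIST)


def cross_org_blocked():
    """True if sending the Leave.EU newsletter to Eldon's list is refused."""
    try:
        plan_send(NEWSLETTER, ELDON_LIST)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    accepted, rejected = demo()
    print("accepted:", accepted)                 # ['alice@example.invalid']
    print("rejected:", rejected)                 # {'bob@example.invalid': ['GoSkippy']}
    print("cross-org send blocked:", cross_org_blocked())  # True
```

The design choice is that consent is checked per advertiser, not per list: a subscriber who agreed to hear from the list owner is not thereby treated as having agreed to hear from anyone else, which is the gap the ICO identified in the privacy notice. Keeping the ownership check as a hard failure, rather than a warning, means a shared account or a mis-selected list cannot silently produce the second incident.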