Tag Archives: email

UK Company Gets into Snafu over Direct Marketing Emails

Direct marketing emails can quickly get a company into trouble. Two companies in the UK found themselves on the wrong end of compliance with the Privacy and Electronic Communications Regulations 2003 (PECR).

The Information Commissioner’s Office (ICO), tasked with enforcing PECR, recently issued a fine against Flybe and Honda for violating the direct marketing provisions under the regulations.

Flybe Case

Flybe is a regional airline carrier based in Exeter.

In August 2016, Flybe sent out emails with the subject: “Are your details correct?” The email asked recipients to amend any out-of-date information and update their marketing preferences. It also enticed recipients to update their preferences by entering them into a prize draw.

After a complaint to the ICO by an email recipient, an ICO investigation ensued and found that Flybe had sent emails to 3.3 million customers who had explicitly opted out of direct marketing from the airline.

ICO fined Flybe £70,000 for their violations of the direct marketing provisions under PECR.

Honda Case

ICO issued a similar fine against Honda on the same day for £13,000.

Honda similarly sent almost 300,000 emails asking customers to clarify their marketing preferences. Without direct evidence to show whether the recipients consented to direct marketing, Honda violated PECR.

Again, the ICO found the emails in violation of PECR. The fine assigned is significantly lower than Flybe’s because far fewer emails were involved. The comparison of Honda’s negligence with Flybe’s deliberate noncompliance is also relevant when reflecting on the disparate fine amounts.

ICO Reflections

ICO made several assertions regarding the two cases and the subject of direct marketing under PECR.

Steve Eckersley, ICO Head of Enforcement, confirmed that emails asking recipients if they want to change any marketing preferences are themselves marketing emails… not customer service emails. And thus, they are subject to the rules of PECR.

Further, any company sending these types of emails to customers who have opted out of marketing emails is in violation of PECR.

In providing a solution for compliance, ICO referenced their recently

Key Takeaways

Interestingly enough, the violating companies were supposedly preparing for compliance under the GDPR for provisions related to consumer consent.

As the effective date for GDPR approaches, expect to see more companies over the coming year’s countdown looking for clever ways to comply with the consent requirements. Many companies with a presence in the UK will face the same risks that caught Honda and Flybe.

We’ve seen related issues with marketing emails in Canada as well. As we noted here, Canada’s law opens up to private right of action starting July 1st.

Companies should use caution when preparing for GDPR compliance or cleansing their marketing lists. Remember:

Don’t break one law in order to follow another…

Be Aware that Emails Can be Spoofed

Be aware that email addresses can be spoofed, and email accounts taken over by cyber thieves. A recent scam alert from the Internet Crime Complaint Center (IC3) provides examples of reported complaints:

• Businesses were contacted fraudulently via legitimate suppliers’ e-mail accounts (email takeovers). Recipients were asked to change the wire transfer payment of invoices. Businesses became aware of the scheme after the legitimate supplier delivered the merchandise and requested payment.
• A business partner, usually chief technology officers, chief financial officers, or comptrollers, receives an e-mail via their business accounts purportedly from a vendor requesting a wire transfer to a designated bank account. The e-mails are spoofed by adding, removing, or subtly changing characters in the e-mail address that make it difficult to identify the perpetrator’s e-mail address from the legitimate address.

Key takeaway: Emails are easily spoofed. Do NOT rely on email for important instructions. Review your processes and instruct employees as appropriate.

Court Order Required to Delete Misdirected Email

In a great example of the trouble that can result from a misdirected email, a Reuters report details how Goldman Sachs Group Inc was compelled to ask a U.S. judge to order Google Inc to delete an email to avert a “needless and massive” breach of privacy. Goldman filed a complaint in a New York state court in Manhattan.

A Goldman contractor intended to email a sensitive report to a “gs.com” account, but inadvertently sent it to a similarly named but unrelated “gmail.com” account. The email apparently included highly confidential brokerage account information. Goldman has been unable to retrieve the report or get a response from the Gmail account owner. According to Goldman, a member of Google’s incident response team indicated that the email cannot be deleted without a court order.
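Two defensive checks that follow from the IC3 alert above and from the Goldman/Google misdirection: flag inbound sender domains that are a near-miss of a known supplier domain (the “subtly changed characters” pattern), and require an exact allowlist match for the recipient domain of any message tagged as sensitive before it leaves the organisation. This is an added example, not code from IC3, Goldman Sachs or Google; the trusted domains, allowlist and sample addresses are constructed.

```python
# Added example, not from the IC3 alert or the Reuters report. Trusted
# domains, the allowlist and sample addresses are constructed for illustration.
from __future__ import annotations

# Assumed: the organisation's list of legitimate supplier domains.
TRUSTED_DOMAINS = {"acme-parts.example"}
# Assumed: the only domains allowed to receive messages tagged as sensitive.
SENSITIVE_ALLOWLIST = {"gs.com"}

# Visually confusable sequences, folded to one canonical form before comparing.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address such as 'Name <a@b>'."""
    return address.strip().rstrip(">").rsplit("@", 1)[-1].strip().lower()


def fold(domain: str) -> str:
    """Collapse homoglyph tricks such as 'rn' for 'm' or '0' for 'o'."""
    for src, dst in CONFUSABLES:
        domain = domain.replace(src, dst)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum number of single-character edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_risk(address: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Classify an inbound sender as 'trusted', 'lookalike:<target>' or 'unknown'."""
    domain = domain_of(address)
    if domain in trusted:
        return "trusted"
    folded = fold(domain)
    for target in sorted(trusted):
        if edit_distance(folded, fold(target)) <= max_edits:
            return f"lookalike:{target}"
    return "unknown"


def outbound_allowed(recipient: str, sensitive: bool, allow=SENSITIVE_ALLOWLIST) -> bool:
    """Sensitive messages may only go to an exact-match allowlisted domain."""
    return (not sensitive) or domain_of(recipient) in allow
```

A lookalike verdict is a reason to verify the payment-change request out of band, not proof of fraud; the outbound check is the gate that would have stopped a “gs.com” report from reaching a “gmail.com” address.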

Final Canadian Anti-Spam Regulations Released

The Canadian Radio-television and Telecommunications Commission (CRTC) has released final regulations to implement Canada’s Anti-Spam Legislation (CASL). The final Electronic Commerce Protection Regulations and Regulatory Impact Analysis Statement are designed to resolve some uncertainties arising from the language of CASL. CASL will be implemented in three phases. Most of the CASL provisions will go into effect on July 1, 2014. Rules regarding installation of computer programs become effective January 15, 2015. The private right of action provisions become effective July 1, 2017.

California Court Rules that E-mail Addresses are Protected Under Song-Beverly

The federal District Court for the Eastern District of California has ruled that consumer e-mail addresses are personal identification information (PII) under California’s Song-Beverly Act (the Act). As such, retailers may not require consumers to provide their e-mail address prior to making a credit card purchase. In a class-action lawsuit brought against retailer Nordstrom Inc. (Capp v. Nordstrom, Inc.), the Court found that, like zip codes, consumer e-mail addresses fall within the definition of PII under the Act. The Court also found that the federal CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003) does not preempt the Act because, unlike CAN-SPAM, the Act does not address or regulate the content of the e-mail messages sent to consumers. The Court found that retailers should comply with both the Act and CAN-SPAM.

Use of Remote Images May Violate CAN-SPAM Act

The United States District Court for the District of Utah has found that the use of remote images in place of legally required text in the body of an email violates the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM Act”). The Court relied on the Internet Engineering Task Force’s (“IETF”) Request for Comments publication (“RFC”) and the United States Department of Homeland Security’s United States Computer Emergency Readiness Team (“US-CERT”) communications in making the determination. Both sources led the Court to rule that remotely hosted images do not comply with the CAN-SPAM Act’s directive that commercial email messages (a) contain a valid physical postal address of the sender, (b) provide clear and conspicuous identification that the message is an advertisement or solicitation, and (c) include a clear and conspicuous notice of the opportunity to decline further messages (i.e. unsubscribe or “opt-out” functionality).

According to the judgment, “In a commercial communication through an electronic medium ‘clear and conspicuous’ is defined as follows: the ‘disclosure must be unavoidable . . . [and] [a]ny visual message shall be of a size and shade, with a degree of contrast to the background against which it appears, and shall appear on the screen for a duration and in a location sufficiently noticeable for an ordinary consumer to read and comprehend it.’” The Court noted that while some consumers have the capability to read and display text in HTML email messages, many others do not. Therefore, many consumers may be unable to read the content of an email that uses remotely hosted images in lieu of text and may never see the required information, so such a message does not meet the condition of being “clearly and conspicuously displayed.”

UK Commission fines City Council £120,000 for Unencrypted Emails

The Information Commissioner’s Office (ICO) reminds organizations that sensitive personal information should be encrypted when being stored and sent electronically. Stoke-on-Trent City Council received a monetary penalty of £120,000 for emailing unencrypted sensitive information about a child protection legal case to the wrong person. On 14 December 2011, 11 emails were sent by a solicitor at the authority to the wrong address. The emails included highly sensitive information relating to the care of a child and further information about the health of two adults and two other children. The emails should have been sent to Counsel instructed on a child protection case. The ICO took into account a 2010 incident at the authority in which sensitive data relating to a childcare case was lost after being stored on an unencrypted memory stick.