Royal Mail has vowed to undertake a full internal data protection audit of its direct marketing practices – and implement changes – after yet another breach of the law has resulted in the postal giant sending more than 200,000 emails without valid consent.
The incident dates back to April 2021 when Royal Mail submitted a written breach report to the Information Commissioner’s Office confessing that – due to an error – it had sent direct marketing emails to 215,202 consumers who had expressed a desire to no longer receive marketing from Royal Mail. This is a direct breach of the Privacy & Electronic Communications Regulations.
In preparing to send the email, promoting Royal Mail’s War of the Roses special stamp collection, the company said it had identified 245,850 potential recipients. It then ran their details against its internal “marketing permissions master database” and determined that 215,202 of them had opted-out, leaving 30,648 potential recipients.
Royal Mail then sent the email to 30,648 individuals, with the 215,202 opt-outs being “moved to a holding step in the campaign”. However, due to an “internal routing error”, the 215,202 individuals were accidentally sent a “reminder email” which had been intended only for the 30,648 customers who had been sent, but had not opened or engaged with, the initial email.
Out of all those unlawfully contacted, just six responded: three made formal complaints and three enquired about their “permissions”. Royal Mail replied to these customers with an apology.
However, the ICO takes a very dim view of such actions. Late last year Virgin Media was found guilty of circumventing PECR to send marketing emails to 451,217 customers who had already opted out in an effort to get them to change their minds. Only one person – who just so happened to be a Decision Marketing reader – complained to the ICO, triggering an investigation, enforcement action, a fine and ultimately reputational damage for Virgin Media.
And so it has proved with Royal Mail, with the ICO ruling stating: “The Commissioner is satisfied that the contravention was serious. These messages contained direct marketing material for which subscribers had not provided valid consent. The Commissioner is satisfied that Royal Mail failed to take reasonable steps to prevent the contraventions.”
In mitigation, Royal Mail has said that it is to undertake a full internal data protection audit of its direct marketing practices which is expected to lead to reform. The Commissioner also acknowledged that this was an isolated incident arising from human error.
These circumstances, and the fact that the company self-reported the incident, have led to a minimal fine of just £20,000.
However, this is the second time the company has been found in breach of PECR; in 2018 it was fined for sending out more than 300,000 emails to customers without permission to do so.
At the time, the ICO said: “Royal Mail did not follow the law on direct marketing when it sent such a huge volume of emails, because the recipients had already clearly expressed they did not want to receive them.
“These rules are there for a reason – to protect people from the irritation and, on occasions, distress nuisance emails cause. I hope this sends the message that we will take action against companies who flout them.”
Whether the ICO will be so lenient a third time remains to be seen.