The Information Commissioner’s Office (ICO) has fined the Conservative Party £10,000 for sending 51 marketing emails to people who did not want to receive them.
It follows an ICO investigation relating to emails sent from the Conservative Party in the name of Rt Hon Boris Johnson MP during the eight days in July 2019 after he was elected Prime Minister. The emails were addressed to the people they were sent to by name and promoted the party’s political priorities, with the last sentence including a link directing them to a website for joining the Conservative Party.
Stephen Eckersley, ICO Director of Investigations, said:
“The public have rights when it comes to how their personal data is used for marketing. Getting messages to potential voters is important in a healthy democracy but political parties must follow the law when doing so. The Conservative Party ought to have known this, but failed to comply with the law.
“All organisations – be they political parties, businesses or others – should give people clear information and choices about what is being done with their personal data. Direct marketing laws are clear and it is the responsibility of all organisations to ensure they comply.
“The sending of nuisance marketing emails is a real concern to the public and the ICO will continue to take action where we find behaviour that puts people’s information rights at risk.”
The ICO found the Conservative Party failed to retain clear records of the basis upon which people had consented to receive marketing emails, as required by law. Between 24 July and 31 July 2019, the party sent out a total of 1,190,280 marketing emails but the ICO has found that not all emails were in breach of PECR as it accepts it is likely that some of the emails will have been validly sent, but that it is not possible to identify what that proportion is.
The ICO concluded the party did not have the necessary valid consent for the 51 marketing emails received by the complainants. The party failed to ensure records of those who had unsubscribed from its marketing emails were properly transferred when it changed email provider.
While the ICO was still investigating, the party engaged in an industrial-scale marketing email exercise during the December 2019 General Election campaign, sending nearly 23 million emails. This generated a further 95 complaints, which are likely to have resulted from the party’s failure to address the original compliance issues identified in July 2019. The ICO had also identified these issues as part of a wider audit of the Conservative Party’s processing of personal data during summer 2019.
Mr Eckersley said:
“It’s really concerning that such large scale processing occurred during the ICO’s ongoing investigation and before the Conservative Party had taken all the steps necessary to ensure that its processing, and database of people who would receive emails, was fully compliant with the data protection and electronic marketing regulations.”
ICO guidance clearly sets out the law around direct marketing emails. Direct marketing is defined as any communication of advertising or marketing material directed at particular individuals.
It is against the law to send marketing emails to people unless consent has been freely given. This is contained in Regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR).
Members of the public who believe they have been the victim of marketing emails, nuisance calls and texts are encouraged to report them to the ICO, get in touch via live chat or call the helpline on 0303 123 1113.
Notes to Editors
- The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018, the UK General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
- The Privacy and Electronic Communications Regulations (PECR) give people specific privacy rights in relation to electronic communications. There are specific rules on:
- marketing calls, emails, texts and faxes;
- cookies (and similar technologies);
- keeping communications services secure; and
- customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
- The ICO has the power under PECR to impose a monetary penalty on a data controller of up to £500,000.
- Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.
- Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO).
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.