Young man sitting on the floor with a laptop. He looks stunned as envelopes pour out of the screen

Brands fined for sending intrusive marketing emails in breach of GDPR

The Information Commissioner’s Office (ICO) has fined three major UK brands after finding them guilty of sending a collective 354 MILLION unsolicited marketing communications in a significant breach of the General Data Protection Regulation (GDPR).

The brands in question, We Buy Any Car, Sports Direct, and Saga, have been fined a collective £495,000 due to the breaches. This brings the total fines levied by the ICO for breaking marketing laws so far in 2021 to more than £1.7 million.

  • We Buy Any Car received a £200,000 fine for sending over 191 million unsolicited emails and 3.6 million text messages. And you thought the TV and radio adverts were the most annoying thing they did!
  • Saga received two fines, with Saga Services Ltd and Saga Personal Finance fined £150,000 and £75,000, respectively, for sending more than 157 million unsolicited emails between them.
  • Sports Direct received a fine of £70,000 for sending 2.5 million unsolicited emails.

Each case was brought by the ICO following complaints from the public about the receipt of the unwanted marketing communications.

We Buy Any Car: Guilty of sending illegal follow up emails

We Buy Any Car sent over 191 million emails and 3.6 million text messages without consent between April 2019 and April 2020.

The breach occurred after We Buy Any Car had legally sent emails to individuals who had requested an online valuation of their vehicle. The brand subsequently sent follow up emails and text messages that contained marketing material, sent without consent, which resulted in the £200,000 fine.

Saga: Millions of unsolicited emails sent via partners and affiliates

The ICO found that both Saga Services Ltd and Saga Personal Finance sent emails to people on data lists who had not given explicit permission to be contacted. Furthermore, these people were contacted by partners and affiliates of Saga, meaning personal data had also been shared. However, it isn’t clear if the people on the lists had given permission for Saga to share their data.

In total, over 157 million emails were sent between November 2018 and May 2019.

Saga defended itself by saying it relied on indirect consent. However, the law is stricter around the sending of electronic communications. In addition to fines totalling £225,000, both Saga Services Ltd and Saga Personal Finance have been ordered to cease any illegal direct marketing activity within 30 days or face court action from the ICO.

Sports Direct: Re-engagement emails sent to millions

Sports Direct was found guilty of sending 2.5 unsolicited emails between December 2019 and February 2020 as part of what it called a “re-engagement campaign.” While Sports Direct claimed they were communicating with customers they “had not contacted for some time,” the brand couldn’t provide evidence they had consent to contact them, resulting in a £70,000 fine.

ICO comments on fines and warns businesses of rules

In a press release announcing the penalties and details of each case, Andy Curry, ICO Head of Investigations, said,” Getting a ping on your phone or constant unwanted messages on your laptop from a company you don’t want to hear from is frustrating and intrusive.

“These companies should have known better. Today’s fines show the ICO will tackle unsolicited marketing, irrespective of whether the messages have been orchestrated by a small business or organisation, or a leading household name. The law remains the same and we hope today’s action sends out a deterrent message that members of the public must have their choices and privacy respected.

“Companies that want to send direct marketing messages must first have people’s consent. And people must understand what they are consenting to when they hand over their personal information. The same rules apply even when companies use third parties to send messages on their behalf.”

Can you make a data breach claim for unsolicited emails?

You can, in theory. However, while receiving such communications is annoying, it is unlikely you have become a victim of fraud or had your sensitive data compromised due to receiving unwanted communications. As such, it isn’t economical to do so, as the legal costs would outstrip what you could claim.