The ICO has fined the Conservative Party £10,000 for sending 51 marketing emails to people who did not want to receive them, in breach of Regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR).
The monetary penalty notice follows an ICO investigation relating to emails sent from the Conservative Party in the name of Boris Johnson during the eight days in July 2019 after he was elected Prime Minister. The emails were addressed to the people they were sent to by name and promoted the party’s political priorities, with the last sentence including a link directing them to a website to join the Conservative Party. Direct marketing is defined in section 122 of the Data Protection Act 2018 as any communication of advertising or marketing material…directed at particular individuals, and the emails fell within that definition.
The ICO found the Conservative Party failed to retain clear records of the basis upon which people had consented to receive marketing emails. Between 24 July and 31 July 2019, the party sent out a total of 1,190,280 marketing emails. However, the ICO has found that not all emails were in breach of PECR, because it accepts it is likely that some of the emails will have been validly sent, though it is not possible to identify what that proportion is.
The ICO concluded the party did not have the necessary valid consent for the 51 marketing emails received by the complainants. The party failed to ensure records of those who had unsubscribed from its marketing emails were properly transferred when it changed email provider.
While the ICO was still investigating, the party engaged in an industrial-scale marketing email exercise during the December 2019 General Election campaign, sending nearly 23 million emails. This generated a further 95 complaints, which are likely to have resulted from the party’s failure to address the original compliance issues identified in July 2019. The ICO had also identified these issues as part of a wider audit of the Conservative Party’s processing of personal data during summer 2019.