Email marketing has to comply with a range of privacy and data protection laws, and businesses found in breach of them can face hefty fines and legal repercussions. With this in mind, here are five of the biggest fines connected to poor email marketing and data protection practices, and what we can learn from each violation to keep future campaigns compliant.
What are the laws surrounding email marketing?
There are several email marketing regulations around the world to be aware of, from the CAN-SPAM Act in the United States to CASL in Canada and the Privacy and Electronic Communications Regulations 2003 (PECR) in the UK, alongside the GDPR across the EU. Each of these laws sets out the conditions email marketers have to follow to stay within the law and avoid hefty fines.
It can sound overwhelming to businesses, but if you’re using a reliable email marketing service provider, chances are you’re already complying with the rules. However, it’s important to stay abreast of the regulations in your location to ensure you’re not inadvertently failing to comply.
Why do we need email marketing laws?
Email marketing regulations primarily target spammers. They exist to stop businesses from collecting people's email addresses without consent and sending them unsolicited messages.
How can I comply with these regulations?
There are several steps that email marketers need to consider to comply with regulations, though the specific details depend on the country you're operating in. Here are some of the key requirements that recur across these laws, the GDPR and CAN-SPAM in particular:
- Express permission
Firstly, you need to ensure you have permission to email everyone on your list. Most countries' laws require permission before you send someone a campaign, although the definition of that permission varies from location to location. In most cases there are two types of permission: implied and express.
Implied permission relates to people who you already have an existing business relationship with, such as current customers or active members of your website or community. Express permission is granted when someone explicitly says you can send them emails, such as signing up via your subscription form.
- Header information
Another area businesses need to get right is header information. This is the metadata sent with your campaign, such as who the email is from, the subject line and the reply address. Email marketing laws prohibit misleading or false information in these fields, so you cannot disguise the sender or the subject to trick people into opening your emails.
- Postal address
Likewise, email marketers need to include a postal address in their emails (this is an explicit CAN-SPAM requirement). It can be your current street address, a post office box or a private mailbox registered with a commercial mail-receiving agency. Whatever details you include, they need to be valid and genuine, and included in every email you send to your subscribers.
Largest email marketing fines resulting from non-compliance
TIM – €27.8m/$31.5m
In 2020, Italian telecoms operator TIM was hit with a substantial GDPR fine from the Italian Data Protection Authority for a series of violations accumulated over several years. The infractions stemmed primarily from an overly aggressive marketing strategy that bombarded customers with unsolicited calls and communications, including people who had explicitly asked not to be contacted.
What can we learn from this?
Keeping a single, reliable record of each customer's marketing preferences, with a separate opt-in for each channel and marketing activity, would have let TIM tailor its campaigns to the people who had actually agreed to receive them and suppress everyone else. That segmentation is what prevents a do-not-contact request from being ignored by another team's campaign.
Wind – €17m/$18.2m
Italian telecoms operator Wind Tre was fined €17 million ($18.2 million) in 2020 by the Italian Data Protection Authority for unlawful direct marketing practices. The enforcement action followed complaints received by the regulator about Wind Tre's marketing communications.
It was reported that Wind Tre had sent unsolicited advertisements to individuals in Italy without obtaining their consent and had provided incorrect contact details, preventing consumers from unsubscribing. The regulator also found that Wind Tre's mobile applications compelled users to agree to direct marketing and location tracking, and that the company's business partners were involved in unlawful data collection.
What can we learn from this?
To avoid the fine, Wind Tre should have established a valid legal basis, such as obtaining consent from individuals, before using their contact details for direct marketing. Legitimate interest is sometimes cited as an alternative basis, but for electronic marketing (email and SMS) the ePrivacy rules that sit alongside the GDPR generally require prior consent, so it is rarely enough on its own. Whatever the basis for direct marketing, it is crucial to give consumers an easily accessible and working unsubscribe option. It is also essential to maintain an accurate and up-to-date privacy policy.
Austrian Post – €9m/$10.23m
Austrian Post, Austria’s largest postal service, faced a significant GDPR fine of €9 million ($10.23 million) in September 2021, which was imposed due to allegations that Austrian Post failed to adequately facilitate data subject rights requests.
When individuals wished to exercise their rights to access, delete or correct their personal data held by Austrian Post, the company offered various channels for submitting such requests, including web forms, mail and phone numbers. However, the Austrian DPA found fault with the company’s approach as it did not recognise email as a valid means of communication for rights requests. The DPA stated that Austrian Post should have allowed data subjects to submit their requests through any preferred medium.
What can we learn from this?
To avoid the fine, Austrian Post should have ensured that data subject rights requests could be processed through any communication method. Forcing individuals to use a specific channel and excluding email as an option is not an acceptable approach to facilitate their rights.
It is essential for organisations to be flexible and accommodating in handling data subject rights requests, regardless of the chosen communication method. By doing so, companies can uphold their obligations under GDPR and maintain a respectful and compliant approach to data privacy.
National Revenue Agency of Bulgaria – €2.6m/$3m
The National Revenue Agency of Bulgaria faced a €2.6 million ($3 million) fine in August 2019. This penalty was imposed following a data breach that impacted 5 million individuals. The breached data included personal information such as names, contact details and tax-related data. The Bulgarian Data Protection Authority (DPA) determined that the agency had failed to implement adequate technical and organisational measures to protect the personal data under its control.
What can we learn from this?
To avoid the fine, the Bulgarian National Revenue Agency should have conducted a comprehensive risk assessment of its data processing operations and implemented effective measures to ensure the security of personal data.
Although the specific cause of this data breach remains unclear, it is worth highlighting that the FBI's Internet Crime Complaint Center (IC3) consistently reports phishing, which arrives mainly by email, as the most frequently reported type of cybercrime. Securing your company's email systems therefore removes one of the most common entry points for breaches like this.
Royal Mail – £20k/$25k
In 2022 the ICO fined UK postal service Royal Mail under PECR for an email marketing failure in which more than 213,000 customers received promotional emails they had not consented to. What sets this case apart from the usual fines is that it did not begin with complaints to the ICO: it started when Royal Mail used the PECR breach reporting system to notify the ICO of the potential breach itself.
Following its investigation, the ICO found that the campaign was aimed at people who had previously bought stamps or had expressed an interest in receiving marketing. When that list was cross-referenced against Royal Mail's internal marketing master database, just over 30,000 people were actually eligible to receive the communication. The remaining recipients, the 213,000-plus who had opted out, were supposed to be skipped when the campaign went live, but the team only realised the mistake several days later.
What can we learn from this?
Given the mitigating circumstances, the ICO fined Royal Mail £20,000, which is small in relation to the other fines in this list but still considerable from a business perspective. What email marketers can learn from this mistake is the importance of regularly reviewing email lists and cleaning data, and of building checks into automation tools so that a campaign can only ever go to the subscriber list it was approved for.
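The kind of pre-send check described above, as an added illustration that is not Royal Mail's or the ICO's code. It assumes a consent log in which the most recent record per address wins, and a campaign export that may contain duplicates, stray whitespace and people with no consent record at all (a customer who bought something is not automatically a subscriber). Beyond filtering out opt-outs, the gate halts the whole send for human review when the rejection rate is implausibly high, since that is the signal that the wrong list was exported in the first place. The record layouts and sample addresses are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class ConsentRecord:
    email: str
    source: str         # where the decision was captured, e.g. "newsletter_form"
    at: datetime        # when it was captured
    granted: bool       # True = opt-in, False = opt-out / unsubscribe


@dataclass
class GateReport:
    send_to: list       # normalised addresses cleared for this campaign
    suppressed: dict    # normalised address -> reason it was dropped
    halted: bool        # True = do not release; the list needs human review
    reject_ratio: float


def normalise(addr: str) -> str:
    """Canonical form for matching. RFC 5321 allows a case-sensitive local
    part, but suppression matching must be case-insensitive so that an
    opt-out recorded as 'Carol@...' still blocks 'carol@...'."""
    return addr.strip().lower()


def latest_decisions(log):
    """Most recent record per address wins, so an unsubscribe that follows
    an earlier opt-in suppresses the address."""
    latest = {}
    for rec in sorted(log, key=lambda r: r.at):
        latest[normalise(rec.email)] = rec
    return latest


def check_campaign(recipients, consent_log, max_reject_ratio=0.05) -> GateReport:
    """Filter a campaign export against the consent log and decide whether
    the send may be released. max_reject_ratio is the share of the list we
    are willing to drop silently; above it, something upstream is wrong."""
    decisions = latest_decisions(consent_log)
    send_to, suppressed, seen = [], {}, set()
    for raw in recipients:
        email = normalise(raw)
        if email in seen:
            continue            # duplicate in the export: one message per person
        seen.add(email)
        rec = decisions.get(email)
        if rec is None:
            suppressed[email] = "no_consent_record"
        elif not rec.granted:
            suppressed[email] = f"opted_out:{rec.source}"
        else:
            send_to.append(email)
    total = len(seen)
    ratio = len(suppressed) / total if total else 0.0
    return GateReport(send_to, suppressed, ratio > max_reject_ratio, ratio)


# Constructed sample data (hypothetical addresses and sources).
CONSENT_LOG = [
    ConsentRecord("alice@example.com", "newsletter_form",
                  datetime.fromisoformat("2023-03-01T10:00:00+00:00"), True),
    ConsentRecord("bob@example.com", "checkout_optin",
                  datetime.fromisoformat("2023-05-12T09:30:00+00:00"), True),
    ConsentRecord("Carol@example.com", "newsletter_form",
                  datetime.fromisoformat("2022-11-20T08:00:00+00:00"), True),
    ConsentRecord("carol@example.com", "unsubscribe_link",
                  datetime.fromisoformat("2023-01-15T12:00:00+00:00"), False),
    # dave bought stamps but never ticked the marketing box: no record at all.
]

# A campaign export with messy casing, whitespace and a duplicate.
CAMPAIGN_LIST = [
    "Alice@Example.com",
    "bob@example.com ",
    "carol@example.com",
    "dave@example.com",
    "ALICE@example.com",
]

if __name__ == "__main__":
    report = check_campaign(CAMPAIGN_LIST, CONSENT_LOG)
    print("send to:   ", report.send_to)
    print("suppressed:", report.suppressed)
    print(f"reject ratio {report.reject_ratio:.0%}, halted={report.halted}")
```

With the sample data, only alice and bob clear the gate, carol is dropped because her unsubscribe post-dates her opt-in, and dave is dropped for having no consent record. Because half the list was rejected, the report is marked halted: a real sending job should stop at that point rather than quietly mail the survivors, which is the check that would have caught the wrong list before it went out.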
Stay compliant and avoid fines!
GDPR fines serve as a deterrent against non-compliance with data protection regulations, aiming to make it a costly mistake.
The rise in violations and the substantial fines imposed in recent years highlight a growing concern about consent and transparency. It is reassuring, though, to see European regulators actively enforcing the law and imposing fines at an unprecedented rate.