Over seven months, the ICO estimates that protein retailing e-commerce company Muscle Food sent 135,651,627 marketing emails and 6,354,426 marketing SMS messages without valid consent.
The ICO have issued Muscle Foods Limited, trading as Muscle Food, a monetary penalty notice and enforcement notice imposing a fine of £50,000 for sending approximately 135,651,627 marketing emails and 6,354,426 marketing SMS messages without valid consent over a period of seven months in 2019.
Muscle Foods Limited sells high-protein products such as meat, poultry and protein enriched foods online, targeting “health conscious consumers and budget-conscious families” according to reporting in Trade Publication – Food Navigator. Muscle Food’s distribution strategy extends into retail with selection from its own product lines listed in convenience retailers and supermarket chains in the UK. The brand is part of the DB Foods Group, one of the UK’s largest meat wholesalers.
The ICO launched their investigation following complaints made regarding Muscle Food’s marketing practices.
The ICO’s investigation found that Muscle Food’s had contravened Regulation 22 of PECR.
Regulation 22 of PECR concerns the use of electronic mail for direct marketing purposes. It permits electronic mail for direct marketing purposes – e.g. email marketing to be sent to individuals under specific circumstances.
To summarise the legislation, the rules state that electronic mail for direct marketing can be sent when consent has been given by the recipient to the sender. This “consent” must be adequate under the standards imposed by GDPR. It must be freely given, specific, informed and unambiguous.
Besides consent, firms may send marketing messages via electronic mail only if the firm has obtained the contact details of the recipient in the course of the sale or negotiations for the sale of a product or device to that recipient. Firms must also ensure that the direct marketing sent is in respect of that person’s similar products and services only. And that the recipient was given a simple means of refusing the use of their contact details for the purposes of such direct marketing, at the time that the details were initially collected; and, where they did not initially refuse the use of the details, at the time of each subsequent communication. An e-commerce firm may decide to display this prominently at checkout for example.
Meeting this criteria is often referred to as the “soft opt-in”. This criteria is frequently relied upon by e-commerce companies such as Amazon, and airlines like Ryanair.
The ICO found that Muscle Foods Limited did not have the required consent to send marketing messages to the recipients concerned in the case. And that they were not able to qualify for the soft opt-in described previously.
In the office ICO enforcement notice, the ICO notes that “An organisation which is reliant upon regulation 22(3) of PECR to send marketing emails and SMS to its customers, must ensure the recipient has been given a simple means of refusing the use of his contact details for the purposes of such direct marketing at the time that the details were initially collected. MFL failed to do so.”
This case is of particular note because of the volume of marketing messages sent, the volume of individuals concerned and because of the ICO’s judgement regarding the PECR Soft Opt-in – a legal mechanism which many e-commerce companies rely on to send marketing messages to their customers.
If you are currently emailing customers located in the UK and EEA marketing messages without getting a GDPR valid consent, then we would advise you to review your processes urgently. You must ensure that you can properly apply the soft-opt-in under PECR. We would recommend an abundance of caution following this recent ICO enforcement.
To find out more about PECR you can check out the information available on the ICO’s website. You can also read the full legal text or try our PECR training course tailored specifically to marketing and sales professionals – it’s way less likely to send you to sleep than the first two options.
⚠️ Try our "painless" GDPR course. Certificate on completion. Sign up and start learning today.