The UK Information Commissioner’s Office has imposed a £30,000 fine on Halfords Limited, a bicycle sales and repair company based in Worcestershire, England. According to the ICO, Halfords sent 498,179 unsolicited marketing emails in 2020 without the consent of the recipients, in contravention of Regulation 22 of the Privacy and Electronic Communications Regulations 2003 (“PECR”), which prohibits the transmission of unsolicited direct marketing communications by email in the absence of one of several enumerated exceptions.
As stated in the Monetary Penalty Notice, several complaints were filed concerning emails sent by Halfords about a program initiated by the UK government that provided a £50 voucher toward the cost of bicycle repair. The voucher could be used with mechanics and bike repair shops that were registered with the government voucher program. Although Halfords claimed that the emails it sent to former customers who had not opted-in to receive direct marketing communications were a “service message” intended “to promote a government initiate and not a Halfords produce or service,” the Information Commissioner determined that the emails contained direct marketing material and were subject to the PECR. Referencing the online direct marketing guidance provided by the Information Commissioner, the Information Commissioner found that the emails were sent for the purposes of direct marketing as defined by section 122(5) of the Data Protection Act 1998 (“DPA”), that they were transmitted without valid consent, and that Halfords failed to take reasonable steps to prevent the contraventions. The commissioner thus concluded that the email campaign contravened regulation 22 of the PECR, but the contravention was negligent rather than deliberate. In light of these findings, the Information Commissioner determined that a penalty of £30,000 is reasonable and proportionate and satisfied the requirements of the DPA.