Papa don't breach: UK data watchdog fines that other pizza place £10,000 over unsolicited marketing blitz

Papa John's falls foul of 'soft opt-in' exemption in PECR rules


Pizza takeaway and delivery outfit Papa John's has been fined £10,000 by the UK's data watchdog for sending marketing fluff to punters without their say-so.

Following a year-long investigation, the Information Commissioner's Office (ICO) found that the company had sent 168,022 "nuisance marketing messages to its customers without the valid consent required by law."

One of the unnamed complainants said they had "never [given their] consent for marketing text messages" resulting in "distress."

Another said they had received almost 100 messages in what was described as the "textbook definition of harassment."

The case hinges on rules in the Privacy and Electronic Communications Regulations (PECR) 2003.

In particular, the ICO found that Papa John's was relying on the "soft opt-in" exemption to send marketing texts and emails.

The "soft opt-in" exemption – for those unfamiliar with Regulation 22(3) PECR – means that organisations can send marketing messages by text and email to individuals whose details they've obtained in the course or negotiation of a sale, and in respect of similar products and services.

However, the organisation must also give the person a "simple opportunity to refuse or opt out of the marketing," both when first collecting the details and in every message after that.

This, ruled the regulator [PDF], was the snag.

"The law is clear and simple," said Andy Curry, ICO Head of Investigations. "When relying on the 'soft opt-in' exemption, companies must give customers a clear chance to opt out of their marketing when they collect the customers' details.

"Papa John's telephone customers were not given the opportunity to refuse marketing at the point of contact, which has led to this fine."

A Papa John's spokesperson told The Register: "Clearly, our intention was to reach only those potentially interested in our offers and we apologise unreservedly to any customers who were inconvenienced. Since this happened, we have performed a thorough review to ensure that we have got the correct permission from those we contact."

In May, American Express was fined £90,000 by the ICO after spamming people who opted out of its marketing emails with 4.1 million unwanted messages.

In the same month, the ICO fined Tested.me Ltd of St Albans £8,000 for sending 84,000 direct marketing emails without consent to people who had provided their personal data for contact-tracing purposes. ®

Similar topics


Other stories you might like

  • UK watchdogs ask how they can better regulate algorithms
    We have bad news: you probably can't... but good luck anyway

    UK watchdogs under the banner of the Digital Regulation Cooperation Forum (DRCF) have called for views on the benefits and risks of how sites and apps use algorithms.

    While "algorithm" can be defined as a strict set of rules to be followed by a computer in calculations, the term has become a boogeyman as lawmakers grapple with the revelation that they are involved in every digital service we use today.

    Whether that's which video to watch next on YouTube, which film you might enjoy on Netflix, who turns up in your Twitter feed, search autosuggestions, and what you might like to buy on Amazon – the algorithm governs them all and much more.

    Continue reading
  • UK criminal defense lawyer hadn't patched when ransomware hit
    Brit solicitor fined after admitting it took 5 months to install critical update

    Criminal defense law firm Tuckers Solicitors is facing a fine from the UK's data watchdog for failing to properly secure data that included information on case proceedings which was scooped up in a ransomware attack in 2020.

    The London-based business was handed a £98,000 penalty notice by the Information Commissioner's Office under Article 83 of the EU's General Data Protection Regulation 2018*.

    The breach was first noted by Tuckers on August 23 2020 when part of its IT system became unavailable. On closer inspection, resident techies found a note from the attackers confirming they had compromised part of the infrastructure. The Microsoft Exchange server was out of action and two days' worth of emails were lost, as detailed by the company blog at the time.

    Continue reading
  • Brit watchdog fines financial services biz £80k for text spam
    Company changed address to avoid probe after sending 378,553 messages

    Britain's data watchdog has issued an £80,000 penalty to a financial advisor that dispatched hundreds of thousands of unsolicited text messages during lockdown.

    H&L Business Consulting, based in Penrith, Cumbria, was found by the Information Commissioner's Office (ICO) to have sent 378,553 texts between January and June 2020, resulting in more than 300 complaints [PDF].

    The spam promoted the debt management scheme devised by UK government as the outbreak of the novel coronavirus morphed into a pandemic. This is despite the fact that H&L Business Consulting was unauthorized by the Financial Conduct Authority to sell regulated financial products or services.

    Continue reading

Biting the hand that feeds IT © 1998–2022