The U.K. data protection authority recently fined a lead generation company £90,000 ($118,000) for a 2017 unsolicited email marketing campaign. The company, Boost Finance Ltd, sent over 4 million emails promoting pre-paid funeral plans under the name findmeafuneralplan.com. In reaching its decision, the ICO (the UK data protection regulator), said that the company violated the UK’s Privacy and Electronic Communications Regulations by sending the messages without consent.

The recipients of the messages were subscribers of websites operated by Boost’s affiliates. While the individuals had, according to Boost, consented with its affiliate sites to receive generic “third party marketing,” the ICO noted that the request for consent did not specifically mention either Boost or findmeafuneralplan.com. The ICO did acknowledge that in one case the subject matter (funeral plans) was mentioned, but neither Boost nor findmeafuneralplan.com were mentioned by name. One site did mention Boost, but it was “embedded in a very lengthy list of organizations.” The sites also did not give individuals the ability to opt-out of marketing from third parties. The ICO concluded that the consents were inadequate, generic, vague and misleading, and as such insufficient to meet the requirements of the law.

Putting it Into Practice: This enforcement demonstrates the type of consent -informed and specific- that the ICO expects companies to receive before sending marketing emails.