MoneySuperMarket Fined for Sending Emails

Published on August 8, 2017

The Information Commissioner’s Office has fined MoneySuperMarket £80,000 for sending 7 million emails to former subscribers who had already opted out of receiving communications from the company.

What Happened?

It has been reported that MoneySuperMarket sent 7.1 million emails over 10 days between 30th November and 10th December 2016 to people who had once been subscribers, but had already opted out of receiving direct marketing correspondence from the price comparison website. This was reported to the Information Commissioner’s Office (ICO) which then fined MoneySuperMarket £80,000. The company confirmed to the ICO that out of the 7.1m emails sent, 6.7m were received by former subscribers.

Against The Law

According to the ICO, in this case, MoneySuperMarket broke the law and received the fine because they sent direct marketing messages ‘dressed up’ as legitimate updates people who had opted out of receiving all / any kind of communications anyway.


The ICO also found a disclaimer section in MoneySuperMarket’s email which stated that since MoneySuperMarket held the subscriber’s email address, it could still send marketing communications to them.

MoneySuperMarket also stated that even though the subscriber had already opted out of receiving communication, the email was a chance for them to ‘reconsider’ receiving future marketing messages by clicking a link to start receiving emails again.

Both ideas were found by the ICO to be against the law, particularly the Privacy and Electronic Communications Regulations (PECR), which sits alongside the Data Protection Act.

No Means No

By imposing a hefty fine on MoneySuperMarket, the ICO has made very clear that when people choose to not receive direct marketing anymore, in the eyes of the law, no means no, and under no circumstances should organisations keep sending communications. Using another email to ask people to ‘reconsider’ is also not a viable (or legal) tactic because the person has opted out of all communications.

Fine For Morrisons

Last month, the ICO imposed a fine of £10,500 on grocery supermarket Morrisons when it sent out a chain of more than 200,000 emails to customers who had already chosen to opt out from their direct marketing. The ICO has made it clear that in the light of both the Morrisons and MoneySuperMarket incident, they will continue to take action against companies that choose to ignore or act in ignorance of the law.

Smaller Fine For Early Payment

MoneySuperMarket has been instructed to pay the £80,000 by 17 August 2017. If the company pays the fine early, however, the fine will be reduced to £64,000. If the company uses its right to appeal the matter, the discount will be revoked.

In the meantime, a spokesperson for the company has already issued an open apology, stating that MoneySuperMarket takes the protection of its customers’ data and privacy very seriously, and that measures will be out in place to stop anything like it happening again.

What Does This Mean For Your Business?

Direct marketing and communicating with subscribers is an area that is governed by law, and it is, therefore, not open to creative interpretation of any kind. This case is a reminder of the fact that ‘no means no’ when subscribers choose the opt-out option, and companies should make sure that they are clear on at least the basic aspects of the law before undertaking direct marketing.

The introduction of GDPR next year will mean that businesses will need to re-visit how they manage their direct marketing because, for example, businesses need to be very careful around the area of consent to process data as failure to meet the new standards could mean the need to alter consent mechanisms, seek fresh GDPR-compliant consent from subscribers, or find an alternative to consent.

The PCI Security Standards Council warned UK businesses last year that failing to comply with GDPR could see them facing fines of up to €20m or 4% of annual worldwide turnover, whichever is greatest for data breaches. These kinds of fines far exceed the current £500,000 maximum fine. This is particularly worrying since a survey by PwC back in September 2016 showed for example, that 98% of organisations had no idea what they were going to do to ensure GDPR compliance.