“Closely linked” firms Leave.EU and Eldon Insurance fined by the UK ICO for sending unlawful marketing messages

Posted on Thursday February 7, 2019

It was recently reported that the UK Information Commissioner’s Office (ICO) has issued large fines to an EU referendum campaign and insurance company for “serious breaches of electronic marketing laws”.

Pro-Brexit campaign group Leave.EU and an insurance company owned by its founder Arron Banks, Eldon Insurance (trading as “Go Skippy”), were fined £60,000 each by the ICO in relation to marketing messages and data protection violations carried out during the EU referendum campaign. The ICO will be auditing the handling of personal data by both firms, which will include interview directors and staff. It will also have access to documentation and the joint offices of the firms. The fines have been made under the Privacy and Electronic Communications Regulations 2003 (PECR) which set out rules regarding electronic marketing.

The fines follow an investigation which was carried out into the misuse of personal data by the firms in relation to political campaigns.

The ICO found the following:

  • The systems of each firm were closely linked and the segregation of personal data of insurance customers’ and political subscribers’ was ineffective. As such, Leave.EU used Eldon Insurance’s customers’ details to unlawfully circulate nearly 300,000 political marketing messages.
  • Eldon Insurance carried out unlawful direct marketing campaigns, meaning over a million emails were sent to Leave.EU subscribers without consent.

The Information Commissioner Elizabeth Denham stated her concern regarding the matter. She issued a statement, declaring “It is deeply concerning that sensitive personal data gathered for political purposes was later used for insurance purposes, and vice versa. It should never have happened.

We have told both organisations have made improvements and learned from these events but the ICO will now audit the organisations to determine how they are using customers’ personal information’.

We will await further details of the findings and report further once the ICO has completed its audits, which will be made public.

The ICO has the power under PECR to impose monetary penalties of up to £500,000. This enforcement action shows how important it is for businesses to take advice on direct marketing practices and understand that it is illegal to send out marketing emails without consent.

For advice on compliance with direct marketing laws and data protection, please contact Sej Lamba.