Opening Hours: Monday to Thursday 9:00 am to 5:30 pm, Friday 9.00 am to 5.00 pm

Papa John's fined

This is a reminder for all businesses carrying out direct marketing or holding customer data.

It is fair to say that the Privacy and Electronic Communications Regulations (the Regulations) do not sound that exciting, and it is hard to see what they have to do with pizza. However, these regulations sit alongside the Data Protection Act and the UK GDPR. Together they contain specific rules on, amongst other things, marketing calls, emails, texts and faxes.

The Information Commissioners Office (ICO) has recently reported that it has fined the Papa John's pizza company £10,000 for sending 168,022 nuisance marketing messages to its customers. Papa John's sent unsolicited emails to individual subscribers for the purposes of direct marketing which was not in compliance with the Regulations. It is a contravention of the Regulations to send unsolicited direct marketing communications by email unless the recipient has previously notified the sender that they consent for the time being to receiving those communications.

The Regulations are of huge significance to businesses, not least because contravention could lead to a penalty of up to £500,000.

Papa John's indicated that it only obtained details from its own customers where orders were placed directly with the company and further that it relied on the 'soft opt in' and said that it gave 'unsubscribe' options in every email and text message sent.  It transpired that these options were not made available in every case and people who placed an order over the telephone were not given an option to opt out of receiving marketing messages.  The company displayed their privacy notice in stores and online and customers could access the marketing preference centre on its website.  However, the ICO found that Papa John's actions were not in compliance with the Regulations and that the company could not evidence consent of the customers to receiving the direct marketing messages. 

Perhaps unsurprisingly, the ICO considered that the contravention was 'serious' although it did not consider that Papa John's deliberately set out to contravene the Regulations.

All businesses should be aware of their data protection and privacy obligations particularly when communicating directly with customers or potential customers.  What is interesting is that the ICO found that the actions of Papa Johns were carried out to generate business and to increase profits, which gave them an unfair advantage over those businesses which were complying with the Regulations.

This is a salutary reminder for all businesses which carry out direct marketing or hold customer data. If in doubt, a business should take specialist advice as to its responsibilities. Where data protection is concerned, consent is key.

To discuss this or any other business related matter, contact us.