The lesson learned from this case, is that the definition of direct marketing is so broad, that arguably any advertising or marketing material that is directed at an individual, will constitute direct marketing. To argue that it does not, is pointless.
Premier Foods Ltd is a UK food manufacturer that owns many well-known brands, including Bisto, Homepride and Mr Kipling. Premier Foods obtained my personal information when I entered a Mr Kipling Prize Draw in 2018: the ‘Roald Dahl Splendiferous Summer’ prize draw.
For the purpose of this article, when I refer to Mr Kipling, I’m referring to the controller – Premier Foods Ltd. I’m choosing to use the brand name as it’s more recognisable, and because it was my trust in the Mr Kipling brand that contributed towards my decision to submit my personal information to Premier Foods Ltd.
Entering a prize draw is not something that I would normally do. However, in 2018, I was regularly purchasing Mr Kipling Country Slices for my weekly walk on the hills, so when the ‘Roald Dahl Splendiferous Summer’ promotional packs started to appear on the shelves, I thought, “Why not?” Afterall, it was Mr Kipling – a trusted brand, and I had been further assured by the Prize Draw specific Privacy Notice. My understanding was that I would not receive direct marketing by entering the Prize Draw.
When I won a prize; a ‘Roald Dahl BFG Giant Jigsaw puzzle’, I received a ‘Prize Notification’ email that outlined the process for claiming the prize. This ‘information only’ service message needed to be devoid of marketing messages. However, Mr Kipling had added the following message to the email:
‘In the meantime, why not purchase another one of our Roald Dahl promotional packs to try again with another code. There are still lots of super prizes to be won!’
I instantly concluded that this marketing message had been injected into, what should have been, an administration-only service message. This was unexpected and annoying. It was particularly odious because it constituted direct marketing by stealth, in my view; that Mr Kipling was endeavouring to sneak small marketing messages through to me – regardless.
I concluded that Mr Kipling had unlawfully targeted me with unsolicited electronic marketing by failing to comply with R22 PECR. If they wanted to target prize draw entrants with direct marketing by email, then all they had to do was to include a R22 PECR compatible mechanism on the form, and I would have opted out.
Mr Kipling’s first response
I submitted a complaint about the marketing message to Mr Kipling’s Privacy Team but surprisingly, their initial response was dismissive and failed to address the specifics of my complaint. They said:
Whilst we are of the opinion that all of our emails are compliant with the Privacy and Electronic Communication Regulations, we have raised your concerns with the marketing team who will take them into account for any future competitions.
It wasn’t clear why they’d opted to generalise their reply, bearing in mind that I had forwarded the Prize Notification email to them and added my complaint to it. One has to reasonably conclude that they would have seen the Prize Notification email – directly below my complaint.
Mr Kipling’s second response
My reply was more detailed in the hope that it would elicit a competent response from someone who is supposed to have expertise in data protection law. I said:
‘As a compliance person, please will you clarify exactly why you hold the view that this e-mail is complaint [sic] with Regulation 22 PECR? Are you saying that the marketing is not significant enough to constitute direct marketing or is it something else? Thanks!’
Mr Kipling’s Privacy Team replied as follows:
As mentioned in my previous email, please be assured that your concerns have been highlighted to our marketing team, who have confirmed that they will take them into consideration for future competitions.
So much for that idea. It was now apparent to me, that Mr Kipling’s Privacy Team either lacked the competency or, more likely, were deliberately endeavouring to frustrate my complaint by refusing to engage with me on the specifics of my complaint.
Mr Kipling’s third response
I followed-up with a few more emails, and threatened legal action, but these emails went unanswered. However, it would appear that my threat prompted an internal investigation. Finally, nearly a month after my initial complaint, Mr Kipling’s Privacy Team replied as follows:
We thank you again for bringing your concerns to our attention and apologise for our delay in responding whilst we continued to investigate.
The email sent to you confirming your prize and delivery details was not intended to be a marketing communication, but rather an administration email. The fact that our email could be construed as marketing, we apologise for, this goes against our company policy and was a result of an overzealous member of our marketing team rather than an intentional company decision.
Once we discovered our mistake, we immediately made changes to the process to ensure that no other competition winners received that line of the email, and furthermore that the team don’t include such statements in future emails (including by way of providing them with additional training). We also contacted the ICO to notify them of our mistake, and the action we have subsequently taken. In response, the ICO felt we had taken all steps necessary in this situation.
This was a calculated and somewhat devious response in my view.
If you recall, I specifically asked the Privacy Team to clarify why they were of the view that the Prize Notification email was compliant with Regulation 22 PECR. In this more detailed response, they’ve said that it was not meant to be a marketing communication, and they’ve apologised that it could be construed as marketing, but they’ve avoided answering my R22 PECR question. Is it reasonable to conclude, that having taken almost a month to carry out “an investigation”, they forgot to answer my R22 PECR question?
I believe that this response was carefully crafted to placate me by using the word ‘mistake’ to admit fault, without actually admitting fault. They also mentioned that they contacted the ICO to make them aware of their mistake. So, did they phone the ICO to inform them that they had failed to comply with R22 PECR?
If this response was designed to placate me, it didn’t work because I wanted an answer to my question, so I filed a claim for compensation.
Mr Kipling’s Defence
The underlying argument given in Mr Kipling’s Defence, was that the marketing message was added by mistake due to a failure of process. They said:
The Confirmation Email was sent as an administration email to collect postal addresses of [sic] winner (to avoid collecting and storing this from all entrants) prior to sending their prize, the inclusion of the Marketing Paragraph was a mistake made by a member of the Defendant’s Marketing Team which was then missed due to a process failure, which meant that the Privacy Team did not see or approve the drafting used for the Confirmation Email. The Defendant has subsequently retrained its marketing team and put additional processes in place to prevent the same error occurring again in future.
And while they accepted that they had added a Marketing Paragraph to an administration only communication, they had doubts as to whether or not this had caused the communication to constitute direct marketing, or that I had suffered distress as a direct result. They said:
Whilst it is admitted by the Defendant that the Marketing Paragraph could constitute direct marketing for the purposes of The Privacy and Electronic Communications (EC Directive) Regulations 2003, it is denied that the Confirmation Email or the Marketing Paragraph contained therein has caused the Defendant to suffer distress, as elaborated upon in Paragraph 12 to 16 of this Defence.
Paras. 12 to 16 of their Defence focussed on the following:
1. Mr Kipling’s legal representative attacked me personally by referencing my website and my Twitter account and how I’d had a go at the BBC, the Royal Mail and the ICO. He said:
It is arguable from reading his publications that the Claimant thrives on identifying the mistakes of organisations and at the opportunity to receive compensation from them as a result of his tenacity.
2. Mr Kipling’s legal representative argued that a paragraph of marketing text would not be capable of causing any individual distress because they were being notified that they had won a prize. He said:
In any event the Defendant’s position is that the Marketing Paragraph would not be capable of causing any individual to suffering distress, particularly given it was accompanied by text informing the recipient that they had won a prize.
3. As always, I quoted Halliday v Creative Consumer Finance Ltd to support my case, but Mr Kipling’s legal representative sought to distinguish the Halliday case from this case by arguing that Halliday was a far more serious and prolonged abuse, and did not relate to marketing communications.
Analysing the Defence
In Mr Kipling’s Defence, it was said that the Marketing Paragraph had been added by a member of their Marketing Team, but due to a process failure, their Privacy Team did not see or approve this draft. Err, was this the same Privacy Team that directed my complaint to their Marketing Team?
Let’s break it down.
Mr Kipling confirmed that they operated a process, whereby members of the Marketing Team had to seek approval of any draft communications from their Privacy Team. As this view was supported by a statement of truth, I have to reasonably accept that such a process existed.
Mr Kipling also confirmed that two things happened: the inclusion of the Marketing Paragraph was a mistake made by a member of the Defendant’s Marketing Team, and the communication was sent out without being reviewed by the Privacy Team.
If this information is correct, then I have to reasonably conclude that Mr Kipling’s Privacy Team would have been well aware – when they received my initial complaint, that there had been a failure of process. Yet, rather than admit to a failure of process, it’s reasonable to conclude that they deliberately tried to frustrate my complaint to cover-up that failure of process.
The problem that I have with this version of events though, is that marketing messages had also been injected into service messages during Mr Kipling’s 2017 Roald Dahl Splendiferous Summer promotion. I managed to find this YouTube video of some children reading out the letter than accompanied the prize and that letter includes a significant marketing message: https://www.youtube.com/watch?v=s3wliBqQljM.
Was this letter also the result of a double failure? Two separate administration-only communications, during two separate campaigns; both containing marketing messages that had been added by mistake and both subject to a failure of process? As you’ll see from my questions below, I asked Mr Kipling to clarify but he never did.
To be honest, I don’t know what to believe. However, as they admitted to a failure of process that caused a marketing messages to be injected into an administration-only communication, I would have expected Mr Kipling’s Privacy Team to have admitted that they had unlawfully targeted me with direct marketing by failing to comply with R22 PECR.
Seeking answer to my questions
I obviously had a lot of questions about the Defence, so I submitted a Response to Defence. Mr Kipling failed to answer any of these questions. So, I followed-up with a Notice to Admit Facts and asked the following questions. D is the Defendant – Mr Kipling, and I’m the Claimant – C:
QUESTION 1: Were the members of D’s Privacy Team operating an approval process that specifically checked for marketing material within administration-only communications, when they targeted C with the Confirmation Email?
QUESTION 2: If the members of D’s Privacy Team were operating the process referenced at Q1, were they checking for marketing material to avoid non-compliance, or was it for another reason?
QUESTION 3: Please will D confirm whether or not their Privacy Team actually viewed the Confirmation Email that C had forwarded to them when he submitted his complaint – prior to responding to his complaint on the 2 and 6 August 2018?
QUESTION 4: If the members of D’s Privacy Team were actively operating the process referenced at Q1, please will D clarify why they didn’t acknowledge the failure of process when C submitted his complaint?
QUESTION 5: Please will D clarify when the members of their Privacy Team became aware that the Confirmation Email contained marketing material?
QUESTION 6: Please will D confirm that the Roald Dahl prize winners normally receive the Confirmation Email, followed by a Prize Winner Letter that accompanies their prize. In other words, that they receive two separate administration-only communications; one by email and one by post?
QUESTION 7: Please will D confirm that the 2017 Roald Dahl Prize Winner Letter that C references in his Statement of Case, included a very similar marketing message to that contained in the Confirmation Email that that C received?
QUESTION 8: Please will D clarify; are they of the view that the inclusion of marketing material in the 2017 Roald Dahl Prize Winner Letter constitutes direct marketing?
QUESTION 9: Please will D confirm whether or not, the Confirmation Email and the Prize Winner Letter for both their 2017 and 2018 Roald Dahl Campaigns, all contained a marketing message? In other words, that all four admin-only communications over a two-year period, constituted direct marketing.
QUESTION 10: Please will D confirm whether or not any administration-only communications used with the 2019 Roald Dahl Campaign, contained a marketing message?
QUESTION 11: Please will D clarify why they’ve said that it could constitute direct marketing, not that it does, when they’ve implemented these changes in order to comply with the statutory definition of direct marketing?
QUESTION 12: Is there a specific aspect of the law that is causing D to have doubts about what does and does not constitute direct marketing?
QUESTION 13: Please will D confirm that the members of their Privacy Team are paid for their understanding of data protection law and to make determinations to ensure compliance?
QUESTION 14: Please will D confirm what they mean by “our mistake”.
QUESTION 15: Please will D clarify whether they contacted the ICO to report their non-compliance or to seek advice?
QUESTION 16: Please will D clarify what exactly they discussed with the ICO? What was the “error made by the Defendant” and what was the ICO’s response?
QUESTION 17: Please will D confirm whether any reference to “direct marketing” was made during the conversation, either by them or by the ICO? If so, please will they clarify what was said, specifically in relation to direct marketing?
Mr Kipling did not answer any of these questions.
The Court Hearing
Prior to the court hearing, I had prepared the Trial Bundle, which takes many hours, but I quite enjoy doing. The judge commented at the hearing that it was well prepared, so that was nice. At the start of the Bundle, I had summarised the case in two paragraphs:
C is of the view that D unlawfully processed his personal data by deliberately injecting a marketing message into an email that should not have contained marketing messages. D accepts that the marketing message should not have been added to the email, but it was added by mistake, due to a failure of process.
However, D is of the view that the email could constitute direct marketing, not that it does. As such, whether or not the email constitutes direct marketing will need to be determined at the hearing. If the judge accepts that C was unlawfully targeted with direct marketing, then whether or not C has suffered damages due to an infringement of statutory instrument, will also need to be determined’.
Once we’d settled into the hearing the judge focussed on the Defendant’s Legal Counsel to seek clarification about whether or not the email constituted direct marketing. At which point, Counsel confirmed that it did. This response caught me by surprise, and it seemed to me that the judge was surprised too!
The judge picked-up on this response and pointed out that, in their Defence, they had stated that it “could” constitute direct marketing not that it did. Counsel clarified that it was a matter of phrasing, and that it had been made clear to me previously, that the Prize Notification email constituted direct marketing. The Judge asked Counsel to find that communication, and of course, he was unable to, as it didn’t exist.
Thus, within minutes of the hearing starting, Mr Kipling’s Legal Counsel had settled a key point of contention in this case; that Mr Kipling was of the view that the marketing message constituted direct marketing.
Moving on, the judge was keen to understand the nature of my distress. He indicated that there appeared to be two aspects of distress: the annoyance of having received the direct marketing email and the frustration of dealing with the Defendant. I’d outlined my frustration with the Defendant in the Trial Bundle and the fact that they’d failed to answer my questions.
Distress has to be directly related to the infringement. So, when the judge asked me if I wanted him to take both of these aspects of distress into account, I said that I just wanted to focus on the distress caused by the annoyance of having received the marketing email as a direct result of unlawful data processing.
I was fairly confident that the judge was likely going to rule in my favour, but it wasn’t clear-cut. And to be fair, Counsel did a good job trying to convince the judge that this is something that I do as a hobby and therefore, it’s unlikely that I had suffered distress. However, I believe that this paragraph from “Halliday” clinched it. In this case, Lady Justice Arden said:
‘I would accept as a general principle that, where an important European instrument such as data protection has not been complied with, there ought to be an award, and it is to be expected that the complainant will be frustrated by the non-compliance’.
The judge specifically referred to this paragraph during his summation; prior to ruling in my favour.
Once the judge had ruled, the Counsel for the Defence argued that it was unreasonable for them to have to pay compensation because there was a danger that it could open the floodgates for claims and that this would have an impact on UK businesses. The judge considered and dismissed this argument because it was unsupported by law or by case law.
Once the judge had ruled, Counsel for the Defence suggested that had my claim been lower, they might have been more tempted to reach an out of court settlement. Personally, I’m not convinced. Mr Kipling’s Privacy Team were adamant that I had no right to claim compensation, and this was reflected in the Defence.
Finally, there was some confusion over the GDPR and PECR. To clarify, a failure to comply with the PECR is also a failure to satisfy a condition for processing, pursuant to Article 6 GDPR. As such, I had filed the following:
- a claim for non-material damages resulting from Defendant’s deliberate infringement of the PECR – pursuant to Article 169(1) DPA;
- a claim for non-material damages resulting from Defendant’s deliberate infringement of the GDPR – pursuant to Article 82(1) GDPR.
In this case however, the judge had focussed on the failure to comply with the PECR. When I mentioned the GDPR towards the end of the hearing, I got the impression that the judge had enough information to rule on the case, so I didn’t pursue it. So, I’ll do more to make this clear in future claims, perhaps using a graphic.
Funnily enough
During the court hearing, Mr Kipling’s legal representative attacked me personally by referencing my website and my Twitter account and how I’d had a go at the BBC, the Royal Mail and the ICO. Would you believe, that as I write this article, I’m currently challenging the BBC about the adverts at the start of iPlayer programmes – I believe they constitute direct marketing. I’m challenging the Royal Mail about whether or not a residential postal address on its own should constitute personal information – I believe that it should. And I’ve taken the ICO to a First Tier Tribunal because a Case Officer deliberately manipulated the law so that she could argue in favour of the controller. I shall be publishing these cases in due course.
I never received my prize
I never received my prize by the way – a Roald Dahl BFG Giant Jigsaw puzzle. What happened was, Mr Kipling had appointed a prize fulfilment company to deal with posting out the prizes. They required me to fill out a form that required me to agree to their entire Privacy Notice. Having to accept or agree to a Privacy Notice is one of my pet peeves because it serves no purpose but to mislead. What is the nature of that agreement? Are they contractually binding me to all of the processing given in their privacy notice? Really?
I asked the prize fulfilment company to clarify the nature of that agreement, but they failed to do so. Instead, they informed me that I could just send my postal address information by email rather than use the form. I refused to do so because they failed to answer my question. When I discussed this with Mr Kipling’s Privacy Team, they said:
Finally, having checked our records you have now received your the final email requesting your delivery details, if you fail to provide your details within 7 days from the date this was sent, your right to claim the prize will be forfeitted [sic] in accordance with Conditions 6 and 18 of the competition Terms and Conditions. The applicable Privacy Notice for your data is the same as the Privacy Notice made available to you at the point of entry.
It would appear that Mr Kipling’s Privacy Team were uninterested by the fact that their prize fulfilment company, was binding everyone to their privacy policy. So, for standing up for my rights, and asking them to explain what the nature of the acceptance was, I didn’t get my prize. Well, I should say, my great-niece never got her prize. Nice one Mr Kipling!
Conclusion
What this, and my other cases demonstrate, is that although controllers may think unwanted direct marketing is a trifling matter, the courts certainly do not. It is expected that an individual will be frustrated by the failure to comply with important European instrument such as data protection.
As far as Mr Kipling is concerned, I no longer trust this brand and I’ve stopped purchasing their products. I’ve switched to Eccles Cakes instead for my weekly hill walk. Their lawyer was a reasonable fella and did a good job in court, but I’ve got nothing good to say about Mr Kipling’s Privacy Team. They mocked my claim for compensation by repeatedly asking me to demonstrate why I had suffered distress – which I did. And in the end, the judge accepted my interpretation of the law.
If you have concerns about how Mr Kipling has handled your information, I would suggest that you submit a complaint to the ICO or seek legal advice. I wouldn’t bother wasting your time with their Privacy Team.