News and Events

Morrisons supermarket chain found to be in breach of the Privacy and Electronic Communication Regulations (PECR)

View profile for Christopher Buck
  • Posted
  • Author

The Privacy and Electronic Communication Regulations (PECR) set out specific rules which govern the use of marketing by electronic communications such as; e-mail, telephone, text message and automated calls.


The Regulations only apply to unsolicited marketing, that is marketing that has not been specifically requested by the receiver. The Regulations make it clear that direct marketers must obtain a positive indication of consent and this may involve clicking an icon, sending an email or subscribing to a service. The Information Commissioner’s Office (ICO) provides that there must be some form of communication or positive action, by which the individual clearly and knowingly indicates consent to receiving the marketing material.

In most cases where direct marketing is conducted by way of email, the individual’s opt-in consent will be required. This provides a box for the individual to “tick” to indicate that they agree to receive the specified marketing or alternatively to leave blank in the event that they do not wish to receive such marketing material.

An investigation by the ICO found that WM Morrison Supermarkets PLC attempted to send 236,651 emails to customers who had previously opted out of receiving marketing relating to their Morrisons More reward card of which 130,671 were successfully received by customers. The emails invited customers to amend their marketing preferences to enable them to start receiving money off coupons, additional reward card points and the “latest news” from Morrisons.

The ICO considered Morrisons to have sufficient knowledge of their obligations under the Data Protection Act and the PECR and despite such knowledge they continued to email customers who had explicitly opted out of receiving direct marketing.

As a result of its findings, the ICO decided to take action against Morrisons for a deliberate breach of Regulation 22 of the PECR which provides that a person shall neither transmit nor instigate the transmission of unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that they consent for the time being to such communications being sent by the sender.

The ICO has the power to enforce certain sanctions for a serious breach of the PECR and in consideration of the extent of the breach by Morrisons, the supermarket chain has been issued with a fine in the sum of £10,500.00.

The ICO has published detailed guidance for firms carrying out direct marketing by phone, text, email post or fax which is available here.

If you should have any additional queries in respect of the PECR or data protection law generally, please do not hesitate to contact me on 01908 660966 or alternatively at