On 6th September 2022, the Information Commissioner's Office (ICO) announced that it has imposed a £30,000 fine on Halfords for sending unsolicited marketing emails without consent. 

The unsolicited marketing

On 28th July 2020, Halfords sent 498,179 direct marketing emails to its customers. These emails related to a "Fix Your Bike" government voucher scheme. The scheme allowed people to use a voucher of up to £50 towards a bike repair. Halfords' communications encouraged customers to book a free bike assessment and redeem the voucher with them. The ICO considered this email as "marketing services which would generate income for the company."

The complaint

The ICO received three complaints from the members of the public. These complaints related to receiving direct marketing email from Halfords despite not granting consent to receive them. Halfords later admitted that they received further seven direct complaints initiating from the same campaign. They also experienced a 0.4% unsubscribe rate.  

The unsolicited email contained the following disclaimer:

"This is a service message and does not affect your marketing opt-in status"

The ICO were concerned that the email appeared to contain direct marketing material and thus was subject to obtaining customer's consent in line with the Privacy and Electronic Communications Regulations (PECR). 

Response by Halfords

Halfords denied any wrongdoing and considered the email as a "service" message rather than direct marketing.

Halfords relied on the "legitimate interest" clause behind the email whose purpose was to "inform customers of the launch of the Fix your bike scheme". The retailer expanded further, stating that it is in customer's interest to be notified about this scheme as they recently purchased a bicycle. As a result, they felt justified to target customers which "opted out who have bought an adult or junior bike in last 3 years."

Secondly, Halfords denied that the purpose of the message was to promote their products and service. Rather, the purpose was to promote the government initiative. In support, Halfords stated that the email contained no links to Halfords services, sales or offers, outside to terms and conditions. 


The ICO ruled that Halfords' email amounted to direct marketing in breach of regulation 22 of PECR. The ICO rejected Halford's legitimate interest argument and ruled that the brand failed to obtain necessary content for direct marketing communications. According to the ICO, Halfords "intentionally" targeted customers without consent on the basis that their communications were a "service" and not "direct marketing".

Further justifications behind the ICO's reasons are as follows:  

1. The use of phrases such as "Halfords", "Free £50" and "Fix Your Bike" in Halfords' brand colours implied a connection with the Government and emphasised Halfords' service. 

2. The email encouraged individuals to "visit halfords.com to find out more now" which the ICO claims is "a typical marketing strategy". 

3. The email failed to inform the customer that the voucher can be used at any shop participating in the scheme, not just Halfords. 

4. The email consisted an advertisement for Halfords' services, which individuals could pay for by redeeming a government voucher. 

Halfords were fined £30,000.


The key take-home here is that brands must be very careful about misusing "service messages" as a cloak for marketing messages. Failure to do so may result in a financial penalty of up to £500,000. The ICO refers brands to its' Commissioner's online guidance which provides greater clarity on what does not count as direct marketing. Service messages are "routine" to a current contract or a past purchase. On the other hand, a message becomes a marketing message when it includes "significant" promotional material aimed at getting customers to buy extra products or services. 

Secondly, brands need to be absolutely sure that they use data solely in line with permissions obtained. Misuse of data under PECR, such as that of Halfords' remains high on ICO's radar. At the very least, brands need to ensure that customers give explicit consent to have data collected and used for each specific purpose; such as marketing or industry updates. Customers have to have the ability to withdraw consent at any time, without any unreasonable inconvenience preventing them from doing so. Lastly, brands, as data controllers, must not hold data for longer than necessary and use them beyond the scope of permission. If in doubt, brands should contact the ICO for a consultation or seek independent legal advice. For a more detailed look at this case from my colleague Ali Vaziri, see here.