26 October 2017

Insurers could face million-pound fines if data collection practices don't change

Thomas Brennan-Siegert


Three-quarters of insurers currently pre-tick their marketing consent boxes, which could leave them non-compliant when the EU General Data Protection Regulation (GDPR) comes into force in May 2018

GDPR – the General Data Protection Regulation – will change the way all organisations collect consumers’ contact details.

For example, if you want to get in touch with your customers via contact channels like email or SMS, they will have to actively opt in.

This will have substantial implications for all financial services businesses. But according to research carried out by Fairer Finance, insurers are the most exposed to substantial fines.

Of those analysed in our research, we found that 72% of insurers (across car, home, travel and pet insurance) are pre-ticking the boxes to get marketing consent from customers. This ranged from 80% of pet insurance providers, to 65% for home insurance.

An even bigger problem

What’s even more concerning is that 25.3% of general insurers don’t offer an opt-out option at all within the purchase journey. Once the new regulation applies from 25th May 2018, the penalties for this could be substantial. Non-compliant organisations face fines of up to €20 million or 4% of global annual turnover for the preceding financial year – whichever is greater.

If you’re wondering whether GDPR will apply to you, considering the UK’s forthcoming departure from the EU – it will. The Information Commissioner’s Office has made it clear that UK companies will still be bound by these regulations, as they will be implemented before the UK has left the EU. Additionally, companies conducting business within EU countries will need to follow GDPR regardless of future changes to UK law.

Bad practice

There are a few common ways we’ve seen companies gaining consumers’ consent. Some of these methods are far less transparent than others.

Firstly, there are companies that state that simply by getting a quote, you’re agreeing to marketing communications. Here’s a typical example of this.

Image: bad practice for gaining consent
This practice will be non-compliant come May next year. Consent bundled into getting a quote is not consent at all under GDPR: you’ll have to ask consumers to actively opt in to marketing, and give them an equally clear means of opting out later. This kind of practice will hopefully be stamped out.

Another fairly common method is to hide the opt-out option in a drop-down box.

GDPR requires that consent be unambiguous and given by a ‘clear affirmative action’. Pre-ticked boxes are specifically ruled out (Recital 32 states that silence, pre-ticked boxes or inactivity do not constitute consent). The drop-down method isn’t specifically banned, but it’s definitely not best practice – and if the drop-down defaults to ‘yes’, it is a pre-ticked box in all but name.

Best practice

Several companies are leading the way in developing transparent consent practices.

A good example is TSB. Not only does it ask customers to opt-in to communications via each individual channel, but it uses minimal jargon – though it could be a little more conversational.

Common con-sense

Fairer Finance has consistently argued that consumers should be free to easily opt in or out of marketing. Providing clear choices and channel options gives consumers power over how – or not – they are contacted.

It’s now not only our advice: if your organisation does not abide by GDPR, the financial implications could be enormous.