The Information Commissioner’s Office (ICO) remains focused on enforcement relating to unsolicited marketing communications in contravention of the Privacy and Electronic Communications Regulations (PECR), particularly nuisance calls, emails and text messages. A significant number of penalties were imposed in 2019 and the maximum penalty was imposed on a company in February 2020.

Fines under PECR remain capped at £500,000. As explained in its Regulatory Action Policy (2019-2021), the ICO focuses on more serious, high-impact and intentional breaches. Nuisance calls and spam messages can cause significant distress to individuals. The ICO takes action if there is a marketing element, whereas scam cases are referred to Action Fraud, the UK’s national fraud reporting centre.

As part of Operation Linden, the ICO, together with stakeholders from across the regulatory spectrum, holds quarterly meetings to report on levels of unsolicited marketing and action taken. Complaints about cold calls for accident claims top the list. However, Q3 of 2019 has seen a drop in the number of complaints, which was attributed to the ban on accident claims cold calls (introduced in September 2018) and that on pensions cold calls (introduced in early 2019) along with the related media attention. Going forward, key sectors of focus remain pensions, life insurance and accident claims lead generation.

Recent enforcement cases

1. In January 2019, Alistart Green Legal Services Limited was fined £80,000 for making 213 calls to individuals registered with the Telephone Preference Service (TPS) to generate road traffic accident leads. The company blamed an employee who did not inform management about consumer complaints for fear of losing his job. The company failed to carry out checks against the TPS register and produce a contract with its data broker. On appeal, the fine was increased by £10,000 by the tribunal judge due to a director’s previous involvement in similar offences.
2. In February 2019, Tax Returned Limited was fined £200,000 for negligence in instigating the sending of 14.8 million text messages. A third-party service provider was engaged to collect the data and send marketing communications with user consent. The firm failed to enter into an appropriate contract with the service provider. The lead generating website failed to name the company as a recipient and it was not sufficiently clear as to give the subscriber a reasonable expectation that they would receive direct marketing text messages.
3. EU Group Limited was fined £45,000 for sending 1,069,852 emails about third party products to individuals without obtaining their consent. The privacy notice was not sufficient for indirect consent as it only referred to “selected third parties”. Eldon Insurance Services Limited, which instigated the marketing, was fined £60,000. A further fine of £15,000 was imposed for sending 296,522 emails in error to individuals on the marketing list of an affiliated company with whom Leave.EU Group Limited shared a marketing team.
4. In March 2019, Vote Leave Limited was fined £40,000 for sending 196,154 texts to individuals without their consent. The firm was negligent in allegedly deleting marketing consent records following the EU referendum.
5. A director of Miss-Sold Products UK Limited and Your Money Rights Limited described as “one of the worst offenders we [ICO] have come across in … 15 years” was disqualified from holding director roles for 8 years following complaints relating to 146 million nuisance calls and 75 million automated calls relating to unsolicited payment protection insurance. The £350,000 fines issued against each of the companies remained unpaid as they were wound up, a practice often adopted by those responsible.
6. Grove Pension Solutions Limited was fined £40,000 for sending 2 million marketing emails without consent. The firm was not named as a selected partner on the lead generating websites. Mitigating factors included the low number of complaints and the advice from a data protection consultancy and a data protection solicitor that the firm had mistakenly relied on.
7. In April 2019, Avalon Direct Limited was fined £80,000 for 53,447 calls to individuals registered with the TPS. The lead generating website’s transparency and consent processes were insufficient. No complaints were received by the ICO. However, it was noted that the firm offered funeral planning services to particularly vulnerable people.
8. In May 2019, Hall and Hanley limited was fined £120,000 for sending 3.5 million texts without consent. The firm was either inconspicuously named, or not named at all, as recipient on the lead generating websites. Users had no option to opt-out from respective third-party marketing. The consent was invalid as it was a condition for the service.
9. In June 2019, EE was fined £100,000 for sending unsolicited marketing messages to 3 million people who had previously opted out. The ICO rejected that the messages were service messages because they included significant promotional material aimed at encouraging customers to buy extra products, renew contracts or use an EE app to do so.
10. Smart Home Protection Ltd was fined £90,000 for making 118,000 nuisance calls about home security products to individuals registered with the TPS. The firm was criticised for lack of due diligence on its marketing list obtained from a third party.
11. In July 2019, Making it Easy Limited was fined £160,000 for making 853,769 calls to individuals registered with the TPS. The caller’s identity was not disclosed and, when asked, the callers provided false information about the company’s identity reading from a script. The firm was criticised for the lack of a contract and due diligence performed on a marketing list obtained from a third party.
12. In September 2019, Superior Style was fined £150,000 for making 518,771 calls to individuals registered with the TPS. The company demonstrated “very little effort to screen the data” and a particular lack of care and attention when it tried to deny that some of the offending telephone numbers belonged to it.
13. In March 2020, CRDNN Limited was fined £500,000 for making 63.5 million automated calls from 193.5 million attempted calls. Over 3,000 complaints were received. The ICO executed a search warrant to access the company’s premises in March 2018. The ICO will generally not investigate marketing activities originating from outside the UK but it was able to reveal the calling line identity numbers which were concealed as international calls by the company. The ICO seized emails that indicated the directors’ awareness of PECR requirements. No record of individuals’ consent was provided.

These fines show that deliberate breaches affecting a large number of individuals will attract the highest fines, whereas negligence may be considered as a mitigating factor. Unsurprisingly, breaches of security affecting a large number of people have attracted fines of similar levels.

How does this compare with other European countries?

Interestingly, other European supervisory authorities have already started imposing GDPR-level fines with a cap of the higher of € 20,000,000 or up to 4% of the annual worldwide turnover. For example, Italy’s regulator, the Garante, fined an energy company €11.5 million and a telecommunications provider €27.8 million for unlawful telemarketing. The Austrian authority fined the Österreichische Post AG €18 million for attributing political preferences to individuals by using statistical analysis. France’s authority, the CNIL, fined Futura International €500,000 for unlawful telemarketing.

Despite these examples, the UK government does not seem intent to increase the maximum fines under PECR in the near future.

Is there a focus on intrusive technologies?

According to the ICO’s Action Policy, novel or invasive technologies with a high degree of intrusion which are operated without DPIAs, appropriate mitigation or prior consultation, can also expect increased attention from the regulator. Could the downward trend in complaints relating to nuisance calls allow the ICO to focus on intrusive technologies in 2020?

To date, the ICO has been slower than its European counterparts in enforcement. French, Spanish and Belgian regulators have already imposed numerous fines ranging from €10,000 to €30,000 for non-compliant cookie banners.

On the one hand, the ICO could be praised for its restraint. Arguably there is little detriment to the consumer if a website uses analytics cookies without the correct granular consent. The measured approach is consistent with the ICO’s focus on upholding the law but also “ensuring that commercial enterprise is not constrained by red tape or concern that sanctions will be used disproportionately”.

However, having published comprehensive guidance on the use of cookies back in July 2019, and with 100+ complaints relating to cookies received by the ICO every month, one would think that regulatory action is imminent. The ICO has struck a serious tone about the issues it identified in the ad tech industry. Since releasing its report in June 2019, the ICO has engaged with stakeholders, issued updates and encouraged positive change.

An idea of what might be to come is offered in the Bounty case. In April 2019, a fine of £400,000 was imposed under the Data Protection Act 1998 on Bounty UK Limited for selling more than 14 million people’s data to data brokers, including Acxiom, Equifax, Indicia and Sky for online advertising purposes.

According to the ICO at the time, the number of people affected was unprecedented in the history of the regulator’s investigations. A significant factor was that the data that was collected related to potentially vulnerable individuals, including new mothers and very young children and special category data, including the birth date and sex of a child.

Although Bounty’s online registrations had “a reasonably clear description of the organisations they might share information with”, none of the four largest recipients were listed. In relation to users who did not register online, none of the merchandise packs and offline registration methods had an opt-in for marketing purposes.

The ICO certainly does not lack a focus on intrusive technologies but it continues to adopt a risk-based approach. It is likely that we will see regulatory action in this area in the near future.

Conclusion

The ICO continues to take action against breaches of the law that cause the most harm to individuals.

The rules around email, text and telemarketing are clear. In addition, following the consultation on the ICO’s new draft code of practice for marketing, now closed,[1] there will be no limits on the ICO’s ability to take legitimate regulatory action in areas such as tracking through cookies, email tracking, issues around ad tech or social media.

 

To be published in Privacy Laws & Business UK Report, March 2020. www.privacylaws.om/reports

[1] The consultation closed on 4 March. See https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/01/ico-launches-consultation-on-draft-direct-marketing-code-of-practice/

• Share this blog

• Twitter
• Facebook
• Linkedin