The Information Commissioner's Office ("ICO") is responsible for enforcing the Privacy and Electronic Communications Regulations 2003 ("PECR"), which set out the rules for organisations wishing to engage in direct marketing calls, texts or emails. Since April 2023, the ICO has issued more than £2,590,000 in fines against companies responsible for nuisance calls, texts and emails. This serves as a crucial reminder to organisations about the financial consequences they may face following electronic marketing violations. Below is a round-up of fines issued by the ICO in 2024.
Privacy and Electronic Communications Regulations 2003
1. HelloFresh – fined £140,000 for electronic marketing violation
Background
The ICO launched an investigation into HelloFresh, a food delivery company, following a review of data from the UK's spam reporting service. Between 23 August 2021 and 23 February 2023, a total of 15,221 complaints about unsolicited messages from HelloFresh, including texts and direct marketing emails, had been received. Customers also reported issues of receiving marketing communications during unsociable hours, after opting-out and following cancelled subscriptions. The ICO found that HelloFresh had contravened Regulation 22 of PECR and on 12 January 2024 issued a financial penalty of £140,000, concluding that HelloFresh had sent out 79 million spam emails and 1 million spam texts over a seven month period.
Findings of the ICO
The marketing messages were sent relying on HelloFresh's 'opt-in' statement which failed to inform customers about receiving future marketing communications via text. Whilst there was reference of marketing via email, the email 'opt-in' option had been bundled in an age confirmation statement which the ICO considered may have unfairly pressured customers to agree. Customers were also not provided with adequate information that their personal data would be used for up to 24 months after cancelling their subscription to HelloFresh. On this basis, the ICO ruled that HelloFresh failed to obtain specific and informed consent from customers when receiving marketing messages as:
- the consent statement did not inform customers of receiving direct marketing messages via text;
- the consent statement was not clear as it had been combined with an age conformation statement; and
- HelloFresh did not adequately inform customers about the use of their personal data for up to 24 months after cancelling their subscription.
The ICO also found that HelloFresh had either taken too long or failed to respond to customers opt-out options to marketing messages, which "marked a clear breach of trust of the public by HelloFresh. Customers weren't told exactly what they'd be opting into, nor was it clear how to opt out".
This decision is a clear warning to other organisations that the ICO will take "clear and decisive action" where the law is not followed as the ICO will "always protect the right of customers to choose how their data is used."
2. Unsolicited marketing calls, nuisance calls and spam messaging resulting in a total of £300,000 fines
Background
In January 2024, the ICO officially disclosed the imposition of fines on two home improvement companies, Poxell Ltd and Skean Homes Ltd. The combined penalty amounts to £250,000, with sanctions levied in response to the companies' engagement in unsolicited telephone communications with individuals listed on the UK's 'do not call' register.
Additionally, LADH Limited, a financial services company, was fined £50,000 by the ICO. This penalty stems from the company's broadcasting of spam messages, contravening the provisions outlined in PECR.
Findings of the ICO
Poxell Ltd and Skean Homes Ltd – unlawful marketing calls
Both companies had engaged in unlawful marketing calls between March and July 2022, purporting to have a specialisation in energy saving products, such as double glazing and resin driveways, and promoting such services by contacting individuals on the Telephone Preference Service ("TPS").
Poxell Ltd, incurred a substantial fine of £150,000 for its involvement in over 2.6 million unauthorised marketing calls. The ICO received evidence indicating that Poxell Ltd had taken deliberate measures to obscure its identity and evade detection. This was through the purchase of multiple telephone lines used for the making of unlawful marketing calls. Furthermore, the company was found to have employed aggressive and misleading sales tactics, causing distress and potential financial harm. Notably, Poxell Ltd was observed targeting vulnerable individuals, including those with dementia and other serious illnesses. These actions have led to the imposition of a significant financial penalty by the ICO.
Likewise, Skean Homes Ltd incurred a fine of £100,000 for the commission of 600,000 unlawful marketing calls. During these calls, the company misrepresented itself as a local council and adopted names such as 'Eco Hub', 'Driveway Solutions', and 'Eco Driveways'. The ICO found that Skean Homes Ltd demonstrated a lack of accountability for the breach by attempting to attribute responsibility to a third party who had supposedly been using Skean Homes Ltd's call identity list. The company also attempted to refute liability by contending that there had been technical errors with the TPS checks. However, the ICO found no substantiating evidence for this claim and held the company liable for the contravention of data protection laws through unlawful marketing calls.
The ICO emphasised that engaging in live marketing calls to individuals registered with the TPS constitutes a violation of the law. "People register with the TPS for a clear reason: to stop unwanted marketing contact and protect their privacy. Both these companies have not only broken the law by failing to check the 'do not call' register, but also caused distress and disruption to those they bombarded with unwanted and unlawful calls."
LADH Limited – spam messaging
Following complaints lodged with the Mobile UK's Spam Reporting Service, the ICO launched an investigation into the activities of LADH Limited. Between March and April 2022, an excess of 31,000 unsolicited messages were sent to individuals without their valid consent. Further, complaints highlighted the absence of an 'opt-'out' mechanism for these unwanted text messages.
Throughout the ICO's investigation, LADH Limited sought to contest enforcement actions claiming "it had received a verbal assurance that the data it had received from a third party contained details of people who had consented to being contacted". Despite such claims, the ICO issued an enforcement notice to LADH Limited, explicitly restraining direct marketing messaging without valid consent.
Furthermore, a monetary penalty of £50,000 was imposed. It is crucial to note that "sending unsolicited direct marketing messages is illegal" and "relying on third party claims of consent, without undertaking checks, leaves organisations open to enforcement action".
3. Pinnacle Life - fined £80,000 for predatory spam call campaign
Background
Between May 2021 and May 2022, Pinnacle Life attempted to promote and sell life insurance products to individuals whose details were obtained from a public telecommunications service. During the year long unlawful spam campaign, the company's employees insulted and harassed members of the public, adopted aggressive sales techniques, and misled individuals into believing that they were employed by the company with whom they had their life insurance policy.
Examples of the spam calls included:
- "Asked for me by name and incorrect address. Said did I have life insurance [sic]. I said yes but [that] I was not interested and [asked them] to remove me from their marketing list at which point he became abusive and called me stupid. I hung up but the same number called me thirty minutes later, so I ignored it.
- Another example of a spam call, taken from call recording obtained from the company to a TPS registered number was made on 8 June 2021:
Complainant: Sorry, I'm not interested. Thank you.
Caller: May I ask why you're not interested in your policy, sir?
Complainant: Don't call me again, thank you. Bye.
Caller: No problem, I will call you all the time then.
Further attempts were made to call this individual on 11 and 14 June, twice on 16 June and on 23 June 2021".
The company had also attempted to conceal their identity by using disguises to avoid having to comply with cease contacting orders. This resulted in a financial penalty of £80,000 for breach of PECR.
Findings of the ICO
In the investigation launched by the ICO it was found that nearly 48,000 illegal calls were made to individuals registered on the TPS. When issuing the penalty, the ICO took account of aggravating features of the case including:
- the predatory nature of the calls;
- the misleading information presented to the victims;
- ignoring requests from individuals to not be contacted; and
- the callers' behaviour – persistent, aggressive and rude.
The ICO commented "as with many of the actions we take on unlawful marketing, this began with one complaint from a consumer who had been contacted by this company whilst being registered with the TPS. This led to our investigation uncovering nearly 48,000 such calls. This demonstrates the value of reporting these types of calls to the ICO".
This decision demonstrates the ICO's underlying objective in imposing a monetary penalty in order to promote compliance with PECR. This notice should act as encouragement for other organisations to ensure compliance with the law, or as a deterrent for non-compliance to organisations that are currently engaging in these practices.
4. Charities warned by the ICO to stop sending spam texts
It is not an uncommon practice for charities to fall under scrutiny of the ICO when sending unsolicited text messages to individuals without their consent. The ICO has stated its intention to pursue enforcement action against charities who breach the law in their continued pursuit to protect the public from spam messages.
Background
Penny Appeal, a charity delivering medical aid worldwide, were under investigation for sending 460,000 unsolicited texts to 52,000 individuals over a ten-day period. These messages were sent in the absence of consent, or to individuals who had opted out from receiving direct marketing messages. Complaints were sent to the regulator using the Mobile UK's Spam Reporting Service, describing the texts as "intrusive" and "unwanted" and "often received late at night". Whilst still under investigation, the charity sent a further batch of spam texts to encourage individuals to donate over the month of Ramadan, which prompted further complaints.
Findings of the ICO
The sending of the texts violated Regulation 22 of PECR. An Enforcement Notice,
ordering Penny Appeal to stop spending direct marketing messages
was issued by the ICO requiring them to cease and desist within 30
days. The ICO provided the following guidance to assist charities in complying with
the law:
- "Only email or text someone if they have specifically consented to receiving emails or texts – for example, by ticking an opt-in box.
- People cannot provide consent as a condition of subscribing to a service – consent must be freely given and fully informed.
- Offer an opt-out option (by reply or unsubscribe link) and act on this promptly.
- Keep a clear 'do not contact' list of anyone who opts out or unsubscribes from your communications, and screen against this list every time you send an email or text".
Fundraising Regulator CEO, Geral Oppenheim added "The Fundraising Regulator supports the ICO's decision which echoes an investigation into the same issue that the Fundraising Regulator completed in 2022. While communicating with donors via text can be an effective tool for charities, it is vital that those charities abide by not only the law, but also the Code of Fundraising Practice – which stipulates that fundraising must be open, honest, legal, and respectful."
It is clear that the ICO will take action against a charity despite their special operational status. Charities are not exempt from legal obligations when protecting individual privacy rights. Those hoping to make use of the proposed extension of the soft-opt in exemption in the Data Protection and Digital Information ("DPDI") Bill will have to stick with the status quo for now as the DPDI Bill did not make it into the "wash up" before the dissolution of Parliament in preparation for the General Election on 4 July 2024 (for more information see our article here).
5. Aggressive and unwanted marketing calls resulted in a combined total fine of £340,000
Background
In April 2024, the ICO fined, Outsource Strategies Ltd £240,000
("OSL"), and Dr Telemarketing Ltd £100,000
("DRT"), after making approximately 1.43 million
unsolicited calls. From February 2021 to March 2022, the companies
had contacted people on the "do not call" register, using
aggressive and high-pressure sales tactics to coerce people to sign
up to their services and purchase products. The ICO found that the
companies targeted the elderly and vulnerable people.
Findings of the ICO
The ICO investigated OSL after receiving 74 complaints from
individuals who had been subjected to repeated aggressive marketing
calls, despite requests to stop. An example of the complaint
included:
- "We've requested numerous times to be taken off the list but to no avail. The telephone number today is one of several different numbers that they use. This has now become harassment of two senior citizens."
The company attempted to attribute blame to its contracted partners, responsible for TPS screening, but the ICO rejected this as calls were still made to people marked as "do not call" on the companies own internal systems. Although OSL co-operated with the ICO's investigation, the company submitted an appeal against the penalty and enforcement notice issued by the ICO. The outcome of the appeal is pending.
DRT were issued with a fine following highly exploitative unwanted calls regarding Lotto Express that were targeted at vulnerable people in a bid to maximise profit. The ICO identified a network of five people and eight companies all involved in the unsolicited calls. In their investigation, the ICO confirmed "there was no mechanism in place to identify and mitigate against making unwanted calls and that screening was not contracted to cover all the data providers involved". Initially DRT engaged with the ICO's investigation, however despite repeated attempts the company failed to provide an explanation for the unwanted calls. Further, the ICO commenced financial recovery action as DRT failed to pay or submit an appeal.
Andy Curry, ICO Head of Investigations said "All companies engaging in direct marketing should take note. If you flout the law, you can expect the ICO to use the full force of its regulatory powers against you".
Takeaways
The decisions above highlight the importance of obtaining appropriate consent for the sending of direct marketing messages. The position is clear. The ICO have an ongoing commitment to safeguarding the public against nuisance and unlawful communications. It will impose hefty fines on organisations who fail to comply with the provisions of PECR, whether in a deliberate attempt or not. Furthermore, the ICO will not tolerate justifications for organisational failures to comply.
Recommendations for organisations include:
- make sure consent is 'specific' and not bundled with other consents or confirmation statements such as an age confirmation statement;
- ensure customers are 'informed' about the use of their personal data for marketing purposes, particularly if the organisation intends to use personal data to target former customers;
- provide customers with clear guidance on how they will be contacted with the option to either accept or reject such communication methods;
- comply with the withdrawal of marketing consents;
- review business practices to ensure organisations are only contacting individuals who are not registered on the TPS and/or those who do not object to receiving direct marketing calls; and
- ensure compliance with existing ICO guidance, in particular in relation to the sending of electronic mail and the use of live telephone calls for direct marketing purposes (for more information see our article here).
Organisations are encouraged to get the basics right. Marketing practices should be compliant with data protection regulations particularly with regards to direct marketing campaigns. The ICO's readiness to levy financial penalties in instances of data protection law breaches is indicative of their firm approach to upholding regulatory standards.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.