This has been a busy month for the Information Commissioner’s Office (ICO): the G7 data protection and privacy authorities’ meeting; a proposed new Information Commissioner; the end of the transitional period for the Children’s Code; proposed reforms of the ICO itself in the Department for Digital, Culture, Media and Sport consultation; and enforcement action totalling £495,000 for unsolicited marketing emails or texts, to name but a few!
Several companies found themselves on the wrong side of the law as they did not have permission to send “millions of frustrating and intrusive” marketing emails and texts. Members of the public complained and the ICO opened investigations that ultimately led to enforcement action and in each case a monetary penalty or fine.
Timing of the opt-out
Looking at each case in turn, we start with a vehicle purchasing and wholesale company, well known for offering to “buy any car” and providing a free valuation on submission of your personal details and car registration. The company fell foul of the direct marketing rules, namely Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), when it continued to send emails and texts after the initial response to a valuation was sent. Despite the company arguing that the subsequent emails and texts were “service” in nature, the ICO found that the subsequent emails/texts not only promoted the services of the company but also contained marketing information, and the company did not have consent to send such messages. The figures are staggering – the company sent 191.4 million marketing emails in the space of a year and 3.6 million marketing text messages to individuals “without fully satisfying the requirements of the soft opt in”. The ICO found that while customers were informed of future ways to opt out, at the point of collection of their details the “opportunity to actually object to marketing messages is presented only after provision of the vehicle valuation. Individuals have no opportunity to refuse marketing when initially inputting their details.” The ICO found that this was in contravention of Regulation 22(3)(c) in relation to the timing of the opt-out. This “serious contravention” landed the company with a £200,000 fine.
Instigating the transmission of direct marketing messages
Next, two companies in a group, catering for the older members amongst us, were fined £150,000 and £75,000 respectively for “instigating more than 157 million emails between them.” Again, we are looking at Regulation 22 of PECR, although in this instance the direct marketing emails were sent to subscribers on behalf of the companies by the companies’ partner and affiliates. The ICO found the companies had “instigated the transmission of the direct marketing messages” for which they did not have valid consent and therefore they had failed to comply with Regulation 22 of PECR. While the partner and affiliates “sent” the offending communications, the communications included content drafted by the companies and therefore the ICO found that “without [the companies’] involvement and positive encouragement, those communications would not have been sent.”
It is also worth noting that signing a contract using language to indicate that partners are “instigators of the marketing” does not get you off the hook with PECR. If you take this approach, and do minimal due diligence, you increase the risk that your partner could send unsolicited marketing communications resulting in complaints, which ultimately could result in regulatory action and a fine. The ICO is quite clear in these notices that this is the case.
Although the companies in question will argue differently, these decisions do provide welcome clarity on the ICO’s view of certain common issues such as service v marketing communication and what constitutes an “instigator” of a marketing communication for the purpose of PECR. Organisations should be reviewing their marketing comms and capture wording in light of these decisions (as well as ensuring appropriate records are kept of the relevant consents). To the extent organisations are relying on affiliate marketing strategies, appropriate due diligence needs to be carried out on those affiliate partners to ensure appropriate consents are obtained (simply having a warranty to such effect will not keep the regulator away).
These enforcement notices also bring the total number of fines to 18 so far this year, with a monetary total of £1.7 million. Bearing in mind maximum fines for PECR breaches are still capped at £500,000, this figure demonstrates that the ICO is keen to show its enforcement muscle, and marketers who sail close to the wind in terms of compliance should be reassessing their risk appetite in light of these decisions.
“These companies should have known better. Today’s fines show the ICO will tackle unsolicited marketing, irrespective of whether the messages have been orchestrated by a small business or organisation, or a leading household name. The law remains the same and we hope today’s action sends out a deterrent message that members of the public must have their choices and privacy respected.”