The UK Information Commissioner (ICO) has this week announced that it is issuing monetary penalty notices amounting to a total of £495,000 to various well-recognised companies which, between them, have sent hundreds of millions of unsolicited messages.
A monetary penalty of £200,000 was issued to We Buy Any Car Limited (WBAC), which had sent over 191 million unsolicited marketing emails and 3.6 million marketing SMS messages to individuals without either obtaining valid consent to send such messages, or fully complying with the requirements of the “soft opt-in”.
This had led to 42 complaints to the ICO during the course of a year. Saga Services Ltd (SSL) was also fined £150,000 and Saga Personal Finance (SPF) was fined £75,000 for collectively initiating over 157 million emails, while Sports Direct (SD) was fined £70,000 for sending 2.5 million emails.
Valid consent from the relevant recipients of the relevant marketing emails and texts had not been obtained by any of these organisations, which was held to have breached the requirements regarding electronic marketing set out in the UK Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended), (PECR).
WBAC, which received the largest fine, was found to have transmitted unsolicited communications by means of electronic mail to individual subscribers for direct marketing purposes in breach of regulation 22 of PECR. Regulation 22 provides that, subject to certain exceptions, persons may not transmit/instigate the transmission of unsolicited communications for direct marketing purposes by means of electronic mail, unless the recipient has previously confirmed to the sender that he consents for the time being to such communications.
This consent requirement is subject to the “soft opt-in”. This provides that persons may send/instigate the sending of electronic mail for direct marketing purposes where:
- That person has obtained the recipient’s contact details in the course of the sale/negotiations for the sale of a product/service to that recipient.
- The direct marketing relates to that person’s similar products and services only
- The recipient has been given a simple (and free) way of refusing the use of his contact details for such direct marketing purposes, both when his details were originally collected and at the time of each subsequent communication.
SSL and SPF were responsible for the sending of emails using partner companies and their affiliates, which used contact details of individuals who had not consented to be contacted. SSL and SPF argued that they could rely on indirect consent, but generally it is difficult to rely upon indirect consent in the context of electronic marketing messages. In addition to the monetary penalties, both of these organisations were also issued with enforcement notices by the ICO.
Similarly, SD, which sent emails pursuant to a re-engagement campaign to individuals they had not been in contact with for some time, could not demonstrate that it had obtained valid consent to contact the relevant individuals.
These monetary penalties demonstrate that the ICO continues to take seriously the issue of nuisance marketing communications sent in the form of electronic messages, which the ICO regards as a matter of significant public concern.
Organisations engaging in electronic direct marketing should take note of this and of the fact that the ICO can issue fines under PECR of up to a maximum of £500,000.
As the ICO Head of Investigations noted: “These companies should have known better. Today’s fines show the ICO will tackle unsolicited marketing, irrespective of whether the messages have been orchestrated by a small business or organisation, or a leading household name. The law remains the same and we hope today’s action sends out a deterrent message that members of the public must have their choices and privacy respected.”
“Companies that want to send direct marketing messages must first have people’s consent. And people must understand what they are consenting to when they hand over their personal information. The same rules apply even when companies use third parties to send messages on their behalf.”