ICO Enforcement

October 2017

£70,000 For Nuisance RoboCalls

Lead generation company Lead Experts allegedly made some 111,000 unsolicited robocalls. In some cases Caller ID failed to identify the caller. Lead Experts was unable to provide the ICO with evidence of consent, and failed to provide any evidence of procedures in place to comply with the PECRs. Since Lead Experts disengaged during the course of the ICO investigation, a monetary penalty of £70,000 (~$93,000) was assessed.
https://ico.org.uk/media/action-weve-taken/mpns/2172522/the-lead-experts-mpn-20171010.pdf
jbho: shows the importance of documented procedures. It appears that Lead Experts has been dissolved in the wake of the ICO investigation. The ICO has stated it is committed to recovering the fines from insolvency practitioners and liquidators.

£75,000 For Spam Texts & Emails

Vanquis Bank allegedly sent some 870,000 unsolicited texts, and some 620,000 unsolicited emails, to cold contacts purchased from a list broker – who itself had purchased contact details from other third parties. The only consents obtained were indirect and non-specific, using generic wording like ‘trusted partners’ and ‘carefully selected third parties’ – with no mention of Vanquis Bank. Since Vanquis Bank should have known it had no consent, a monetary penalty of £75,000 (~$100,000) was assessed.
https://ico.org.uk/media/action-weve-taken/mpns/2172482/vanquis-bank-ltd-mpn.pdf
jbho: Consent! Consent! Consent!

 

£50,000 For Spam Emails

Media service provider Xerpla allegedly sent some 1.2 million unsolicited emails. Email addresses were provided by users who signed up on websites operated by Xerpla. Privacy policies on the sites indicated users were consenting to receive emails from Xerpla and offer partners.

When providing information, users were informed:

“By submitting your details, you consent to receive our email newsletters and offers from and on behalf of our offer partners and from other similar third party online discount/ deal providers, as well as to our processing of your information as outlined within our Privacy & Cookie Policy and Terms & Conditions. By submitting your details you confirm you have read, understood and consent to these in full.”

The Privacy Policy stated:

“We will use this information in the following ways:
• to provide you with information that you have requested eg email newsletters and offers;
• to provide you with the latest online discounts / deals available covering travel, home improvements, automotive, finance, retail, insurance, charities, competitions, utilities, health, claims, storage and publishing.”

The ICO felt this was insufficient to provide consent for the emails in question. As such, a monetary penalty of £50,000 (~$67,000) was assessed.
https://ico.org.uk/media/action-weve-taken/mpns/2172483/xerpla-ltd-mpn.pdf
jbho: this one seems a little off. The consent language seems reasonable – at least for emails sent by Xerpla. And for Xerpla emails, I would think the ‘Soft Opt-In’ would apply.

Granted, examples of the emails were not included in the MPN, so there may be something amiss in the actual marketing copy. A press release indicated a wide range of products and services were being advertised, including dog food, wine, competitions, and boilers. I would expect that from an eCommerce site. There must be something more to this story. Both websites mentioned in the MPN appear to be offline.

As an aside, I wouldn’t rely on the above language for third party consent. Per the MPN, “Consent will not be valid if individuals are asked to agree to receive marketing from ‘similar organisations’, ‘partners’, ‘selected third parties’ or other similar generic description. Further, consent will not be valid where an individual is presented with a long, seemingly exhaustive list of general categories of organisations.”

Something to keep in mind before you purchase from list brokers.

 

September 2017

£260,000 For ~16 Million Robocalls

Telemarketer Easyleads allegedly made unsolicited prerecorded telemarketing calls. The scripts read:

Hi. If your boiler is oil or LPG you may be entitled to a grant to replace it totally free of charge. Does anyone in your property receive benefits or tax credits? If they do, press 5 for more information or 9 to opt out.

The calls were allegedly made outside normal business hours, and contained a misleading offer of a free boiler. Additionally, the calls did not identify the caller. Finally, although automated, interactive opt-out instructions were included in the calls, those opt-outs were not honored. When Easyleads failed to sufficiently reply to the ICO, the ICO contacted Easyleads’ dialing system providers, who confirmed some 16.7 million automated calls were made.

In addition to the above, given that:
• the owner of Easyleads was previously investigated by the ICO and should have been well familiar with the PECRs;
• Easyleads was the most complained about number for automated calls for four consecutive months;
• Easyleads failed to satisfactorily engage with the ICO; and
• Easyleads continued to make (illegal) calls during the investigation,
a monetary penalty of £260,000 (~$350,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/2014851/20170921easyleadsmpn.pdf
jbho: another reminder that Robocalls require opt-in consent. And make sure to brush up on the PECRs before making any calls. You can start here.

£350,000 For ~150 Million Nuisance Calls

Payment insurance assistance provider Your Money Rights (YMR) allegedly made some 146,020,773 unsolicited robocalls. Calls were made to numbers purchased from a data broker, and YMR was unable to provide any evidence of prior consent. Additionally, YMR failed to identify itself as the caller. Since YMR should have known the calls were being made in violation of the PECRs, a monetary penalty of £350,000 (~$390,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/2014803/20170911yourmoneyrightsmpn.pdf
jbho: a reminder that Robocalls require opt-in consent in the UK (as well as in the EU).

 

£85,000 For Nuisance Calls

True Telecom allegedly made unsolicited telemarketing calls to numbers it scraped from internet pages, many of which were also on the TPS. True Telecom claimed it scrubbed these scraped numbers against the TPS, but due to changes in management, some lists were not properly scrubbed. Since True Telecom failed to ensure it called only those who had consented, a monetary penalty of £85,000 (~$94,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/2014783/mpn-true-telecom-20170906.pdf
jbho: interestingly, the ICO didn’t seem to focus on the fact the numbers were scraped (a no-no in Canada), but rather the breakdown in the scrubbing process. The ICO did call out that it had previously contacted True Telecom in relation to complaints to provide guidance on compliance with the PECRs. The failure to comply with that previous guidance was cited as an aggravating feature in issuing the fine.

 

£45,000 For Spam Texts

Cab Guru allegedly sent some 700,000 unsolicited texts promoting its price comparison app. Cab Guru claimed the numbers were provided by its taxi / mini-cab partners, who obtained consent for the Cab Guru texts. On review, Cab Guru had no formal agreements in place with the cab companies, and the cab companies relied on terms embedded in their user agreements, which did not constitute a valid, freely given consent. Since Cab Guru failed to take steps to ensure texts were sent only to those who consented, a monetary penalty of £45,000 (~$50,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/2014786/mpn-cab-guru-20170906.pdf
jbho: two reminders:
• make sure to do your due diligence if you are relying on third parties for consent
• you can’t bundle marketing consent with larger terms

 

August 2017

£50,000 For Failing To Get Consent, Scrub Against TPS

Home energy service provider Home Logic allegedly made some 1.5 million unsolicited telemarketing calls to numbers on the TPS. Home Logic stated it used third parties to make the calls, who used only ‘opted-in’ numbers. However, contracts reviewed placed responsibility for TPS scrubbing on Home Logic. Additionally, it was determined that not only did Home Logic lack evidence of consent, technical errors prevented it from successfully scrubbing numbers against the TPS. Since calls were made in violation of the PECRs, a monetary penalty of £50,000 (~$65,000) was issued.
https://ico.org.uk/media/action-weve-taken/mpns/2014674/home_logic_uk_ltd_mpn.pdf
jbho: another example of why you need to make sure you know what’s in your contracts, and who is responsible for what.

£80,000 For Calling Numbers On The TPS

Home improvement company Virgo allegedly made unsolicited telemarketing calls to numbers on the TPS, and continued calling after being asked to stop. Virgo claimed the numbers were purchased from list providers who assured the numbers were scrubbed against the TPS. No contracts were in place, and Virgo did not have its own subscription to the TPS. Since Virgo should have known it did not have valid consent to make the calls, a monetary penalty of £80,000 (~$90,000) was assessed.
https://ico.org.uk/media/action-weve-taken/mpns/2014586/mpn-virgo-home-improvements-20170803.pdf
jbho: same old story – firm fails to exercise due diligence over its list providers.

£70,000 For Calling Numbers On The TPS

Home improvement company Safestyle (HPAS) allegedly made unsolicited telemarketing calls to numbers on the TPS, and continued calling after being asked to stop. HPAS claimed it only contacted numbers of existing customers, so it need not screen against the TPS, although it did maintain an internal DNC list. HPAS committed to updating its processes, but monitoring showed HPAS failed to make any discernible improvement in its marketing practices. Therefore, a monetary penalty of £70,000 (~$78,000) was assessed.
https://ico.org.uk/media/action-weve-taken/mpns/2014585/mpn-hpas-20170803.pdf
jbho: if you’re given a second chance, you’ve got to get it right!

 

July 2017

£80,000 For Ignoring Marketing Email Opt-Outs

Price comparison website & financial service provider Moneysupermarket allegedly sent some 7 million emails notifying users of changes to Terms & Conditions (& Privacy Policy). ICO alleged the operational emails were really marketing, since they included language encouraging people to opt-in to marketing. The disputed content contained the following message:

“We hold an e-mail address for you which means we could be sending your personalised news, products and promotions. You’ve told us in the past you prefer not to receive these. If you’d like to reconsider, simply click the following link to start receiving our e-mails.”

The text was followed by a ‘Go To Preferences’ link.

The ICO ruled that since the marketing mails were sent to individuals Moneysupermarket knew had opted-out, a monetary penalty of £80,000 (~$90,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/2014482/mpn-moneysupermarket-ltd-20170720.pdf
jbho: perhaps one mistake was the fact the mail was clearly targeted to individuals who had previously opted out. I wonder if the mail simply invited users to update their contact information and communication preferences – targeted to ALL users – if the ICO would have expressed the same level of concern.

In this case, another reminder not to overload operational messages with marketing content, and that a message asking for consent to market is itself marketing.

£80,000 For One Million Nuisance Texts

Subprime lender Provident Personal Credit (PPC), through its agents, allegedly sent nearly one million unsolicited text messages promoting its short term loan services. The sending parties relied on consents obtained through terms and privacy policies of affiliated websites – none of which explicitly mentioned PPC (only generically referred to goods or services of selected partners). Since PPC should have known this indirect and unverified consent was not valid, a monetary penalty of £80,000 (~$90,000) was issued.
https://ico.org.uk/media/action-weve-taken/mpns/2014450/provident-personal-credit-mpn-20170717.pdf
jbho: same old story, a company relying on third party consent again fails to adequately vet and enforce compliance on its vendors (see US v. Dish for an extreme example). 

Also yet another reminder not to rely on generic statements in other people’s terms and conditions for consent. Any third-party marketing requires a qualified opt-in consent (i.e., say who will be doing the marketing).

June 2017

£10,500 For Failing To Honor Opt-Outs

Supermarket chain Morrisons ran an email campaign that informed users they had opted-out of rewards program promotional emails. The emails included instructions for opting back into marketing. The ICO determined the 130,000+ emails were marketing, and were sent without consent. Since Morrisons should have known it did not have consent, a monetary penalty of £10,500 (~$14,000) was assessed.
https://ico.org.uk/media/action-weve-taken/mpns/2014261/mpn-wm-morrisons-20170616.pdf
jbho: don’t overload operational messages with marketing. And if you ask for consent to market, that makes the message marketing (i.e., you can’t send a message asking for consent without consent).

£50,000 For Nuisance Calls (~$65,000)

Alarm company MyHome allegedly made unsolicited calls to numbers on the TPS, and calls continued despite MyHome’s knowledge of consumer complaints. MyHome claimed it purchased data from third parties who vetted consent and scrubbed call lists. When pressed, MyHome could offer no evidence of consent. Since MyHome should have known it had no consent to make the calls, a monetary penalty of £50,000 (~$65,000) was assessed.
https://ico.org.uk/media/action-weve-taken/mpns/2014297/mpn-myhome-installations-limited.pdf
jbho: a common theme, numbers purchased from list brokers not being vetted.

FYI: it appears MyHome is no stranger to negative publicity:
https://youtu.be/QaOYI7XfkCE

May 2017

£400,000 For Unsolicited Robocalls

Keurboom made nearly 100,000,000 unsolicited prerecorded message calls. The calls did not identify the caller, and the automated, interactive opt-out failed to work on many occasions. Calls were made at off-hours and in some cases were disguised as emergency calls. As Keurboom did not cooperate with the ICO, a monetary penalty of £400,000 (~$515,000) was issued.
https://ico.org.uk/media/action-weve-taken/enforcement-notices/2014013/mpn-keurboom-ltd-20170503.pdf
jbho: sounds like a south Florida type telemarketing operation. £400,000 is the biggest fine for PECR violations to date.

And remember, prerecorded calls in the UK require prior (i.e. opt-in) consent.

£100,000 For Millions Of Mobile Upgrade Texts

Telco provider Onecom allegedly sent some 3 million unsolicited texts encouraging individuals to upgrade their service plans. The texts were sent to numbers Onecom acquired itself directly from its customers, through acquisition of other businesses, and from third party list brokers. Onecom stated it relied on the “Soft Opt-In” for consent, but was unable to produce evidence to verify.

Onecom amended its practices to text only direct customers, and took other remedial steps to ensure future compliance. Since Onecom should have known of the violation, a monetary penalty of £100,000 (~$130,000) was issued. However, the ICO did consider Onecom’s cooperation and effort in issuing the (lower) penalty.
https://ico.org.uk/media/action-weve-taken/mpns/2014050/onecom-monetary-penalty.pdf
jbho: a reminder of the importance of keeping accurate records of consent.

Fyi: a “Soft Opt-In” is where the following conditions are met:
• Personal information is collected in conjunction with a sale/inquiry
• No ‘sensitive information’ is used
• Marketing is restricted to similar products/services (i.e., 1st party marketing)
• Individuals have an opportunity to decline to be contacted when first collecting contact details, and offered an opt-out in every message sent
Note that a pre-checked tick box, in and of itself, does not constitute a “Soft Opt-In.” All the above conditions must be met.

£50,000 For Unsolicited Calls To Numbers on the TPS

Home improvement company Brighter Homes allegedly made some 450,000 unsolicited telemarketing calls to numbers on the TPS. Brighter Homes also allegedly displayed a false Caller ID to trick people into answering calls. Finally, Brighter Homes allegedly had not accessed the TPS in the previous 4 months, and failed to respond to the TPS about complaints filed.

Brighter Homes claimed the numbers were purchased as ‘opt-in data’ from third parties. ICO determined Brighter Homes failed to do due diligence on the consent being obtained, and should have known it didn’t have consent. So a monetary penalty of £50,000 (~$60,000) was issued.
https://ico.org.uk/media/action-weve-taken/mpns/2014059/brighter-home-solutions-ltd-monetary-penalty-notice.pdf
jbho: yet another tale of a marketing firm failing to exercise due diligence over its list providers.

£40,000 For Spam Texts

Used car dealer Concept Car allegedly sent some 300,000 unsolicited texts. The texts were sent to numbers acquired from a third party, through disclosures in the terms & conditions on the third party’s website. ICO determined the disclosures were insufficient (referred to generic third parties) and Concept Car did not have consent to text. Since Concept Car should have known of the violation, had it done due diligence on the consent being obtained by its third parties, a monetary penalty of £40,000 (~$47,000) was issued.
https://ico.org.uk/media/action-weve-taken/mpns/2014061/concept-car-credit-monetary-penalty-notice.pdf
jbho: once again, a company relying on third party consent again fails to adequately vet its data providers. And a reminder you can’t rely on generic statements in other people’s terms and conditions for consent. Any third-party marketing requires a qualified opt-in consent (i.e., say who will be doing the marketing).

Per the notice: “It is not acceptable to rely on assurances of indirect consent without undertaking proper due diligence. Such due diligence might, for example, include checking the following:
• How and when was consent obtained?
• Who obtained it and in what context?
• What method was used – eg was it opt-in or opt-out?
• Was the information provided clear and intelligible? How was it provided – eg behind a link, in a footnote, in a pop-up box, in a clear statement next to the opt-in box?
• Did it specifically mention texts, emails or automated calls?
• Did it list organisations by name, by description, or was the consent for disclosure to any third party?
• Where the consent was for disclosure to a third party were there clearly described precise and defined categories of organisations and did the organisation wanting to use the consent clearly fall within that description?”

April 2017

£40,000 For Spam Texts

Monevo, through its agent, allegedly sent some 44,000 unsolicited texts, to numbers obtained through third parties. None of the third party notices indicated that data would be used by Monevo to send marketing texts. As Monevo should have known it lacked valid consent, a monetary penalty of £40,000 ($50,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/2013941/mpn-monevo-20170413.pdf
jbho: a common theme, a company relying on third party consent again fails to adequately vet its data providers.

March 2017

£140,000 For Compulsory SMS Marketing

PRS Media allegedly sent some 4.4m marketing texts. PRS alleged it had consent through signups at its prize draw website. The ICO determined the consent was invalid since:
(i) receipt of marketing was a condition of entry,
(ii) the web site privacy policy / terms were generic about 3rd-party sharing, and
(iii) PRS did not provide users with any communication preferences.
Since PRS should have known it did not have consent, and failed to respond to two separate ICO requests, a monetary penalty of £140,000 (~$175,000) was warranted.
https://ico.org.uk/media/action-weve-taken/mpns/2013829/mpn-prs-media-20170327.pdf
jbho: another reminder that many international jurisdictions do not permit bundling of consent. And that third-party marketing requires a qualified opt-in consent (i.e., say who will be doing the marketing).

You Can’t Send A Message Asking For Consent – Part 1

Regional airline carrier Flybe allegedly ran a ‘data quality’ campaign, and sent over 3 million emails asking recipients – many of whom had previously opted-out – to update their contact information. The email offered recipients inclusion in a prize draw if they would opt-in to future marketing. The ICO ruled that, contrary to Flybe’s assertion that the mails were informational, the mails were really for the purpose of marketing to opted-out individuals. As Flybe did not have consent to send the 3 million+ emails, a monetary penalty of £70,000 (~$81,000) was assessed.
https://ico.org.uk/media/action-weve-taken/mpns/2013731/mpn-flybe-limited-20170320.pdf
jbho: a reminder that a message asking for consent to market is itself a marketing message – i.e., you can’t send a message asking for consent to market if you don’t have consent in the first place.

Per the notice: “The Commissioner’s direct marketing guidance is clear that organisations cannot e-mail or text an individual to ask for consent to future marketing messages. That e-mail or text is itself sent for the purpose of direct marketing and will be subject to the same rules as other marketing texts and e-mail. The guidance also stresses that organisations should keep clear records of what an individual has consented to, and when and how this consent was obtained, so that they can demonstrate compliance in the event of a complaint.”

You Can’t Send A Message Asking For Consent – Part 2

Honda allegedly sent some 300,000 emails asking recipients to clarify their marketing preferences. Honda claimed the list was compiled of email addresses acquired from Honda’s website, dealer sales, and promotional events. No clear records of consent were attached (due to design flaws in data collection), thus the ‘service mail’ was needed to ensure Honda was not keeping unneeded data. The ICO ruled that since the purpose of the ‘clarification’ mails was to get consent to market, they were marketing, and it was Honda’s responsibility to ensure it had consent before sending the messages. Since Honda continued to send the emails after being warned by the ICO, and only stopped after being expressly advised to cease, a monetary penalty of £13,000 (~$15,000) was issued.
https://ico.org.uk/media/action-weve-taken/mpns/2013732/mpn-honda-europe-20170320.pdf
jbho: if you have to guess whether or not you have consent, you might want to default to opted-out if the regime, or the channel (e.g., SMS, Robocall, etc.) requires opt-in consent.

And if you’re being investigated for a violation, it might not be a bad idea to stop doing what you’re being investigated for.

In case you forgot, the PECRs are the Privacy and Electronic Communications Regulations – the rules for direct marketing in the UK.
https://ico.org.uk/for-organisations/guide-to-pecr/introduction/what-are-pecr/

£270,000 For 22 Million Robocalls

Media Tactics allegedly made some 22,065,627 unsolicited robocalls, and failed to identify itself as the caller. Media Tactics claimed it relied on contractual assurances its list brokers were obtaining consent. The ICO determined the company failed to exercise adequate due diligence over its data providers, and a monetary penalty of £270,000 (~$330,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/2013606/mpn-road-accident-consult-20170308.pdf
jbho: for the umpteenth time, if you are going to source data from third parties, make sure to perform your own due diligence to ensure the data is collected in a fair and lawful manner.

And a reminder you can’t rely on generic statements in other people’s terms and conditions for consent. Any third-party marketing requires a qualified opt-in consent (i.e., say who will be doing the marketing).

£80,000 For Cold Calls

Xternal made some 100,000 unsolicited telemarketing calls to numbers registered with the TPS. Calls allegedly did not identify the caller, and deliberately misled subscribers by using generic company names. Since Xternal failed to fully cooperate with the ICO, and failed to register with or scrub against the TPS before the ICO began its investigation, a monetary penalty of £80,000 (~$100,000) was assessed. Xternal has also been ordered to cease future illegal calls.
https://ico.org.uk/media/action-weve-taken/mpns/2013827/mpn-xternal-property-renovations-ltd-20170328.pdf
jbho: maybe better to skip the cold calling, and just get consent?

£20,000 For 64,000 Spam Texts

Lead gen company Munee Hut allegedly sent some 64,000 unsolicited texts promoting loan services of its Belize based affiliate. ICO investigated after receiving some 885 complaints. The ICO investigation determined that the phone numbers in question were acquired from third party sites that provided generic notices, and did not indicate contact by third parties. Thus Munee Hut should have known it did not have consent to contact the numbers, and a monetary penalty of £20,000 (~$25,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/2013618/mpn-munee-hut.pdf
jbho: yet another tale of a marketing firm failing to exercise due diligence over its list providers.

February 2017

£120,000 For 5 Million Spam Texts

Credit broker Digitonomy allegedly sent 5,238,653 unsolicited texts promoting quick loan services. Digitonomy allegedly relied on terms and conditions on affiliate sites for consent. ICO determined the terms were too generic to indicate consent for Digitonomy to rely on, and it should have known it did not have consent to send the texts. A monetary penalty of £120,000 (~$150,000) was therefore in order.
https://ico.org.uk/media/action-weve-taken/mpns/2013425/mpn-digitonomy-20170215.pdf
jbho: Consent! Consent! Consent!

ICO Eliminates The Middle Man

Data Supply allegedly sold contact info of some 580,302 individuals to companies who ultimately used the details in (unsolicited) marketing campaigns. The ICO determined Data Supply failed to keep clear records showing when and how consent was obtained, by whom, and exactly what the individual was told. Therefore, a monetary penalty of £20,000 (~$25,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/1625862/mpn-data-supply-company-20170130.pdf
jbho: this is the first ICO action I’ve seen against a list broker, rather than the poor sap who ends up buying a list. Nonetheless, you still need to do your own due diligence to make sure any list broker is on the up-and-up.

In the notice, Data Supply indicates it is no longer trading in consumer data.

January 2017

£50,000 For Spam Texts

Lead gen company LAD Media allegedly sent unsolicited texts advertising debt relief services. The company claimed to have purchased numbers from a third party, who obtained consent through (generic) terms and conditions. The ICO found the terms insufficient to indicate consent for the texts sent by LAD Media, and a monetary penalty of £50,000 (~$60,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/1625739/mpn-lad-media-ltd-20170118.pdf
jbho: another reminder that if you are going to source data from third parties, make sure to perform due diligence to ensure the data is collected in a fair and lawful manner. Additionally, get representations and warranties that you have consent to use that data for the desired purposes, and make sure you have well-constructed contractual agreements to make sure vendor obligations are clearly defined, and liability is appropriately distributed.

In this action, the ICO added a couple of bullets to its due diligence guidance on consent:
• How and when was consent obtained?
• Who obtained it and in what context?
• What method was used – eg was it opt-in or opt-out?
• Was the information provided clear and intelligible? How was it provided – eg behind a link, in a footnote, in a pop-up box, in a clear statement next to the opt-in box?
• Did it specifically mention texts, emails or automated calls?
• Did it list organisations by name, by description, or was the consent for disclosure to any third party?
• Is the seller a member of a professional body or accredited in some way? 

£40,000 For Call Blocker Calls

IT Protect allegedly made unsolicited telemarketing calls to numbers on the TPS in efforts to sell call blocking services. After several attempts, IT Protect finally responded to inquiries, and claimed it purchased opt-in data from a third party. The ICO determined IT Protect should have known it did not have consent to contact numbers, and failed to produce evidence it or its vendor ever obtained consent. Given IT Protect failed to respond to preliminary requests, a monetary penalty of £40,000 (~$50,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/1625689/mpn-it-protect-20170111.pdf
jbho: hmmm. The ‘I got the numbers from someone else’ excuse seems to be a recurring theme. Are companies not picking up on what’s being enforced, or is it just a go-to defense when they get caught?

November 2016

£230,000 In Fines Against Four Firms For Failing To Verify Consent

  • £100,000 (~$126,000) against financial service provider Silver City Tech for allegedly sending over one million unsolicited texts, and continuing to send another two million while being investigated by the ICO. Silver City relied on its texting vendor to vet consent before sending, and was unable to produce sufficient records of consent for the ICO. The ICO ruled it was not sufficient for Silver City to rely on contractual agreements and random reviews of consent, thus it failed to exercise proper due diligence over its vendor.

In the next three cases, the parties relied on consent obtained by their list brokers, which in turn relied on clauses embedded in terms & conditions of third party service offerings. ICO ruled this did not constitute valid consent, and as all failed to take reasonable steps to verify consent, the monetary penalties were in order. The penalties were:

jbho: a reminder that many international jurisdictions do not permit bundling of consent. And that third-party marketing requires a qualified opt-in consent (i.e., say who will be doing the marketing).

Oh, and if you are being investigated for a violation, it’s probably best to cease that activity.

Also, another reminder that if you are going to source data from third parties, make sure to perform due diligence to ensure the data is collected in a fair and lawful manner. Additionally, get representations and warranties that you have consent to use that data for the desired purposes, and make sure you have well-constructed contractual agreements to make sure vendor obligations are clearly defined, and liability is appropriately distributed.

And finally, with respect to consent, ICO recommends:

  • per the Assist Law Monetary Penalty Notice: “Reasonable steps in these circumstances would have included:
    • (i) asking its third party data provider for evidence that the subscribers had consented to receiving calls from the Company, and
    • (ii) screening the data against the TPS register by the Company itself regardless of any assurances that might have been given by its third party data provider.”
  • per the Nouveau Finance Monetary Penalty Notice: “due diligence might, for example, include the following:
    • How and when was consent obtained?
    • Who obtained it and in what context?
    • Was the information provided clear and intelligible? How was it provided – eg behind a link, in a footnote, in a pop-up box, in a clear statement next to the opt-in box?
    • Did it specifically mention texts, e-mails or automated calls?
    • Did it list organizations by name, by description, or was the consent for disclosure to any third party?”

October 2016

Another List Buyer Fails To Verify Consent

Lead Generation company Rainbow allegedly sent texts advertising payday loan services to lists of individuals who had recently been denied loans. Rainbow claimed it purchased lists from a broker who had obtained consent. ICO found that Rainbow’s reliance on terms & conditions in third party agreements did not constitute valid consent. Rainbow’s failure to do due diligence resulted in the violations and a fine of £20,000 (~$25,000) was warranted.

The investigation began after noting 162 complaints sent to the GSMA spam service and 12 complaints sent directly to the ICO.
https://ico.org.uk/media/action-weve-taken/mpns/1625218/r-mpn-rainbow-uk-limited-20161010.pdf

jbho: a reminder that many international jurisdictions do not permit bundling of consent. And that third-party marketing requires a qualified opt-in consent (i.e., say who will be doing the marketing).

Also, another reminder that if you are going to source data from third parties, make sure to perform due diligence to ensure the data is collected in a fair and lawful manner. Additionally, get representations and warranties that you have consent to use that data for the desired purposes, and make sure you have well-constructed contractual agreements to make sure vendor obligations are clearly defined, and liability is appropriately distributed.

September 2016

ICO Racks Up Nearly $350,000 in Tele-Spam Fines

jbho: a reminder that many international jurisdictions do not permit bundling of consent. And that third-party marketing requires a qualified opt-in consent (i.e., say who will be doing the marketing).

Also, another reminder that if you are going to source data from third parties, make sure to perform due diligence to ensure the data is collected in a fair and lawful manner. Additionally, get representations and warranties that you have consent to use that data for the desired purposes, and make sure you have well-constructed contractual agreements to make sure vendor obligations are clearly defined, and liability is appropriately distributed.

July 2016

ICO Issued Nearly £2 Million In Fines For PECR Violations Last Year

The ICO released its annual report for 2015-2016, detailing how it has dealt with data protection concerns. The report indicates ICO managed some 16,388 complaints. Particularly noteworthy is the rise in Privacy and Electronic Communications Regulation (PECR) enforcements: 17 monetary penalties totaling £1,985,000 (~$2,600,000).
https://ico.org.uk/media/about-the-ico/documents/1624517/annual-report-2015-16.pdf
jbho: the ICO has not been shy about using its recently enhanced fining power under the PECRs.

ICO Orders Survey Upsells To Cease

Legal aid firm Change and Save allegedly called numbers on the TPS without consent. The calls were made under the guise of a lifestyle survey, but were really meant to promote will-writing, funeral, & legal services. ICO ordered the firm to cease the deceptive, telemarketing ‘survey’ calls.
https://ico.org.uk/media/action-weve-taken/enforcement-notices/1624601/en-change-and-save-ltd-20160708.pdf
jbho: make sure to vet any survey calls to make sure they are really surveys, and do not contain any incidental marketing or upsell content.
