ICO Enforcement

August 2017

£80,000 For Calling Numbers On The TPS

Home improvement company Virgo allegedly made unsolicited telemarketing calls to numbers on the TPS, and continued calling after being asked to stop. Virgo claimed the numbers were purchased from list providers who assured the numbers were scrubbed against the TPS. No contracts were in place, and Virgo did not have its own subscription to the TPS. Since Virgo should have known it did not have valid consent to make the calls, a monetary penalty of £80,000 (~$90,000) was assessed.
https://ico.org.uk/media/action-weve-taken/mpns/2014586/mpn-virgo-home-improvements-20170803.pdf
jbho: same old story – firm fails to exercise due diligence over its list providers.

£70,000 For Calling Numbers On The TPS

Home improvement company Safestyle (HPAS) allegedly made unsolicited telemarketing calls to numbers on the TPS, and continued calling after being asked to stop. HPAS claimed it only contacted numbers of existing customers, so it need not screen against the TPS, although it did maintain an internal DNC list. HPAS committed to updating its processes, but monitoring showed HPAS failed to make any discernible improvement in its marketing practices. Therefore, a monetary penalty of £70,000 (~$78,000) was assessed.
https://ico.org.uk/media/action-weve-taken/mpns/2014585/mpn-hpas-20170803.pdf
jbho: if you’re given a second chance, you’ve got to get it right!

 

July 2017

£80,000 For Ignoring Marketing Email Opt-Outs

Price comparison website & financial service provider Moneysupermarket allegedly sent some 7 million emails notifying users of changes to Terms & Conditions (& Privacy Policy). ICO alleged the operational emails were really marketing, since they included language encouraging people to opt-in to marketing. The disputed content contained the following message:

“We hold an e-mail address for you which means we could be sending you personalised news, products and promotions. You’ve told us in the past you prefer not to receive these. If you’d like to reconsider, simply click the following link to start receiving our e-mails.”

The text was followed by a ‘Go To Preferences’ link.

The ICO ruled that since the marketing mails were sent to individuals Moneysupermarket knew had opted-out, a monetary penalty of £80,000 (~$90,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/2014482/mpn-moneysupermarket-ltd-20170720.pdf
jbho: perhaps one mistake was the fact the mail was clearly targeted to individuals who had previously opted out. I wonder if the mail simply invited users to update their contact information and communication preferences – targeted to ALL users – if the ICO would have expressed the same level of concern.

In this case, another reminder not to overload operational messages with marketing content, and that a message asking for consent to market is itself marketing.

£80,000 For One Million Nuisance Texts

Subprime lender Provident Personal Credit (PPC), through its agents, allegedly sent nearly one million unsolicited text messages promoting its short term loan services. The sending parties relied on consents obtained through terms and privacy policies of affiliated websites – none of which explicitly mentioned PPC (only generically referred to goods or services of selected partners). Since PPC should have known this indirect and unverified consent was not valid, a monetary penalty of £80,000 (~$90,000) was issued.
https://ico.org.uk/media/action-weve-taken/mpns/2014450/provident-personal-credit-mpn-20170717.pdf
jbho: same old story, a company relying on third party consent again fails to adequately vet and enforce compliance on its vendors (see US v. Dish for an extreme example). 

Also yet another reminder not to rely on generic statements in other people’s terms and conditions for consent. Any third-party marketing requires a qualified opt-in consent (i.e., say who will be doing the marketing).

June 2017

£10,500 For Failing To Honor Opt-Outs

Supermarket chain Morrisons ran an email campaign that informed users they had opted-out of rewards program promotional emails. The emails included instructions for opting back into marketing. The ICO determined the 130,000+ emails were marketing, and were sent without consent. Since Morrisons should have known it did not have consent, a monetary penalty of £10,500 (~$14,000) was assessed.
https://ico.org.uk/media/action-weve-taken/mpns/2014261/mpn-wm-morrisons-20170616.pdf
jbho: don’t overload operational messages with marketing. And if you ask for consent to market, that makes the message marketing (i.e., you can’t send a message asking for consent without consent).

£50,000 For Nuisance Calls (~$65,000)

Alarm company MyHome allegedly made unsolicited calls to numbers on the TPS, and calls continued despite MyHome’s knowledge of consumer complaints. MyHome claimed it purchased data from third parties who vetted consent and scrubbed call lists. When pressed, MyHome could offer no evidence of consent. Since MyHome should have known it had no consent to make the calls, a monetary penalty of £50,000 (~$65,000) was assessed.
https://ico.org.uk/media/action-weve-taken/mpns/2014297/mpn-myhome-installations-limited.pdf
jbho: a common theme, numbers purchased from list brokers not being vetted.

FYI: it appears MyHome is no stranger to negative publicity:
https://youtu.be/QaOYI7XfkCE

May 2017

£400,000 For Unsolicited Robocalls

Keurboom made nearly 100,000,000 unsolicited prerecorded message calls. The calls did not identify the caller, and the automated, interactive opt-out failed to work on many occasions. Calls were made at off-hours and in some cases were disguised as emergency calls. As Keurboom did not cooperate with the ICO, a monetary penalty of £400,000 (~$515,000) was issued.
https://ico.org.uk/media/action-weve-taken/enforcement-notices/2014013/mpn-keurboom-ltd-20170503.pdf
jbho: sounds like a south Florida type telemarketing operation. £400,000 is the biggest fine for PECR violations to date.

And remember, prerecorded calls in the UK require prior (i.e. opt-in) consent.

£100,000 For Millions Of Mobile Upgrade Texts

Telco provider Onecom allegedly sent some 3 million unsolicited texts encouraging individuals to upgrade their service plans. The texts were sent to numbers Onecom acquired itself directly from its customers, through acquisition of other businesses, and from third party list brokers. Onecom stated it relied on the “Soft Opt-In” for consent, but was unable to produce evidence to verify.

Onecom amended its practices to text only direct customers, and took other remedial steps to ensure future compliance. Since Onecom should have known of the violation, a monetary penalty of £100,000 (~$130,000) was issued. However, the ICO did consider Onecom’s cooperation and effort in issuing the (lower) penalty.
https://ico.org.uk/media/action-weve-taken/mpns/2014050/onecom-monetary-penalty.pdf
jbho: a reminder of the importance of keeping accurate records of consent.

Fyi: a “Soft Opt-In” is where the following conditions are met:
• Personal information is collected in conjunction with a sale/inquiry
• No ‘sensitive information’ is used
• Marketing is restricted to similar products/services (i.e., 1st party marketing)
• Individuals have an opportunity to decline to be contacted when first collecting contact details, and offered an opt-out in every message sent
Note that a pre-checked tick box, in and of itself, does not constitute a “Soft Opt-In.” All the above conditions must be met.

£50,000 For Unsolicited Calls To Numbers on the TPS

Home improvement company Brighter Homes allegedly made some 450,000 unsolicited telemarketing calls to numbers on the TPS. Brighter Homes also allegedly displayed a false Caller ID to trick people into answering calls. Finally, Brighter Homes allegedly had not accessed the TPS in the previous 4 months, and failed to respond to the TPS about complaints filed.

Brighter Homes claimed the numbers were purchased as ‘opt-in data’ from third parties. ICO determined Brighter Homes failed to do due diligence on the consent being obtained, and should have known it didn’t have consent. So a monetary penalty of £50,000 (~$60,000) was issued.
https://ico.org.uk/media/action-weve-taken/mpns/2014059/brighter-home-solutions-ltd-monetary-penalty-notice.pdf
jbho: yet another tale of a marketing firm failing to exercise due diligence over its list providers.

£40,000 For Spam Texts

Used car dealer Concept Car allegedly sent some 300,000 unsolicited texts. The texts were sent to numbers acquired from a third party, through disclosures in the terms & conditions on the third party’s website. ICO determined the disclosures were insufficient (referred to generic third parties) and Concept Car did not have consent to text. Since Concept Car should have known of the violation, had it done due diligence on the consent being obtained by its third parties, a monetary penalty of £40,000 (~$47,000) was issued.
https://ico.org.uk/media/action-weve-taken/mpns/2014061/concept-car-credit-monetary-penalty-notice.pdf
jbho: once again, a company relying on third party consent again fails to adequately vet its data providers. And a reminder you can’t rely on generic statements in other people’s terms and conditions for consent. Any third-party marketing requires a qualified opt-in consent (i.e., say who will be doing the marketing).

Per the notice: “It is not acceptable to rely on assurances of indirect consent without undertaking proper due diligence. Such due diligence might, for example, include checking the following:
• How and when was consent obtained?
• Who obtained it and in what context?
• What method was used – eg was it opt-in or opt-out?
• Was the information provided clear and intelligible? How was it provided – eg behind a link, in a footnote, in a pop-up box, in a clear statement next to the opt-in box?
• Did it specifically mention texts, emails or automated calls?
• Did it list organisations by name, by description, or was the consent for disclosure to any third party?
• Where the consent was for disclosure to a third party were there clearly described precise and defined categories of organisations and did the organisation wanting to use the consent clearly fall within that description?”

April 2017

£40,000 For Spam Texts

Monevo, through its agent, allegedly sent some 44,000 unsolicited texts, to numbers obtained through third parties. None of the third party notices indicated that data would be used by Monevo to send marketing texts. As Monevo should have known it lacked valid consent, a monetary penalty of £40,000 ($50,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/2013941/mpn-monevo-20170413.pdf
jbho: a common theme, a company relying on third party consent again fails to adequately vet its data providers.

March 2017

£140,000 For Compulsory SMS Marketing

PRS Media allegedly sent some 4.4m marketing texts. PRS alleged it had consent through signups at its prize draw website. The ICO determined the consent was invalid since:
(i) receipt of marketing was a condition of entry,
(ii) the web site privacy policy / terms were generic about 3rd-party sharing, and
(iii) PRS did not provide users with any communication preferences.
Since PRS should have known it did not have consent, and failed to respond to two separate ICO requests, a monetary penalty of £140,000 (~$175,000) was warranted.
https://ico.org.uk/media/action-weve-taken/mpns/2013829/mpn-prs-media-20170327.pdf
jbho: another reminder that many international jurisdictions do not permit bundling of consent. And that third-party marketing requires a qualified opt-in consent (i.e., say who will be doing the marketing).

You Can’t Send A Message Asking For Consent – Part 1

Regional airline carrier Flybe allegedly ran a ‘data quality’ campaign, and sent over 3 million emails asking recipients – many of whom had previously opted-out – to update their contact information. The email offered recipients inclusion in a prize draw if they would opt-in to future marketing. The ICO ruled that, contrary to Flybe’s assertion that the mails were informational, they were really for the purpose of marketing to opted-out individuals. As Flybe did not have consent to send the 3 Million + emails, a monetary penalty of £70,000 (~$81,000) was assessed.
https://ico.org.uk/media/action-weve-taken/mpns/2013731/mpn-flybe-limited-20170320.pdf
jbho: a reminder that a message asking for consent to market is itself a marketing message – i.e., you can’t send a message asking for consent to market if you don’t have consent in the first place.

Per the notice: “The Commissioner’s direct marketing guidance is clear that organisations cannot e-mail or text an individual to ask for consent to future marketing messages. That e-mail or text is itself sent for the purpose of direct marketing and will be subject to the same rules as other marketing texts and e-mail. The guidance also stresses that organisations should keep clear records of what an individual has consented to, and when and how this consent was obtained, so that they can demonstrate compliance in the event of a complaint.”

You Can’t Send A Message Asking For Consent – Part 2

Honda allegedly sent some 300,000 emails asking recipients to clarify their marketing preferences. Honda claimed the list was compiled of email addresses acquired from Honda’s website, dealer sales, and promotional events. No clear records of consent were attached (due to design flaws in data collection), thus the ‘service mail’ was needed to ensure Honda was not keeping unneeded data. The ICO ruled that since the purpose of the ‘clarification’ mails was to get consent to market, they were marketing, and it was Honda’s responsibility to ensure it had consent before sending the messages. Since Honda continued to send the emails after being warned by the ICO, and only stopped after being expressly advised to cease, a monetary penalty of £13,000 (~$15,000) was issued.
https://ico.org.uk/media/action-weve-taken/mpns/2013732/mpn-honda-europe-20170320.pdf
jbho: if you have to guess whether or not you have consent, you might want to default to opted-out if the regime, or the channel (e.g., SMS, Robocall, etc.) requires opt-in consent.

And if you’re being investigated for a violation, it might not be a bad idea to stop doing what you’re being investigated for.

In case you forgot, the PECRs are the Privacy and Electronic Communications Regulations – the rules for direct marketing in the UK.
https://ico.org.uk/for-organisations/guide-to-pecr/introduction/what-are-pecr/

£270,000 For 22 Million Robocalls

Media Tactics allegedly made some 22,065,627 unsolicited robocalls, and failed to identify itself as the caller. Media Tactics claimed it relied on contractual assurances its list brokers were obtaining consent. The ICO determined the company failed to exercise adequate due diligence over its data providers, and a monetary penalty of £270,000 (~$330,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/2013606/mpn-road-accident-consult-20170308.pdf
jbho: for the umpteenth time, if you are going to source data from third parties, make sure to perform your own due diligence to ensure the data is collected in a fair and lawful manner.

And a reminder you can’t rely on generic statements in other people’s terms and conditions for consent. Any third-party marketing requires a qualified opt-in consent (i.e., say who will be doing the marketing).

£80,000 For Cold Calls

Xternal made some 100,000 unsolicited telemarketing calls to numbers registered with the TPS. Calls allegedly did not identify the caller, and deliberately misled subscribers by using generic company names. Since Xternal failed to fully cooperate with the ICO, and failed to register with or scrub against the TPS before the ICO began its investigation, a monetary penalty of £80,000 (~$100,000) was assessed. Xternal has also been ordered to cease future illegal calls.
https://ico.org.uk/media/action-weve-taken/mpns/2013827/mpn-xternal-property-renovations-ltd-20170328.pdf
jbho: maybe better to skip the cold calling, and just get consent?

£20,000 For 64,000 Spam Texts

Lead gen company Munee Hut allegedly sent some 64,000 unsolicited texts promoting loan services of its Belize based affiliate. ICO investigated after receiving some 885 complaints. The ICO investigation determined that the phone numbers in question were acquired from third party sites that provided generic notices, and did not indicate contact by third parties. Thus Munee Hut should have known it did not have consent to contact the numbers, and a monetary penalty of £20,000 (~$25,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/2013618/mpn-munee-hut.pdf
jbho: yet another tale of a marketing firm failing to exercise due diligence over its list providers.

February 2017

£120,000 For 5 Million Spam Texts

Credit broker Digitonomy allegedly sent 5,238,653 unsolicited texts promoting quick loan services. Digitonomy allegedly relied on terms and conditions on affiliate sites for consent. ICO determined the terms were too generic to indicate consent for Digitonomy to rely on, and it should have known it did not have consent to send the texts. A monetary penalty of £120,000 (~$150,000) was therefore in order.
https://ico.org.uk/media/action-weve-taken/mpns/2013425/mpn-digitonomy-20170215.pdf
jbho: Consent! Consent! Consent!

ICO Eliminates The Middle Man

Data Supply allegedly sold contact info of some 580,302 individuals to companies who ultimately used the details in (unsolicited) marketing campaigns. The ICO determined Data Supply failed to keep clear records showing when and how consent was obtained, by whom, and exactly what the individual was told. Therefore, a monetary penalty of £20,000 (~$25,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/1625862/mpn-data-supply-company-20170130.pdf
jbho: this is the first ICO action I’ve seen against a list broker, rather than the poor sap who ends up buying a list. Nonetheless, you still need to do your own due diligence to make sure any list broker is on the up-and-up.

In the notice, Data Supply indicates it is no longer trading in consumer data.

January 2017

£50,000 For Spam Texts

Lead gen company LAD Media allegedly sent unsolicited texts advertising debt relief services. The company claimed to have purchased numbers from a third party, who obtained consent through (generic) terms and conditions. The ICO found the terms insufficient to indicate consent for the texts sent by LAD Media, and a monetary penalty of £50,000 (~$60,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/1625739/mpn-lad-media-ltd-20170118.pdf
jbho: another reminder that if you are going to source data from third parties, make sure to perform due diligence to ensure the data is collected in a fair and lawful manner. Additionally, get representations and warranties that you have consent to use that data for the desired purposes, and make sure you have well-constructed contractual agreements to make sure vendor obligations are clearly defined, and liability is appropriately distributed.

In this action, the ICO added a couple of bullets to its due diligence guidance on consent:
• How and when was consent obtained?
• Who obtained it and in what context?
• What method was used – eg was it opt-in or opt-out?
• Was the information provided clear and intelligible? How was it provided – eg behind a link, in a footnote, in a pop-up box, in a clear statement next to the opt-in box?
• Did it specifically mention texts, emails or automated calls?
• Did it list organisations by name, by description, or was the consent for disclosure to any third party?
• Is the seller a member of a professional body or accredited in some way? 

£40,000 For Call Blocker Calls

IT Protect allegedly made unsolicited telemarketing calls to numbers on the TPS in efforts to sell call blocking services. After several attempts, IT Protect finally responded to inquiries, and claimed it purchased opt-in data from a third party. The ICO determined IT Protect should have known it did not have consent to contact numbers, and failed to produce evidence it or its vendor ever obtained consent. Given IT Protect failed to respond to preliminary requests, a monetary penalty of £40,000 (~$50,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/1625689/mpn-it-protect-20170111.pdf
jbho: hmmm. The ‘I got the numbers from someone else’ excuse seems to be a recurring theme. Are companies not picking up on what’s being enforced, or is it just a go-to defense when they get caught?

November 2016

£230,000 In Fines Against Four Firms For Failing To Verify Consent

  • £100,000 (~$126,000) against financial service provider Silver City Tech for allegedly sending over one million unsolicited texts, and continuing to send another two million while being investigated by the ICO. Silver City relied on its texting vendor to vet consent before sending, and was unable to produce sufficient records of consent for the ICO. The ICO ruled it was not sufficient for Silver City to rely on contractual agreements and random reviews of consent, thus it failed to exercise proper due diligence over its vendor.

In the next three cases, the parties relied on consent obtained by their list brokers, which in turn relied on clauses embedded in terms & conditions of third party service offerings. ICO ruled this did not constitute valid consent, and as all failed to take reasonable steps to verify consent, the monetary penalties were in order. The penalties were:

jbho: a reminder that many international jurisdictions do not permit bundling of consent. And that third-party marketing requires a qualified opt-in consent (i.e., say who will be doing the marketing).

Oh, and if you are being investigated for a violation, it’s probably best to cease that activity.

Also, another reminder that if you are going to source data from third parties, make sure to perform due diligence to ensure the data is collected in a fair and lawful manner. Additionally, get representations and warranties that you have consent to use that data for the desired purposes, and make sure you have well-constructed contractual agreements to make sure vendor obligations are clearly defined, and liability is appropriately distributed.

And finally, with respect to consent, ICO recommends:

  • per the Assist Law Monetary Penalty Notice: “Reasonable steps in these circumstances would have included:
    • (i) asking its third party data provider for evidence that the subscribers had consented to receiving calls from the Company, and
    • (ii) screening the data against the TPS register by the Company itself regardless of any assurances that might have been given by its third party data provider.”
  • per the Nouveau Finance Monetary Penalty Notice: “due diligence might, for example, include the following:
    • How and when was consent obtained?
    • Who obtained it and in what context?
    • Was the information provided clear and intelligible? How was it provided – eg behind a link, in a footnote, in a pop-up box, in a clear statement next to the opt-in box?
    • Did it specifically mention texts, e-mails or automated calls?
    • Did it list organizations by name, by description, or was the consent for disclosure to any third party?”

October 2016

Another List Buyer Fails To Verify Consent

Lead Generation company Rainbow allegedly sent texts advertising payday loan services to lists of individuals who had recently been denied loans. Rainbow claimed it purchased lists from a broker who had obtained consent. ICO found that Rainbow’s reliance on terms & conditions in third party agreements did not constitute valid consent. Rainbow’s failure to do due diligence resulted in the violations and a fine of £20,000 (~$25,000) was warranted.

The investigation began after noting 162 complaints sent to the GSMA spam service and 12 complaints sent directly to the ICO.
https://ico.org.uk/media/action-weve-taken/mpns/1625218/r-mpn-rainbow-uk-limited-20161010.pdf

jbho: a reminder that many international jurisdictions do not permit bundling of consent. And that third-party marketing requires a qualified opt-in consent (i.e., say who will be doing the marketing).

Also, another reminder that if you are going to source data from third parties, make sure to perform due diligence to ensure the data is collected in a fair and lawful manner. Additionally, get representations and warranties that you have consent to use that data for the desired purposes, and make sure you have well-constructed contractual agreements to make sure vendor obligations are clearly defined, and liability is appropriately distributed.

September 2016

ICO Racks Up Nearly $350,000 in Tele-Spam Fines

jbho: a reminder that many international jurisdictions do not permit bundling of consent. And that third-party marketing requires a qualified opt-in consent (i.e., say who will be doing the marketing).

Also, another reminder that if you are going to source data from third parties, make sure to perform due diligence to ensure the data is collected in a fair and lawful manner. Additionally, get representations and warranties that you have consent to use that data for the desired purposes, and make sure you have well-constructed contractual agreements to make sure vendor obligations are clearly defined, and liability is appropriately distributed.

July 2016

ICO Issued Nearly £2 Million In Fines For PECR Violations Last Year

The ICO released its annual report for 2015-2016, detailing how it has dealt with data protection concerns. The report indicates ICO managed some 16,388 complaints. Particularly noteworthy is the rise in Privacy and Electronic Communications Regulation (PECR) enforcements: 17 monetary penalties totaling £1,985,000 (~$2,600,000).
https://ico.org.uk/media/about-the-ico/documents/1624517/annual-report-2015-16.pdf
jbho: the ICO has not been shy about using its recently enhanced fining power under the PECRs.

ICO Orders Survey Upsells To Cease

Legal aid firm Change and Save allegedly called numbers on the TPS without consent. The calls were made under the guise of a lifestyle survey, but were really meant to promote will-writing, funeral, & legal services. ICO ordered the firm to cease the deceptive, telemarketing ‘survey’ calls.
https://ico.org.uk/media/action-weve-taken/enforcement-notices/1624601/en-change-and-save-ltd-20160708.pdf
jbho: make sure to vet any survey calls to make sure they are really surveys, and do not contain any incidental marketing or upsell content.
