In JB's Humble Opinion

ICO Enforcement

February 2018

£300,000 for 8,792,907 Nuisance Robocalls

Holmes Financial Solutions (HFSL) – £300,000 for making some 8.7 Million unsolicited prerecorded telemarketing calls to numbers on the TPS. The ICO claimed HFSL failed to identify itself or provide its contact information on the calls. The ICO further alleged continued calls were made to numbers that previously asked to be opted-out. Consent was obtained by list brokers, who relied on consent obtained through generically worded privacy policies. Since HFSL should have known it did not have consent to make the calls, failed to provide contact details, and failed to provide a functioning opt-out mechanism, a monetary penalty of £300,000 (~$420,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/2173104/mpn-holmes-financial-solutions-20180129.pdf
jbho: yet another reminder to perform due diligence on your list brokers. And don’t forget the technical and procedural requirements.

 

January 2018

One Million Spam Texts, 44 Million Spam Emails, And 90 Million Nuisance Calls Lead To $1.3 Million In Fines

jbho: as always: consent! consent! consent! And make sure to vet your list providers.

November 2017

£45,000 For Spam Texts

Hamilton Digital Solutions, through its agents, allegedly sent some 150,000 unsolicited text messages. Hamilton relied on consent obtained by its agents, who in turn relied on consents obtained through discount and prize promotion websites. The ICO ruled that, despite Hamilton’s claims it had vetted its agents, there was no evidence of an opt-in process, and thus no valid consents had been obtained. Had Hamilton performed proper due diligence, it would have known it had no consent to send the texts. Thus a monetary penalty of £45,000 (~$60,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/2172759/hamilton-digital-solutions-ltd-mpn-20171116.pdf
jbho: fyi – this brings ICO marketing fines to £2 Million YTD.

October 2017

£80,000 For Unfairly Collecting Personal Data

Lead Gen/Data Broker Verso allegedly collected/purchased personal data from multiple companies, websites, and through its own telemarketing campaigns. The ICO felt the terms/privacy policies of the companies & websites were too generic to allow Verso to use any data collected. Similarly, Verso’s telemarketing scripts failed to disclose its intent to sell/share data for marketing purposes. The ICO further ruled no ‘Legitimate Interest’ applied, since data subjects were not properly informed of how their data would be used.

Since Verso’s contraventions were deliberate, systematic, repeated over several years, involved large volumes of personal data, and large numbers of data subjects, as well as the fact Verso was unhelpful and obstructive during the investigation, a monetary penalty of £80,000 (~$105,000) was assessed.
https://ico.org.uk/media/action-weve-taken/mpns/2172671/verso-group-uk-limited-mpn-20171017.pdf
jbho: a reminder of the risks of relying on a data broker. This is the first time the ICO went directly after the broker (AFAIK). However, if a company using a suspect broker failed to do due diligence, that company could just as easily be on the hook. In the notice, the ICO cited an action taken against Verso by the Direct Marketing Association in 2016 for an SMS campaign, where Verso allegedly failed to ensure data had been properly sourced and necessary consent obtained. A red flag that should be learned through the due diligence process – and may be enough for the ICO to consider a company to be on notice.

Note also that ICO had previously fined at least two companies that sourced data from Verso in their (non-compliant) marketing activities:
• Prodial (2016) – £350,000 for making some 40 million robocalls to numbers on the TPS without consent, failing to honor opt-out requests, and failing to identify itself as the caller
• EMC Advisory Services (2014) – £70,000 for making hundreds of nuisance calls without scrubbing against the TPS or in-house suppression lists

£70,000 For Nuisance RoboCalls

Lead generation company Lead Experts allegedly made some 111,000 unsolicited robocalls. In some cases Caller ID failed to identify the caller. Lead Experts were unable to provide the ICO evidence of consent, and failed to provide any evidence of procedures in place to comply with the PECRs. Since Lead Experts disengaged during the course of the ICO investigation, a monetary penalty of £70,000 (~$93,000) was assessed.
https://ico.org.uk/media/action-weve-taken/mpns/2172522/the-lead-experts-mpn-20171010.pdf
jbho: shows the importance of documented procedures. It appears that Lead Experts has been dissolved in the wake of the ICO investigation. The ICO has stated it is committed to recovering the fines from insolvency practitioners and liquidators.

£75,000 For Spam Texts & Emails

Vanquis Bank allegedly sent some 870,000 unsolicited texts, and some 620,000 unsolicited emails, to cold contacts purchased from a list broker – who itself had purchased contact details from other third parties. The only consents obtained were indirect and non-specific, using generic wording like ‘trusted partners’ and ‘carefully selected third parties’ – with no mention of Vanquis Bank. Since Vanquis Bank should have known it had no consent, a monetary penalty of £75,000 (~$100,000) was assessed.
https://ico.org.uk/media/action-weve-taken/mpns/2172482/vanquis-bank-ltd-mpn.pdf
jbho: Consent! Consent! Consent!

£50,000 For Spam Emails

Media service provider Xerpla allegedly sent some 1.2 million unsolicited emails. Email addresses were provided by users who signed up on websites operated by Xerpla. Privacy policies on the sites indicated users were consenting to receive emails from Xerpla and offer partners.

When providing information, users were informed:

“By submitting your details, you consent to receive our email newsletters and offers from and on behalf of our offer partners and from other similar third party online discount/ deal providers, as well as to our processing of your information as outlined within our Privacy & Cookie Policy and Terms & Conditions. By submitting your details you confirm you have read, understood and consent to these in full.”

The Privacy Policy stated:

“We will use this information in the following ways:
• to provide you with information that you have requested eg email newsletters and offers;
• to provide you with the latest online discounts / deals available covering travel, home improvements, automotive, finance, retail, insurance, charities, competitions, utilities, health, claims, storage and publishing.”

The ICO felt this was insufficient to provide consent for the emails in question. As such, a monetary penalty of £50,000 (~$67,000) was assessed.
https://ico.org.uk/media/action-weve-taken/mpns/2172483/xerpla-ltd-mpn.pdf
jbho: this one seems a little off. The consent language seems reasonable – at least for emails sent by Xerpla. And for Xerpla emails, I would think the ‘Soft Opt-In’ would apply.

Granted, examples of the emails were not included in the MPN, so there may be something amiss in the actual marketing copy. A press release indicated a wide range of products and services were being advertised, including dog food, wine, competitions, and boilers. I would expect that from an eCommerce site. There must be something more to this story. Both websites mentioned in the MPN appear to be offline.

As an aside, I wouldn’t rely on the above language for third party consent. Per the MPN, “Consent will not be valid if individuals are asked to agree to receive marketing from ‘similar organisations’, ‘partners’, ‘selected third parties’ or other similar generic description. Further, consent will not be valid where an individual is presented with a long, seemingly exhaustive list of general categories of organisations.”

Something to keep in mind before you purchase from list brokers.

September 2017

£260,000 For ~16 Million Robocalls

Telemarketer Easyleads allegedly made unsolicited prerecorded telemarketing calls. The scripts read:

Hi. If your boiler is oil or LPG you may be entitled to a grant to replace it totally free of charge. Does anyone in your property receive benefits or tax credits? If they do, press 5 for more information or 9 to opt out.

The calls were allegedly made outside normal business hours, and contained a misleading offer of a free boiler. Additionally, the calls did not identify the caller. Finally, although automated, interactive opt-out instructions were included in the calls, those opt-outs were not honored. When Easyleads failed to sufficiently reply to the ICO, the ICO contacted Easyleads’ dialing system providers, who confirmed some 16.7 million automated calls were made.

In addition to the above, given that:
• the owner of Easyleads was previously investigated by the ICO and should have been well familiar with the PECRs;
• Easyleads was the most complained about number for automated calls for four consecutive months;
• Easyleads failed to satisfactorily engage with the ICO; and
• Easyleads continued to make (illegal) calls during the investigation,
a monetary penalty of £260,000 (~$350,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/2014851/20170921easyleadsmpn.pdf
jbho: another reminder that Robocalls require opt-in consent. And make sure to brush up on the PECRs before making any calls. You can start here.

£350,000 For ~150 Million Nuisance Calls

Payment insurance assistance provider Your Money Rights (YMR) allegedly made some 146,020,773 unsolicited robocalls. Calls were made to numbers purchased from a data broker, and YMR was unable to provide any evidence of prior consent. Additionally, YMR failed to identify itself as the caller. Since YMR should have known the calls were being made in violation of the PECRs, a monetary penalty of £350,000 (~$390,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/2014803/20170911yourmoneyrightsmpn.pdf
jbho: a reminder that Robocalls require opt-in consent in the UK (as well as in the EU).

£85,000 For Nuisance Calls

True Telecom allegedly made unsolicited telemarketing calls to numbers it scraped from internet pages, many of which were also on the TPS. True Telecom claimed it scrubbed these scraped numbers against the TPS, but due to changes in management, some lists were not properly scrubbed. Since True Telecom failed to ensure it called only those who had consented, a monetary penalty of £85,000 (~$94,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/2014783/mpn-true-telecom-20170906.pdf
jbho: interestingly, the ICO didn’t seem to focus on the fact the numbers were scraped (a no-no in Canada), but rather the breakdown in the scrubbing process. The ICO did call out that it had previously contacted True Telecom in relation to complaints to provide guidance on compliance with the PECRs. The failure to comply with that previous guidance was cited as an aggravating feature in issuing the fine.

£45,000 For Spam Texts

Cab Guru allegedly sent some 700,000 unsolicited texts promoting its price comparison app. Cab Guru claimed the numbers were provided by its taxi / mini-cab partners, who obtained consent for the Cab Guru texts. On review, Cab Guru had no formal agreements in place with the cab companies, and the cab companies relied on terms embedded in their user agreements, which did not constitute a valid, freely given consent. Since Cab Guru failed to take steps to ensure texts were sent only to those who consented, a monetary penalty of £45,000 (~$50,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/2014786/mpn-cab-guru-20170906.pdf
jbho: two reminders:
• make sure to do your due diligence if you are relying on third parties for consent
• you can’t bundle marketing consent with larger terms

August 2017

£50,000 For Failing To Get Consent, Scrub Against TPS

Home energy service provider Home Logic allegedly made some 1.5 million unsolicited telemarketing calls to numbers on the TPS. Home Logic stated it used third parties to make the calls, who used only ‘opted-in’ numbers. However, contracts reviewed placed responsibility for TPS scrubbing on Home Logic. Additionally, it was determined that not only did Home Logic lack evidence of consent, technical errors prevented it from successfully scrubbing numbers against the TPS. Since calls were made in violation of the PECRs, a monetary penalty of £50,000 (~$65,000) was issued.
https://ico.org.uk/media/action-weve-taken/mpns/2014674/home_logic_uk_ltd_mpn.pdf
jbho: another example of why you need to make sure you know what’s in your contracts, and who is responsible for what.

£80,000 For Calling Numbers On The TPS

Home improvement company Virgo allegedly made unsolicited telemarketing calls to numbers on the TPS, and continued calling after being asked to stop. Virgo claimed the numbers were purchased from list providers who assured the numbers were scrubbed against the TPS. No contracts were in place, and Virgo did not have its own subscription to the TPS. Since Virgo should have known it did not have valid consent to make the calls, a monetary penalty of £80,000 (~$90,000) was assessed.
https://ico.org.uk/media/action-weve-taken/mpns/2014586/mpn-virgo-home-improvements-20170803.pdf
jbho: same old story – firm fails to exercise due diligence over its list providers.

£70,000 For Calling Numbers On The TPS

Home improvement company Safestyle (HPAS) allegedly made unsolicited telemarketing calls to numbers on the TPS, and continued calling after being asked to stop. HPAS claimed it only contacted numbers of existing customers, so it need not screen against the TPS, although it did maintain an internal DNC list. HPAS committed to updating its processes, but monitoring showed HPAS failed to make any discernible improvement in its marketing practices. Therefore, a monetary penalty of £70,000 (~$78,000) was assessed.
https://ico.org.uk/media/action-weve-taken/mpns/2014585/mpn-hpas-20170803.pdf
jbho: if you’re given a second chance, you’ve got to get it right!

July 2017

£80,000 For Ignoring Marketing Email Opt-Outs

Price comparison website & financial service provider Moneysupermarket allegedly sent some 7 million emails notifying users of changes to Terms & Conditions (& Privacy Policy). ICO alleged the operational emails were really marketing, since they included language encouraging people to opt-in to marketing. The disputed content contained the following message:

“We hold an e-mail address for you which means we could be sending your personalised news, products and promotions. You’ve told us in the past you prefer not to receive these. If you’d like to reconsider, simply click the following link to start receiving our e-mails.”

The text was followed by a ‘Go To Preferences’ link.

The ICO ruled that since the marketing mails were sent to individuals Moneysupermarket knew had opted-out, a monetary penalty of £80,000 (~$90,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/2014482/mpn-moneysupermarket-ltd-20170720.pdf
jbho: perhaps one mistake was the fact the mail was clearly targeted to individuals who had previously opted out. I wonder if the mail simply invited users to update their contact information and communication preferences – targeted to ALL users – if the ICO would have expressed the same level of concern.

In this case, another reminder not to overload operational messages with marketing content, and that a message asking for consent to market is itself marketing.

£80,000 For One Million Nuisance Texts

Subprime lender Provident Personal Credit (PPC), through its agents, allegedly sent nearly one million unsolicited text messages promoting its short term loan services. The sending parties relied on consents obtained through terms and privacy policies of affiliated websites – none of which explicitly mentioned PPC (only generically referred to goods or services of selected partners). Since PPC should have known this indirect and unverified consent was not valid, a monetary penalty of £80,000 (~$90,000) was issued.
https://ico.org.uk/media/action-weve-taken/mpns/2014450/provident-personal-credit-mpn-20170717.pdf
jbho: same old story, a company relying on third party consent again fails to adequately vet and enforce compliance on its vendors (see US v. Dish for an extreme example). 

Also yet another reminder not to rely on generic statements in other people’s terms and conditions for consent. Any third-party marketing requires a qualified opt-in consent (i.e., say who will be doing the marketing).

June 2017

£10,500 For Failing To Honor Opt-Outs

Supermarket chain Morrisons ran an email campaign that informed users they had opted-out of rewards program promotional emails. The emails included instructions for opting back into marketing. The ICO determined the 130,000+ emails were marketing, and were sent without consent. Since Morrisons should have known it did not have consent, a monetary penalty of £10,500 (~$14,000) was assessed.
https://ico.org.uk/media/action-weve-taken/mpns/2014261/mpn-wm-morrisons-20170616.pdf
jbho: don’t overload operational messages with marketing. And if you ask for consent to market, that makes the message marketing (i.e., you can’t send a message asking for consent without consent).

£50,000 For Nuisance Calls (~$65,000)

Alarm company MyHome allegedly made unsolicited calls to numbers on the TPS, and calls continued despite MyHome’s knowledge of consumer complaints. MyHome claimed it purchased data from third parties who vetted consent and scrubbed call lists. When pressed, MyHome could offer no evidence of consent. Since MyHome should have known it had no consent to make the calls, a monetary penalty of £50,000 (~$65,000) was assessed.
https://ico.org.uk/media/action-weve-taken/mpns/2014297/mpn-myhome-installations-limited.pdf
jbho: a common theme, numbers purchased from list brokers not being vetted.

FYI: it appears MyHome is no stranger to negative publicity:
https://youtu.be/QaOYI7XfkCE

May 2017

£400,000 For Unsolicited Robocalls

Keurboom – made nearly 100,000,000 unsolicited prerecorded message calls. The calls did not identify the caller, and the automated, interactive opt-out failed to work on many occasions. Calls were made at off-hours and in some cases were disguised as emergency calls. As Keurboom did not cooperate with the ICO, a monetary penalty of £400,000 (~$515,000) was issued.
https://ico.org.uk/media/action-weve-taken/enforcement-notices/2014013/mpn-keurboom-ltd-20170503.pdf
jbho: sounds like a south Florida type telemarketing operation. £400,000 is the biggest fine for PECR violations to date.

And remember, prerecorded calls in the UK require prior (i.e. opt-in) consent.

£100,000 For Millions Of Mobile Upgrade Texts

Telco provider Onecom allegedly sent some 3 million unsolicited texts encouraging individuals to upgrade their service plans. The texts were sent to numbers Onecom acquired itself directly from its customers, through acquisition of other businesses, and from third party list brokers. Onecom stated it relied on the “Soft Opt-In” for consent, but was unable to produce evidence to verify.

Onecom amended its practices to text only direct customers, and took other remedial steps to ensure future compliance. Since Onecom should have known of the violation, a monetary penalty of £100,000 (~$130,000) was issued. However, the ICO did consider Onecom’s cooperation and effort in issuing the (lower) penalty.
https://ico.org.uk/media/action-weve-taken/mpns/2014050/onecom-monetary-penalty.pdf
jbho: a reminder of the importance of keeping accurate records of consent.

Fyi: a “Soft Opt-In” is where the following conditions are met:
• Personal information is collected in conjunction with a sale/inquiry
• No ‘sensitive information’ is used
• Marketing is restricted to similar products/services (i.e., 1st party marketing)
• Individuals have an opportunity to decline to be contacted when first collecting contact details, and offered an opt-out in every message sent
Note that a pre-checked tick box, in and of itself, does not constitute a “Soft Opt-In.” All the above conditions must be met.

£50,000 For Unsolicited Calls To Numbers on the TPS

Home improvement company Brighter Homes allegedly made some 450,000 unsolicited telemarketing calls to numbers on the TPS. Brighter Homes also allegedly displayed a false Caller ID to trick people into answering calls. Finally, Brighter Homes allegedly had not accessed the TPS in the previous 4 months, and failed to respond to the TPS about complaints filed.

Brighter Homes claimed the numbers were purchased as ‘opt-in data’ from third parties. ICO determined Brighter Homes failed to do due diligence on the consent being obtained, and should have known it didn’t have consent. So a monetary penalty of £50,000 (~$60,000) was issued.
https://ico.org.uk/media/action-weve-taken/mpns/2014059/brighter-home-solutions-ltd-monetary-penalty-notice.pdf
jbho: yet another tale of a marketing firm failing to exercise due diligence over its list providers.

£40,000 For Spam Texts

Used car dealer Concept Car allegedly sent some 300,000 unsolicited texts. The texts were sent to numbers acquired from a third party, through disclosures in the terms & conditions on the third party’s website. ICO determined the disclosures were insufficient (referred to generic third parties) and Concept Car did not have consent to text. Since Concept Car should have known of the violation, had it done due diligence on the consent being obtained by its third parties, a monetary penalty of £40,000 (~$47,000) was issued.
https://ico.org.uk/media/action-weve-taken/mpns/2014061/concept-car-credit-monetary-penalty-notice.pdf
jbho: once again, a company relying on third party consent again fails to adequately vet its data providers. And a reminder you can’t rely on generic statements in other people’s terms and conditions for consent. Any third-party marketing requires a qualified opt-in consent (i.e., say who will be doing the marketing).

Per the notice: “It is not acceptable to rely on assurances of indirect consent without undertaking proper due diligence. Such due diligence might, for example, include checking the following:
• How and when was consent obtained?
• Who obtained it and in what context?
• What method was used – eg was it opt-in or opt-out?
• Was the information provided clear and intelligible? How was it provided – eg behind a link, in a footnote, in a pop-up box, in a clear statement next to the opt-in box?
• Did it specifically mention texts, emails or automated calls?
• Did it list organisations by name, by description, or was the consent for disclosure to any third party?
• Where the consent was for disclosure to a third party were there clearly described precise and defined categories of organisations and did the organisation wanting to use the consent clearly fall within that description?”

April 2017

£40,000 For Spam Texts

Monevo, through its agent, allegedly sent some 44,000 unsolicited texts, to numbers obtained through third parties. None of the third party notices indicated that data would be used by Monevo to send marketing texts. As Monevo should have known it lacked valid consent, a monetary penalty of £40,000 ($50,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/2013941/mpn-monevo-20170413.pdf
jbho: a common theme, a company relying on third party consent again fails to adequately vet its data providers.

March 2017

£140,000 For Compulsory SMS Marketing

PRS Media allegedly sent some 4.4m marketing texts. PRS alleged it had consent through signups at its prize draw website. The ICO determined the consent was invalid since:
(i) receipt of marketing was a condition of entry,
(ii) the web site privacy policy / terms were generic about 3rd-party sharing, and
(iii) PRS did not provide users with any communication preferences.
Since PRS should have known it did not have consent, and failed to respond to two separate ICO requests, a monetary penalty of £140,000 (~$175,000) was warranted.
https://ico.org.uk/media/action-weve-taken/mpns/2013829/mpn-prs-media-20170327.pdf
jbho: another reminder that many international jurisdictions do not permit bundling of consent. And that third-party marketing requires a qualified opt-in consent (i.e., say who will be doing the marketing).

You Can’t Send A Message Asking For Consent – Part 1

Regional airline carrier Flybe allegedly ran a ‘data quality’ campaign, and sent over 3 million emails asking recipients – many of whom had previously opted-out – to update their contact information. The email offered recipients inclusion in a prize draw if they would opt-in to future marketing. The ICO ruled that, contrary to Flybe’s assertion that the mails were informational, they were really for the purpose of marketing to opted-out individuals. As Flybe did not have consent to send the 3 Million + emails, a monetary penalty of £70,000 (~$81,000) was assessed.
https://ico.org.uk/media/action-weve-taken/mpns/2013731/mpn-flybe-limited-20170320.pdf
jbho: a reminder that a message asking for consent to market, is itself a marketing message – i.e., you can’t send a message asking for consent to market if you don’t have consent in the first place.

Per the notice: “The Commissioner’s direct marketing guidance is clear that organisations cannot e-mail or text an individual to ask for consent to future marketing messages. That e-mail or text is itself sent for the purpose of direct marketing and will be subject to the same rules as other marketing texts and e-mail. The guidance also stresses that organisations should keep clear records of what an individual has consented to, and when and how this consent was obtained, so that they can demonstrate compliance in the event of a complaint.”

You Can’t Send A Message Asking For Consent – Part 2

Honda allegedly sent some 300,000 emails asking recipients to clarify their marketing preferences. Honda claimed the list was compiled of email addresses acquired from Honda’s website, dealer sales, and promotional events. No clear records of consent were attached (due to design flaws in data collection), thus the ‘service mail’ was needed to ensure Honda was not keeping unneeded data. The ICO ruled that since the purpose of the ‘clarification’ mails was to get consent to market, they were marketing, and it was Honda’s responsibility to ensure it had consent before sending the messages. Since Honda continued to send the emails after being warned by the ICO, and only stopped after being expressly advised to cease, a monetary penalty of £13,000 (~$15,000) was issued.
https://ico.org.uk/media/action-weve-taken/mpns/2013732/mpn-honda-europe-20170320.pdf
jbho: if you have to guess whether or not you have consent, you might want to default to opted-out if the regime, or the channel (e.g., SMS, Robocall, etc.) requires opt-in consent.

And if you’re being investigated for a violation, it might not be a bad idea to stop doing what you’re being investigated for.

In case you forgot, the PECRs are the Privacy and Electronic Communications Regulations – the rules for direct marketing in the UK.
https://ico.org.uk/for-organisations/guide-to-pecr/introduction/what-are-pecr/

£270,000 For 22 Million Robocalls

Media Tactics allegedly made some 22,065,627 unsolicited robocalls, and failed to identify itself as the caller. Media Tactics claimed it relied on contractual assurances its list brokers were obtaining consent. The ICO determined the company failed to exercise adequate due diligence over its data providers, and a monetary penalty of £270,000 (~$330,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/2013606/mpn-road-accident-consult-20170308.pdf
jbho: for the umpteenth time, if you are going to source data from third parties, make sure to perform your own due diligence to ensure the data is collected in a fair and lawful manner.

And a reminder you can’t rely on generic statements in other people’s terms and conditions for consent. Any third-party marketing requires a qualified opt-in consent (i.e., say who will be doing the marketing).

£80,000 For Cold Calls

Xternal made some 100,000 unsolicited telemarketing calls to numbers registered with the TPS. Calls allegedly did not identify the caller, and deliberately misled subscribers by using generic company names. Since Xternal failed to fully cooperate with the ICO, and failed to register with or scrub against the TPS before the ICO began its investigation, a monetary penalty of £80,000 (~$100,000) was assessed. Xternal has also been ordered to cease future illegal calls.
https://ico.org.uk/media/action-weve-taken/mpns/2013827/mpn-xternal-property-renovations-ltd-20170328.pdf
jbho: maybe better to skip the cold calling, and just get consent?

£20,000 For 64,000 Spam Texts

Lead gen company Munee Hut allegedly sent some 64,000 unsolicited texts promoting loan services of its Belize based affiliate. ICO investigated after receiving some 885 complaints. The ICO investigation determined that the phone numbers in question were acquired from third party sites that provided generic notices, and did not indicate contact by third parties. Thus Munee Hut should have known it did not have consent to contact the numbers, and a monetary penalty of £20,000 (~$25,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/2013618/mpn-munee-hut.pdf
jbho: yet another tale of a marketing firm failing to exercise due diligence over its list providers.

February 2017

£120,000 For 5 Million Spam Texts

Credit broker Digitonomy allegedly sent 5,238,653 unsolicited texts promoting quick loan services. Digitonomy allegedly relied on terms and conditions on affiliate sites for consent. ICO determined the terms were too generic to indicate consent for Digitonomy to rely on, and it should have known it did not have consent to send the texts. A monetary penalty of £120,000 (~$150,000) was therefore in order.
https://ico.org.uk/media/action-weve-taken/mpns/2013425/mpn-digitonomy-20170215.pdf
jbho: Consent! Consent! Consent!

ICO Eliminates The Middle Man

Data Supply allegedly sold contact info of some 580,302 individuals to companies who ultimately used the details in (unsolicited) marketing campaigns. The ICO determined Data Supply failed to keep clear records showing when and how consent was obtained, by whom, and exactly what the individual was told. Therefore, a monetary penalty of £20,000 (~$25,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/1625862/mpn-data-supply-company-20170130.pdf
jbho: this is the first ICO action I’ve seen against a list broker, rather than the poor sap who ends up buying a list. Nonetheless, you still need to do your own due diligence to make sure any list broker is on the up-and-up.

In the notice, Data Supply indicates it is no longer trading in consumer data.

January 2017

£50,000 For Spam Texts

Lead gen company LAD Media allegedly sent unsolicited texts advertising debt relief services. The company claimed to have purchased numbers from a third party, who obtained consent through (generic) terms and conditions. The ICO found the terms insufficient to indicate consent for the texts sent by LAD Media, and a monetary penalty of £50,000 (~$60,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/1625739/mpn-lad-media-ltd-20170118.pdf
jbho: another reminder that if you are going to source data from third parties, make sure to perform due diligence to ensure the data is collected in a fair and lawful manner. Additionally, get representations and warranties that you have consent to use that data for the desired purposes, and make sure you have well-constructed contractual agreements to make sure vendor obligations are clearly defined, and liability is appropriately distributed.

In this action, the ICO added a couple of bullets to its due diligence guidance on consent:
• How and when was consent obtained?
• Who obtained it and in what context?
• What method was used – eg was it opt-in or opt-out?
• Was the information provided clear and intelligible? How was it provided – eg behind a link, in a footnote, in a pop-up box, in a clear statement next to the opt-in box?
• Did it specifically mention texts, emails or automated calls?
• Did it list organisations by name, by description, or was the consent for disclosure to any third party?
• Is the seller a member of a professional body or accredited in some way? 

£40,000 For Call Blocker Calls

IT Protect allegedly made unsolicited telemarketing calls to numbers on the TPS in efforts to sell call blocking services. After several attempts, IT Protect finally responded to inquiries, and claimed it purchased opt-in data from a third party. The ICO determined IT Protect should have known it did not have consent to contact numbers, and failed to produce evidence it or its vendor ever obtained consent. Given IT Protect failed to respond to preliminary requests, a monetary penalty of £40,000 (~$50,000) was in order.
https://ico.org.uk/media/action-weve-taken/mpns/1625689/mpn-it-protect-20170111.pdf
jbho: hmmm. The ‘I got the numbers from someone else’ excuse seems to be a recurring theme. Are companies not picking up on what’s being enforced, or is it just a go-to defense when they get caught?

November 2016

£230,000 In Fines Against Four Firms For Failing To Verify Consent

In the next three cases, the parties relied on consent obtained by their list brokers, which in turn relied on clauses embedded in terms & conditions of third party service offerings. ICO ruled this did not constitute valid consent, and as all failed to take reasonable steps to verify consent, the monetary penalties were in order. The penalties were:

jbho: a reminder that many international jurisdictions do not permit bundling of consent. And that third-party marketing requires a qualified opt-in consent (i.e., say who will be doing the marketing).

Oh, and if you are being investigated for a violation, it’s probably best to cease that activity.

Also, another reminder that if you are going to source data from third parties, make sure to perform due diligence to ensure the data is collected in a fair and lawful manner. Additionally, get representations and warranties that you have consent to use that data for the desired purposes, and make sure you have well-constructed contractual agreements to make sure vendor obligations are clearly defined, and liability is appropriately distributed.

And finally, with respect to consent, ICO recommends:

October 2016

Another List Buyer Fails To Verify Consent

Lead Generation company Rainbow allegedly sent texts advertising payday loan services to lists of individuals who had recently been denied loans. Rainbow claimed it purchased lists from a broker who had obtained consent. ICO found that Rainbow’s reliance on terms & conditions in third party agreements did not constitute valid consent. Rainbow’s failure to do due diligence resulted in the violations and a fine of £20,000 (~$25,000) was warranted.

The investigation began after noting 162 complaints sent to the GSMA spam service and 12 complaints sent directly to the ICO.
https://ico.org.uk/media/action-weve-taken/mpns/1625218/r-mpn-rainbow-uk-limited-20161010.pdf

jbho: a reminder that many international jurisdictions do not permit bundling of consent. And that third-party marketing requires a qualified opt-in consent (i.e., say who will be doing the marketing).

Also, another reminder that if you are going to source data from third parties, make sure to perform due diligence to ensure the data is collected in a fair and lawful manner. Additionally, get representations and warranties that you have consent to use that data for the desired purposes, and make sure you have well-constructed contractual agreements to make sure vendor obligations are clearly defined, and liability is appropriately distributed.

September 2016

ICO Racks Up Nearly $350,000 in Tele-Spam Fines

jbho: a reminder that many international jurisdictions do not permit bundling of consent. And that third-party marketing requires a qualified opt-in consent (i.e., say who will be doing the marketing).

Also, another reminder that if you are going to source data from third parties, make sure to perform due diligence to ensure the data is collected in a fair and lawful manner. Additionally, get representations and warranties that you have consent to use that data for the desired purposes, and make sure you have well-constructed contractual agreements to make sure vendor obligations are clearly defined, and liability is appropriately distributed.

July 2016

ICO Issued Nearly £2 Million In Fines For PECR Violations Last Year

The ICO released its annual report for 2015-2016, detailing how it has dealt with data protection concerns. The report indicates ICO managed some 16,388 complaints. Particularly noteworthy is the rise in Privacy and Electronic Communications Regulation (PECR) enforcements: 17 monetary penalties totaling £1,985,000 (~$2,600,000).
https://ico.org.uk/media/about-the-ico/documents/1624517/annual-report-2015-16.pdf
jbho: the ICO has not been shy about using its recently enhanced fining power under the PECRs.

ICO Orders Survey Upsells To Cease

Legal aid firm Change and Save allegedly called numbers on the TPS without consent. The calls were made under the guise of a lifestyle survey, but were really meant to promote will-writing, funeral, & legal services. ICO ordered the firm to cease the deceptive telemarketing ‘survey’ calls.
https://ico.org.uk/media/action-weve-taken/enforcement-notices/1624601/en-change-and-save-ltd-20160708.pdf
jbho: make sure to vet any survey calls to make sure they are really surveys, and do not contain any incidental marketing or upsell content.
