ICO Enforcement Updates (PECR) – September 2023

Written By

ruth boardman module
Ruth Boardman

Partner
UK

I am based in London and co-head Bird & Bird's International Privacy and Data Protection Group. I enjoy providing practical advice and solutions to complex legal issues.

elizabeth upton module
Elizabeth Upton

Legal Director
UK

I'm a legal director in our London Privacy and Data Protection Practice working with clients in many of our key sectors.

This Is The Big Deal Limited - Unsolicited Emails and Text Messages - £30,000 fine

On 3 August, the ICO fined This is the Big Deal Limited (“TBDL”) £30,000 for sending or instigating the sending of around 40 million unsolicited marketing emails and 1.5 million unsolicited marketing text messages in breach of Regulation 22 and 23 of PECR respectively. TBDL provides energy switching services to consumers under the trading name “Look after my bills”.

Regulation 22 of PECR requires that organisations do not transmit or instigate the transmission of unsolicited marketing emails or texts to individuals unless they have provided their prior consent or they are an existing customer who bought (or negotiated to buy) a similar product or service from the organisation previously and the organisation gave them a simple way to opt out both at the time their details were initially collected and in every message sent (i.e. the soft opt in exemption).

Regulation 23 of PECR requires that organisations do not transmit or instigate the transmission of unsolicited marketing emails or texts to individuals where (a) the identity of the organisation on whose behalf the message has been sent has been disguised or concealed; (b) a valid opt out address has not been provided (c) where the message would breach regulation 7 of the Electronic Commerce (EC Directive) Regulations 2002 or (d) where the message encourages recipients to visit websites which contravene that regulation.

Mobile users can report the receipt of unsolicited marketing texts to Mobile UK’s Spam Reporting Service and the ICO is provided access to this data which is used to identify organisations in breach of PECR.

In this case, TBDL came to the attention of the ICO as a result of this complaints data from Mobile UK where over 1000 complaints had been received in respect of “Look after my bills” texts between June 2020 and March 2021. The ICO’s reporting line had also received 3 complaints about “Look after my bills” text messages. The ICO conducted a separate search for email complaints and found that 30 complaints had been received about unsolicited emails apparently sent by or at the instigation of TBDL between 24 June 2020 and 27 March 2021 – a number of these complaints related to emails sent on TBDL’s behalf by an affiliate marketing company called Opportunity Online Group Ltd (“OOG”).

The ICO sent an initial investigation letter to TBDL on 27 April 2021 and in response, TBDL confirmed that it had sent all the text messages itself along with 13 of the 30 emails complained about. The remaining emails were sent by a German affiliate called Audience Serv GmbH (“ASG”) and/or by affiliates of ASG. TBDL understood that OOG was an affiliate of ASG.

Firstly, TBDL confirmed that where it had sent the emails and texts itself, it had collected the data directly from the customers on its own website. The website invited customers to provide their email address and postcode to receive a quote and also to provide their consent to be sent “occasional emails with incredibly helpful money saving tips.” However, there was no request to provide telephone numbers at this step and no mention of text marketing (either in the consent wording or in the linked privacy policy). If the customer clicked to receive a quote, then additional personal details (including a telephone number) were then requested but no further mention was made of any unsolicited marketing by text.

TBDL further confirmed that customers could opt out of (i) marketing emails either by clicking the unsubscribe link in the email or contacting customer services; and (ii) marketing texts either by replying STOP or contacting customer services. However, TBDL acknowledged that 2 text marketing campaigns had failed to include any opt out mechanisms due to human error and incorrectly designating the messages as service messages. Following the ICO’s investigation TBDL stopped sending unsolicited direct marketing messages by text and implemented various improvements to its processes to bring them in line with the law.

The ICO found TBDL to be in breach of Regulation 22 in respect of the unsolicited text messages because the individuals providing consent were unable to specify the method by which they might wish to receive marketing and specifically, the TBDL website only referred to email marketing – as such the consent was not valid. Moreover some of these text messages also contravened Regulation 23 because a valid opt out had not been provided.

Secondly, TBDL confirmed that where the affiliates had sent the marketing emails, they had either obtained data directly from individuals or from other third parties and that ASG acted at arms length to TBDL, exercising its own judgement and discretion when determining to whom marketing messages are sent. As such, TBDL argued that it was not responsible for ASG or its affiliates’ marketing activities and was unable to provide evidence of consent for the emails as this information was held by the affiliates. TBDL did however provide the creative content for the emails (and also paid ASG for each approved sale).

The ICO disagreed with TBDL’s arguments on this point and found that the arrangement that TBDL had in place with ASG did constitute “positive encouragement” and “something more than the mere facilitation of the action concerned” and that as such, TBDL was the instigator of the messages and was therefore responsible for ensuring that valid consents for sending the messages had been obtained.

In this case, the consents were indirect as TBDL was relying on its affiliates to obtain the contact details to use for sending direct marketing related to TBDL. ICO guidance states that “indirect consents will not be sufficient for emails, texts or automated calls. This is because the rules on electronic marketing are stricter, to reflect the more intrusive nature of electronic messages.” However indirect consent may be valid if it is specific and clear enough. When evidence of the consents being relied upon was finally provided to the ICO as part of the investigation, the ICO found that they were invalid for a number of reasons including the fact that ASG was not named on any of the websites operated by third parties, TBDL was not specifically named on any of the websites including the website operated by ASG, the consent was not granular enough, the data was old and users were required to agree to marketing from companies operating in numerous different sectors. The ICO also criticised TBDL for failing to carry out rigorous checks on its affiliates as to how the consents were obtained. As such, the ICO took the view that TBDL was in breach of Regulation 22 in respect of the email marketing carried out by ASG and its affiliates.

It is worth noting that the ICO’s original proposed fine for these breaches was £150,000 but mitigating factors (such as the fact that it updated its notices and opt outs, provided staff refresher training, ended its SMS marketing campaigns and its relationship with ASG) and the weak financial status of TBDL led to the penalty being reduced to £30,000 (which could be reduced further to £24,000 if paid by 4 September).

To read more please see the enforcement notice published on the ICO's website.

Latest insights

More Insights
Curiosity line yellow background

China Cybersecurity and Data Protection: Monthly Update - December 2024 Issue

17 minutes Dec 23 2024

Read More
featured image

EDPB weighs in on key questions on personal data in AI models

1 minute Dec 20 2024

Read More
Curiosity line blue background

Australia’s first standalone cyber security law – the Cyber Security Act 2024

Dec 18 2024

Read More