The Information Commissioner's Office (ICO), the data protection authority of the United Kingdom (UK), has once again fined a company for non-compliance with the regulations governing direct marketing in the UK. Tempcover Ltd was fined £ 85,000 on 9 February 2022 by the ICO and thus joins a growing list of companies: Home2sense Limited was fined £ 200,000 on 2 February 2022, Energy Suite Limited was fined £ 2,000 on 20 January 2022, Northern Gas & Power Ltd was fined £ 75,000 on 17 December 2021, and the list goes on.
The ICO is on a roll and does not shy away from handing out large fines for breaches of the direct marketing rules. This article shall illustrate the common errors leading to such fines, how to avoid them and consequently how to conduct compliant direct marketing in the UK. The ICO also handily provides a guide to direct marketing.
Update, 28 March 2022: Five companies have been fined a total of £ 405,000 by the ICO for making over 750,000 unwanted marketing calls targeted at older, vulnerable people. We examine what may be learned from these latest fines by the ICO below.
Update, 8 March 2022: The ICO fined Royal Mail Group Limited (“Royal Mail”) £ 20,000 for unlawfully sending individuals emails for direct marketing purposes. In this update, we examine the implications of this latest fine by the ICO, and slot the lesson in with the considerations already gathered below.
Direct marketing regulations
Direct marketing is defined in Section 122(5) of the Data Protection Act 2018 (DPA 2018) as follows:
“the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”.
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) adopt this definition. Regulations 21 and 22 of the PECR apply to unsolicited direct marketing in the UK. Regulation 21 covers “unsolicited calls for direct marketing purposes”, while Regulation 22 of the PECR governs “unsolicited communications for the purposes of direct marketing by means of electronic mail”. “Electronic mail” is defined as “any text, voice, sound or image message sent over a public electronic communications network” (Regulation 2(1) of PECR), meaning SMS, MMS, WhatsApp messages, emails, etc.
The core of the Regulations is thus that they govern unsolicited communications regarding direct marketing. The Regulations shield not only individuals, but also limited companies, public limited companies and Scottish partnerships from unsolicited direct marketing. This article shall refer to these entities and individuals collectively as individuals.
Direct marketing calls
When individuals do not want you to call them
A company may not call an individual if that individual has previously notified the company that they do not welcome marketing calls. If a number in the UK is registered with the Telephone Preference Service Ltd (TPS) or the Corporate TPS (CTPS), no marketing calls may be made to it, unless the individual has expressly notified the company that they do not object to its calls, or the number has been listed with the TPS for less than 28 days before the call.
Thus, numbers not registered with the TPS may be called once, and if no negative reaction is received, may be called again. Numbers registered with the TPS require express consent or recent registration before they may be called at all. In all instances data protection principles apply as personal data is being processed.
When vulnerable individuals do not want you to call them
Domestic Support Ltd (DSL), Home Sure Solutions Ltd (HSSL), Seaview Brokers Ltd, UK Appliance Cover Ltd, and UK Platinum Home Care Services Ltd were all fined by the ICO for breaches of the PECR. The nature of the breaches varied, from calling numbers registered with the TPS without consent, to being unable to prove that consent was provided, because the numbers were acquired from third parties without conducting due diligence. The common denominator for the breaches is that the calls targeted individuals over the age of 60. The ICO judged this to demonstrate “the deliberate targeting of a potentially vulnerable portion of society” which it deemed “predatory”. It thus considered such targeting as an “aggravating feature” which raised the monetary fine each company received significantly. These fines indicate that if the PECR is breached, whether deliberately or negligently, the intention behind the direct marketing campaign will have a bearing on the amount of the fine received, if any. Doubtful intentions may lead to higher fines.
When individuals may want you to call them
Energy Suite Limited was fined by the ICO for violating Regulation 21 of the PECR by calling numbers listed on the TPS without consent. Energy Suite Limited had purchased some of the numbers it called from third parties and believed these numbers had been pre-screened to assess whether they appeared on the TPS register. This was not the case and the ICO's investigation confirmed that Energy Suite had made 1,202 calls to numbers registered with the TPS. The most recent registration was 89 days before the call in question. The ICO calculated that 36.5% of the calls made were to customers who had been registered with the TPS (and for at least 28 days by the time of the call), and Regulation 21 had thus been breached.
The first lesson to be learned here is thus: Do your due diligence on your data supplier, especially when purchasing telephone numbers from third parties. You need to ensure the numbers truly are not TPS registered; only then will the first direct marketing call be legally allowed. Whether a second call will be permissible depends on the reaction to the first.
When individuals do want you to call them – record it
Energy Suite Limited had acquired some of the numbers it called through its website, and indicated to the ICO that the individuals had notified Energy Suite Limited that they did not object to direct marketing calls. Another one of Energy Suite Limited's fatal errors was that it was unable, when asked by the ICO, to provide any details of the direct marketing calls made via website leads. It had argued that, while the numbers it had called were listed on the TPS, some of those individuals had opted into marketing calls by Energy Suite Limited when submitting an enquiry on Energy Suite Limited’s website. It could not, however, provide the details of those calls.
The second lesson here is thus: While consent, or a notification that they did not object, may have been given, that consent or notification must be recorded in detail, the details of the calls made based upon such consent or notification recorded, and the records provided to the ICO when asked.
When individuals do want you to call them – make sure they really do
Even if Energy Suite Limited could have provided the ICO with the requested records of consent or notifications, it is doubtful whether such consent or notifications would have been considered valid under Regulation 21(4) PECR. In order for a notification to be valid an individual must have taken a positive action to override their TPS registration and indicate their willingness to receive, specifically, marketing calls from that exact company. The notification should reflect the individual’s choice about whether or not they are willing to receive marketing calls. Therefore, if Energy Suite Limited's contact or enquiry form on its website did not make it expressly clear that individuals were signing up to receive marketing calls from Energy Suite Limited, then no clear and positive notification of the individual’s willingness to receive such calls was given.
The third lesson is thus: When gathering notifications of an individual’s willingness to receive direct marketing calls, ensure that the individual provides the consent through a positive action, such as ticking a box, and the consent is specifically given for marketing calls from that particular company.
When individuals do want you to call them – do not give them a fake name
Home2sense Limited was, amongst other reasons, fined for violating the information requirements imposed by Regulation 24 of the PECR. According to Regulation 24 when making a direct marketing call, the caller must provide their name, and upon request, their address or a telephone number on which they can be reached free of charge.
The fourth lesson is thus: When making direct marketing calls, give them your name and have either an address or a free telephone number available where you can be reached.
Direct marketing electronic mail
When individuals do not want to hear from you
Unless one of the exceptions to the prohibition applies, Regulation 22 of PECR prohibits the transmission, or the instigation of the transmission, of unsolicited direct marketing by means of electronic mail. There are two exceptions to this prohibition: (1) consent by the recipient or (2) a so-called soft opt-in by the recipient. Tempcover Ltd was fined by the ICO as it neither had individuals' consent to send them text messages and emails, nor fulfilled all three criteria for the soft opt-in. It had fulfilled only two of the three and thus could not avoid a £ 85,000 fine.
When individuals do not want to hear from you – ensure they do not
The most recent fine issued by the ICO to Royal Mail demonstrates the importance of putting in place internal processes which ensure that individuals who have not provided consent, or who have expressly opted out, do not mistakenly receive emails for direct marketing purposes. These processes also ensure that the risks of fines and complaints are managed and mitigated. Royal Mail accidentally, due to human error and lack of proper processes, sent direct marketing emails to 215,202 individuals without the required valid consent to do so. The ICO considered whether Royal Mail had sent the emails negligently and concluded that it had done so.
Royal Mail was held to have known or ought to have reasonably known that there was a risk that these contraventions would occur. The ICO concluded this, as Royal Mail stored data of all individuals, regardless of whether they had provided consent for direct marketing or not, on the same system. Given the danger of human error, the ICO determined that Royal Mail ought to have been aware of the risk of direct marketing emails being sent to individuals who had opted out of marketing communications.
The ICO also considered whether Royal Mail had failed to take reasonable steps to prevent the contraventions. It concluded that it had failed, as Royal Mail used more effective processes which mitigate the risk of human error for other campaigns, yet failed to take those same steps for this campaign.
The lesson here is thus: Companies must put in place proper processes which ensure that individuals do not mistakenly receive direct marketing messages for which no valid consent or exception exists. The ICO will not refrain from handing out fines merely due to direct marketing messages being sent accidentally, unless a company has taken all the steps it can and implemented the proper processes to prevent such an accident. Only when those processes are in place can they act as a buffer to accidental violations of the PECR.
When individuals may want to hear from you
An exception to the general prohibition against direct marketing via electronic mail is a rule regarding existing customers, known as the soft opt-in. Marketing texts or emails may be sent if:
- the contact details of the recipient have been obtained in the course of a sale (or negotiations for a sale) of a product or service to that person;
- the texts or emails are only marketing the company's own similar products or services; and
- the recipient is given an opportunity to refuse or opt-out of the marketing, when their contact details are collected and in every received marketing text or email thereafter.
Tempcover Limited fulfilled the first two requirements, yet bungled the last. It sent text messages and emails to individuals who had entered their details on Tempcover’s website in order to obtain a quote for insurance. When filling in the request for a quote individuals had the opportunity to click on a link leading to Tempcover's terms and conditions and privacy policy. These stated that if a request for a quote was submitted an individual automatically consented to the terms and conditions and privacy policy, and thus, to receiving direct marketing material. Information on how to opt-out was given in the terms and conditions and privacy policy, but was not included in the direct marketing sent.
The first lesson to learn from Tempcover Limited's example is thus: When relying upon a soft opt-in provide individuals with a simple means of refusing the use of their contact details for direct marketing at the time that the details are initially collected, and every time direct marketing material is sent.
When individuals do want to hear from you
Tempcover Limited was unable to base its marketing text messages and emails on consent. An individual’s mandatory agreement to terms and conditions and privacy policies when an individual asks for a quote over a website, cannot be taken to be valid consent. The ICO confirmed such consent was neither freely given, nor specific, and thus could not meet the definition of consent, which at the time was contained in Article 4 (11) of the Regulation 2016/679 (the GDPR). This definition has been taken over word for word in the UK GDPR, and thus still applies.
The second lesson to be learned is thus: Consent must be freely given, specific, informed and an unambiguous indication through a statement or a clear affirmative action. An individual must, through a positive action, such as ticking a box, clearly indicate that they wish to receive marketing emails and/or text messages from a specific company.
Conclusion: listen and respect their choices
Any company considering direct marketing in the UK should take heed of the fines the ICO has imposed, and only begin direct marketing once the requirements outlined above are met. An individual is given a choice to receive direct marketing or not. Once an individual has exercised that choice, companies need to respect it. An important part of that is ensuring the proper internal processes are in place to avoid accidentally sending direct marketing messages.
No direct marketing may be sent to individuals who have clearly not given consent, unless an exception such as the soft opt-in applies. Where an exception has been used to send direct marketing material, an individual’s clear wish to not receive any further material must also be respected. Any breach of the requirements may be met by fines by the ICO and reputational damage to the company.