Over the last 3 months, England & Wales has witnessed several occurrences of organisations receiving regulatory enforcement action from the data protection supervisory authority, the Information Commissioner’s Office (“ICO”), for violations of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). The ICO enforces PECR, which covers the rules for organisations wishing to make direct marketing calls, texts or emails. The ICO has issued more than £2.5 million in fines against companies responsible for nuisance calls, texts and emails since April 2023. In this blog, we have pulled together a brief note outlining some of the ICO’s recent enforcement action.
March 2024 – Pinnacle Life Limited
• On 7 March 2024, the ICO issued Pinnacle Life Limited (“PLL”) with an enforcement notice as well as a monetary penalty in relation to a serious contravention of PECR.
• Between 5 May 2021 and 5 May 2022, PLL instigated the use of a public telecommunications service for the purpose of making a minimum of 47,998 unsolicited calls for direct marketing purposes, attempting to sell life insurance, to individuals registered on the Telephone Preference Service (“TPS”). The TPS is a central register of individuals who have opted out of receiving live marketing calls.
• Individuals informed the ICO that PLL employees frequently resorted to insulting or aggressive behaviour during such calls and persisted in harassing individuals even after being asked not to contact them further.
• An investigation by the ICO found evidence to suggest attempts by PLL to continue to operate under another name and not comply with orders to cease contacting individuals.
• The ICO has instructed PLL to refrain from using or causing the use of a public electronic communications service for unsolicited direct marketing calls to subscribers who have previously indicated they do not want such calls or to those who have registered with the TPS at least 28 days prior unless they have consented to receive such calls.
• The ICO decided that a penalty of £80,000 is reasonable and proportionate given the particular facts of the case.
March 2024 – Penny Appeal
• On 1 March 2024, the ICO issued an enforcement notice to Penny Appeal for sending 461,650 spam text messages over a ten-day period. These messages were sent to a database of individuals who had never agreed to receive marketing communication from Penny Appeal.
• Penny Appeal could not provide details of the exact message volumes, so this figure is an estimate based on one text message being sent each day for ten days to a database of 52,179 customers who had never provided consent.
• The ICO instructed Penny Appeal to refrain from conducting marketing activities to existing contacts where valid consent cannot be demonstrated.
• Additionally, Penny Appeal is required to comply with regulation 22 of PECR, which prohibits the transmission of unsolicited electronic mail for direct marketing purposes, unless recipients have clearly and specifically consented to receive such communications.
January 2024 – L.A.D.H Limited
• On 19 January 2024, the ICO issued L.A.D.H Limited with a £50,000 fine for sending 31,329 direct marketing text messages to individuals in breach of regulations 22 and 23 of PECR. L.A.D.H Limited was also issued with an enforcement notice.
• Over a six-week period between March and April 2022, L.A.D.H Limited sent 31,329 text messages to individuals without consent. Most of the text messages did not offer an opportunity for recipients to opt out of receiving marketing text messages.
• Mobile UK’s Spam Reporting Service received 106 complaints from individuals who had received unwanted text messages from L.A.D.H Limited.
• During the ICO investigation, L.A.D.H Limited claimed it had received verbal assurance that the data it had received from a third party contained details of individuals who had consented to being contacted.
• The Head of Investigations at the ICO has said, “All organisations using direct marketing messages are responsible for ensuring they have valid consent to contact every recipient. Relying on third-party claims of consent, without undertaking checks, leaves organisations open to our enforcement action if it turns out that people have, in actual fact, not given valid consent to be contacted.”
• The ICO instructed L.A.D.H Limited to refrain from sending unsolicited messages for direct marketing purposes unless recipients have clearly and specifically consented to receiving such communications.
January 2024 – Poxell Ltd
• On 16 January 2024, the ICO issued Poxell Ltd with a fine of £150,000 for making over 2.6 million unlawful marketing calls between March and July 2022 to people who had registered with the TPS.
• This resulted in 413 complaints to the ICO and TPS.
• The complaints indicated that Poxell Ltd, which claimed to specialise in energy saving products such as double glazing and resin driveways, made calls to individuals with dementia and other serious illnesses. Complainants also stated that they had been called repeatedly by a “very aggressive” salesperson.
• The ICO’s investigation found that Poxell Ltd had purchased several telephone lines to avoid detection. Poxell Ltd did not engage with the ICO’s investigation and continued to make unlawful marketing calls until their account was finally terminated by their communications service provider.
• Poxell Ltd also failed to identify themselves, allow their number to be displayed to the person receiving the call or provide a contact address or freephone number if asked.
• As well as the £150,000 fine, the ICO issued Poxell Ltd with an enforcement notice to refrain from using a public electronic communications service for the purposes of making unsolicited calls for direct marketing purposes where the called line is an individual who has previously notified Poxell Ltd that such calls should not be made on that line or an individual who has registered with the TPS.
January 2024 – Skean Homes Ltd
• On 16 January 2024, the ICO issued Skean Homes Ltd with a fine of £100,000 for instigating 614,342 unsolicited direct marketing calls in breach of regulations 21 and 24 of PECR.
• Between March and May 2022, Skean Homes Ltd made 614,324 calls to individuals registered with the TPS. This resulted in 31 complaints.
• Skean Homes Ltd refused to take any responsibility for the unlawful marketing calls and claimed that they had allowed their lead generation provider to temporarily use their caller identities and that TPS checks failed due to a technical error.
• The ICO’s investigation found no evidence that a third party was using the caller identities when the unsolicited calls were made.
• The Head of Investigations at the ICO said, “These fines should send a clear message that companies cannot use third parties or multiple phone numbers to avoid detection and taking responsibility for illegal calls. We will take decisive action to ensure the public are protected from nuisance marketing.”
January 2024 – Grocery Delivery E-Services UK Ltd trading as HelloFresh
• On 12 January 2024, the ICO fined Grocery Delivery E-Services UK Ltd trading as HelloFresh £140,000 for a campaign of 79 million spam emails and 1 million spam texts over a seven-month period.
• The marketing messages were sent based on an opt-in statement which did not make any reference to the sending of marketing via text and which was also bundled with an age confirmation statement. The statement said, “Yes, I’d like to receive sample gifts (including alcohol) and other offers, competitions and news via email. By ticking this box I confirm I am over 18 years old.” This statement was likely to unfairly incentivise customers to agree.
• Customers were also not given sufficient information regarding the length of time their data would be used for marketing purposes and specific channels to be used.
• The ICO determined that HelloFresh’s direct marketing statement failed to meet the requirement that it be “specific” and “informed”, did not mention text messaging, was unclear and tied to other aspects of the subscription services.
Aria Grace Law CIC
The recent ICO enforcement actions highlight the significant consequences of PECR violations, emphasising the importance for businesses to prioritise compliance with direct marketing laws.
At Aria Grace Law CIC, our dedicated data privacy and marketing team possesses the knowledge and expertise to guide businesses through the complexities of compliance, ensuring adherence to PECR in the UK and in several other jurisdictions in the world. If you’re seeking comprehensive assistance in safeguarding your operations from potential penalties, please don’t hesitate to reach out to us at privacy@aria-grace.com.
Article by Puja Modha (Partner) and Sarah Davies (Trainee Solicitor) – 2 April 2024