ICO Enforcement Updates (PECR) - December 2023

Written By

ruth boardman module
Ruth Boardman

Partner
UK

I am based in London and co-head Bird & Bird's International Privacy and Data Protection Group. I enjoy providing practical advice and solutions to complex legal issues.

elizabeth upton module
Elizabeth Upton

Legal Director
UK

I'm a legal director in our London Privacy and Data Protection Practice working with clients in many of our key sectors.

Three companies which offer financial services have recently been fined and issued with enforcement notices by the ICO for illegal direct marketing under PECR. The fines collectively total £170,000 and relate to contraventions of Regulations 21-24 of PECR. The overall focus of these enforcement actions highlights a number of areas such as failure to show consent (where it is required), disregard for checking the Telephone Preference Service (“TPS”) and failure to engage with the investigation. In terms of ensuring compliance, they provide a reminder of the need to include opt-outs when relying on the soft opt-in exemption; and also to specify channels for direct marketing if the consent is to be “specific”.

The three companies which received fines are as follows:

  • MCP Online Ltd
  • Argentum Data Solutions Ltd
  • Digivo Media Limited

MCP Online Ltd was found to be in contravention of Regulations 21-24 of PECR, Argentum was found to be in contravention of Regulations 22 and 23 and Digivo Media was found to be in contravention of Regulation 22.

Rules relating to unsolicited marketing phone calls

Although generally an organisation does not need consent under PECR to make most types of live marketing calls to consumers, consent is needed if the recipient has objected or their number is listed on the TPS. The TPS is a statutory register, provided for by regulation 26 of PECR, and acts as a general objection to receiving live direct marketing calls for consumers (including sole traders and partnerships). Any phone number can be added to the list free of charge, and will take effect once the number has appeared on the register for 28 days. The organisations who wish to make live marketing calls must check phone numbers against the TPS before making the calls. A similar register existing for corporate subscribers, the CTPS.

According to Regulation 21 of PECR if a number appears on the TPS, then an organisation should not call that individual unless such individual has specifically informed the organisation that they want to receive that organisation’s marketing calls, thereby overriding their general objection. PECR does not use UK GDPR consent requirements in relation to this; however, there is still a standard that needs to be met in order to override a TPS registration. In practice, this means obtaining a consent where the individual has clearly and proactively notified the caller about their willingness to receive marketing calls from that specific caller. Callers cannot rely on individuals opting in to marketing communications generally (unless it is clear that it includes telephone calls) or individuals agreeing to receive marketing calls from “similar organisations”, “partners” or “selected third parties”. For further ICO guidance on how to carry out direct marketing using live calls, please see here.

Regulation 24 PECR requires that organisations making live marketing calls must display their number (or a valid alternative number) to the call recipient and the number must not be withheld. In addition, the organisation must say who is calling (name of the organisation) and provide contact details or a freephone number of the organisation if requested.

Rules relating to unsolicited marketing emails or texts

Regulation 22 of PECR requires that organisations do not transmit or instigate the transmission of unsolicited marketing emails or texts to individuals unless they have provided their prior consent or they are an existing customer who bought (or negotiated to buy) a similar product or service from the organisation previously and the organisation gave them a simple way to opt out both at the time their details were initially collected and in every message sent (i.e. the soft opt in exemption).

Regulation 23 of PECR requires that organisations do not transmit or instigate the transmission of unsolicited marketing emails or texts to individuals where (a) the identity of the organisation on whose behalf the message has been sent has been disguised or concealed; (b) a valid opt out address has not been provided (c) where the message would breach regulation 7 of the Electronic Commerce (EC Directive) Regulations 2002 or (d) where the message encourages recipients to visit websites which contravene that regulation.

Further details on the fines and enforcement notices for the individual companies can be found below.

MCP Online Ltd (“MCP”)– Unsolicited phone calls and text messages - £ 55,000 fine and enforcement notice

On 28 September 2023, the ICO issued an enforcement notice and fined MCP Online Ltd £55,000 for contravening Regulations 21-24 of PECR as a result of making 20,939 financial services calls about pensions to CTPS or TPS registered numbers and sending 92,265 direct marketing SMS messages without satisfying the requirement of prior consent or soft opt in between 1 January 2022 and 28 September 2022.

The company came to the attention of the ICO as a result of the complaints made to the TPS in relation to unsolicited marketing calls relating to pensions in November 2021.
MCP did not provide any evidence to the ICO that it had received notifications from subscribers registered with the TPS or CTPS that they did not object to receiving such calls. It was also found that the company had failed to comply with Regulation 24 (described above) as they had not provided the relevant details to the callers.

In relation to the SMS direct marketing messages, the ICO found no evidence that MCP had obtained prior consent or could satisfy the soft opt in criteria. There were 386 spam text complaints generated via the spam text reporting tool.

In the ICO’s decision to issue the penalty, there were a number of aggravating factors such as the fact that the company had not engaged with the ICO’s investigation, the fact that MCP appeared to take steps to deliberately mask its activity (i.e. the lack of any identified operational premises) and the fact they failed to file accounts, yet set up under a slightly different name of MCP Online Group Limited which appeared to be an attempt to evade regulatory action. In addition, MCP filed a termination of appointment for an individual as a director on 23 September 2022 but backdated it to 4 January 2022 (which is contrary to the Companies Act). Unsolicited marketing activity even continued after the first investigation letter was sent.

Argentum Data Solutions (“ADS”) – Unsolicited text messages - £65,000 fine and enforcement notice

On 26 October 2023, the ICO issued an enforcement notice and fined ADS £65,000 for contravening Regulations 22 and 23 of PECR as a result of sending or allowing its lines to be used by others to send in total 2,330,423 direct marketing SMS messages between 1 January 2021 and 31 January 2022. ADS is a data processing and hosting provider that claims to be a platform that other organisations can use to send marketing messages via SMS.

The company came to the attention of the ICO after 10,242 complaints were received through the Mobile UK’s Spam Reporting Service between 1 January 2021 and 31 January 2022.
ADS did not provide any evidence of consents obtained from individuals prior to sending the direct marketing SMS messages or allowing other companies to send direct marketing SMS messages from their account. ADS referred to “legitimate interest” as the lawful basis for its actions, but this does not meet the express requirement for consent under Reg 22 PECR. As none of the SMS messages which ADS sent identified the sender of the communication, they were also found to be in contravention of Reg 23 PECR.

During the course of the investigation by the ICO, it was found that ADS had deliberately sent direct marketing SMS messages without evidencing that valid consent was received from the recipients. It was also shown that ADS allowed clients to send such communications through its account and permitted a disqualified director access to the account. Although they admitted to sending 24,309 of the messages, they denied responsibility for sending the remaining 2,306,114 messages sent by their clients which the ICO saw as a deliberate attempt to downplay the volume of SMS messages it was responsible for sending. Moreover, they purposefully failed to respond to some requests for information and in some instances provided incorrect information. All of these factors fed into the ICO decision that the breach was deliberate.

The poor cooperation in the investigation also was considered as an aggravating factor of the case, along with the fact that some of the SMS messages sent falsely claimed to act on behalf of the government.

Digivo Media Limited (“DML”) – unsolicited text messages - £50,000 fine and enforcement notice

On 3 October 2023, the ICO issued an enforcement notice and fined DML £50,000 for contravening Reg 22 PECR in transmitting and instigating the transmission of 479,017 direct marketing messages between 24 March 2021 and 7 September 2021.

DML trades as “Rid my Debt” and their website is used to help individuals find debt solutions. They came to the attention of the ICO as a result of complaints received via the SPAM reporting tool which indicated that 942 spam reports about DML had been submitted.

In a response to the initial investigation letter, both consent and legitimate interests were referenced and so it was not clear what justification DML were relying on to send these marketing messages. From an examination of the company’s privacy policy, it was clear that their intention was to rely on consent. However, it became apparent that the data collection form which asked individuals to consent to being contacted by a “trusted debt solution provider” could not be submitted without ticking the box. Therefore, customers were given no choice but to consent so any consent obtained in this way was invalid.

In addition, the statement did not give individuals an option to pick between communication channels and so consent was not “specific” and nor was it “informed” as the statement did not reference marketing at all and stated that individuals would be contacted by third party debt solution providers, not that they would receive further contact from DML. DML could not rely on the soft opt-in exemption as they did not provide individuals with the chance to opt out of future marketing at the point of collecting their personal data. The ICO found that DML did not have valid consent for 415,041 direct marketing messages which were received by subscribers.

Given the nature of DML’s business, the only aggravating factor considered was that a proportion of the individuals in receipt of marketing texts would have been financially vulnerable and that some debt management options are not always in the best interests of those suffering financial hardship.

Latest insights

More Insights
Curiosity line yellow background

China Cybersecurity and Data Protection: Monthly Update - December 2024 Issue

17 minutes Dec 23 2024

Read More
featured image

EDPB weighs in on key questions on personal data in AI models

1 minute Dec 20 2024

Read More
Curiosity line teal background

Australia’s first standalone cyber security law – the Cyber Security Act 2024

Dec 18 2024

Read More