ICO Enforcement Updates (PECR) - October 2023

Written By

ruth boardman module
Ruth Boardman

Partner
UK

I am based in London and co-head Bird & Bird's International Privacy and Data Protection Group. I enjoy providing practical advice and solutions to complex legal issues.

elizabeth upton module
Elizabeth Upton

Legal Director
UK

I'm a legal director in our London Privacy and Data Protection Practice working with clients in many of our key sectors.

The ICO has recently been cracking down on companies making unsolicited direct marketing calls to Telephone Preference Service (TPS) registered numbers, issuing five companies with enforcement notices and fines totalling £590,000. The enforcement notices order the companies to stop making calls to individuals registered on the TPS and to individuals who had previously objected to such calls. These companies were targeting elderly or vulnerable individuals and using pressurised sales techniques to sell white goods insurance.

The five companies which received fines are as follows:

  • SGS Home Protect Ltd (“SGS”)
  • Cover Appliance Ltd (“CAL”)
  • F12 Management Ltd (“F12M”)
  • House Hold Appliance 247 Ltd (“HHA247”)
  • RHAP Ltd (“RHAP”)

All of those listed above were found to be in breach of Regulation 21 of PECR, and CAL, F12M and RHAP were found to also be in breach of Regulation 24 of PECR.

Although generally an organisation does not need consent under PECR to make most types of live marketing calls to consumers, consent is needed if the recipient has objected or their number is listed on the TPS. The TPS is a statutory register, provided for by regulation 26 of PECR, and acts as a general objection to receiving live direct marketing calls for consumers (including sole traders and partnerships). Any phone number can be added to the list free of charge, and will take effect once the number has appeared on the register for 28 days. The organisations who wish to make live marketing calls must check phone numbers against the TPS before making the calls.

According to Regulation 21 of PECR if a number appears on the TPS, then an organisation should not call that individual unless such individual has specifically informed the organisation that they want to receive that organisation’s marketing calls, thereby overriding their general objection. PECR does not use UK GDPR consent requirements in relation to this; however, there is still a standard that needs to be met in order to override a TPS registration. In practice, this means obtaining a consent where the individual has clearly and proactively notified the caller about their willingness to receive marketing calls from that specific caller. Callers cannot rely on individuals opting into marketing communications generally (unless it is clear that it includes telephone calls) or individuals agreeing to receive marketing calls from “similar organisations”, “partners” or “selected third parties. For further ICO guidance on how to carry out direct marketing using live calls, please see here.

Regulation 24 PECR requires that organisations making live marketing calls must display their number (or a valid alternative number) to the call recipient and the number must not be withheld. In addition, the organisation must say who is calling (name of the organisation) and provide contact details or a freephone number of the organisation if requested.
Further details on the fines and enforcement notices for individual companies can be found below.

SGS Home Protect Ltd - £70k fine and enforcement notice

On 2 August 2023, the ICO issued an enforcement notice and fined SGS £70,000 for making 24,241 unsolicited marketing calls to TPS registered numbers between 1 January 2021 and 30 June 2021 in breach of Regulation 21 of PECR. The company did not present any evidence to show that any of the individuals whose numbers were registered on the TPS had informed them that they did not object to such calls being made to their numbers.

SGS were previously called Finesta Limited between 3 July 2019 and 5 October 2021, when the company name was changed.

Two complaints made in February 2021 and August 2021 named Finesta as the caller and related to attempts to set up insurance by the company via unsolicited calls. The complaints were made by relatives of the individuals, and one complaint made it clear that the call had been made to an elderly and vulnerable individual.

The Commissioner in this instance considered that SGS had deliberately contravened Regulation 21 of PECR, as they had not engaged in the investigation and therefore the absence of any evidence from the company was consistent with the fact that the contravention was deliberate. Aggravating factors considered by the Commissioner were the fact that the purpose of the marketing was to increase turnover and generate profit for the company, the high proportion of calls made to individuals whose numbers were on the TPS and the fact that the company was not registered with the Commissioner during part of the contravention period.

Cover Appliance Limited – £200k fine and enforcement notice

On 2 August 2023, the ICO issued an enforcement notice and fined CAL £200,000 for making 511,499 unsolicited direct marketing calls to individuals registered on the TPS between 1 January and 31 December 2021. This led to 9 complaints being made in total to the TPS and the Commissioner. The Commissioner found CAL in contravention of Regulations 21 and 24 of PECR.

CAL is a company that provides home appliance cover and came to the attention of the Commissioner due to an investigation that was being carried out into organisations making unsolicited calls to vulnerable individuals about white goods maintenance and warranty products.

Some complaints made it clear that calls were made to elderly and vulnerable individuals, and that some calls included the use of aggressive behaviour such as numerous unsolicited calls to the same individual in the space of a week. The ICO found that CAL did not provide evidence that the individuals did not object to being called. Rather the evidence demonstrated that CAL was making calls to elicit the consent of individuals which was contrary to Regulation 21(4).

CAL also did not provide a phone number identifying them as the caller and used different company names to prevent individuals from being able to contact the company.
The Commissioner was satisfied that this was a deliberate contravention of regulations 21 and 24 of PECR given that CAL had failed to provide a full and adequate response to the investigation.

Numerous aggravating factors were taken into account in this case including the fact that:

  • CAL targeted vulnerable individuals;
  • Calls were misleading, and in some cases, threatening; and
  • Evidence of financial gain.

F12 Management Ltd - £200k fine and enforcement notice

On 2 August 2023, the ICO issued an enforcement notice and fined F12M £200,000 for making 1,346,019 unsolicited direct marketing calls to individuals registered on the TPS between 5 August 2021 and 20 December 2021. This led to 26 complaints being made to the TPS and 41 to the Commissioner. F12M were found to be in contravention of both Regulations 21 and 24 of PECR.

F12M came to the attention of the Commissioner in the same way as CAL above. At Companies House, their Nature of Business is listed as ‘Combined office administrative service activities’.
The complaints were largely about white goods warranties, but some mentioned gutter cleaning services. Some of the complaints describe the callers as being very rude, with some of the receivers of the calls being elderly and vulnerable.

During the investigation, it became clear that prior to the initial investigation letter being sent, the company had applied to strike the company off the register. The Commissioner lodged an objection to this voluntary strike off, which was subsequently approved. This was considered in the conclusion by the Commissioner that the contravention was deliberate as, even if the company did not intend to contravene the PECR, the nature of the calls and the tactics used to avoid detection and regulatory action meant that the breach was considered deliberate. The strike off application and abusive calls were also considered to be aggravating factors in the consideration of the monetary penalty.

House Hold Appliances 247 Ltd - £55k fine and enforcement notice

On 3 August 2023, the ICO issued an enforcement notice and fined HHA247 £55,000 for making 19,069 unsolicited direct marketing calls to individuals registered on the TPS between 1 June 2021 and 30 November 2021. This led to four complaints being made.

HHA247 is described as an “appliance service and repair company, offering service plans for domestic white goods.” It also came to the attention of the Commissioner in the same way as CAL and F12M above.

Similarly to the other cases, the complaints concern calls being made to elderly and vulnerable people attempting to sell them some form of insurance.

In this case, HHL247 engaged somewhat with the investigation and claimed that it had bought call data from third party businesses that have ceased trading and assumed such data had been screened against the TPS. They admitted that they had not screened the data themselves against the TPS.

In finding that HHA247 were in contravention of Regulation 21 of PECR, the Commissioner considered that HHA247 had not deliberately set out to do this, but instead that they knew or ought reasonably to have known there was a risk that contravention would occur. Reasonable steps in the circumstances included that HH247 should have screened the data against the TPS register itself and entered into appropriate, written agreements with the third-party data providers.

An aggravating factor in this case was that HHA247 had totally failed to carry out due diligence given that the person they purchased data from claimed to represent a company that had previously been fined by the Commissioner for breaching PECR.

RHAP Ltd - £65k fine and enforcement notice

On 13 September 2023, the ICO issued an enforcement notice and fined RHAP £65,000 for making 15,288 unsolicited direct marketing calls to individuals registered on the TPS between 1 January 2021 and 31 August 2021 in contravention of Regulations 21 and 24 of PECR. This led to five complaints being made.

RHAP is a company that “provides repair, supply and support services for white goods” and also “provides service plans”.

Again, RHAP came to the attention of the Commissioner in the same way as HHA247, CAL and F12M above.

The complaints also concerned direct marketing calls being made to elderly and vulnerable people. RHAP provided two call recordings in which one of its agents names a third party as gaining permission on behalf of RHAP for the call. However, RHAP did not provide any evidence to demonstrate how that third party gained consent for RHAP to make the call.

Some of the aggravating factors considered in this case were lack of engagement and attempts to frustrate the investigation.

Latest insights

More Insights
Curiosity line yellow background

China Cybersecurity and Data Protection: Monthly Update - December 2024 Issue

17 minutes Dec 23 2024

Read More
featured image

EDPB weighs in on key questions on personal data in AI models

1 minute Dec 20 2024

Read More
Curiosity line blue background

Australia’s first standalone cyber security law – the Cyber Security Act 2024

Dec 18 2024

Read More