The multinational telecommunications company Vodafone was recently fined $12.25 million by the Italian data protection authority (DPA) for telemarketing breaches. Vodafone follows the footsteps of many companies in the EU who have been fined for their breaches of telemarketing laws.
To protect businesses embarking on telemarketing campaigns, we have set out some dos and don’ts when it comes to telemarketing campaigns to prevent businesses making the same mistakes.
How not to do it
After receiving hundreds of complaints and notifications from users regarding unsolicited calls made by Vodafone to promote their telephone and internet services, the DPA investigated matters, and found several shortcomings which breached data protection rules and contravened certain principles contained within the General Data Protection Regulation (GDPR).
The actions by Vodafone which resulted in the severe fine being imposed included:
- making unsolicited calls without the consent of the user;
- transferring contact lists obtained by Vodafone business partners (purchased from other companies) without the user’s free, informed and specific consent; and
- using fake numbers that were not registered with the National Consolidated Registry of Communication Operators (“RCO”) – suggesting the potential use of unauthorised call centres overseas.
The severity of these actions resulted in the DPA not only imposing a severe fine on Vodafone but also ordering them to implement measures to ensure the above actions are not repeated.
Vodafone is not the only company in recent times to receive monetary sanctions for a failure to comply with marketing law and GDPR. Turning to the UK – to date, of the 14 monetary sanctions imposed by the ICO in 2020, nine relate to telemarketing campaigns – totaling £1,421,000 in fines. Some of the offences included sending unsolicited emails (Studios MG Limited fined £40,000), sending unsolicited texts (Digital Growth Experts Limited fined £60,000) and making unsolicited marketing calls (Black Lion Marketing Ltd fined £171,000).
The largest fine this year imposed by the ICO in relation to telemarketing campaigns was on a Scottish company, CRDNN Limited. Over a period of four months, the company made more than 193 million automated nuisance calls, approximately 1.6 million calls per day, regarding various services which ultimately led to a fine of £500,000.
It is important to note that fines are not the only form of sanction which can be taken against a company for failures to comply with telemarketing and data protection rules. This was shown recently when the director of a marketing company was banned by the Insolvency Service for a period of six years for making over 75,500 unsolicited marketing calls. As such, not only can the company be fined but officers can also be held personally liable, thereby highlighting the seriousness of the offences.
So what should you do?
Whether you are considering carrying out or already carrying out telemarketing campaigns, it is important to be aware of the relevant data protection rules to ensure compliance. The main pieces of legislation to be aware of are the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and the GDPR.
Whether you are contemplating telemarketing campaigns or currently in the process of carrying them out, it is important to keep in mind the following points to ensure you stay compliant with data protection rules and avoid sanctions similar to Vodafone and others.
How can we help?
If you have queries in relation to telemarketing campaigns and potential liabilities under UK data protection law, please get in touch with a member of our specialist GDPR & Cyber Security team.
This article was co-written by Haris Saleem, Trainee Solicitor.