The Information Commissioner’s Office (“ICO”) has taken enforcement action against fourteen companies for sending unsolicited marketing communications whether through unsolicited calls, text messages, or emails this year. This equates to almost 93% of the ICO’s enforcement action this year with the fines totaling £972,000. The list includes a number of high-profile names such as The Money Hive Limited and Royal Mail Group.
These enforcement actions follow on from the ICO’s thirty-three enforcement actions taken last year for similar acts of non-compliance. As such, there is a clear priority for the ICO to tackle the issue of unsolicited direct marketing and organisations must ensure they carry out direct marketing in a compliant manner to avoid joining the long list of companies which have been fined.
Examples from 2022:
As noted, the ICO has already taken enforcement action against fourteen companies for sending unsolicited marketing communications. Some examples include:
- Home2sense Limited: this company has received the largest fine this year to date at £200,000. The Welsh home improvement company was fined for making over half a million (675,478) unsolicited marketing calls (also referred to as ‘nuisance calls’) between June 2020 and March 2021 to individuals who were registered on the Telephone Preference Service (TPS).
- UK Platinum Home Care Service Ltd: this company was fined £11,000 for making over 400,000 unsolicited calls for marketing purposes targeted at elderly individuals. This is one of a series of fines against companies who target older, vulnerable individuals with unsolicited direct marketing calls and messages. The other companies include: Domestic Support Ltd (fined £80,000), Home Sure Solutions Ltd (fined £100,000), Seaview Brokers Ltd (fined £15,000), and UK Appliance Cover Ltd (fined £100,000).
- Royal Mail Group Limited: the multinational postal service was fined £20,000 for sending more than 300,000 nuisance emails to individuals who had already opted out of receiving direct marketing.
- The Money Hive Limited: this company was fined £50,000 for sending over 750,000 unsolicited marketing text messages to subscribers without their consent which resulted in over 1,300 complaints to the ICO.
What were these are businesses doing wrong?
The main law in the UK dealing with electronic direct marketing is the Electronic Communications (EC Directive) Regulations 2003 (“PECR”). Importantly, PECR rules only apply to ‘unsolicited’ electronic marketing messages to individuals and will not prevent a business providing information which someone has asked for.
Unsolicited direct marketing calls - PECR does, however, prohibit making unsolicited calls for direct marketing purposes where the person called has previously notified the organisation that it does not want to receive calls and or has added their telephone number to the telephone preference register.
Direct marketing by e-mail - PECR also prohibits the use of unsolicited communications for the purposes of direct marketing by means of electronic mail unless the following applies:
- the recipient of the electronic mail has previously notified the sender that they consent to such communications being sent by the sender; or where
- a business has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;
- the direct marketing is in respect of that person’s similar products and services only; and
- the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of their contact details for the purposes of such direct marketing.
If either of the above instances apply, this will not be considered unsolicited direct marketing.
The two key areas in which businesses fail to comply with is:
- making unsolicited calls to those who have added their number to the telephone preference register, and
- failing to provide a means of refusal which is part of the second justification for sending marketing emails.
In relation to the former, PECR is clear in that a business should not make unsolicited communications to those recipients who have notified the business that they do not want such communications. The ICO confirms that this includes individuals who are registered on the TPS. The TPS is a central register of individuals who have opted out of receiving direct marketing calls and such individuals must not be contacted unless they have notified a business that they do not object to receiving such calls. As highlighted in the Home2sense Limited fine, failing to cross-check the TPS database before direct marketing could have significant consequences.
In relation to the latter, businesses must remember that whilst consent may be given at a specific time, the recipient should always have the right to withdraw their consent. For email, this often comes in the form of unsubscribe boxes. However, it is not only important that businesses provide a means of refusal, but it is equally important for businesses to monitor and comply with such refusals. This was highlighted in 2021 when American Express was fined £90,000 for sending out over four million marketing emails despite customer’s opting out. Therefore, not monitoring opt-out mechanisms can be just as costly as direct marketing without consent in the first place.
Some key things that businesses should keep in mind:
- Be aware of PECR and data protection rules in relation to direct marketing campaigns.
- Only make marketing calls where a recipient has not notified the business that it does not wish to receive such calls and only send marketing emails where the business has consent (or the business already holds contact details from a previous sale or negotiations, it relates to a similar product/service and a means of refusal is available).
- Ensure an opt-out mechanism which is monitored is in place and any opt-out requests are complied with.
- Cross-check the TPS database prior to carrying out direct marketing calls and ensure any numbers on the database are not contacted.
- Seek legal advice if you are unsure.
How can we help?
For further information on telemarketing campaigns including how to ensure you comply with data protection legislation, please get in touch with a member of our specialist Data Protection & Cyber Security team.
This article was co-written by Haris Saleem, Trainee Solicitor.