This is the second of three reports reviewing the Information Commissioner's regulatory activity for 2017. This report will deal with breaches of the Privacy and Electronic (EC Directive) Regulations 2003 (PECR).
The purpose of the reports is to provide an in-depth review of ICO regulatory activity in a specific area. Each report can be read in depth or used as a reference.
The PECR deals with unsolicited marketing by telephone (also known as nuisance calls) and marketing by facsimile, emails and texts (also known as spam emails and texts).
The ICO has set up a bespoke team of investigators to deal with unsolicited marketing complaints from members of the public. There were 29 monetary penalties issued by the ICO in 2017 for breaches of the PECR. The total amount of fines was over £4 million and the highest fine was £400,000.
Many organisations use direct marketing by voice, text and email to advertise their products and services. It is important that they do so within the law. The ICO has produced guidance to assist organisations to ensure that their marketing campaigns are lawful.
To understand what is and isn’t permitted it is necessary to be aware of what the PECR says and some of the key definitions.
The regulations cover automated marketing calls, marketing by facsimile, calls and electronic mail (text, voice, sound or image message). Following an outline of the regulations there will be a review of some of the ICO’s regulatory action for breaches of the regulations.
In most cases organisations will need to have prior consent to send people marketing information by calls, email and text messages. Organisations will need to be able to demonstrate that consent was knowingly and freely given and that it was clear and specific. Records should be kept of how consent was obtained. The ICO recommends the use of opt-in boxes.
The short case studies of PECR breaches are, not surprisingly, all to do with unsolicited marketing where organisations have not taken the consent requirement of electronic marketing seriously.
Direct marketing is defined as ‘the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals’.
Section 55A (1) of the DPA (as amended by PECR 2011 and the Privacy and Electronic Communication (Amendment) Regs 2015) gives the Information Commissioner the power to serve a monetary penalty where there has been a serious contravention of the PECR and the contravention was deliberate, or the person knew or ought to have known that there was a risk the contravention would occur and he failed to take reasonable steps to prevent the contravention.
The maximum fine is the same as that for breaches of the DPA, £500,000. The Commissioner does not have to show that substantial distress was caused to individuals.
Regulation 19 PECR Use of automated calling systems.
1) A person shall neither transmit, nor instigate the transmission of, communications comprising recorded matter for direct marketing purposes by means of an automated calling system except:
2) Where the called line is that of a subscriber who has previously notified the caller that for the time being he consents to such communications being sent by, or at the instigation of, the caller on that line.
3) A subscriber shall not permit his line to be used in contravention of paragraph (1).
4) An automated calling system is a system which is capable of:
a) Automatically initiating a series of calls to more than one destination in accordance with instructions stored in that system; and
b) Transmitting sounds which are not live speech for reception by persons at some or all the destinations so called.
Regulation 20 PECR – Use of facsimile machines for direct marketing purposes.
1) A person shall neither transmit, nor instigate the transmission of, unsolicited communications for direct marketing purposes by means of a facsimile machine where the called line is that of:
a) an individual subscriber (except where he consents)
b) a corporate subscriber notified that communications should not be sent
c) or a subscriber whose number is listed in the register (reg 25).
Regulation 25 refers to a requirement that OFCOM shall maintain a register of numbers allocated to subscribers who have notified them that they do not wish to receive unsolicited calls for direct marketing purposes by facsimile machines. The Facsimile Preference Service (FPS) is a company set up by OFCOM to carry out this role.
Regulation 21 PECR Unsolicited calls for direct marketing purposes.
1) A person shall neither use, nor instigate the use of, a public electronic communications service for the purpose of making unsolicited calls for direct marketing purposes where:
a) the called line is that of a subscriber who has previously notified the caller that such calls should not for the time being be made on that line; or
b) the number allocated to a subscriber in respect of the called line is one listed in the register kept under regulation 26.
Regulation 26 refers to a requirement that OFCOM maintains a register of numbers allocated to subscribers who have notified them that they do not wish to receive unsolicited calls for direct marketing purposes. The Telephone Preference Service (TPS) is a company set up by OFCOM to carry out this role.
Regulation 22 PECR – Use of electronic mail for direct marketing purposes.
1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers.
2) A person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.
3) A person may send or instigate the sending of electronic mail where:
a) That person has obtained the contact details of the recipient in the course of the sale or negotiations for the sale of a product or service.
b) The direct marketing is in respect of that person’s similar products and services only AND
c) The recipient has been given a simple means of refusing the use of his contact details for direct marketing.
Electronic mail is defined in regulation 2(1) PECR as ‘any text, voice, sound or image message sent over a public telecommunications network which can be stored in the network or in the recipient’s terminal equipment and includes messages sent using a short message service’.
Regulation 23 PECR Use of electronic mail for direct marketing purposes where the identity or address of the sender is concealed.
1) A person shall neither transmit, nor instigate the transmission of, a communication for the purpose of direct marketing by means of electronic mail:
a. Where the identity of the person on whose behalf the communication has been sent has been disguised or concealed; or
b. Where a valid address to which the recipient of the communication may send a request that such communications cease has not been provided.
Regulation 24 PECR Information to be provided for the purposes of regulations 19, 20 and 21.
1) Where a public electronic communications service is used for the transmission of a communication for direct marketing purposes, the person using, or instigating the use of, the service shall ensure the following information is provided (automated calling and facsimile: 2(a) and (b); telephone calls: 2(a) and, if the recipient so requests, 2(b)).
2) a. The name of the person
b. Either the address of the person or a telephone number on which he can be reached free of charge.
GSMA Spam reporting service
Mobile telephone users can report the receipt of unsolicited marketing text messages to GSMA by forwarding the message to 7726 (this spells SPAM on the dial pad).
The monetary penalties issued by the ICO in 2017 are a combination of breaches of regulations 19, 21 and 22 of PECR.
Below is a summary of some of the penalties issued, each with a comments section.
Monetary Penalties issued by the ICO in 2017 under PECR 2003.
1 Regulation 19 Breaches automated calls.
1 Road Accident Consult Ltd trading as Media Tactics £270,000.
The company generates leads relating to PPI refund claims. The Information Commissioner received 182 complaints about unsolicited automatic calls made from the company telephone numbers. The ICO found that between 13th November 2014 and 9th June 2015 the company had made over 22 million automated direct marketing calls. The company told the ICO that it had purchased data which had been screened against the TPS. When the ICO looked at those companies that had supplied the telephone numbers of the complainants the ICO discovered that they had come from pay day loan and insurance brokers. Many of the privacy notices on the identified websites were unspecific. For example, ‘We may share your details with third parties whose offers we think might interest you.’ The ICO found that most of the privacy notices did not refer to the data being used for automated direct marketing calls.
This was clearly not a case of consent having been freely given, specific and informed. There was no evidence of a positive indication signifying the individual’s agreement. The ICO has said many times that informing individuals that their details will be shared with unspecified third parties will never amount to freely given consent. Indirect consent of this nature will probably always lead to regulatory action. This company was also criticised for failing to undertake proper due diligence. This resulted in a very serious fine.
2 Keurboom Communications Ltd (KCL) £400,000
KCL provides telephony services to companies to generate sales leads. Between April 2015 and June 2016 the ICO received 1,036 complaints about automated marketing calls. The calls had been made in relation to road traffic accidents and PPI claims. Some of the complainants had received repeat calls. The ICO investigation discovered that some 99,535,654 outbound calls had been made using lines allocated to KCL without the prior consent of the subscribers. The ICO concluded that KCL deliberately sent or instigated automated marketing calls to subscribers on a massive scale. This was the biggest monetary penalty ever issued by the ICO.
KCL did not appear to have obtained prior consent before sending the automatic calls. Nor were they able to demonstrate that consent had been knowingly and freely given and was clear and specific.
Also, some calls were repeated and some calls were made in what the ICO terms anti-social hours. The level of the fine reflects how seriously the ICO viewed this breach.
2 Regulation 21 Breaches nuisance calls.
1 Myhome Installations Ltd. £50,000
Myhome provides home security and electrical installation products and services to the public. Many complaints had been made by subscribers registered with the TPS about unsolicited direct marketing telephone calls. The ICO investigation revealed that Myhome had made 169 unsolicited calls for direct marketing purposes to subscribers whose number was listed with TPS. The ICO was satisfied that Myhome had not carried out thorough due diligence checks by screening the data against the TPS register.
An interesting aspect to this case is the ICO assertion ‘it is reasonable to suppose that considerably more calls were made by the company because those who went to the trouble to complain are likely to represent only a proportion of those who actually received calls.’
The other interesting aspect to this case is the ICO view that because Myhome relied on direct marketing as part of its core business it should have been more aware of its responsibilities in this area. They had failed to keep clear records to demonstrate consent and their due diligence was poor, especially in screening against the TPS register.
2 H.P.A.S. Ltd t/a Safestyle UK. (HPAS) £70,000
HPAS's business involves making marketing calls to subscribers to sell its products and services, which include windows and doors. Between May 2015 and December 2016 the ICO received 264 complaints about unsolicited marketing calls. All the complaints were made by subscribers who were registered with the TPS. Many had received repeat calls.
HPAS told the ICO that it did not screen against the TPS and said that it operated a suppression list. HPAS said that screening against TPS would prevent it from contacting customers who had invited contact for quotation and sales purposes. The ICO commenced a monitoring program with HPAS to ascertain if there was a reduction in complaints recorded. Even so complaints continued to be received by the ICO. The ICO was satisfied that HPAS did not take reasonable steps to prevent the contravention.
Organisations must screen their marketing lists against the TPS database and this should be recorded. Subscribers who register with TPS have to wait 28 days before their registration is effective. In other words there is a 28 day grace period. It is possible that a subscriber may be called for marketing purposes within this period. The ICO was satisfied that the 264 complainants were subscribers who had registered with the TPS at least 28 days prior to receiving the calls.
In this case the ICO once again made the assertion ‘it is reasonable to suppose that considerably more calls were made by the company because those who went to the trouble to complain are likely to represent only a proportion of those who actually received calls.’
3 True Telecom Ltd. (TT) £85,000
TT’s business involves the provision of telephony services to business and residential customers. These include broadband, line rental and calls and mobile sim only plans. Between April 2015 and April 2017 the ICO received 201 complaints through the TPS about unsolicited direct marketing calls. All the complainants were registered with the TPS. Some calls had been made from a withheld number and the calls were misleading because they gave the impression that they were made by BT Openreach. The ICO investigation revealed that TT was unable to provide any evidence of consent for the calls made to the customers who had complained. TT told the ICO that it used TPS screening software but some data had been made available to the sales team that had not been subject to TPS screening. The ICO were of the view that TT had failed to take reasonable steps to prevent the contravention.
This was clearly a significant fine which involved 201 complaints, although once more the ICO stated that it was likely that considerably more calls had been made because the complainers are likely to represent only a proportion of those who actually received calls. Again, with voice calls organisations must take note of the ICO guidance and must ensure that they have screened against the TPS and that they can evidence consent.
3 Regulation 22 Breaches electronic mail.
1 Lad Media Ltd. £50,000.
The Company is a lead generation and data brokerage business. It operates in the financial services, debt management and consumer claims sector.
Between 6th January 2016 and 10th March 2016 complaints were made to the GSMA and the ICO about the transmission of unsolicited communications by electronic mail to individual subscribers. The ICO investigation discovered that the company had instigated the transmission of 393,872 text messages. The ICO was also satisfied that the company did not have the consent (within the meaning of regulation 22(2)) of the subscribers to whom it sent the messages.
Lad Media instigated the sending of the messages. The ICO said that it was not acceptable for Lad Media or any other company to rely on assurances of consent from third party organisations. The ICO view is that the company instigating the marketing must undertake proper due diligence. Had Lad Media made proper enquiries it would have been clear that the third party company had not obtained the proper consent.
Organisations involved in direct marketing must make reasonable enquiries to ensure that consent had been legitimately obtained prior to a direct marketing campaign.
2 Honda Motor Europe Ltd £13,000
Between the 1st May 2016 and 22nd August 2016 Honda sent a large number of emails to individuals. The purpose of the email was to clarify the marketing preferences of individuals where Honda was uncertain of them, because the Honda database did not have any information on opt in or opt out in relation to those individuals. Following a complaint, the ICO contacted Honda, who said that the emails were not for the purpose of marketing but were ‘service’ emails. The ICO formed the view that the emails were in fact marketing emails. Honda was unable to show that the individuals had consented to the emails. An aggravating factor was that after the ICO had contacted them about the possible breach Honda continued to send the emails.
This breach was a technical breach in some sense and the size of the fine suggests that the ICO did not think it was very serious. It is included because it highlights the importance of obtaining clear and unambiguous consent before commencing a marketing campaign.
3 Flybe Limited £70,000
In August 2016 Flybe sent an email to individuals asking them if their details were correct. The email advised the individual to amend any out of date information and to update their marketing preferences. The email also informed them that by updating their preferences they may be entered into a prize draw.
A complaint was made to the ICO. The ICO informed Flybe that organisations cannot email an individual to seek consent to future marketing messages. Such an email would be considered a marketing email. Flybe told the ICO that it had sent 3,662,973 emails asking individuals if their details were correct. Flybe had requested a third-party agent to send the emails and had requested that the agent send the email to individuals who had opted out of marketing. The ICO considered that the emails amounted to an unsolicited communication for the purposes of direct marketing.
This monetary penalty again highlights the importance of consent. The ICO is clearly saying that sending emails inquiring about consent to individuals who have previously opted out is not allowed and will be considered a breach of regulation 22.
4 PRS Media Ltd trading as Purus Digital £140,000.
The ICO also discovered that PRS had sent a total of 4,357,453 text messages between 1st January and 17th May 2016.
The ICO was satisfied that PRS did not have the consent of those to whom it sent the marketing texts.
This was again a case of an organisation not ensuring that it had obtained freely given, specific and informed consent. Individuals were required to agree to marketing in this case and were told that their personal information would be shared with unspecified third parties. This can never be considered to amount to a positive indication of consent.
Regulations 19 (automated calls), 20 (facsimile), 21 (voice calls) and 22 (electronic mail) prevent organisations from marketing to individuals who have not previously consented to receive marketing information. It is very important that organisations are able to show how they obtained consent and that it was specific and freely given.
There are around 18.5 million landline numbers registered with the Telephone Preference Service and some 3 million mobile telephone numbers. The landline registrations account for almost 85% of all landlines. This suggests that the public do not welcome unsolicited marketing calls and makes it very important that organisations screen against the TPS registrations prior to commencing a marketing campaign.
Prior to commencing a marketing campaign by whatever means organisations would be well advised to read the ICO guidance on marketing and also ICO previous regulatory activity to enable them to campaign within the law. A privacy impact assessment is always a wise investment.