Introduction
Strict direct marketing rules apply under the UK Privacy and Electronic Communications Regulations 2003 (PECR) including with regard to unsolicited calls for direct marketing purposes. In connection with this there exists in the UK a system called the Telephone Preference Service (“TPS”) which is the official central opt out register on which individuals can record their preference not to receive unsolicited sales or marketing calls.
An insurance agent and broker, Our Vault Ltd, recently lost its appeal against a decision imposing a fine issued by the ICO for breaching PECR, which included the fact that there had been persistent unsolicited direct marketing calls made to TPS subscribers. This case highlights some of the compliance risks involved in direct marketing from which some compliance lessons can be learnt.
What’s the case about?
Following complaints from individuals that started in 2015 claiming that they had received unsolicited calls from Our Vault Ltd, the ICO conducted an investigation that ended with the imposition of a fine in 2018 of £70,000 for breaching PECR. Our Vault Ltd brought an appeal before the Information Rights Tribunal raising a number of issues (many of them quite technical in nature concerning telephone calls), including a dispute concerning consent and evidence and also about the level of the fine.
What was the ruling?
The Information Rights Tribunal dismissed the appeal ruling, amongst other things, the following:
- “In all the circumstances, and on the evidence before us, the Appellant has failed to satisfy (either the [Information] Commissioner or) this Tribunal that it had secured prior consent to all or indeed any of the first calls made to TPS subscribers, and would have had very great difficultly demonstrating consent to each because of the wholesale way in which call lists are generally put together. Accordingly we find no error in the Commissioners’ Decision in that regard, and uphold the Commissioner’s decision to impose both a Penalty Notice and the Enforcement Notice”; and,
- “We are not convinced by the Appellant’s claims that the amount of the penalty was disproportionate either to the scale of the contravention or the size of the business. It is known from the data presented in this and other cases that that the public does not lodge formal complaints very often, even though they register their TPS preference in large numbers, indicating an explicit wish that they should not be ‘cold called’. The relatively low number of formal complaints cannot be taken to mean that calls on TPS numbers do not cause harm or that recipients of such calls are not distressed or angered by them, or that effective counter measures, including significant sanctions are not justified. As to the size and profitability of the business, businesses cannot prevent themselves being held to account for contraventions of PECR and DPA [the UK Data Protection Act 1998] simply by hiving off the physical acts of direct marketing into another company under their effective direct control, as appears to be the case on the evidence before us in this case, and with no other source of income. The penalty amount of £70,000 on the evidence before us was carefully considered and arrived at by [the Information Commissioner]. Her reasoning remains sound. In all the circumstances of this appeal it is in our view reasonable and justified in the circumstances.”
The full judgement can be found here: http://www.bailii.org/cgi-bin/format.cgi?doc=/uk/cases/UKFTT/GRC/2019/2018_0138.html&query=(our)+AND+(vault).
What are the takeaways?
First, this is another reminder that the ICO takes enforcement of the direct marketing rules very seriously and will impose significant sanctions accordingly – by way of a recent example of such a case, the ICO imposed a fine of £100,000 on the telecoms operator EE for sending in excess of 2.5 million direct marketing messages to customers without their consent (for more details please see here https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/06/ico-fines-telecoms-company-ee-limited-for-sending-unlawful-text-messages/).
Second, with direct marketing, ensure that you have consent and can demonstrate it this issue is of course not limited to TPS and is equally important under GDPR.
Third, people can and do complain and it doesn’t take many complainants and complaints for the ICO to act, which can result in significant financial penalties.
Fourth, clearly one corporate entity can be held liable for the direct marketing actions of another that it controls, including with regard to a fine. We expect this to become an area of contention under GDPR with regard to e.g. the liability of a parent (for a range of possible GDPR issues) for the actions of its subsidiary.
Fifth, appealing ICO fines is likely to become more and more popular, especially as larger fines are now starting to coming through under GDPR enforcement. Generally-speaking regulators can and do make mistakes when arriving at the level of a fine, but, when considering appealing the level of a fine always think it through very carefully.
In practical terms businesses can consider doing the following with regard to direct marketing issues:
- Check your existing procedures concerning direct marketing and make sure that they are up to the job – update them as need be;
- Train staff on dealing with and spotting direct marketing issues; and,
- Set up and undertake regular compliance audits or reviews in order to identify and rectify direct marketing problem issues.
For more of our reporting about data protection issues please see here http://www.corderycompliance.com/category/data-protection-privacy/.
For more information on GDPR please see details of Cordery GDPR Navigator here www.bit.ly/gdprnav.
Cordery’s Breach Navigator can help organisations respond to a breach and assess its consequences. There are more details about this here https://www.corderycompliance.com/solutions/breach-navigator/.
For more information please contact Jonathan Armstrong or André Bywater who are commercial lawyers with Cordery in London where their focus is on compliance issues.
Office: +44 (0)207 075 1784
jonathan.armstrong@corderycompliance.com
André Bywater
Office: +44 (0)207 075 1785
andre.bywater@corderycompliance.com
Image courtesy of TPS