Who: Information Commissioners Office (the “ICO”)
When: 28 January 2014
Law stated as at: 28 February 2014
The ICO have published their latest update on their enforcement action for the last quarter of 2013 and their main focus has been on Spam texts, marketing calls and cookies.
The ICO action has continued to focus on organisations who breach the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) and make unsolicited marketing calls or texts to consumers.
Unsurprisingly spam texts continue to be a concern for consumers. The top three subjects for these text messages are debt management, payday loans and PPI. The ICO has issued a £175,000 monetary penalty notice against First Financial (UK) Limited for the mass sending of unsolicited SMS messages which lead to 4,031 complaints.
There have been some recent cases (such as Tetrus) where the ICO fines have been overturned due to failure by the ICO to demonstrate “substantial damage or distress” as currently required .The ICO has submitted a business case to the Department for Culture, Media and Sport which set out the reasons why the threshold for monetary penalties should be lowered from “substantial damage or substantial distressin order to create a stronger deterrent. This proposal is supported by Which? and other consumer interest groups.
The ICO also site a recently agreed Memoranda of Understanding with the GSMA, Vodafone, EE and O2 (Telefonica) to allow the sharing of information to prevent organisations and individuals from sending spam texts.
In contrast to spam texts, the ICO report that concerns about marketing calls are down to their lowest level since October 2012.
They argue that this is due to the action by regulators, consumers and industry groups. The ICO state that the fall also relates to the issuing of Civil Monetary Penalties to Tetrus (28 November 2012) and DM Design (20 March 2013). The top three subjects of live sales calls included payment protection insurance, accident claims and energy.The ICO are continuing to monitor 14 companies for compliance with the regulations.
The report also states that the ICO welcome the All-Party Parliamentary Group on Nuisance Calls (APPG) report on the unsolicited marketing industry and the ICO provided evidence and has responded to the recommendations.
The ICO report stated that, between October and December 2013, they received 53 reports of concerns about cookies via their website compared to 29,529 reports about unwanted marketing communications.
The ICO state that they are concentrating on sites which do nothing to raise awareness of cookies or to get their users’ consent.
However, they have balanced this with the low consumer threat in this area due to the low levels of concern reported by the public.
Why this matters:
This report indicates both the prevalence of spam texting and the fact that the public are increasingly concerned by the practice. There is therefore a corresponding increase in complaints and monetary penalties in this area. Any changes to the thresholds for monetary penalties in this area is likely to be welcomed by consumers but, perhaps, treated more cautiously by marketers.
It will be interesting to see how the various changes proposed by the variety of reports on nuisance calls will impact the ICO’s enforcement. The ICO appear to be actively engaged in consulting and responding to these reports. In addition very few complaints have been received about “cookies” and therefore it is likely this will not be a focus for the ICO.
This enforcement update should be interpreted in conjunction with the ICO update guidance on Direct Marketing and indicates the ICO’s continued emphasis and focus on this area.
In addition the ICO has recently published a consultation document on its approach to enforcement and the consultation ended at the end of January 2014. The ICO wants to encourage individuals to raise concerns with the organisation sending the communications directly before approaching the ICO. The ICO would retain a record of individual complaints but in many cases would not investigate itself or take further action. The ICO may offer advice but encourage the Data Controller to take ownership of the complaint.
In this way the ICO wants to focus its resources on organisations that are seen as repeat offenders.