Who: Information Commissioner’s Office and First Financial (UK) Ltd
When: December 2013
Law stated as at: 6 January 2013
The Information Commissioner’s Office issued a £175,000 Monetary Penalty Notice against payday loan business First Financial (UK) Ltd (“FFU”).
FFU sent out high numbers of unsolicited text messages promoting low-value, short-term loans. The recipients had not consented to receiving them as required by Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECRegs”).
One complainant was disturbed at 11.25 pm on a Sunday evening by the message: “You have been preapproved for up to £1,000 cash today. Apply now at [url] and receive your cash within 15 minutes. To opt out reply STOP +[number to call].”
This led to 4031 recipients complaining to the relevant mobile networks and 323 of these complaining also to ICO. To avoid detection, FFU used unregistered SIM cards.
The messages were sent over a three-month period in early 2013. ICO postulates that, for such a relatively short period of activity to give rise to this level of complaints, millions of texts must have been sent.
Apart from the unsocial hours, aggravating factors included:
- recipients texting “STOP” received the same message minutes later;
- some texts were designed to appear as if they were from a friend; and
- particularly when sent at unsocial times, the texts caused unnecessary alarm and fears for the welfare of relatives when the number used was used only for contact with a sick, elderly or otherwise vulnerable relative or close friend.
Why this matters:
This penalty follows the very first imposition of substantial fines for spam messaging just over a year earlier in November 2012.
Penalties of £300,000 and £140,000 were imposed respectively on a Mr Niebel and a Mr Neish of Tetrus Telecoms for unsolicited texts promoting PPI mis-selling claim handling services.
However, Mr Niebel has since successfully appealed against his fine to the First Tier Tribunal.
The FTT was not persuaded that the evidence against Niebel satisfied the requirement under s.55A(1)(b) of the Data Protection Act 1998 that the conduct in question was “likely to cause substantial damage or substantial distress.” This and other conditions laid down by s.55A must be satisfied to enable ICO to impose fines of up to £500,000 for breaches of the PECRegs.
In the Monetary Penalty Notice served on FFU, ICO is careful to set out in detail its case under s.55A. It stresses that the use of unregistered SIM cards indicated the activity was “deliberate” as required by s.55A(2).
The Notice also asserts that, given the wide publicity given to cases of this kind and FFU's apparent awareness of other regulatory requirements imposed on it (based on the privacy notice on its site and its reference to holding a consumer credit licence), FFU “knew or ought to have known” (as required by s.55A(3)(a)(i) and (ii)) that there was a risk of the contravention occurring and being of a kind likely to cause substantial damage or distress.
Time will tell whether these arguments are sufficient to place ICO in a strong position should FFU chance its hand with an appeal.