Who: The Information Commissioner’s Office (“ICO”), Help Direct UK Limited (“Help Direct”)
Where: UK
When: 24 February 2015
Law stated as at: 1 April 2015
What happened:
The ICO has issued an enforcement notice requiring Help Direct – a financial services call centre – to stop sending spam text messages offering recipients a review of their pension.
The enforcement notice cited a total of 659 complaints received by the ICO and the ‘7726’ reporting service. Complainants had received the following unsolicited marketing text message from Help Direct:
“As you have over 10k in your pension, your pension has lost £3219.43 over the last few years, to get back & find out your payout reply REVIEW”.
The resulting ICO investigation revealed that a total of 187,960 texts had been sent by Help Direct over the course of nine months, relating to subjects such as payday loans, PPI, debt management and (as in this case) pension reviews.
What does the law say (for now…)?
It is a breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (“PCRs”) to send text messages or other electronic communications for marketing purposes without the prior consent of the intended recipient.
Regulation 22(2) of the PCRs applies to the transmission of unsolicited electronic communications to individuals and provides that:
“… a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender …”
Regulation 23 further provides that:
“A person shall neither transmit, nor instigate the transmission of, a communication for the purposes of direct marketing by means of electronic mail –
(a) where the identity of the person on whose behalf the communication has been sent has been disguised or concealed …”
In the opinion of the ICO, Help Direct had contravened Regulation 22(2) of the PCRs by sending communications for direct marketing purposes without the recipient’s prior consent. Help Direct had also breached Regulation 23 because the text messages had concealed the identity of the person on whose behalf they were sent (i.e. the messages did not identify Help Direct as the originator of the communication).
Caught in the nick of time?
Failure to comply with an enforcement notice is a criminal offence, but Help Direct arguably got off lightly in this case. From 6 April 2015, a change in the law will make it easier for the ICO to impose (potentially significant) monetary penalties for serious breaches of the PCRs.
Up until now, the ICO has only been able to impose a monetary penalty if satisfied that:
- there had been a serious breach of the PCRs that was likely to cause substantial damage or substantial distress; and
- that breach was either: (a) deliberate; or (b) the person knew, or ought to have known, that there was a substantial risk that the breach would occur and that it would be likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent it.
Importantly in this case, the enforcement notice indicates that the ICO had considered whether Help Direct’s contravention was likely to cause any person damage but that “the Commissioner has decided that it is unlikely that actual damage has been caused in this instance”. This perhaps explains why Help Direct avoided a fine.
The ICO has the power to impose penalties of up to £500,000, but many of the larger fines the ICO has sought to impose in recent years have been reduced or even overturned. The abiding rationale for this has been that spam texts and nuisance calls are more likely to cause inconvenience and irritation than substantial damage or distress (e.g. Christopher Niebel v The Information Commissioner EA/2012/2060).
However, as a result of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2015 (SI 2015/355), which have effect from 6 April 2015, the ICO will be able to issue fines without needing to be satisfied that the breach was likely to cause “substantial damage or substantial distress”.
Why this matters:
The action taken by the ICO in this case is indicative of the watchdog’s focus on the issue of nuisance calls and text messages. This focus is largely driven by the high number of complaints received in relation to these types of spam. Given the removal of the “substantial damage and substantial distress” threshold, this trend is likely to continue. In the words of the ICO’s Enforcement Group Manager:
“This enforcement notice should send out a strong message to all companies who use unsolicited marketing text messages to stop and think about what they are doing. Once the law changes on 6 April it will be much easier for our office to take action against companies sending spam texts and making nuisance calls.”
Organisations that are engaged in direct marketing should review their current practices to assess compliance with the direct marketing rules and consider how to address any compliance issues that arise. Companies should also be aware that, despite the apparent focus on nuisance calls and texts, the changes that apply from 6 April 2015 affect all forms of electronic direct marketing, including e-mail and automated calling systems.
The ICO has published detailed guidance for companies carrying out direct marketing, explaining their legal obligations under the Data Protection Act 1998 and the PCRs.