Who: Pharmacy2U Ltd
Where: the Information Commissioner’s Office, Wilmslow, Cheshire
When: 14 October 2015
Law stated as at: 16 November 2015
What happened: Pharmacy2U Ltd (“P2U”) is the UK’s largest NHS-approved online pharmacy. In October 2015 the Information Commissioner’s Office (“ICO”) issued a Monetary Penalty Notice (“MPN”) against P2U in the sum of £130,000.
The penalty was imposed in respect of P2U’s sale of details of 21,500 of its customers to third party marketing companies.
It was the first time that an MPN had been issued for breach of the first data protection principle under the powers given to the ICO by s.55 of the Data Protection Act 1998 (“DPA”) to impose penalties of up to £500,000 for serious breaches of the DPA.
The customer data in question had been collected on P2U’s website. To access P2U’s services, it was necessary to provide name, gender, date of birth, postal address, phone number and email address.
The sign-up included a pre-ticked box that users could untick if they did not want to receive marketing emails from P2U. To submit the registration form, users had to click a button marked “Continue.” Above the “Continue” button, under the heading “Terms and Conditions” it was stated: “By clicking continue you agree to our terms and conditions.”
Paragraph 15 of the Terms and Conditions said:
“Occasionally we make details available to companies whose products or services we think may interest our customers. If you do not wish to receive such offers please login to your account and change the setting to indicate “No” for “Selected company data sharing.””
Pharmacy2U arranges to offer its customer lists for rental
In October 2014 P2U entered into an agreement with Alchemy Direct Media (UK) Ltd (“Alchemy”). Alchemy was to provide services to P2U including promoting P2U’s specified database lists for list rental. The agreement stated that P2U was the data controller as regards the relevant lists.
Alchemy’s website then advertised P2U’s database lists and, in November and December 2014, Alchemy supplied a total of 21,500 names and addresses of P2U’s customers to three third party organisations, including an Australian lottery company.
The latter applied to P2U for approval of a proposed mailer to go to the rented P2U customers. This suggested recipients had been “specially selected” to “win millions of dollars” and asked mailees to send in sums of money to qualify for their winnings.
A senior executive of P2U responded as follows:
“OK but let’s use the less spammy creative please, and if we get any complaints I would like to stop this immediately.”
The National Trading Standards Scams Team subsequently informed the ICO that if it had been sent by a UK business the mailing would likely breach the Consumer Protection from Unfair Trading Regulations 2003.
The sale of the customer data to another of the third party purchasers, Griffin Media Solutions, led to its use by Griffin customer Woods Supplements to promote its health supplement products. Advertising for these products had recently led to the ASA upholding a complaint on grounds of misleading claims.
The third customer, Camphill Village Trust, used subsets of the data relating to “active donors” to send mailings soliciting donations.
The Daily Mail refers the matter to the ICO
Following a Daily Mail investigation the ICO investigated and determined that P2U had breached the DPA by processing its customers’ personal data unfairly and without having met a Schedule 2 condition of processing, thus contravening the first data protection principle at Part 1 of Schedule 1 to the DPA.
The ICO found as follows:
- it would not be within customers’ reasonable expectation that this sharing with third parties would occur, even if they were willing to agree to the receipt of P2U marketing material;
- if a customer wished to take up P2U’s offer to opt out of “Selected company data sharing” they also had to go to the trouble of logging into their account and changing the setting; and
- in the circumstances, P2U’s customers did not give their informed consent to the sale of their data to third party organisations, so there was no lawful basis for that processing under Part 1 of Schedule 2 to the DPA.
Was substantial damage or substantial distress likely?
Before issuing the MPN the ICO also had to follow the requirements of s.55A of the DPA. These were that the contravention had to be serious, was deliberate or negligent and was of a kind likely to cause substantial damage or substantial distress.
This latter requirement has recently been scrapped for certain breaches of the Privacy and Electronic Communications Regulations 2003, but remains in place for breaches of the DPA.
The ICO decided that these requirements were satisfied here.
The data purchased by the three customers of Alchemy related to male customers of P2U aged over 70 who had used the P2U prescription service in the last 6 months. The data rented did not specify which customer had ordered which medication and for what ailment, but it did include an age breakdown and a list of conditions that customers in age bands were likely to suffer from, such as erectile dysfunction, Parkinson’s Disease and hair loss in the case of over 70s.
In the circumstances, there was a “significant and weighty chance”, the ICO determined, that the contraventions would have the following consequences:
- disclosure of personal data relating to customers of an online pharmacy is likely to cause distress to individuals who have a reasonable expectation of confidentiality;
- some P2U customers who received marketing material from Woods Supplements may as a result have stopped taking their prescribed medication and spent money on products that had been subject to an adverse ASA adjudication;
- in such cases the distress suffered by P2U’s customers was “considered to extend beyond mere irritation;”
- P2U customers were also likely to have suffered financially from receiving mailings from the Australian lottery company, who appeared to have deliberately targeted elderly and vulnerable individuals;
- having regard to the circumstances in which the data in question was obtained, the number of people affected and the purposes for which the data was used, the above damage and/or distress was likely to be substantial on aggregate and in the case of a small proportion of more vulnerable individuals, substantial in each case.
Were the breaches deliberate or negligent?
Finally the ICO had to decide whether the breaches were deliberate or negligent. Although satisfied that there was no deliberate intention to breach the DPA, the ICO felt that due to three factors, P2U ought to have known that there was a risk of the contraventions occurring:
- P2U should have appreciated that its customers would have a reasonable expectation of confidentiality when using an online pharmacy, especially as its own website described the service as “discreet and confidential”. Also, the P2U executive quoted above, in commenting on the proposed Australian lottery company mailer, clearly appreciated that there was a risk of customers objecting to the sale of their data in this way;
- P2U should have known there was a risk of substantial damage or distress given the nature of P2U’s business and that they were used to holding a substantial amount of customer data;
- P2U had failed to take reasonable steps to prevent the breach, such as displaying a fair processing notice in a prominent position on their website which provided customers with a simple way to opt out of the sale of their personal data to third parties.
In deciding on the amount of the MPN, £130,000, the ICO took into account various mitigating factors, such as P2U having since taken substantial remedial action, having co-operated with the ICO, and the significant impact of this case on its reputation. Not appealing against the MPN and early payment of the penalty would also mean a 20% discount, reducing it to £104,000.
P2U has since announced that it does not intend to appeal.
Why this matters:
The case underlines the importance of clear and prominent disclosures as to the likely uses of customer data and providing easy to access and use methods of indicating preferences.
This first imposition of an MPN under s.55 of the DPA for breach of the first data protection principle also underlines for marketers that in taking care to observe controls over digital/telephone marketing in the Privacy and Electronic Communications Regulations 2003 they should not lose sight of the underlying obligations governing the use of customer data in the DPA. These are of course marketing channel neutral.
Also now of course, there is the additional threat of damages claims by data subjects for breaches of the DPA. This has become much more real now that the need to prove pecuniary loss suggested by s.13 of the DPA appears to have fallen away following the March 2015 ruling of the Court of Appeal in the case of Vidal Hall & Ors vs Google, Inc.
The ICO Penalty Notice and blog post are here.