Who: Information Commissioner’s Office (ICO), We Buy Any Car Limited (WBAC), SportsDirect.com Retail Limited (SportsDirect) and Saga Services Limited and Saga Personal Finance Limited (Saga)
Where: United Kingdom
When: 15 September 2021
Law stated as at: 24 September 2021
What happened:
Four well-known companies who between them sent over 354 million “nuisance” messages were fined a total of £495,000 by the ICO in September 2021. Each company failed to obtain valid consent before sending out marketing emails and texts, in breach of the law.
Under Regulation 22(2) of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), organisations cannot send direct marketing emails and texts unless the recipient has informed the sender that they consent to receiving such communications. The only exception to this is where the organisation has obtained the recipient’s contact details in the course of the sale (or negotiations for the sale) of a product or device to that recipient; the marketing is only in respect of the organisation’s similar products and services; and the recipient was given a simple means to opt out of such direct marketing at the time their details were initially collected (and did not opt out). This is set out in Regulation 22(3) of the PECR.
The General Data Protection Regulation (GDPR) requires consent to be “freely given, specific, informed and unambiguous”.
We Buy Any Car Limited
WBAC, a nationwide vehicle purchasing and wholesale company, was fined £200,000 for sending 191.4 million marketing emails and 3.6 million marketing SMS messages to customers between April 2019 and April 2020, resulting in around 7,700 complaints.
The ICO’s main grounds for imposing the fine were that WBAC did not have valid consent under Regulation 22(2) of the PECR. It also did not meet the requirements of the “soft opt-in” under Regulation 22(3) because the website gave individuals no opportunity to refuse marketing when initially putting in their details.
SportsDirect.com Retail Limited
SportsDirect, a sports retailer, was fined £70,000 for sending 2.5 million emails to customers as part of a “re-engagement campaign” between December 2019 and February 2020, resulting in 12 complaints.
The ICO’s grounds for imposing penalties on SportsDirect were similar to those relating to WBAC, although with an aggravating factor resulting in an increased fine:
- SportsDirect contravened Regulation 22(2) of the PECR as it could not provide evidence of having obtained valid consent for the direct marketing emails.
- The ICO was concerned about SportsDirect’s failure to maintain satisfactory internal consent records. SportsDirect stated during the investigation that it would be unable to “retrieve the distribution list used in the Christmas 2019 Email Campaign” and was, therefore, unable to evidence how or when details were purportedly obtained.
Saga Services Limited and Saga Personal Finance Limited
Saga Services Limited and Saga Personal Finance Limited, both subsidiaries of Saga Group Limited, an insurance and lifestyle services company, were fined £150,000 and £75,000 respectively. Both had enforcement notices issued against them for sending 128 million and 28 million emails respectively over the period between November 2018 and May 2019.
The ICO’s grounds for imposing penalties on the Saga companies were as follows:
- Both companies failed to obtain valid consent for sending the emails, in contravention of Regulation 22(2) of the PECR. Each relied on consent obtained by another organisation (that is, “indirect consent”) which, as stated in the ICO’s direct marketing guidance, is not sufficient for direct marketing via text, email or automated phone calls due to the stricter rules on electronic marketing.
- The consent obtained by each company’s affiliates did not refer to either company explicitly when securing the consent of users, and occasionally simply referred to a long list of potential sectors from which users might be contacted. This was deemed insufficient. The ICO highlighted that consent will not be valid if individuals are asked to agree to receive marketing from “similar organisations”, “partners”, “selected third parties”, or other similarly generic descriptions.
Why this matters:
The ICO has issued fines totalling more than £1.7 million so far this year for breaches of direct marketing laws, including those mentioned above. These fines show a continuation of the ICO’s approach to unsolicited marketing. Businesses should remain aware that, without informed consent, sending these types of marketing emails or texts is against the law. This is especially important now, as the consultation launched by the UK Government Department for Digital, Culture, Media and Sport on 10 September 2021 proposed a very significant increase in the fines capable of being imposed in cases such as these, from the current maximum fine available of £500,000 to a potential £17.5 million or 4% of global turnover (in line with the UK General Data Protection Regulation).