May 14, 2024

The Information Commissioner’s Office, the UK’s Data Protection Authority also known as the “ICO”, has recently taken strict action against three financial services companies. The cumulative sum of these three fines amounts to £170,000 for the infringement of direct marketing rules under the Privacy and Electronic Communications Regulations 2003 (PECR). In this article, we will delve into the details of these fines, analysing both the rationale behind the penalties and exploring the potential impact on both businesses and individuals.

Case 1: Digivo Media Ltd (Rid My Debt)

  • Fined: £50,000
  • Offense: Sending over 415,000 unsolicited text messages between March 24, 2021, and September 7, 2021.
  • Breach: Marketing text messages offering “free advice” or a “free pack” without valid consent, a clear violation of PECR.

Digivo Media Limited, trading as Rid My Debt, was levied with a hefty fine of £50,000 due to a serious violation of Regulation 22 from the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). The ICO took action under section 55A of the Data Protection Act 1998, emphasizing the importance of compliance with PECR. Between March 24, 2021, and September 7, 2021, Digivo inundated consumers with 415,041 unsolicited marketing text messages, in direct contravention of PECR.

The ICO, in its evaluation, emphasised that the main issue was the absence of proper consent to send marketing text messages. Digivo could not use the soft opt-in exemption (giving a possibility to object to marketing communications rather than agreeing to it) because they did not provide individuals with the ability to opt out when collecting their personal data.

Digivo also failed to secure freely given, specific and informed consent for the messages. The persons who received the messages were users of Digivo’s website; they were requested to tick a mandatory box to agree to being contacted when submitting an application form for a service request. Consent was thus made a pre-condition for a service to be performed and, therefore, was not freely given. In addition, the tick-box and website Privacy Notice were not clear on the marketing nature of the communications to be received, rendering the consent non-informed. The marketing communications were therefore made in violation of PECR.

The seriousness of this violation is highlighted and aggravated by the large number of complaints received, the financial vulnerability of subscribers, and the enormous quantity of messages sent. The ICO found that Digivo deliberately and negligently breached the rules. They knew or should have known about the risks involved but did not do enough to prevent (further) violations. In response, the ICO imposed a fine of £50,000 to emphasise the importance of following PECR and to discourage unwanted direct marketing.

Case 2: MCP Online Ltd (MCP)

  • Fined: £55,000
  • Offense: Placing 20,939 unsolicited financial services calls about pensions to individuals registered with the Telephone Preference Service (TPS).
  • Breach: Live marketing calls to TPS-registered individuals without said individuals having proactively informed the company they do not object to their communications, contravening established legal provisions.

The ICO is required per the PECR to maintain a register of the Telephone Preference Service (TPS) listed phone numbers of individuals who have indicated they do not want to receive marketing calls. Regulation 21 of PECR prohibits calls to TPS-registered individuals unless they have notified the caller that they do not object to receiving marketing calls for the time being. Regulation 24 of PECR mandates the submission of specific information (such as the person’s name) when making direct marketing calls.

The company MCP Online Ltd (MCP) was fined £55,000 for violating regulations 21 and 24 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). MCP’s breach was identified by the ICO as a contravention of section 55A of the Data Protection Act 1998, which involved making 20,939 calls to registered users of the Telephone Preference Service (TPS) about pensions without their authorisation.

MCP was investigated for various activities from January 1, 2022, to September 28, 20, and the investigation uncovered deliberate attempts to conceal its marketing activities, non-participation in the investigation, and a failure to then take appropriate steps or prevent the contravention.

The ICO finally determined that MCP made marketing calls to TPS-registered individuals without any clear and positive notification from these individuals that they would agree to override their TPS registration and receive calls from MCP. MCP also failed to provide information to individuals as required per Regulation 24 PECR.

The seriousness of the infringement was exacerbated by MCP’s disregard for the TPS or CTPS registration status, the numerous violations, and the aggressive behaviour against complainants. The fact that MCP did not respond to warnings or attempts to contact them suggested that the breach was deliberate.

The ICO issued a financial penalty of £55,000, taking into account aggravating features like deliberate masking and a serious violation of Regulations 21 and 24 PECR. This levy can be seen as a means to encourage compliance with PECR and to deter similar non-compliance. The penalty was issued in light of the deliberate nature and severity of the contravention by MCP.

Case 3: Argentum Data Solutions Ltd

  • Fined: £65,000
  • Offense: Sending and permitting third parties to send over 2.3 million direct marketing text messages without valid consent.
  • Breach: Failure to identify the sender, provide opt-out options, and promote various services, violating PECR guidelines.

A £65,000 financial penalty was imposed on data processing and hosting company Argentum Data Solutions Limited (ADS) for a major violation of Regulations 22 and 23 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). The breach at ADS, which involved sending and allowing third parties to send more than 2.3 million direct marketing text messages without valid consent, was investigated by the ICO under section 55A of the Data Protection Act 1998.

Without the recipient’s prior authorization, it is expressly forbidden by Regulation 22 of PECR to transmit unsolicited communications for direct marketing objectives. In contravention of the PECR, ADS sent 24,309 SMS messages between January 1, 2021, and January 31, 2022, and permitted the use of its platform for the sending of an additional 2,306,114 messages, for a total of 2,330,423 SMS messages for direct marketing.

Despite ADS referring to its legitimate interest as the legal basis for the use of recipient contact details to send them such communications, the ICO considered that the legal basis should have been based on the recipient’s consent. ADS was not able to provide any evidence that such consent had been given. Furthermore, ADS failed to comply with Regulation 23 of PECR, which requires unambiguous sender identification in direct marketing communications.

The ICO determined that ADS’s conduct was deliberate, as they purposefully sent direct marketing SMS messages without evidence of any consent and enabled similar practices by their clients. ADS also claimed to the ICO that they carried out due diligence checks on their clients that used their messaging services, without specifying what checks were performed. The ICO noted that one client was listed on Companies House as being a disqualified director and that ADS were unable or unwilling to provide supporting documents for their due diligence obligations. The seriousness of the infraction was identified by the ICO and further exacerbated by ADS’s lack of cooperation throughout the investigation, its inability to take appropriate action to stop violations, and the deceptiveness of the messages. Due to the egregious behaviour of ADS, and to encourage adherence to PECR and deter non-compliance by the market with the rules controlling unsolicited electronic marketing communications, the ICO fined ADS £65,000.

Rationale behind the penalties: key takeaways

1. Importance of consent:

Digivo and ADS were fined for participating in direct marketing without obtaining or being able to prove the recipients’ consent to the marketing activities, which is a serious violation of the PECR. Of primary concern was the absence of valid consent, and the ICO stressed how crucial it is to protect people's right to privacy and to obtain the expressed consent from the individual prior to sending marketing communications.

2. The absence of an opt-out mechanism:

The ICO rationalised that Digivo could not rely on their legitimate interest as they failed to provide individuals with the ability to opt-out. Therefore, companies that want to rely on their legitimate interest instead of consent for direct marketing messages (in cases where legally possible) should ensure that there is the ability for the individual to opt out of such communication.

3. TPS Registration and Marketing Calls:

MCP's offense brings attention to the TPS violations, whereby MCP demonstrated a lack of consideration for people's choices when it came to unsolicited calls. The penalties highlight the need to obtain a clear and positive notification from the individuals on the TPS register that they consent to communication which will override their TPS registration, before any live marketing calls to TPS listed numbers can occur.

4. The absence of Sender Identification:

ADS Ltd was also penalised for failing to identify the message senders. MCP also failed to provide information to individuals as requested per Regulation 24 PECR. The ICO's emphasis on consumer choice and sender transparency demonstrates the ICO’s dedication to ensuring ethical marketing techniques are adhered to.

Impact on businesses and individuals

The substantial fines serve as a powerful deterrent: they signal the ICO’s commitment to penalising companies that flout privacy regulations. The penalties send a clear message to businesses to re-evaluate their marketing strategies, ensuring alignment with PECR guidelines to avoid reputational damage and to maintain customer trust.

Companies found in violation face not just financial penalties but also potential reputational damage, which could affect consumer confidence and brand image. Businesses are advised to emphasise compliance with privacy standards in order to minimise negative consequences, as upholding these standards is essential to preserving a positive corporate image.

The fines reinforce consumers’ rights to privacy and protection from unsolicited marketing communications. Stricter enforcement encourages consumers to trust that regulatory bodies are actively safeguarding their interests, which helps create a more reliable and safer digital environment.

The emphasis on the provision of consent gives consumers more power over their personal data and guarantees their control over the communications they receive. The sanctions highlight how important it is that businesses value and respect customer choices in order to create a digital environment where privacy is given top priority.

Author: Xiao Liu

Data Protection Officer

Reviewer #1: Hélène Gillard

Data Protection Lawyer

Reviewer #2: Edward Sheehan

Data Protection Manager Associate

We are supporting our clients in this privacy compliance process. If you are interested, feel free to reach out to our team for support.