The Information Commissioner’s Office (the “ICO”) has issued fines totalling £100,000 against organisations engaged in illegal direct telephone call and text marketing activity. As the ICO averages fines of almost £10,000 per day in 2016 and receives around 13,000 complaints per month, organisations must now review their direct marketing strategies and push legal compliance higher up their corporate agendas before it is too late.
What does the law say?
Direct marketing laws are contained within the Data Protection Act 1998 (“DPA”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).
Organisations cannot send unsolicited electronic direct marketing communications (e-mail, text, fax or automated calls) to an individual, unless that individual has agreed to receive them or there is a pre-existing customer relationship between the organisation and the individual. The organisation must also provide the individual with an opportunity to opt out of receiving future electronic communications and maintain suppression lists so that opted-out individuals do not continue to receive communications.
Unsolicited direct marketing calls may be made to an individual, unless the individual has either notified the organisation that s/he does not wish to receive calls or the individual’s telephone number is listed on the TPS or Telephone Preference Service (although the individual recipient may agree to receive calls from specific organisations, even if the individual is on the TPS). The TPS is a statutory “do not call” register maintained by OFCOM. An organisation wishing to make direct marketing calls can purchase a list of TPS numbers from OFCOM. When the TPS receives a complaint from an individual, it makes contact with the organisation and asks for an explanation why the call was made.
The ICO may issue a fine of up to £500,000 against an organisation that does not comply with direct marketing laws. In deciding whether to issue a fine and how much it should be, the ICO takes account of the distress suffered by the individual recipient. If the individual has a medical condition or disability, or other personal circumstances exist (for example, s/he has a seriously ill relative and suspected the worst-case scenario upon receiving the direct marketing call or text at an irregular time of day), then these will likely sway the balance towards a larger fine. Other relevant circumstances include victimisation and harassment of individuals by organisations that adopt aggressive practices, forcing individuals to buy before direct marketing communications cease.
What about the two latest ICO fines?
In the first case, a Glasgow-based organisation made 1.6 million direct marketing calls to TPS-listed telephone numbers without individuals’ consent. The organisation had been aggressive towards individuals, ignored opt-out requests and distressed individuals who were experiencing health and other personal circumstances.
In issuing the £60,000 fine, the ICO took into account: the volume of calls and complaints; the organisation’s negligence in continuing to make calls when it should have known of the PECR breach, particularly given that the TPS contacted it each time the TPS received a complaint; the fact that the organisation did not identify itself during the marketing calls or provide a free-of-charge contact address or telephone number; and the organisation’s failure to cross-check the numbers against the TPS and to provide telesales staff with PECR training.
In the second case, a London-based organisation sent over 300,000 texts to individuals who had not agreed to receive them. The organisation had purchased the telephone numbers from a third party but the ICO was not satisfied that the individuals had consented to receiving the texts.
In issuing the £40,000 fine, the ICO took into account the volume of texts sent and the fact that the organisation should have known that a PECR breach was likely, as it did not perform the necessary due diligence into the third party supplier’s telephone numbers to verify compliance with DPA and PECR requirements.
What can our organisation do to avoid an ICO fine?
Revisit your direct marketing strategy by:
undertaking a PECR and DPA compliance audit;
using only reputable third party list suppliers if acquiring contact lists from third parties;
undertaking checks to ensure that individual recipients’ consents to direct marketing have been validly obtained and are specific to your organisation, or to organisations of the same description or operating within your industry, even if the list supplier assures you that consents have been obtained;
training your staff in the law;
only sending communications to individuals who are interested in hearing from you, and if they opt out, respecting this by adding them to your suppression lists; and
cross-checking against the TPS before making direct marketing telephone calls.
Now is the time to do this, as the law is only set to get stricter with an ongoing review of the EU law on which PECR is based and the coming into force of the EU General Data Protection Regulation in May 2018 and its higher standards of consent.