ICO issues record £400k fine for breach of direct marketing laws
Keurboom Communications Limited has been fined £400,000 by the Information Commissioner’s Office (ICO) for engaging in illegal direct marketing using automated calling systems.
Keurboom employed an automated calling system to make pre-recorded direct marketing telephone calls, inviting recipients to make claims for road traffic accidents or to seek compensation for being mis-sold PPI. The 99.5 million calls, made over the course of 18 months, were often made repeatedly (sometimes on the same day) and during unsocial hours and did not identify the sender. Recipients also experienced difficulties in opting out of receiving future calls.
The ICO received 1,036 complaints about Keurboom’s calls and issued a monetary penalty notice of £400,000, which is the highest ever imposed for illegal direct marketing. The ICO considered that the level of penalty was merited by the fact that Keurboom caused distress and upset to those who had received its calls, the scale of Keurboom’s marketing campaign and its failure to co-operate with the ICO during the latter’s investigation (indeed, both Keurboom and its director were prosecuted and fined in April 2016 for failure to comply with 7 ICO Information Notices).
Keurboom has placed itself in voluntary liquidation, and the ICO is working with the liquidator and insolvency practitioners to recover the penalty. This is a common occurrence during ICO enforcement proceedings involving the issue of monetary penalty notices, and it has been estimated that only 20% of ICO monetary penalties are paid in full. In October last year, the UK Government announced that it would extend the scope of direct marketing laws in Spring 2017 to give the ICO the power to issue penalties of up to £500,000 against directors of organisations that had engaged in illegal direct marketing. Proposals have yet to be introduced.
What does the law say?
The law on direct marketing by automated calling systems is contained in the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). PECR provides that an organisation cannot make automated direct marketing telephone calls unless the recipient of the call has previously agreed to receive them. An organisation making use of automated calling systems for these purposes must also identify itself or provide its contact details by which it can be contacted free of charge.
What does this mean for our direct marketing strategy?
While few organisations make use of automated calling systems for their direct marketing calls, it is important that those that do review and revise their direct marketing / fundraising strategies to comply with legal requirements. This can be done by:
undertaking a PECR compliance audit;
using only reputable third party list suppliers when acquiring telephone numbers from third parties and checking to ensure that recipients’ consents have been obtained to direct marketing by automated calling systems and that consents are specific to your organisation or organisations of the same description or operating within your sector; and
training staff on PECR to make them aware of legal requirements; and
providing a clear and easy means of opting out of future communications and respecting the wishes of recipients who do by adding their details to your organisation’s suppression lists.
These steps should be taken immediately, as the law will only get stricter with the coming into force of the new EU General Data Protection Regulation in May 2018.