The Information Commissioner ("the IC") has taken a tough stance against organisations that breach direct marketing regulations. In a recent decision against Nouveau Finance Limited ("the Company"), the IC not only issued an enforcement notice (ordering the Company to take specific steps to comply with the law) but also issued a £70,000 fine to the Company. This case should be of particular interest to businesses because it involved the use of third party marketing lists, and because the IC emphasised that it is insufficient for companies to simply rely on contractual terms.
In short, the Company is a loan broker that generates leads via direct marketing. Between 1 August 2015 and 10 January 2016, the Company contracted with a third party to send 2.2 million direct marketing text messages. The Company had also contracted with a third party data provider ("the Data Provider") to obtain lists of individuals for the purpose of sending direct marketing text messages.
Between 1 August 2015 and 10 January 2016, 92 complaints were made to the GSMA Spam Reporting Service, and the IC decided to take action against the Company.
The IC found that the Company had breached the Privacy and Electronic Communications (EC Directive) Regulations 2003 (known as "PECR") in two different ways.
First, the IC found that the Company had failed to obtain the consent of the individuals in the Data Provider's direct marketing lists. For valid indirect consent (i.e. where an individual provides consent to one party for another party to contact them), that consent needs to be clear and specific. The Company had provided some example wording from the Data Provider where individuals were asked to consent to direct marketing, but the IC felt there was no evidence that the Data Provider had actually obtained consent that was clear and specific in relation to direct marketing carried out by the Company. As a consequence, the Company had breached regulation 22 of PECR.
Second, the IC found that the Company had sent direct messages without clearly identifying who the message was from - a breach of regulation 23 of PECR. The IC has taken a hard line on businesses disguising their identity (even for comedic or viral effect). Businesses must provide an easy way to opt out (e.g. by replying STOP to the text) and clearly identify the organisation that has commissioned the text.
It is important to note that the Company received an enforcement notice (requiring it to follow certain steps or face prosecution) and a fine. To fine the Company, the IC had to establish that the breach of PECR was serious and was a result of either deliberate or negligent behaviour by the Company. The IC found that the Company was negligent in its actions for two key reasons:
Just as businesses are expected to conduct due diligence on their supply chain, they should ensure that their marketing supply chain is also rigorously checked. The inability of the Company to prove it had carried out even basic checks on the lists of individuals supplied by the Data Provider resulted not only in a breach of regulation 22 but also in the IC declaring that the Company was negligent in its actions.
Businesses should ensure that when they acquire direct marketing lists or contract with firms to conduct direct marketing on their behalf, they ask (at least) the following questions:
Whilst contractual provisions are not by themselves sufficient, businesses should ensure that any contracts that involve direct marketing and third party lists refer to the IC's guidance on direct marketing and include warranties stating (at least):
Finally, businesses should keep in mind that they will be held ultimately accountable for the actions of their agents and marketing firms. A £70,000 fine may not bankrupt a blue chip company, but the damage to its reputation may be priceless.