ICO is clamping down on illegal unsolicited marketing

The ICO is clamping down on illegal unsolicited marketing calls/e-mails and messages (or 'spam').  The ICO has fined the owners of a company which unlawfully sent millions of unwanted text messages in breach of the Privacy and Electronic Communications Regulations ("PECR") nearly half a million pounds.  These are the key points:

  • PECR requires that before an individual receives unsolicited text messages (or e-mails) which are designed to market products/services, the individual must have consented to receiving the text messages (or e-mails).

  • PECR also requires that the sender doesn't seek to conceal its identity and also doesn't send messages which fail to include an address to which the recipient can request further communications from the sender to stop.

  • The owners of Tetrus Telecoms arranged for millions of unsolicited text messages to be sent to individuals encouraging recipients to claim compensation for injuries/financial services misselling - they had not received the consent of the individuals to send the marketing messages by text.

  • The texts also didn't reveal the identity of the sender or provide an address for individuals to object to receiving further messages.

  • People received multiple texts over a short space of time even after having texted 'STOP' back to the sender's number and some had paid international charge rates to receive text messages whilst abroad.

  • Over 400 complaints were made to the ICO which were found to have been texts sent by Tetrus.

  • The ICO searched Tetrus' premises and seized various records including accounting records confirming that Tetrus was earning revenue of almost £8k per day from its illegal activities and various commercial agreements under which Tetrus was being paid substantial fees to generate leads for compensation claims companies (primarily for road traffic accidents and payment protection insurance misselling).

  • The ICO has fined the two owners of Tetrus almost half a million pounds (in total) and due to the indisciminate nature of the texting activity and the volume of texts sent (which could be anywhere upto 840,000 per day), the ICO has determined that the breach was 'substantial' and likely to cause damage and distress to individuals (e.g. texts relating to potential claims regarding previous accidents/injuries and compensation claims for potential misselling could be extremely disturbing to the recipient).

  • In short, the messages were a nuisance and a clear invasion of privacy - hence the substantial fines imposed on Tetrus' two owners due to the aggravated nature of the breach.

  • Further, the actions of the owners following the ICO's intervention demonstrated a lack of respect for the law and ongoing behaviour which was deliberately intended to ignore the ICO's advice and break the law (e.g. records confirming how detection of the illegal activities could be avoided, initial denials of involvement in the illegal activities, deliberately attempting to conceal the identity of the sender from the regulator and affected individuals by sending texts from unregistered pay as you go SIM cards and continuing the activity even after the ICO's investigation had begun).

What Does This Case Tell Us?

  • The case demonstrates the scale of some 'spam' operations and the lengths to which some operators will go to in order to make a profit at the expense of individuals' privacy.

  • Sadly, it also highlights the lack of power which the ICO has to deter similar future conduct - as the ICO press release confirms, the owners of Tetrus have made millions of pounds through their operations and the fines represent a very small proportion of the money they have made through their illegal activities (particulaly if the owners elect to pay the fine early to qualify for a 20% discount)!

  • However, the owners also failed to register their data processing activities which may lead to a fine of upto £5,000 in the magistrates court or an unlimited fine in the County this space!

What You Should Take Away From This Case (Beyond The Obvious)!

  • If you rely on third party lists of data for marketing purposes, be vigiliant in checking the provenance of the list and that the individuals have consented to receiving marketing by e-mail/text.

  • If you're involved in marketing activity, make sure your staff fully understand the requirements of PECR (over and above your DPA obligations) including your obligations to de-dupe your phone marketing database against the Telephone Preference Service register.

  • If you're operating in this way, be aware that this is an area of sustained focus for the ICO - it is continuing to run a survey which enables individuals to report unwanted spam calls/e-mails/texts to the ICO, and as in this case, the ICO will take action and will impose fines in relation to serious breaches of PECR, particularly in relation to those organisations that cannot demonstrate that they are aware of their obligations under PECR or the way in which they have designed their business processes and policies to ensure compliance.

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.