The Information Commissioner's Office (ICO) has recently published an enforcement decision imposing a fine of £77,000 on BT (British Telecommunications plc) for sending unsolicited marketing emails.
The decision relates to a complaint made before the GDPR came into force, but it highlights how seriously the ICO treats this type of infringement. The contravention by BT was of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which have been in force since 2003 and remain in force alongside the GDPR.
Regulation 22 of PECR prohibits sending unsolicited direct marketing by email unless the recipient has consented. There is an exception known as the ‘soft opt-in’, which in practice applies only where the individual is an existing customer (their details were obtained in the course of a sale, or negotiations for a sale) and the business is marketing its own similar products or services to that customer. The customer must also have been given a simple means of refusing such marketing when their details were collected, and again in each subsequent communication.
BT were investigated by the ICO following a complaint from an individual who had received a marketing email from BT despite having previously opted out. The investigation found that BT had launched three email marketing campaigns relating to charitable causes. BT's mailing list for these campaigns included not only individuals who had explicitly consented to marketing emails, but also individuals who had simply not opted out (for whom BT was relying on the ‘soft opt-in’). The ICO also found that BT had sent over 1 million marketing emails to subscribers who had specifically opted out of receiving direct marketing.
The ICO concluded that BT had sent over 4.9 million emails in contravention of the PECR.
Before imposing a monetary penalty for a breach of PECR, the ICO must be satisfied that there has been a serious contravention and that it was either deliberate, or that the organisation knew or ought to have known that a contravention was likely and failed to take reasonable steps to prevent it.
The ICO concluded that there had been a serious contravention. It accepted that the breach was not deliberate on BT's part, but found that BT ought to have known that a contravention was likely and had not taken reasonable steps to prevent it, such as ensuring it held valid consent from everyone on its database before sending direct marketing. A fine was therefore imposed.
The ICO has in fact imposed 12 fines so far in 2018 for breaches relating to unsolicited marketing communications, whether by email, text or phone call. The highest was £350,000 against Miss-sold Products Ltd, which made almost 75 million automated calls to individuals about PPI refunds and could not demonstrate that it had consent to do so.
These figures show a clear willingness on the part of the ICO to fine for this type of breach. Nuisance calls and messages are described as a ‘key action’ for the ICO, which, according to its website, currently has 132 cases under investigation. In reaching its enforcement decisions the ICO does take into account the circumstances, including the size of the organisation and the number of individuals affected, but this does not absolve smaller organisations of responsibility.
The rules under PECR are not new, and with the increased focus on enforcement for personal data breaches, it is advisable to keep on top of marketing databases: ensure that consent is clearly obtained and recorded, and that anyone who has not consented is removed from marketing lists. The GDPR also gives individuals the right to object at any time to their personal data being used for direct marketing. This right is absolute: once an objection is made, processing for marketing purposes must stop, and there are no exemptions.
The £77,000 fine imposed in this case is far below the £500,000 maximum the ICO could impose under the Data Protection Act 1998. Under the GDPR its powers are much greater. It remains to be seen whether fines will stay at previous levels or increase to incentivise GDPR compliance.
Miller Samuel Hill Brown can assist with advice on GDPR and offer a fixed price for GDPR policies to ensure businesses are compliant with their legal obligations. For further information, please feel free to get in touch.