UK data protection regulator fines pensions business for sending spam mail

Posted on Tuesday April 2, 2019

We recently reported news that the UK Information Commissioner’s Office (ICO) reached a milestone in its clampdown on nuisance marketing, with investigations leading to 16 company directors being banned from running a company for a total of 107.5 years.

The ICO has since reported that it has fined a pensions company £40,000 for sending almost two million direct marketing emails without consent to do so. The Privacy and Electronic Communications Regulations (PECR) set out various rules in relation to electronic communications and marketing. The actions carried out by the pensions company (Grove Pension Solutions Limited) were found to be in breach of regulation 22 of PECR.

It is understood that the pensions company had instructed a marketing agent to use third-party email providers to carry out hosted marketing campaigns that advertised the company’s services. According to the ICO investigation, the company was found to have sent 1,924,010 unsolicited direct marketing emails which promoted its services. The ICO reported that the company had obtained independent legal advice about the use of its hosted marketing, which turned out to be inaccurate and in breach of the rules surrounding direct marketing.

However, it is interesting to note that the ICO took various “mitigating factors” into account when considering the appropriate monetary penalty, for example, the fact that the company cooperated with the ICO throughout the investigation.

Andy White, Director of Investigations and Intelligence at the ICO, commented on the issue, stating, “Spam email uses people’s personal data unlawfully, filling up their inboxes and promoting products and services which they don’t necessarily want. We acknowledge that Grove Pension Solutions Ltd took steps to check that their marketing activity was within the law, but received misleading advice. However, ultimately, they are responsible for ensuring they comply with the law and they were in breach of it. The ICO is here to provide businesses with guidance about electronic marketing and data protection, free of charge. The company could have contacted us and avoided this fine.”

Businesses should always consider specific rules relating to their marketing campaigns, as PECR sets out various different rules for matters including marketing calls, emails, texts and faxes. The UK ICO has the power under PECR to impose monetary penalties of up to £500,000, meaning companies need to be very cautious and always consider rules which apply to their marketing campaigns. They should also carefully review the practices of third-party marketing agents and ascertain whether valid marketing consents have been obtained in accordance with PECR.

Businesses should also remember the importance of the Privacy and Electronic Communications (Amendment) Regulations 2018, which came into force in December last year. These further regulations give the ICO the power to fine officers of a body corporate up to £500,000 for breach of the rules relating to using automated calling systems and regarding unsolicited direct marketing. As such it is all the more important for directors and other company officers to take note, as the ICO is able to hold them personally liable for fines resulting from unlawful marketing activities.

There is often confusion amongst businesses regarding rules surrounding direct marketing and the General Data Protection Regulation (GDPR) and data protection law considerations. We regularly advise clients to consider both areas of law prior to carrying out any marketing campaign.

For advice on how to comply with direct marketing laws and the GDPR generally, please contact Sehaj Lamba.