ICO Enforcement Updates (PECR) – July 2023
Crown Glazing Ltd – Unsolicited marketing calls - £130k fine and enforcement notice
On 8 June, the ICO issued an enforcement notice and fined Crown Glazing Ltd (CGL), £130,000 for making 503,445 unsolicited direct marketing calls to Telephone Preference Service (TPS) registered numbers between January and November 2021, in breach of Regulation 21 of PECR. The calls were to consumers and were about energy products to reduce household bills and resulted in 37 complaints.
In general, organisations don’t need consent under PECR to make most types of live marketing calls to consumers provided the recipient has not objected or the number is not listed on the TPS. The TPS is a statutory register which acts as a general objection to receive live direct marketing calls for consumers (including sole traders and partnerships). It’s free to add any phone number to the list (including mobile numbers) but the numbers must appear on the register for 28 days for it to take effect. Organisations who wish to make live marketing calls must check phone numbers against these registers before making the calls.
Regulation 21 of PECR provides that if a number appears on the register, then the organisation should not call that individual unless that individual has specifically told the organisation that they want to receive that organisation’s marketing calls and this will override their general objection. Whilst PECR doesn’t use UK GDPR consent requirements here, there is still a standard that needs to be met to override a TPS registration which in practice will mean obtaining a consent where the individual has clearly and proactively notified the caller about their willingness to receive marketing calls from the named caller- callers cannot rely on individuals opting in to marketing communications generally (unless it is clear that it includes telephone calls) or individuals agreeing to receive marketing calls from “similar organisations”, “partners” or “selected third parties. For further ICO guidance on how to carry out direct marketing using live calls, please see here.
In this case, CGL had obtained the data which it wanted to use for direct marketing purposes from (i) a list broker and (ii) door to door canvassing. With respect to the list broker data, CGL was unable to provide any evidence to show how the data had originally been collected or what fair processing information was provided to individuals although it was likely obtained from lifestyle surveys, comparison websites and product registration. CGL advised the ICO that this data had been screened against the TPS by the list broker prior to purchase and CGL had also requested to upgrade their dialler system to include TPS screening (although this was not in place at the time the complaints were made). Processes were also in place to deal with suppression requests. The specific complainants’ data had allegedly been obtained via the door to door canvassing but CGL could not provide any evidence to show that the individuals agreed to be called by CGL.
Whilst the Commissioner found that CGL had not deliberately set out to contravene PECR, he was satisfied that CGL (i) knew or ought reasonably to have known that there was a risk that a contravention could occur – particularly because CGL had failed to engage with the TPS which had alerted them about the complaints and because there is clear ICO PECR guidance on carrying out live marketing calls and (ii) had failed to take reasonable steps to prevent the contravention – for example by not undertaking more rigorous checks when acquiring data from list brokers. Further aggravating factors included the fact that CGL provided misleading information in relation to their identity by incorrectly suggesting that they were representing the government. In addition to the fine, the ICO issued an enforcement notice to order CGL to stop call individuals registered on the TPS or who had previously objected to such calls.
Maxen Power Supply Limited - Unsolicited Marketing calls - £120k fine and enforcement notice
On 8 June, the ICO issued an enforcement notice and fined Maxen Power Supply Ltd (MPS), £120,000 for making unsolicited marketing calls to TPS and Company Telephone Preference Service (CTPS) registered numbers between January 2020 and December 2021 in breach of Regulation 21 and 24 of PECR. The calls were mainly to businesses and were claiming to help them save money on their energy bills by switching contracts and resulted in over 100 complaints. Some people claimed to receive multiple calls on the same day despite opt out requests and being subject to ‘aggressive’ marketing tactics. The complaints also showed that MPS was making calls from overseas call centres that purported to be from National Grid or the recipient’s existing energy supplier.
In general, organisations don’t need consent under PECR to make most types of live marketing calls to businesses provided the recipient has not objected or the number is not listed on the TPS or the Company Telephone Preference Service (CTPS). The CTPS is another statutory register which works in the same way as the TPS but is for corporate users (e.g limited companies) to register their objection to receiving unsolicited direct marketing calls. Organisations who wish to make live marketing calls must check phone numbers against these registers before making the calls.
Regulation 21 of PECR provides that if a number appears on the register, then the organisation should not call that individual unless that individual has specifically told the organisation that they want to receive that organisation’s marketing calls and this will override their general objection. Whilst PECR doesn’t use UK GDPR consent requirements here, there is still a standard that needs to be met to override a TPS registration which in practice will mean obtaining a consent where the recipient has clearly and proactively notified the caller about their willingness to receive marketing calls from the named caller- callers cannot rely on recipients opting in to marketing communications generally (unless it is clear that it includes telephone calls) or individuals agreeing to receive marketing calls from “similar organisations”, “partners” or “selected third parties. For further ICO guidance on how to carry out direct marketing using live calls, please see here.
In addition, Regulation 24 PECR states that when an organisation makes a live marketing call, it must display its number (or a valid alternative number) to the call recipient and the number must not be withheld. The organisation must also say who is calling (name of the organisation) and provide contact details or a freephone number of the organisation if asked.
MPS claimed that it worked with a number of independent contractors and third party intermediaries including Aims Tech, an overseas call centre, to make the calls and that all independent contractors working with them had protocols to ensure compliance with TPS but MPS was not able to show any evidence that these processes were actually in place in practice. The ICO concluded that they were satisfied that MPS had used overseas call centres to make unsolicited direct marketing calls to small businesses but that as MPS had used false company names and spoofed CLI numbers, it was not possible to confirm the total number of complaints or number of contraventions.
The ICO found the contraventions to be deliberate due to the persistent nature of the calls, the ignoring of suppression requests, spoofed CLI numbers and the withholding of caller name and identity. Further, the ICO found the MPL’s business model appears to have been designed to avoid MPL being identified as the instigator of the calls – it had used a network of overseas call centres who it referred to as “independent contractors” and “third parties” and denied responsibility for the complaints raised with it by the TPS.
Reasonable steps that MPL should have taken included: (i) asking Aim tech to provide details of its standard operating procedures for screening data against the TPS and CTPS; (ii) conducting proper due diligence on Aims Tech rather than asking them to just complete a self assessment questionnaire; (iii) properly investigating the TPS complaints and taking appropriate remediation action; (iv) screening the data against the TPS itself before providing it to the call centres; and (v) providing call scripts for the call centres to use during the initial part of the call rather than just at the point of sale.
