ICO Enforcement Updates (PECR)

The ICO has fined four companies for illegal direct marketing under PECR and has also issued two enforcement notices in December against a company and its director, who was also a sole trader. The fines collectively total £440,000 and relate to contraventions of Regulations 21-24 of PECR. Three of the fines were issued in January, whilst one of them was issued in August 2023 but has only just been published.

It is interesting to note that the ICO has already issued three fines relating to breaches of PECR one month into the year, continuing the trend of enforcement under PECR being the most active area for the regulator. Looking back at 2023, there were by our count 17 cases totalling £1.62m in penalties. Whilst the amounts involved in each individual case are relatively low compared to the rarer but more high-profile fines imposed for breaches of UK GDPR, that reflects the current maximum penalty of £500,000 available under PECR. This, however, is expected to change once the Data Protection and Digital Information Bill finishes its passage through the parliamentary process and becomes law. The proposed changes would increase the penalties available under PECR to align with those for breaches of UK GDPR, with breaches of Regulations 21-24 attracting a maximum penalty of £17,500,000 or 4% of the undertaking’s total annual worldwide turnover in the preceding financial year, whichever is higher. Whilst we would not expect cases of the type set out below to immediately attract penalties running into the millions of pounds under the new provisions, it is likely that there would be an escalation in maximum penalties, just as we saw when GDPR first introduced those higher maximum fines.

In respect of trends within the cases detailed below, it is apparent that the ICO continues to focus its enforcement efforts on areas it perceives to be of greatest harm to individuals; in this case, those involving people likely to be financially vulnerable. The penalty imposed against HelloFresh is also of note, as this is a more high-profile name than is often the case. It is of interest that a fine was considered appropriate even where the infringements were found to be negligent rather than deliberate, there was full co-operation and steps had been taken to improve their practices. This demonstrates the broad scope of regulatory risk for organisations conducting this type of marketing.

Cases in Detail

The four companies which received fines are as follows:

  • Grocery Delivery E-Services UK Ltd t/a HelloFresh (“HelloFresh”)
  • Skean Homes Ltd (“Skean”)
  • Poxell Ltd (“Poxell”)
  • L.A.D.H Limited (“LADH”)

The two enforcement notices issued without a fine were against Taipan Trading Ltd (“TTL”) and the sole trader, Daniel George Bentley. TTL, Daniel Bentley and LADH were found to be in contravention of Regulations 22 and 23 of PECR, HelloFresh was found to be in contravention of Regulation 22, and both Poxell and Skean were found to be in contravention of Regulations 21 and 24.

Rules relating to unsolicited marketing phone calls

Although generally an organisation does not need consent under PECR to make most types of live marketing calls to consumers, consent is needed if the recipient has objected or their number is listed on the TPS. The TPS is a statutory register, provided for by regulation 26 of PECR, and acts as a general objection to receiving live direct marketing calls for consumers (including sole traders and partnerships). Any phone number can be added to the list free of charge, and the listing will take effect once the number has appeared on the register for 28 days. Organisations that wish to make live marketing calls must check phone numbers against the TPS before making the calls. A similar register exists for corporate subscribers, the CTPS.

According to Regulation 21 of PECR, if a number appears on the TPS, then an organisation should not call that individual unless the individual has specifically informed the organisation that they want to receive that organisation’s marketing calls, thereby overriding their general objection. In practice, this means obtaining a consent where the individual has clearly and proactively notified the caller about their willingness to receive marketing calls from that specific caller. Callers cannot rely on individuals opting in to marketing communications generally (unless it is clear that it includes telephone calls) or individuals agreeing to receive marketing calls from “similar organisations”, “partners” or “selected third parties”. The ICO has published guidance on how to carry out direct marketing using live calls.

Regulation 24 of PECR requires that organisations making live marketing calls must display their number (or a valid alternative number) to the call recipient and the number must not be withheld. In addition, the organisation must say who is calling (name of the organisation) and provide contact details or a freephone number of the organisation if requested.

Rules relating to unsolicited marketing emails or texts

Regulation 22 of PECR requires that organisations do not transmit or instigate the transmission of unsolicited marketing emails or texts to individuals unless they have provided their prior consent or they are an existing customer who bought (or negotiated to buy) a similar product or service from the organisation previously and the organisation gave them a simple way to opt out both at the time their details were initially collected and in every message sent (i.e. the soft opt in exemption).

Regulation 23 of PECR requires that organisations do not transmit or instigate the transmission of unsolicited marketing emails or texts to individuals where (a) the identity of the organisation on whose behalf the message has been sent has been disguised or concealed; (b) a valid opt out address has not been provided; (c) the message would breach regulation 7 of the Electronic Commerce (EC Directive) Regulations 2002; or (d) the message encourages recipients to visit websites which contravene that regulation.

Further details on the fines and enforcement notices for the individual companies can be found below.

Taipan Trading Ltd and Daniel George Bentley – Unsolicited direct marketing SMS messages – Enforcement notices only

On 5 December 2023, the ICO issued enforcement notices against TTL and Daniel George Bentley (director of TTL and sole trader) for contravening Regulations 22 and 23 of PECR. Between 1 May 2022 and 21 October 2022, Daniel sent 2,261,352 direct marketing SMS messages to subscribers in contravention of Regulation 22 of PECR. Similarly, between 1 November 2022 and 31 July 2023, TTL (and/or Daniel as sole director) sent 304,071 direct marketing messages to subscribers, also in contravention of Regulation 22.

Daniel admitted, in correspondence seen by the ICO, that he could not obtain a sufficient quantity of data that would be of good enough quality legally to satisfy the needs of his business, which led him to send SMS messages “indiscriminately”, often using data obtained indirectly from third parties. The Commissioner was satisfied that neither TTL nor Daniel Bentley had valid consent for the direct marketing messages sent. In addition, both TTL and Daniel Bentley had contravened Regulation 23 of PECR, as Daniel used hundreds of unregistered pre-pay SIM cards and websites that did not correctly identify the sender or instigator of the messages and so was clearly attempting to hide his identity. As some of the messages included content relating to loans or debt solutions, the Commissioner considered that Daniel’s actions had the potential to cause damage to individuals who received them, especially if they were financially vulnerable.

HelloFresh – Unsolicited direct marketing emails and SMS messages – £140,000 fine and enforcement notice

On 11 January 2024, the ICO issued an enforcement notice and fined HelloFresh for sending 80,893,013 direct marketing messages between 23 August 2021 and 23 February 2022, of which 79,779,279 were emails and 1,113,734 were SMS messages, which were received by subscribers in contravention of Regulation 22 of PECR.

HelloFresh is an online meal order business that delivers ingredients and recipes in food boxes to its customers who subscribe to their service. The investigation by the ICO was launched following a review of data from the UK’s SPAM reporting service, which received 15,221 complaints between 27 September 2021 and 23 February 2022 regarding messages from HelloFresh.

In response to the initial investigation letter, HelloFresh stated that they had consent to contact such individuals. They detailed that they sent direct marketing messages to two groups of data subjects as follows: 1) Active UK customers – those with an active or paused subscription and 2) Reactivation customers – former customers with a cancelled subscription within the last 24 months but who had consented to receive SMS based marketing messages from the company.

The ICO found the consent statement relied upon by HelloFresh was not specific or informed, and so the messages sent were in contravention of Regulation 22 of PECR. This finding was based on the fact that:

  • HelloFresh did not mention that SMS would be used as a channel for direct marketing purposes in their request for consent;
  • The consent statement was not clear as it combined an age confirmation statement and consent to receive free samples with a consent for direct marketing via email; and
  • Customers were not given sufficient information that would make them aware that they would receive direct marketing messages up to 24 months after subscription cancellation.

The ICO did not find that this contravention was deliberate but did consider it to be negligent. The Commissioner also noted that HelloFresh had cooperated fully with the investigation and had taken steps to improve its marketing practices and customer journey after the investigation.

Skean – Unsolicited direct marketing calls – £100,000 fine and enforcement notice

On 11 January 2024, the ICO issued an enforcement notice and fined Skean for making 614,342 unsolicited direct marketing calls to subscribers where their number was listed on the TPS in contravention of Regulation 21 of PECR. In addition, Skean did not identify themselves in accordance with Regulation 24 of PECR during such calls.

Skean came to the attention of the ICO during an operation in 2022 to assess and analyse complaint trends in relation to the energy and home improvement sector. Skean is a home improvement company focussing on energy efficiency in an attempt to reduce household bills. The ICO received 20 complaints about direct marketing calls from Skean and the TPS received 11 complaints.

During the investigation, Skean responded to the ICO letting them know that data was sourced by a lead generator which conducted lifestyle surveys and if an individual expressed their interest in a service, their details would be passed to a team elsewhere to make a follow up call or arrange an appointment for the service required. The data was supplied to Skean only once an appointment was made.

However, Skean was not named in the survey, and they thereby admitted that they did not have the consent required for those listed on the TPS register. They said that the recipients of the calls had stated that they would like to hear from a home improvement company and had arranged an appointment; however, Skean failed to provide any supporting evidence of this. Skean stated that they believed the company that arranged the appointment screened the calls against the TPS and ran a suppression list for anyone that expressed they did not wish to receive a further call. Although they stated it was their understanding that this complied with PECR, they failed to provide any evidence to show that they had carried out any due diligence checks to ensure compliance. They also failed to provide any policies or procedures relating to PECR compliance or staff training.

The Commissioner found that this contravention was negligent and did not identify any mitigating or aggravating features in this case.

Poxell – Unsolicited direct marketing calls – £150,000 fine and enforcement notice

On 3 August 2023, the ICO issued an enforcement notice and fined Poxell £150,000 for making 2,647,805 unsolicited direct marketing calls to subscribers where their number was listed on the TPS in contravention of Regulation 21 of PECR. In addition, Poxell did not identify themselves in accordance with Regulation 24 of PECR during such calls.

Similarly to Skean, Poxell came to the ICO’s attention as part of the same investigation to assess complaint trends in the energy and home improvements sector. Poxell operate as a construction and installation company specialising in energy saving products and services.

There were 203 complaints made to the TPS about Poxell and, within the same period, 210 complaints were submitted via the Commissioner’s Online Reporting Tool. Poxell did not respond to the investigation, and so the ICO found this to be a deliberate contravention of PECR. Other aggravating factors considered were that they had deliberately targeted vulnerable individuals and had used multiple Calling Line Identifications (“CLIs”) to avoid detection in a method known as “snowshoeing”.

LADH – Unsolicited direct marketing SMS messages – £50,000 fine and enforcement notice

On 11 January 2024, the ICO issued an enforcement notice and fined LADH £50,000 for sending 31,329 direct marketing SMS messages between 14 March 2022 and 30 April 2022 in contravention of Regulation 22 of PECR.

LADH is a company in the financial services sector, although due to their limited online presence the exact nature of the business is unclear. They came to the attention of the ICO as part of a wider operation to focus on organisations sending unsolicited direct marketing messages promoting debt advice and debt management solutions.

LADH failed to provide any evidence that the SMS messages sent were solicited or that recipients had notified LADH of their consent for the time being to receive such messages. Most of the messages submitted to the ICO did not contain an opportunity for individuals to opt out. In addition, LADH were found to be in contravention of Regulation 23 of PECR, as the only identifying information of the sender was the number, which could only be linked by the ICO to LADH by way of a third-party information notice.

Aggravating features considered were that the director of the company failed to engage and satisfactorily cooperate with the investigation and that, although the contravention period was relatively short, the weekly volume of SMS messages sent was relatively high and led to a significant number of complaints.
