PPI claims company fined £120,000 by the ICO for spam texts
Will a data controller be held responsible where a third party acting on its behalf breaches data privacy laws?
Hall and Hanley Ltd (H&H) is a PPI claims management company based in Manchester. Between 1 January 2018 and 26 June 2018, it engaged third parties (the Third Parties) to send direct marketing text messages on its behalf. In total, 3,560,211 such messages were sent by the Third Parties over the period.
The ICO received a total of 1,353 complaints about the messages sent on behalf of H&H. The complaints stated that the messages had been sent unsolicited and without the recipients’ consent. In many cases the recipients had never had PPI insurance.
The ICO sent an initial investigation letter to H&H on 12 July 2018, questioning whether H&H’s practices were compliant with the Data Protection Act (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
H&H responded that it used the Third Parties to (a) obtain the data or consent of the individuals to whom it intended to advertise its products and (b) send the direct marketing messages. The ICO reviewed the privacy policies of the four websites which the Third Parties used to obtain the relevant data. Two of the websites made no reference to H&H. The other two did include H&H; however, potential subscribers were not given an option to select which third parties were allowed to contact them or their preferred method of contact.
The ICO found that H&H had contravened regulation 22 of PECR and imposed a monetary penalty of £120,000. Regulation 22 prevents any person or company from transmitting or instigating the transmission of unsolicited electronic direct marketing communications without the recipient’s prior consent. Although H&H had not sent the messages itself, it was the instigator of the direct marketing. As such, it had a responsibility to ensure that valid (direct or indirect) consent to send those messages had been obtained.
The ICO’s guidance states that indirect consent will only be valid if it is sufficiently clear and specific, so that the customer anticipates that the relevant organisation will have access to their details and be able to message them. None of the four websites used by the Third Parties were sufficiently clear and specific that H&H would be able to contact the subscribers. This satisfied the ICO that H&H did not have the necessary valid consent for the 3,560,211 direct marketing messages which were sent on its behalf to customers of the websites used by the Third Parties.
Why is this important?
The ICO held that H&H did not deliberately contravene regulation 22 of PECR. Instead, it found that H&H acted negligently and failed to take reasonable steps to prevent the Third Parties from contravening regulation 22. The case highlights why data controllers must properly scrutinise any third parties they engage to act on their behalf.
Any practical tips?
This decision demonstrates the vital importance of obtaining informed consent before using consumers’ contact details for electronic direct marketing purposes. Data controllers should also verify the methods used by any third parties they engage on their behalf, as the H&H decision shows that they will ultimately be held responsible for any deficiencies in the third parties’ conduct. So, in addition to ensuring that the right data processing agreements are in place, make sure practical steps (such as due diligence into third parties, active audits, etc.) are taken. Passing the buck just won’t wash!