Abstract of machinery with blue tint.

PPI claims company fined £120,000 by the ICO for spam texts

Published on 04 July 2019

Will a data controller be held responsible where a third party acting on its behalf breaches data privacy laws?

The background

Hall and Hanley Ltd (H&H) is a PPI claims management company based in Manchester. Between 1 January 2018 and 26 June 2018, it engaged third parties (the Third Parties) to send direct marketing text messages on its behalf. In total, 3,560,211 such messages were sent by the Third Parties over the period.

The ICO received a total of 1,353 complaints about the messages sent on behalf of H&H. The complaints stated that the messages had been sent unsolicited and without the recipients’ consent. In many cases the recipients had never had PPI insurance.

The ICO sent an initial investigation letter to H&H on 12 July 2018, questioning whether H&H’s practices were compliant with the Data Protection Act (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

H&H responded that it used the Third Parties to (a) obtain the data or consent of the individuals to whom it intended to advertise its products and (b) send the direct marketing messages. The ICO reviewed the privacy policies of the four websites which the Third Parties used to obtain the relevant data. Two of the websites made no reference to H&H. The other two did include H&H; however, potential subscribers were not given an option to select which third parties were allowed to contact them or their preferred method of contact.

The decision

The ICO found that H&H had contravened regulation 22 of PECR and imposed a monetary penalty of £120,000. Regulation 22 prevents any person or company from transmitting or instigating the transmission of unsolicited electronic direct marketing communications without the recipient’s prior consent. Although H&H had not sent the messages itself, it was the instigator of the direct marketing. As such, it had a responsibility to ensure that valid (direct or indirect) consent to send those messages had been obtained.

The ICO’s guidance states that indirect consent will only be valid if it is sufficiently clear and specific, so that the customer anticipates that the relevant organisation will have access to their details and be able to message them. None of the four websites used by the Third Parties were sufficiently clear and specific that H&H would be able to contact them. This satisfied the ICO that H&H did not have the necessary valid consent for the 3,560,211 direct marketing messages which were sent to customers of the websites used by the Third Parties on its behalf.

Why is this important?

This decision emphasises that the ICO will proactively clamp down on organisations which intrude on consumers’ privacy. What is particularly interesting in this example is that two of the four websites used by the Third Parties to obtain data used in the direct marketing messages actually included H&H in their privacy policies. However, the ICO confirmed that consent will not be valid where individuals are not properly informed as to what they are consenting to. The monetary penalty notice explained that consent will not be valid where individuals are asked to agree to marketing using generic terms like “selected third parties” or a “long, seemingly exhaustive list of general categories of organisations”. It will also not be valid where a privacy policy fails to provide any information or choice on the method of contact the different companies they listed might use.

The ICO held that H&H did not deliberately contravene regulation 22 of PECR. Instead, it found that H&H acted negligently and failed to take reasonable steps to prevent the Third Parties from contravening regulation 22. The case highlights why data controllers must properly scrutinise any third parties they engage to act on their behalf. 

Any practical tips?

This decision demonstrates the vital importance of obtaining informed consent before using consumers’ contact details for electronic direct marketing purposes. Data controllers should also verify the methods used by any third parties they engage on their behalf, as the H&H decision shows that they will ultimately be held responsible for any deficiencies in the third parties’ conduct. So, in addition to ensuring that the right data processing agreements are in place, make sure practical steps (such as due diligence into third parties, actively audits etc) etc) are taken. Passing the buck just won’t wash!