Pensions company fined for unsolicited emails following inaccurate advice
How far can you avoid culpability for a data marketing data breach on the grounds that you were given faulty legal advice or that a third party conducted the marketing campaign on your behalf?
Grove Pension Solutions Ltd, a pensions company in Kent, sent nearly two million direct marketing emails without consent between 31 October 2016 and 31 October 2017. The company had instructed a marketing agent to use third party email providers to carry out hosted marketing campaigns.
The pensions company had sought independent legal advice as well as professional advice from a data protection consultancy about the use of hosted marketing. The company acted on the inaccurate advice it received, leading to the action by the ICO.The decision
Ultimately, the Part 36 offer was an offer which the Defendants could not accept as they “would have to pay all the costs to the case up to that date”, not just the costs relating to documents. As a result, Birss J concluded that it would be “unjust” to enforce the consequences of the Part 36 offer as:
“…the Part 36 offer itself was not a genuine offer to settle. In fact, if anything, I think the offer has proved to be a barrier to settlement of this dispute because since the offer was made and not accepted and then the admissions were made, the claimants seem to have been approaching this case as if they were entirely protected as to costs.”
Birss J concluded that Invista should pay 71% of the Defendants’ costs assessed on a standard basis. The 29% reduction in the percentage of costs awarded was to take into account that Invista had limited success in relation to documents in the main proceedings.
The ICO's decision
The fact that the company had sought professional advice, which was inaccurate, did not prevent the ICO from issuing a £40,000 fine. The ICO’s Director of Investigations and Intelligence, Andy White, said:
“We acknowledge that Grove Pension Solutions Ltd took steps to check that their marketing activity was within the law, but received misleading advice. However, ultimately, they are responsible for ensuring they comply with the law and they were in breach of it”.
Moreover, Mr White added that the ICO is available to provide businesses with guidance about electronic marketing and data protection, free of charge. He stated that the company could have contacted the ICO for guidance to avoid the fine.
Why is this important?
This decision is important for two reasons. First, it shows that obtaining erroneous legal or other professional advice for the purpose of navigating electronic marketing and data protection rules will not render you immune to an adverse finding by the ICO. Secondly, the ICO’s decision clarifies that the rule that organisations cannot generally send marketing emails unless recipients have given consent applies equally to those situations where an organisation uses a third party to send direct marketing on its behalf.
Any practical tips?
Ensure that you instruct reputable firms for legal advice in relation to electronic marketing and data protection regulations. And don’t think that using a third party provider to conduct a marketing campaign on your behalf will somehow excuse you if that campaign is somehow conducted in breach of data regulation.