|
|
| (2 intermediate revisions by one other user not shown) |
| Line 50: |
Line 50: |
| }} | | }} |
|
| |
|
| The UK DPA fined Leads Work Limited approximately €288,000 for sending unsolicitated direct marketing communication to individual subscribers. This breached Regulation 22 of the PECR. | | The UK DPA (ICO) fined Leads Work Limited approximately €288,000 for sending unsolicitated direct marketing communication to individual subscribers, in breach of Regulation 22 of the PECR. The ICO considered the GDPR's definition of consent. |
|
| |
|
| == English Summary == | | ==English Summary== |
|
| |
|
| === Facts === | | ===Facts=== |
| Leads Work Limited (LWL) operates within the "multi-level marketing" sector. It enlists downstream recruits under the Avon band name. | | Leads Work Limited (LWL) operates within the "multi-level marketing" sector. It enlists downstream recruits under the Avon band name. |
|
| |
|
| Line 67: |
Line 67: |
| LWL estimated that between May 2019 and May 2020, around 25 million texts were sent to individuals whose personal data was collected from the above websites. | | LWL estimated that between May 2019 and May 2020, around 25 million texts were sent to individuals whose personal data was collected from the above websites. |
|
| |
|
| === Dispute === | | ===Dispute=== |
| Is sending direct marketing texts to individuals without their consent in breach of Regulation 22 PECR? | | Is sending direct marketing texts to individuals without their consent in breach of Regulation 22 PECR? |
|
| |
|
| === Holding === | | ===Holding=== |
| The UK DPA recalled the wording of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as well as the definition of consent under Article 4(11) GDPR. | | The UK DPA recalled the wording of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as well as the definition of consent under Article 4(11) GDPR. |
|
| |
|
| Line 81: |
Line 81: |
| As a result of this infringement, the ICO imposed a fine of £250,000 (approx. €288,000) on Leads Work Limited. | | As a result of this infringement, the ICO imposed a fine of £250,000 (approx. €288,000) on Leads Work Limited. |
|
| |
|
| == Comment == | | ==Comment== |
| ''Share your comments here!'' | | ''Share your comments here!'' |
|
| |
|
| == Further Resources == | | ==Further Resources== |
| ''Share blogs or news articles here!'' | | ''Share blogs or news articles here!'' |
|
| |
|
| == English Machine Translation of the Decision == | | ==English Machine Translation of the Decision== |
| The decision below is a machine translation of the English original. Please refer to the English original for more details.
| | See the original source link for to access the decision in English. |
| | |
| <pre>
| |
| •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| | |
| DATA PROTECTION ACT 1998
| |
| | |
| | |
| SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER
| |
| | |
| | |
| MONETARY PENALTY NOTICE
| |
| | |
| | |
| | |
| To: Leads Work Limited
| |
| | |
| | |
| Of: Suite C Underwood House, 235 Three Bridges Road, Crawley,
| |
| West Sussex RH10 1LU
| |
| | |
| | |
| | |
| | |
| 1. The InformationCommissioner ("Commissioner")has decided to issue
| |
| | |
| Leads Work Limited ("LWL") with a monetary penalty under section
| |
| SSA of the Data Protection Act 1998 ("DPA"). The penalty is in relation
| |
| | |
| to a serious contravention of regulation 22 of the Privacy and Electronic
| |
| | |
| Communications (EC Directive) Regulations 2003 ("PECR").
| |
| | |
| | |
| 2. This notice explains the Commissioner's decision.
| |
| | |
| | |
| Legal framework
| |
| | |
| | |
| 3. LWL, whose registered office is given above (companies house
| |
| | |
| registration number: 10853169), is the organisation (person) stated in
| |
| this notice to have transmitunsolicited communicatioby means
| |
| | |
| of electronic mail to individual subscribers for the purposes of direct
| |
| marketing contrary to regulation 22 of PECR.
| |
| | |
| | |
| | |
| 4. Regulation 22 of PECRprovides that:
| |
| | |
| | |
| 1 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| "(l)This regulation applies to the transmission of unsolicited
| |
| communications by means of electronic mail to individual subscribers.
| |
| | |
| | |
| (2) Except in the circumstances referred to in paragraph (3), a person
| |
| shall neither transmitnor instigate the transmission of, unsolicited
| |
| | |
| communications for the purposes of direct marketing by means of
| |
| electronic mail unless the recipient of the electronic mail has previously
| |
| | |
| notified the sender that he consents for the time being to such
| |
| | |
| communications being sent by, or at the instigation of, the sender.
| |
| | |
| | |
| (3) A person may send or instigate the sending of electronic mail for
| |
| the purposes of direct marketing where -
| |
| | |
| | |
| | |
| (a) That person has obtained the contact details of the recipient of
| |
| that electronic mail in the course of the sale or negotiations for
| |
| | |
| the sale of a product or device to that recipient;
| |
| (b) The direct marketing is in respect of that person's similar
| |
| | |
| products and services only; and
| |
| (c) The recipient has been given a simple means of refusing (free of
| |
| | |
| charge except for the costs of transmission of the refusal) the
| |
| | |
| use of his contact details for the purposes of such direct
| |
| marketing, at the time that the details were initially collected,
| |
| | |
| and, where he did not initially refuse the use of the details, at the
| |
| time of each subsequent communication.
| |
| | |
| | |
| (4) A subscriber shall not permit his line to be used in contraventofn
| |
| | |
| paragraph (2)."
| |
| | |
| | |
| 5. Section 122(5) of the DPA 2018 defines "direct marketing" as "the
| |
| | |
| communication (by whatever means) of any advertising material which
| |
| | |
| | |
| | |
| 2 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| is directed to particular individualThis definition also applies for the
| |
| purposes of PECR.
| |
| | |
| | |
| 6. "Electronic mail" is defined in regulation 2(1) PECRas" any text, voice,
| |
| | |
| sound or image sent over a public electronic communications network
| |
| | |
| which can be stored in the network or in the recipient's terminal
| |
| equipment until it is collected by the recipient and includes messages
| |
| | |
| sent using a short message service".
| |
| | |
| | |
| 7. Consent is defined in Article 4(11) the General Data Protection
| |
| | |
| Regulation 2016/679 as "any freely given, specific, informed and
| |
| unambiguous indication of the data subject's wishes by which he or
| |
| | |
| she, by a statement or by a clear affirmativaction, signifies
| |
| | |
| agreement to the processing of personal data relating to him or her".
| |
| | |
| 8. Section SSA of the DPA (as amended by the Privacy and Electronic
| |
| | |
| Communications (EC Directive)(Amendment) Regulations 2011 and the
| |
| | |
| Privacy and Electronic Communications (EC Directive) (Amendment)
| |
| Regulations 2015) states:
| |
| | |
| | |
| "(l) The Commissioner may serve a person with a monetary penalty if
| |
| | |
| the Commissioner is satisfied that -
| |
| | |
| (a) there has been a serious contraventionof the requirements
| |
| | |
| of the Privacy and Electronic Communications (EC
| |
| Directive) Regulations 2003 by the person, and
| |
| | |
| (b) subsection (2) or (3) applies.
| |
| | |
| (2) This subsection applies if the contraventiwas deliberate.
| |
| | |
| (3) This subsection applies if the person -
| |
| | |
| (a) knew or ought to have known that there was a risk that
| |
| | |
| the contravention would occur, but
| |
| | |
| 3 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| (b) failed to take reasonable steps to prevent the
| |
| contravention."
| |
| | |
| | |
| 9. The Commissioner has issued statutory guidance under section SSC (1)
| |
| | |
| of the DPA about the issuing of monetary penalties that has been
| |
| published on the ICO's website. The Data Protection (Monetary
| |
| | |
| Penalties)(Maximum Penalty and Notices) Regulations 2010 prescribe
| |
| | |
| that the amount of any penalty determined by the Commissioner must
| |
| not exceed £500,000.
| |
| | |
| | |
| 10. PECRimplements European legislation (Directive 2002/58/EC) aimed at
| |
| | |
| the protection of the individual's fundamentright to privacy in the
| |
| | |
| electronic communications sector. PECRwas amended for the purpose
| |
| of giving effect to Directive 2009/136/which amended and
| |
| | |
| strengthened the 2002 provisions. The Commissioner approaches PECR
| |
| so as to give effect to the Directives.
| |
| | |
| | |
| | |
| 11. The provisionsof the DPA remain in force for the purposes of PECR
| |
| notwithstanding the introductioof the Data Protection Act 2018 (see
| |
| | |
| paragraph 58(1) of part 9, Schedule 20 of that Act).
| |
| | |
| | |
| | |
| Background to the case
| |
| | |
| | |
| | |
| 12. LWL is a lead generation company which operates primarily in the
| |
| | |
| 'multi-levemarketing' sector. It generates leads under the Avon brand
| |
| for the purpose of enlisting downstream recruits, and which are passed
| |
| | |
| directly to independent Avon sales representatives.
| |
| | |
| | |
| | |
| | |
| | |
| 4 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| 13. LWL first came to the attention of the Commissioner in connection with
| |
| | |
| complaints about text messages seemingly sent by Avon Cosmetics
| |
| | |
| Limited ("Avon"). The investigatifound that Avon did not send or
| |
| instigate the texts. LWL were contacted, but not investigated at that
| |
| | |
| time.
| |
| | |
| | |
| 14. LWL came to the attention of the Commissioner again during the Covid-
| |
| 19 pandemic, when a significant number of complaints were received
| |
| | |
| about the following text message:
| |
| | |
| | |
| In lockdown and want to earn extra cash? Avon is now FULLY ONLINE,
| |
| | |
| FREE to do and paid weekly. Reply with your name for info. 18+ only.
| |
| Text STOP to opt out.
| |
| | |
| | |
| 15. Between 14 April 2020 and 14 May 2020, 835 complaints were received
| |
| | |
| by the 7726 SPAM reporting tool. Significant daily totals of complaints
| |
| were also seen, including 329 on 13 May 2020, 345 on 14 May 2020
| |
| | |
| and 370 on 15 May 2020.
| |
| | |
| | |
| 16. Given the rapid rise in complaint volumes, and as LWL were known to
| |
| | |
| send messages of this type, the Commissioner contacted LWL by
| |
| telephone on 13 May 2020, who confirmed that the messages had been
| |
| | |
| sent by LWL. This was subsequently supported by evidence from LWL's
| |
| mobile network provider.
| |
| | |
| | |
| 17. On 15 May 2020, the ICO sent an investigatioletter to LWL detailing
| |
| | |
| the Commissioner's concerns regarding LWL's compliance with PECR,
| |
| and containing a number of enquiries. The letter attached an index of
| |
| | |
| complaints received both by the 7726 SPAM reporting service, and by
| |
| | |
| the ICO.
| |
| | |
| | |
| 5 •
| |
| | |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| 18. On 4 June 2020, the ICO received a response from LWL. This provided
| |
| a list of CLI's used by LWL and text volumes, identified the bodies of 19
| |
| | |
| different texts sent, and confirmation that texts were sent internally
| |
| | |
| through a platform operated by LWL. LWL explained that data was both
| |
| purchased from third parties and driven to websites such as
| |
| | |
| 'Avon.leadswork.co.uk'. The third parties from whom data was
| |
| | |
| purchased were said to be' , - -
| |
| - and _,_ Advertising was also operated extensively on
| |
| | |
| '-,--and--'·
| |
| | |
| | |
| 19. In response to enquiries about contractual agreements, LWL stated that
| |
| | |
| before working with a partner they 'review their terms and conditions
| |
| and see the URL where the opt-in will occur', later adding that they also
| |
| | |
| go through the registration process on a test basis to ensure necessary
| |
| | |
| opt-ins were present. No contractual agreements were said to be in
| |
| place or provided. LWL said that they had generated leads for Avon
| |
| | |
| representatives for a 'very long time'.
| |
| | |
| | |
| 20. A review by the Commissioner of the information provided by LWL
| |
| | |
| revealed that its dominant data supplier was - - whose data
| |
| | |
| capture website was' '. This website consists of a
| |
| landing page to opt-in, a privacy notice, and an option to unsubscribe.
| |
| | |
| The website states that it is 'part of the - • - _',
| |
| | |
| which is a company quite distinct from - -· LWL is named in
| |
| the consent statement; by clicking the 'partners' link in the consent
| |
| | |
| statement, individuals are directed to the privacy policy in which LWL
| |
| are named in the 'marketing service providers' section.A further link
| |
| | |
| to 'direct clients' presents individuals with a further list of 457 distinct
| |
| | |
| organisations from whom individuals may expect to receive marketing,
| |
| in which LWL is not included. The website does not allow individuals to
| |
| | |
| submit their details without checking 'at least one' marketing channel.
| |
| | |
| 6 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| Furthermore, the website is vague and confusing given the discursive
| |
| | |
| and lengthy nature of the consent statement and the extensive list of
| |
| | |
| sectors and companies contained within both it and the privacy policy.
| |
| For these reasons the Commissioner concluded that consent was not
| |
| | |
| freely given, specific and informed.
| |
| | |
| | |
| 21. In response to a request by the Commissioner for evidence of consent,
| |
| LWL explained that a suppression list was in place should anyone reply
| |
| | |
| 'Stop' to a message. In respect of the customer journey LWL explained
| |
| that should a customer consent to be contacted by LWL then they are
| |
| | |
| sent an initial message asking whether they want to be contacted by a
| |
| local Avon representativeIf they respond positively then their data is
| |
| | |
| shared with the local representative.
| |
| | |
| | |
| 22. LWL provided the Commissioner with a 'GDPR pack' containing a Data
| |
| | |
| Protection Impact Assessment ("DPIA") and a 'company compliance
| |
| document'. The latter discusses LWL's data protection obligations as a
| |
| | |
| company, and whilst robust for the purpose it sets out to achieve, at no
| |
| point is PECRreferenced. The DPIA, dated 20 October 2019, explicitly
| |
| | |
| refersto PECRand consent, acknowledges that there is a 'degree of
| |
| public concern over personal data sales', and refers to regulatory action
| |
| | |
| by the ICO.
| |
| | |
| | |
| 23. LWL proclaimed their membership of 'S.H.I.E.L.D.' as an indicator of
| |
| | |
| their compliance. This is a scheme operated by a law firm who appear
| |
| to audit companies' GDPR compliance, and if deemed compliant, they
| |
| | |
| are entered into the scheme. No evidence of due diligence conducted
| |
| by this law firm on behalf of the company has been provided by LWL.
| |
| | |
| | |
| | |
| 24. Having reviewed LWL's response, the Commissioner sent a further set
| |
| of detailed enquiries to LWL on 9 June 2020, attaching evidence of an
| |
| | |
| 7 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| additional 8,089 complaints identified through the 7726 SPAM reporting
| |
| system since the initial enquiries were sent.
| |
| | |
| | |
| 25. A substantive response was provided by LWL on 19 June 2020. This
| |
| | |
| included the body of 64 distinct texts sent during the investigation
| |
| | |
| period (over three times the amount identified in LWL's initial
| |
| response). As was seen from those messages, LWL did not identify
| |
| | |
| itself as the sender. LWL also provided volumes of data purchased since
| |
| | |
| 1 May 2019. Further capture domains were identified. In particular,
| |
| was identified as also capturing the data that -
| |
| | |
| - supplied. LWL prefaced this by stating that they were previously
| |
| unaware of this website being a capture domain, and so had
| |
| | |
| immediately enquired as to the compliance and opt-in of this website.
| |
| | |
| It was explained that this website directs individuals to a registration
| |
| page where their details are inputted, and agreement to the privacy
| |
| | |
| policy obtained.LWL stated that lawyers had been involved in creation
| |
| of the website's legal framework on behalf of another client, and so
| |
| | |
| were confident it would be compliant.
| |
| | |
| | |
| 26. The Commissioner reviewed the privacy policy on '
| |
| | |
| which has granular opt-ins for each channel and a third party opt-in.
| |
| The policy states that the website is owned and operated by a
| |
| | |
| differentlynamed company than - ., who sold the data to
| |
| | |
| LWL. The third party opt-in on the registratiopage contains a link to
| |
| 'partners' where 16 companies are listed, in which LWL does not
| |
| | |
| appear. LWL does appear in the privacy policy, in a list of 7 'marketing
| |
| | |
| service providers'. A further 442 companies are then listed under 'direct
| |
| clients' followed by the following statement"at registration you have
| |
| | |
| the option to opt-in to sponsors of our website". The Commissioner
| |
| found the consent statements to be vague and confusing. Further, LWL
| |
| | |
| are not named at the point of consent and in view of the extensive list
| |
| | |
| 8 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| of companies in the privacy policy, the Commissioner considered that
| |
| | |
| consent was not specific or informed.
| |
| | |
| | |
| 27. Data was also stated to be purchased by LWL from ,. -
| |
| _, ('-"), the second largest of LWL's data suppliers, through
| |
| | |
| websites' 'and' '. These sites
| |
| share the same vague consent statement, which contains a link to
| |
| | |
| identical privacy policies. The privacy policies contain no distinguishable
| |
| | |
| 'third party policy' and lists approximat40 companies with whom
| |
| data may be shared. LWL are not listed in the privacy policy, instead
| |
| | |
| 'UK - Avon' are listed; this listing is hyperlinked to LWL's privacy policy.
| |
| In representationsmade to the Commissioner in response to the Notice
| |
| | |
| of Intent, LWL provided a letter from - which stated that LWL
| |
| should be considered to fall within the category of 'health and beauty
| |
| | |
| tips'.Given that LWL are not directly named in any list, and the
| |
| policies are convoluted, individuals could not reasonably be expected to
| |
| | |
| know that LWL were linked to Avon. For the reasons above the
| |
| Commissioner found that the consent statements did not constitute
| |
| | |
| informed and specific consent.
| |
| | |
| | |
| 28. In relation to the volume of texts sent to each data source, LWL stated
| |
| it was not possible to produce an entirely accurate figure, however
| |
| | |
| provided an approximation of volumes in a further email to the
| |
| | |
| Commissioner dated 24 June 2020. Between 1 May 2019 and 15 May
| |
| 2020 LWL approximated that it sent in excess of 25 million texts to
| |
| | |
| data sourced from __ , --- and•••· The vast
| |
| majority of the texts, as well as the complaints evidenced in the
| |
| | |
| Commissioner's second investigation letter, were related to data
| |
| | |
| supplied by --·
| |
| | |
| | |
| | |
| 9 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| 29. A further request for information was sent by the Commissioner to LWL
| |
| | |
| on 26 June 2020 seeking evidence of consent in relation to another
| |
| 4,703 complaints received through the 7726 SPAM reporting service,
| |
| | |
| information regarding data supplier'••• ,and an accurate
| |
| number of texts sent though each source between 16 May 2020 and 26
| |
| | |
| June 2020.
| |
| | |
| | |
| 30. LWL's director responded on 3 July 2020, providing further opt-ins. In
| |
| relation to he said the use of this data preceded his time as
| |
| | |
| director, and so would need to contact directly or his
| |
| predecessors for information.
| |
| | |
| | |
| 31. LWL went onto verify that between 16 May 2020 and 26 June 2020, a
| |
| | |
| total of 3,486,716 messages were sent, of which 3,327,573 were
| |
| received. Of these,3,013,096 texts were sent, and 2,670,140
| |
| | |
| connected, to data sourced by -- and ---
| |
| (comprising 1,911,493 to -- data and 758,647 to'-
| |
| | |
| -'data).
| |
| | |
| | |
| 32. On 10 July 2020 LWL supplied the Commissioner with information
| |
| regarding the ' ' data source. LWL identified the domains used
| |
| | |
| by '(also used by -- and
| |
| previously reviewed by the Commissioner - see para. 20 above) and
| |
| | |
| '. Thelatter is operated by - - and its
| |
| consent statement lists 240 companies who may contact individuals.
| |
| | |
| LWL are not included in the list. The privacy policy does name LWL, but
| |
| within a list of hundreds of other sponsors. The Commissioner found
| |
| | |
| that consent in those circumstances was not specific and informed.
| |
| | |
| | |
| 33. In conclusion the Commissioner considers that LWL relied upon invalid
| |
| consents to send direct marketing texts to individuals whose data was
| |
| | |
| 10 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| sourced by __ , ___ , and
| |
| LWL's business
| |
| model is inextricably linked to direct marketing, and whilst it did make
| |
| | |
| some attempt to comply with data protection legislation, it had no
| |
| discernible policiesr procedures relevant to PECRcompliance, and any
| |
| | |
| due diligence was insufficient.
| |
| | |
| | |
| 34. During the period 16 May 2020 to 26 June 2020, a total of 12,281
| |
| | |
| complaints from 11,733 individuals about unsolicited texts from LWL
| |
| | |
| were received via the 7726 reporting service. 4 complaints were
| |
| received though the Commissioner's online reporting tool. The vast
| |
| | |
| majority of complaints (10,570) relate to data sourced by - -·
| |
| It is also noteworthy that LWL began receiving a significant number of
| |
| | |
| complaints from May 2020 onwards, shortly after the UK entered
| |
| | |
| lockdown in response to the pandemic.
| |
| | |
| | |
| 35. The Commissioner has made the above findings of fact on the balance
| |
| of probabilities.
| |
| | |
| | |
| 36. The Commissioner has considered whether those facts constitute a
| |
| | |
| contravention of regulation 22 of PECRby LWL and, if so, whether the
| |
| conditions of section SSA DPA are satisfied.
| |
| | |
| | |
| The contravention
| |
| | |
| | |
| | |
| 37. The Commissioner finds that LWL has contravened Regulation 22 of
| |
| PECR.The Commissioner finds that the contravention was as follows:
| |
| | |
| | |
| 38. Between 16 May 2020 and 26 June 2020 LWL transmitted 2,670,140
| |
| texts over a public electronic communicationnetwork by means of
| |
| | |
| electronic mail to individual subscribers for the purposes of direct
| |
| | |
| marketing contrary to regulation 22 of PECR.
| |
| | |
| | |
| 11 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| 39. Organisations cannot generally send marketing texts unless the
| |
| recipient has notified the sender that they consent to such texts being
| |
| | |
| sent by, or at the instigation of, that sender.
| |
| | |
| 40. The Commissioner is satisfied that the consent relied on by
| |
| | |
| LWL did not amount to valid consent for the purposes of regulation 22
| |
| | |
| PECR.
| |
| | |
| 41. The Commissioner is satisfied that LWL was responsible for this
| |
| | |
| contravention.
| |
| | |
| 42. The Commissioner has gone on to consider whether the conditions
| |
| | |
| under section SSA DPA were met.
| |
| | |
| | |
| Seriousness of the contravention
| |
| | |
| | |
| | |
| 43. The Commissioner is satisfied that the contraventioidentified above
| |
| was serious.
| |
| | |
| | |
| 44. This is because LWL sent 2,670,140 marketing text messages to
| |
| | |
| individuals without their consent, resulting in excess of 10,000
| |
| | |
| complaints, over a period of 41 days. The volume of texts and
| |
| complaints over such a short period is substantial. Indeed, the
| |
| | |
| Commissioner would go so far as to say that the ratio of complaints to
| |
| the volume of data subjects in receipt of unlawful texts far exceeds any
| |
| | |
| contravention she has witnessed to date.
| |
| | |
| | |
| 45. It is reasonable to suppose that the volume of contraventionis
| |
| | |
| actually significantly higher, and spanned a broader period of time. LWL
| |
| | |
| approximated that during the period 1 May 2019 and 15 May 2020, it
| |
| sent 17.23 million texts to--data, 6.43 million texts to.
| |
| | |
| -- data and 1.37 million texts to data. All these data
| |
| | |
| 12 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| sources have been deemed non-compliant, however as LWL's system
| |
| overwrites data after a period of time, LWL have been unable to verify
| |
| | |
| these figures.
| |
| | |
| | |
| 46. The Commissioner's Direct Marketing Guidance available on the ICO's
| |
| | |
| website states that: "Organisations can generally only send marketing
| |
| texts or emails to individuals (including sole traders and some
| |
| | |
| partnerships) if that person has specifically consented to receiving
| |
| | |
| them". Point 60 of the Guidance refers to the fact that freely given
| |
| consent should be demonstrated where it is the "condition of
| |
| | |
| subscribing to a service", however it is apparent that consent is not
| |
| freely given in the case of data sourced by - - (LWL's largest
| |
| | |
| provider of data) through ' ', because individuals are
| |
| | |
| not able to register without subscribing to at least one marketing
| |
| channel.
| |
| | |
| | |
| 47. Furthermore, the Commissioner's guidance in relation to PECRstates
| |
| | |
| that "making a large number of marketing calls based on recorded
| |
| | |
| messages or sending large numbers of marketing text messages to
| |
| individuals who have not consented to receive them [...] is likely to
| |
| | |
| constitute a serious contraventioof the Regulations".
| |
| | |
| | |
| 48. The Commissioner is therefore satisfied that condition (a) from section
| |
| | |
| SSA (1) DPA is met.
| |
| | |
| | |
| Deliberate or foreseeable contravention
| |
| | |
| | |
| 49. The Commissioner has considered whether the contravention identified
| |
| | |
| above was deliberate. In the Commissioner's view, this means that
| |
| LWL's actions which constituted that contraventionwere deliberate
| |
| | |
| | |
| | |
| 13 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| actions (even if LWL did not actually intethereby to contravene
| |
| PECR).
| |
| | |
| | |
| 50. The Commissioner considers that in this case that LWL's actions were
| |
| | |
| deliberate, as despite having been notified that it was under
| |
| | |
| investigatioby the Commissioner, and given her concerns about
| |
| LWL's compliance with PECR, LWL has continued its marketing
| |
| | |
| campaign without making any adjustments to its business model. LWL
| |
| | |
| continues to send unlawful text messages even after the investigation
| |
| was completed, and a Notice of Intent served upon LWL in which it's
| |
| | |
| practices were deemed non-compliant.
| |
| | |
| | |
| 51. Further, and in the alternatithe Commissioner has gone on to
| |
| | |
| consider whether the contraventionidentified above was negligent.
| |
| | |
| | |
| 52. First, she has considered whether LWL knew or ought reasonably to
| |
| have known that there was a risk that this contraventiowould occur.
| |
| | |
| She is satisfiedhat this condition is met, given that LWL's business
| |
| | |
| model relied heavily on direct marketing.
| |
| | |
| | |
| 53. LWL is registered with the ICO as a data controller and as such should
| |
| be aware of the Regulations.As the sender of the texts it was the
| |
| | |
| responsibility of LWL to ensure valid consent had been obtained prior to
| |
| | |
| their transmission.
| |
| | |
| | |
| 54. The Commissioner has published detailed guidance for those carrying
| |
| | |
| out direct marketing explaining their legal obligations under PECR.This
| |
| guidance explains the circumstances under which organisations are
| |
| | |
| able to carry out marketing over the phone, by text, by email, by post,
| |
| or by fax.
| |
| | |
| | |
| | |
| 14 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| 55. Furthermore, the issue of unsolicited marketing has been widely
| |
| publicised by the media as being a problem.
| |
| | |
| | |
| 56. LWL had a DPIA in place dated 20 October 2019 which demonstrates
| |
| | |
| awareness on the part of LWL as to its statutory obligatioIt.contains
| |
| | |
| the following statement:
| |
| | |
| LW have considered the fact that there is a degree of public concern
| |
| over the sales of personal data. The legislation is clear on the point of
| |
| consent and the subsequent enforcement action brought by the
| |
| | |
| Regulator (ICO) has reinforced the legislation and demonstrated a clear
| |
| pathway to take for businesses engaged in the sale of personal data
| |
| | |
| This unambiguously references public concern regarding data sales,
| |
| | |
| and an awareness of enforcement action taken by the ICO.
| |
| | |
| | |
| 57. It is therefore reasonable to suppose that LWL knew or ought
| |
| | |
| reasonably to have known that there was a risk that these
| |
| contraventions would occur.
| |
| | |
| | |
| | |
| 58. The Commissioner has also considered whether LWL failed to take
| |
| reasonable steps to prevent the contraventions.
| |
| | |
| | |
| 59. Reasonable steps could have included seeking appropriate guidance on
| |
| the rules in relation to electronic direct marketing and ensuring the
| |
| | |
| consent on which it sought to rely on was valid, putting in place
| |
| | |
| contractual arrangements to ensure the veracity of the data, and
| |
| conducting sufficient due diligence in relation to its data providers.
| |
| | |
| | |
| 60. In this case, LWL failed to put in place contractual arrangements with
| |
| data suppliers despite sourcing significant volumes of data from these
| |
| | |
| suppliers. Any due diligence appears to be minimal and there is a lack
| |
| | |
| of evidence in relation to thisBy their own admission, LWL conducted
| |
| most of their due diligence checks on ' ', by looking
| |
| | |
| 15 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| at the website and testing the registration pages, however had these
| |
| checks been sufficient LWL should have known that the website was
| |
| | |
| non-compliant. In fact, LWL only became aware of a page that sourced
| |
| | |
| a significantmount of-- data when the ICO investigation
| |
| commenced. LWL purports to rely on their entry to the S.H.I.E.L.D.
| |
| | |
| scheme as reassurance of compliance, however no evidence in relation
| |
| to this has been provided.
| |
| | |
| | |
| | |
| 61. LWL appear to have placed great reliance upon due diligence
| |
| conducted by third parties in relation to data capture websites, and the
| |
| | |
| fact that there had been legal input from lawyers engaged by other
| |
| organisations who also utilised those same websites. LWL have
| |
| | |
| provided minimal evidence in relation to any due diligence provided by
| |
| | |
| others and appear to have assumed that as others were reliant upon it,
| |
| then their own business model must also have been compliant. It would
| |
| | |
| have been reasonable for LWL to carry out its own checks as to
| |
| how consent was being obtained via the websites, notwithstandingany
| |
| | |
| assurances by its third-partdata providers - such checks would have
| |
| | |
| alerted LWL to the inadequacy of the consents being obtained via the
| |
| sites for the purposes of third-pardirect marketing. In short, simple
| |
| | |
| reliance on assurances of indirect consent alone without undertaking
| |
| proper due diligence is not acceptable.
| |
| | |
| | |
| | |
| 62. Furthermore, LWL has continued to send significant numbers of
| |
| marketing texts to individuals throughoutand since, the course of the
| |
| | |
| Commissioner's investigation,incurring a substantial amount of
| |
| | |
| complaints. This would suggest that no remedial measures have been
| |
| taken to prevent further contraventionsand an apparent continuing
| |
| | |
| disregard for its obligations under PECR. Indeed, since August 2020 to
| |
| the date of this Notice, a further 28,350 complaints about marketing
| |
| | |
| texts from LWL have been received by the 7726 reporting service.
| |
| | |
| 16 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| | |
| 63. In representations made to the Commissioner, LWL states that at no
| |
| | |
| time was it made aware that its practices were non-compliant.The
| |
| Commissioner views the fact that an organisation is under investigation
| |
| | |
| should be sufficient impetus for that organisation to review its own
| |
| | |
| practices in lineith the Regulations. Irrespective of the timing of any
| |
| awareness on LWL's part, it is apparent that LWL has not heeded the
| |
| | |
| Commissioner's concerns and has continued its campaign in blatant
| |
| | |
| disregard for the Regulations.
| |
| | |
| | |
| 64. The Commissioner is therefore satisfied that condition (b) from section
| |
| SSA (1) DPA is met.
| |
| | |
| | |
| The Commissioner's decision to impose a monetary penalty
| |
| | |
| | |
| 65. The Commissioner has taken into account the following aggravating
| |
| | |
| features of this case:
| |
| | |
| | |
| • The texts misleadingly appeared to be sent by Avon. LWL accepts that
| |
| | |
| it deliberately did not identify itself in the body of the texts as the
| |
| sender so as to not "confuse" recipients, and as such were in breach of
| |
| | |
| regulation 23 of PECR.
| |
| | |
| | |
| • LWL has continued to run the marketing campaign both during, and
| |
| | |
| since,the Commissioner's investigation and despite the ICO's
| |
| concerns,without attempting to amend or review its practices. Indeed,
| |
| | |
| all the contraventionwhich are the subject of this Notice occurred
| |
| | |
| after LWL were notified it was under investigatioFurthermore, LWL
| |
| has continued to send unlawful marketing texts after the Commissioner
| |
| | |
| completed her investigationon 26 June 2020, and issued a Notice of
| |
| Intent in which LWL's practices were deemed non-compliant.
| |
| | |
| | |
| 17 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| | |
| • Since August 2020 to the present time, an additional 28,350
| |
| complaints have been received by the 7726 SPAM reporting tool about
| |
| | |
| texts sent by LWL.
| |
| | |
| | |
| • LWL sought to capitalise on the pandemic by sending a significant
| |
| | |
| number of text messages relating to, and directly referencing, the
| |
| ensuant lockdown when the population was at its most vulnerable and
| |
| | |
| advertising the potential financial gains by becoming an Avon
| |
| | |
| representative.1,698 complaints were received regarding this
| |
| particular message.
| |
| | |
| | |
| • LWL repeatedly indicated long standing compliance with PECRin its
| |
| | |
| communications with the Commissioner which was blatantly untrue.
| |
| | |
| LWL also failed to be completely transparentduring the course of the
| |
| investigation.For example, when asked to provide details of the body
| |
| | |
| of texts sent by LWL, it initially provided only 19, when it later
| |
| | |
| transpired 65 separate texts were utilised. In representatioto the
| |
| Commissioner, LWL stated that those omitted were simply variants of
| |
| | |
| the original texts however the Commissioner's view remains that LWL
| |
| were not completely open and transparent in relation to her enquiry.
| |
| | |
| | |
| • Furthermore, LWL failed to inform the Commissioner in its response to
| |
| | |
| enquiries about marketing methods that it also conducted email
| |
| | |
| marketing. The Commissioner has since been made aware that·
| |
| - conducted hosted marketing for LWL, and that over a 12 month
| |
| | |
| period had sent 7.5 million emails on LWL's behalf, including activity
| |
| | |
| during the contravention period. Between the contravention period 16
| |
| May 2020 - 26 June 2020 the number of emails transmitted was
| |
| | |
| 1,006,000.
| |
| | |
| | |
| | |
| 18 •
| |
| | |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| 66. The Commissioner considers there are no mitigating factors to be
| |
| | |
| considered in this case.
| |
| | |
| | |
| 67. For the reasons explained above, the Commissioner is satisfied that the
| |
| | |
| conditions from section SSA(l) DPA have been met in this case. She is
| |
| also satisfiedthat the procedural rights under section 55B have been
| |
| | |
| complied with.
| |
| | |
| | |
| 68. This has included the issuing of a Notice of Intent, in which the
| |
| | |
| Commissioner set out her preliminary thinking, and invited LWL to make
| |
| representations in response.
| |
| | |
| | |
| | |
| 69. The Commissioner has received and considered Representations in
| |
| response to the Notice of Intent dated 9th & 22nd December 2020, and
| |
| | |
| 5th, 13th & 20th January 2021.
| |
| | |
| | |
| 70. The Commissioner is accordingly entitled to issue a monetary penalty in
| |
| | |
| this case.
| |
| | |
| | |
| 71. The Commissioner has considered whether, in the circumstances, she
| |
| | |
| should exercise her discretion so as to issue a monetary penalty. She
| |
| | |
| has decided that a monetary penalty is an appropriate and proportionate
| |
| response to the finding of a serious contraventionof regulation22 of
| |
| | |
| PECRby LWL.
| |
| | |
| | |
| 72. The Commissioner's underlying objective in imposing a monetary
| |
| | |
| penalty notice is to promote compliance with PECR. The making of
| |
| | |
| unsolicited direct marketing calls is a matter of significant public concern.
| |
| A monetary penalty in this case should act as a general encouragement
| |
| | |
| towards compliance with the law, or at least as a deterrent against non
| |
| | |
| compliance, on the part of all persons running businesses currently
| |
| | |
| 19 •
| |
| | |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| engaging in these practices. This is an opportuto reinforce the need
| |
| for businesses to ensure that they are only telephoning consumers who
| |
| | |
| want to receive these calls.
| |
| | |
| | |
| 73. The Commissioner has also considered the likely impact of a monetary
| |
| | |
| penalty on LWL and in doing so has reviewed financial evidence supplied
| |
| | |
| by LWL.
| |
| | |
| | |
| The amount of the penalty
| |
| | |
| | |
| 74. Taking into account all of the above, the Commissioner has decided that
| |
| | |
| the amount of the penalty is £250,000 (Two hundred and fifty
| |
| thousand pounds).
| |
| | |
| | |
| Conclusion
| |
| | |
| | |
| | |
| 75. The monetary penalty must be paid to the Commissioner's office by
| |
| BACS transfer or cheque by 1 April 2021 at the latest. The monetary
| |
| | |
| penalty is not kept by the Commissioner but will be paid into the
| |
| Consolidated Fund which is the Government'sgeneral bank account at
| |
| | |
| the Bank of England.
| |
| | |
| | |
| 76. If the Commissioner receives full payment of the monetary penalty by
| |
| | |
| 31 March 2021 the Commissioner will reduce the monetary penalty by
| |
| | |
| 20% to £200,000 (Two hundred thousand pounds). However, you
| |
| should be aware that the early payment discount is not available if you
| |
| | |
| decide to exercise your right of appeal.
| |
| | |
| | |
| 77. There is a right of appeal to the First-tier Tribunal (InfoRights)
| |
| | |
| against:
| |
| | |
| | |
| | |
| 20 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| a) the imposition of the monetary penalty
| |
| | |
| and/or;
| |
| | |
| | |
| b) the amount of the penalty specified in the monetary penalty
| |
| notice.
| |
| | |
| | |
| 70. Any notice of appeal should be received by the Tribunal within 28 days
| |
| | |
| of the date of this monetary penalty notice.
| |
| | |
| | |
| 71. Informationabout appeals is set out in Annex 1.
| |
| | |
| 72. The Commissioner will not take action to enforce a monetary penalty
| |
| | |
| unless:
| |
| | |
| | |
| • the period specified within the notice within which a monetary penalty
| |
| | |
| must be paid has expired and all or any of the monetary penalty has
| |
| not been paid;
| |
| | |
| | |
| • all relevant appeals against the monetary penalty notice and any
| |
| | |
| variation of it have either been decided or withdraand
| |
| | |
| • period for appealing against the monetary penalty and any variation of
| |
| | |
| it has expired.
| |
| | |
| 73. In England, Wales and Northern Ireland, the monetary penalty is
| |
| | |
| recoverable by Order of the County Court or the High Court. In
| |
| Scotland, the monetary penalty can be enforced in the same manner
| |
| | |
| as an extract registered decree arbitral bearing a warrant for execution
| |
| issued by the sheriff court of any sheriffdom in Scotland.
| |
| | |
| | |
| | |
| | |
| | |
| | |
| 21 •
| |
| | |
| Information Commissioner's Office
| |
| | |
| | |
| Dated the 1 day of March 2021
| |
| | |
| | |
| Andy Curry
| |
| Head of Investigations
| |
| InformatioCommissioner's Office
| |
| Wycliffe House
| |
| Water Lane
| |
| Wilmslow
| |
| Cheshire
| |
| SK9 SAF
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| 22 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| | |
| | |
| ANNEX 1
| |
| | |
| SECTION 55 A-E OF THE DATA PROTECTION ACT 1998
| |
| | |
| | |
| | |
| RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER
| |
| | |
| | |
| 1. Section 48 of the Data Protection Act 1998 gives any person upon
| |
| whom a monetary penalty notice or variation notice has been served a right
| |
| of appeal to the First-tier Tribunal (InformRights) (the 'Tribunal')
| |
| | |
| against the notice.
| |
| | |
| 2. If you decide to appeal and if the Tribunal considers:-
| |
| | |
| | |
| a) that the notice against which the appeal is brought is not in accordance
| |
| with the law; or
| |
| | |
| b) to the extent that the notice involved an exercise of discretion by the
| |
| | |
| Commissioner, that she ought to have exercised her discretion differently,
| |
| | |
| the Tribunal will allow the appeal or substitute such other decision as could
| |
| have been made by the Commissioner. In any other case the Tribunal will
| |
| dismiss the appeal.
| |
| | |
| | |
| 3. You may bring an appeal by serving a notice of appeal on the Tribunal
| |
| at the following address:
| |
| | |
| | |
| | |
| GRC & GRPTribunals
| |
| PO Box 9300
| |
| Arnhem House
| |
| | |
| 31 Waterloo Way
| |
| Leicester
| |
| LEl 8DJ
| |
| | |
| | |
| a) The notice of appeal should be sent so it is received by the Tribunal
| |
| within 28 days of the date of the notice.
| |
| | |
| | |
| 23 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| b) If your notice of appeal is late the Tribunal will not admit it unless the
| |
| Tribunal has extended the time for complying with this rule.
| |
| | |
| 4. The notice of appeal should state:-
| |
| | |
| | |
| a) your name and address/name and address of your representative
| |
| (if any);
| |
| | |
| | |
| b) an address where documents may be sent or delivered to you;
| |
| | |
| c) the name and address of the Information Commissioner;
| |
| | |
| d) detailsof the decision to which the proceedings relate;
| |
| | |
| | |
| e) the result that you are seeking;
| |
| | |
| f) the grounds on which you rely;
| |
| | |
| | |
| g) you must provide with the notice of appeal a copy of the
| |
| monetary penalty notice or variation notice;
| |
| | |
| | |
| h) if you have exceeded the time limit mentioned above the notice
| |
| of appeal must include a request for an extension of time and the
| |
| reason why the notice of appeal was not provided in time.
| |
| | |
| | |
| 5. Before deciding whether or not to appeal you may wish to consult your
| |
| solicitor or another adviser. At the hearing of an appeal a party may conduct
| |
| his case himself or may be represented by any person whom he may
| |
| appoint for that purpose.
| |
| | |
| | |
| 6. The statutory provisions concerning appeals to the First-tier Tribunal
| |
| (Information Rights) are contained in sections 48 and 49 of, and Schedule 6
| |
| to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal)
| |
| (General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No.
| |
| | |
| 1976 (L.20)).
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| 24
| |
| </pre>
| |
