ICO (UK) - Colour Car Sales Limited: Difference between revisions
From GDPRhub
No edit summary |
No edit summary |
||
| Line 56: | Line 56: | ||
}} | }} | ||
The UK DPA fined a car finance company approximately €198,000 (£170,000) for sending direct marketing messages without obtaining valid consent. In particular, consent was not freely given, as individuals were given no other option but to agree to receive the direct marketing. | The UK DPA fined a car finance company approximately €198,000 (£170,000) for sending direct marketing messages without obtaining valid consent in violation of Regulation 22 PECR. In particular, consent was not freely given, as individuals were given no other option but to agree to receive the direct marketing. | ||
== English Summary == | == English Summary == | ||
Revision as of 09:55, 15 June 2021
| ICO (UK) - Colour Car Sales Limited | |
|---|---|
 | |
| Authority: | ICO (UK) |
| Jurisdiction: | United Kingdom |
| Relevant Law: | Article 4(11) GDPR Regulation 2(1) of the Privacy and Electronic Communications (EC Directive) Regulation 2(1) of the Privacy and Electronic Communications (EC Directive) Reguations 2003 Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulation 22 of the Privacy and Electronic Communications (EC Directive) Reguations 2003 |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 24.05.2021 |
| Published: | 08.06.2021 |
| Fine: | 170000 GBP |
| Parties: | Colour Car Sales Limited |
| National Case Number/Name: | Colour Car Sales Limited |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | English |
| Original Source: | Information Commissioner's Office (in EN) |
| Initial Contributor: | n/a |
The UK DPA fined a car finance company approximately €198,000 (£170,000) for sending direct marketing messages without obtaining valid consent in violation of Regulation 22 PECR. In particular, consent was not freely given, as individuals were given no other option but to agree to receive the direct marketing.
English Summary
Facts
Colour Car Sales Limited (CCSL) is a company acting as a credit intermediary for finance on used cars. It traded under serveral names, including 'immediatecarfinance.co.uk'; 'carfinancetoday.net'; 'achillesuk.com'; and 'taxifinancetoday.com'.
Between 2018 and 2019, the UK DPA (Information Commissioner's Office; ICO) received nearly 200 complaints over unsolicited electronic direct marketing text messages. The ICO started a preliminary investigation and contacted CCSL for further evidence. The letter sent was returned undelivered. The company director was then contacted who provided an alternative contact address.
CCSL confirmed it had sent over 3 million direct marketing messages between 2018 and 2019. CCSL claimed to have gathered consent through an application form with the following statement: "By starting an application you agree that immediatecarfinance may/will pass your details on to a third party lender or broker, and they may wish to contact you by phone, post, SMS or other electronic means". CCSL explained that an opt-out would be possible by calling the CCSL office.
The ICO investigated the privacy notice available and found that the privacy notice stated that marketing communication was only sent where there was consent of a "legitimate business interest"
Following initial cooperation, CCSL did not respond to the ICO any further.
Dispute
What classifies as valid consent to send direct marketing messages?
Holding
The UK DPA first outlined the definition of consent as defined by Article 4(11) of the GDPR. It also outlined the rules under Regulation 22 PECR which address consent.
Analysing the application form, the ICO considered that there was no specific reference to direct marketing nor purposes of contact from third parties. Additionally, the UK DPA found that there was no method for the individual to send an application without consenting to being contacted, nor any option for them to select who may contact them.
The ICO therefore found CCSL in contravention of Regulation 22 of PECR for instigating unsolicited direct marketing messages. Individuals did not have the option other than agreeing to receiving direct marketing. Consent was therefore not freely given. Similarly, it was not specific as individuals could not select which party they agreed to receive marketing from. Finally, it was not informed (the information provided was too vague).
The ICO found that the "soft opt-in", where organisations can send marketing messages by text and e-mail to individuals whose details had been obtained in the course or negotiation of a sale and in respect of similar products and services, was also not available to CCSL. This is because individuals were not given the opportunity to refuse or opt-out in the first place.
The ICO took into account the seriousness and the deliberate or negligent nature of the infraction, as well as the lack of cooperation by CCSL. It therefore imposed a fine of approximately €198,000 on CCSL.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
•
ICO.
Information Commissioner's Office
DATA PROTECTION ACT 1998
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER
ENFORCEMENT NOTICE
To: Colour Car Sales Limited
Of: Unit 1 & 2 Mossfield Road, Stoke-on-TrenEngland ST3 SBW
1. The Information Commissioner ("the Commissioner")has decided to
issue Colour Car Sales Limited ("CCSL") with an enforcement notice
under section 40 of the Data Protection Act 1998 ("DPA"). The notice is
in relation to a serious contravenof Regulation 22 of the Privacy
and Electronic Communications(EC Directive) Regulations 2003
("PECR").
2. This notice explains the Commissioner's decision.
Legal framework
3. CCSL, whose registered office is given above (Companies House
Registration Number: 10382413) is the organisation stated in this
notice to have instigated the transmissof unsolicited
communications by means of electronic mail to individual subscribers
for the purposes of direct marketing contrary to regulation 22 of PECR.
4. Regulation 22 of PECRstates:
1 •
ICO.
Information Commissioner's Office
"(1) This regulation applies to the transmission of unsolicited
communications by means of electronic mail to individual
subscribers.
(2) Except in the circumstances referred to in paragraph (3), a person
shall neither transmit, nor instigate the transmission of, unsolicited
communications for the purposes of direct marketing by means of
electronic mail unless the recipient of the electronic mail has
previously notified the sender that he consents for the time being
to such communications being sent by, or at the instigation of, the
sender.
(3) A person may send or instigate the sending of electronic mail for
the purposes of direct marketing where-
(a) that person has obtained the contact details of the recipient
of that electronic mail in the course of the sale or
negotiations for the sale of a product or service to that
recipient;
(b) the direct marketing is in respect of that person's similar
products and services only; and
(c) the recipient has been given a simple means of refusing
(free of charge except for the costs of the transmission of
the refusal) the use of his contact details for the purposes
of such direct marketing, at the time that the details were
initially collected, and, where he did not initially refuse the
use of the details, at the time of each subsequent
communication.
(4) A subscriber shall not permit his line to be used in contraventioof
paragraph (2)."
2 •
ICO.
Information Commissioner's Office
5. Section 122(5) of the DPA18 defines direct marketing as "the
communication (by whatever means) of any advertising material which
isdirected to particular individuals". This definition also applies for the
purposes of PECR(see regulation 2(2) PECR& Schedule 19 paragraphs
430 & 432(6) DPA18).
6. Priorto 29 March 2019, the European Directive 95/46/EC defined
'consent' as "any freely given specific and informed indication of his
wishes by which the data subject signifies his agreement to personal
data relating to him being processed".
7. Consent in PECRis now defined, from 29 March 2019, by reference to
the concept of consent in Regulation 2016/679 ("the GDPR"):
regulation 8(2) of the Data Protection, Privacy and Electronic
Communications (Amendments etc) (EU Exit) Regulations 2019. Article
4(11) of the GDPR sets out the following definition: "'consent' of the
data subject means any freely given, specific, informed and
unambiguous indication of the data subject's wishes by which he or
she, by a statement or by a clear affirmative action, signifies
agreement to the processing of personal data relating to him or her".
8. Recital 32 of the GDPR materially states that "When the processing has
multiple purposes, consent should be given for all of them". Recital 42
materiallyprovides that "For consent to be informed, the data subject
should be aware at least of the identity of the controllRecital 43
materially states that "Consent is presumed not to be freely given if it
does not allow separate consent to be given to different personal data
processing operations despite it being appropriate in the individual
case".
9. "Individual"is defined in regulation 2(1) of PECRas "a living individual
and includes an unincorporated body of such individuals".
3 •
ICO.
Information Commissioner's Office
10. A "subscriber"is defined in regulation 2(1) of PECRas "a person who is
a party to a contract with a provider of public electronic
communications services for the supply of such services".
11. "Electronic mail' is defined in regulation 2(1) of PECRas "any text,
voice, sound or image message sent over a public electronic
communications network which can be stored in the network or in the
recipient's terminal equipment until it is collected by the recipient and
includes messages sent using a short message service".
12. The term "soft opt-in" is used to describe the rule set out in in
Regulation 22(3) of PECR.In essence, an organisation may be able to
e-mail its existing customers even if they haven't specifically consented
to electronic mail. The soft opt-in rule can only be relied upon by the
organisation that collected the contact details.
13. The DPA contains enforcement provisions at Part V which are
exercisable bythe Commissioner. Those provisions are modified and
extended for the purposes of PECRby Schedule 1 PECR.
14. Section 40(1)(a) of the DPA (as extended and modified by PECR)
provides that if the Commissioner is satisfied that a person has
contravened or is contravening any of the requirementof the
Regulations, she may serve him with an Enforcement Notice requiring
him to take within such time as may be specified in the Notice, or to
refrain from taking after such time as may be so specified, such steps
as are so specified.
15. PECRwere enacted to protect the individual's fundamental right to
privacy in the electronic communicationssector. PECRwere
subsequently amended and strengthened. The Commissioner will
4 •
ICO.
Information Commissioner's Office
interpret PECRin a way which is consistent with the Regulations'
overall aim of ensuring high levels of protection for individuals' privacy
rights.
16. The provisions of the DPA remain in force for the purposes of PECR
notwithstandingthe introductionof the Data Protection Act 2018 (see
paragraph 58(1) of Part 9, Schedule 20 of that Act).
The contravention
17. The Commissioner finds that CCSL contravened regulation 22 of PECR.
18. The Commissioner finds that the contravention was as follows:
19. The Commissioner finds that between 1 October 2018 and 21 January
2020 there were 274 direct marketing text messages received by
subscribers which are capable of being evidenced by complaintsThe
Commissioner finds that CCSL instigated the transmissioof the direct
marketing messages sent, contrary to regulation 22 of PECR.
20. The Commissioner is not assisted by CCSL's failure to engage with her
during this investigatito explain the relationship between CCSL and
However she is satisfied that for the purposes
of the direct marketing messages sent from
Text Local account, CCSL positively encouraged the sending of those
messages. She makes this finding in light of the informatprovided
by Text Local in response to the Commissioner's 3PIN, and in view of
the content of the unsolicited direct marketing messages sent which
resulted in 274 complaints.
21. CCSL, as the instigator of the direct marketiis required to ensure
that it is acting in compliance with the requiremenof regulation 22 of
5 •
ICO.
Information Commissioner's Office
PECR,and to ensure that valid consent to send those messages had
been acquired.
22. In this instance, individuals applying for finance via one of CCSL's sites
were given no option but to agree to receive direct marketing from
CCSL and its unnamed third parties. Indeed, the statement that would
accompany the applications did not indicate in any manner that the
individual's personal details would be used for direct marketing
purposes. Furthermore, individuals could not specify the type of direct
marketing that they might be willing to receive, rather they were
requiredto agree to a suite of contact methods, from an unknown
number of third parties.
23. For consent to be valid it is required to be "freely given", by which it
follows that if consent to marketing is a condition of subscribing to a
service, the organisation will have to demonstrate how the consent can
be saidto have been given freely. In this instance, CCSL has failed to
explain how its consent could be said to be freely given.
24. Consent is also required to be "specific" as to the type of marketing
communication to be received, and the organisation, or specific type of
organisation, that will be sending it. Again, this requirement does not
appear to be met in CCSL's case.
25. Consent will not be "informed"if individuals do not understand what
they are consenting to. Organisations should therefore always ensure
that the language used is clear, easy to understand, and not hidden
away in a privacy policyr small print.Consent will not be valid if
individuals are asked to agree to receive marketing from "similar
organisations","partners","selected third parties" or other similar
generic description.
6 •
ICO.
Information Commissioner's Office
26. The Commissioner is satisfied that CCSL cannot avail itself to the "solt
opt-in" exemption provided by regulation 22(3) PECR. This exemption
means that organisations can send marketing messages by text and e
mail to individuals whose details had been obtained in the course or
negotiation of a sale and in respect of similar products and services.
The organisation must also give the person a simple opportunity to
refuse or opt out of the marketing, both when first collecting the details
and in every message alter that.It is apparent from the sign-up page
on CCSL's websites that individuals were not provided a simple
opportunity to refuse or opt out of the marketing, nor were they
offered an opt-out in the subsequent direct marketing messages that
they received. The Commissioner therefore finds that CCSL is unable to
rely on this exemption.
27. The Commissioner is satisfied that this contravention could have been
far greater, since there is evidence that a total of 3,650,194 direct
marketing messages were sent to individuals at the instigation of CCSL
over the contraventionperiod. However, because of CCSL's lack of
engagement, and the Communications Service Provider's failure to
retain such records, it has not been possible to determine the exact
number of those messages which were received by subscribers. The
full extent of the contraventiis therefore unknown.
28. The Commissioner is satisfied fromthe evidence she has seen that
CCSL did not have the necessary valid consent for the 274 direct
marketing messages received by subscribers.
29. The Commissioner has considered, as she is required to do under
section 40(2) of the DPA (as extended and modified by PECR)when
deciding whether to serve an Enforcement Notice, whether any
contravention has caused or is likely to cause any person damage or
distress. The Commissioner has decided that it is likely that damage or
7 •
ICO.
Information Commissioner's Office
distress has been caused in this instance, not least because of the
sheer number of complaints.
30. In view of the matters referred to above the Commissioner
hereby gives notice that, in exercise of her powers under
section 40 of the DPA, she requires CCSL to take the steps
specified in Annex 1 of this Notice.
Right of Appeal
31. There is a right of appeal against this Notice to the First-tier Tribunal
(InformationRights), part of the General Regulatory Chamber.
Informationabout appeals is set out in the attached Annex 2.
Dated the 24tday of May 2021
Andy Curry
Head of Investigations
InformationCommissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 SAF
8 •
ICO.
Information Commissioner's Office
ANNEX 1
TERMS OF THE ENFORCEMENT NOTICE
CCSL shall within 30 days of the date of this notice:
• Except in the circumstances referred to in paragraph (3) of
regulation 22 of PECR, neither trnor instigate the
transmission of, unsolicited communicfor the purposes of
direct marketing by means of electronic mail unless the recipient of
the electronic mail has previously notified CCSL that he clearly and
specifically consentsthe time being to such communications
being sent by, or at the instigation of, CCSL.
9 •
ICO.
Information Commissioner's Office
ANNEX 2
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER
1. Section 48 of the Data Protection Act 1998 gives any person upon
whom an enforcement notice has been served a right of appeal to the
First-tier Tribunal (InformaRights) (the "Tribunalagainst the
notice.
2. If you decide to appeal and if the Tribunal considers: -
a) that the notice against which the appeal is brought is not in
accordance with the law; or
b) to the extent that the notice involved an exercise of discretion by
the Commissioner, that she ought to have exercised her
discretion differently,
the Tribunal will allow the appeal or substitute such other decision as
could have been made by the Commissioner. In any other case the
Tribunal will dismiss the appeal.
3. You may bring an appeal by serving a notice of appeal on the Tribunal
at the following address:
General Regulatory Chamber
HM Courts &Tribunals Service
PO Box 9300
Leicester
LEl 8DJ
Telephone: 0300 123 4504
Email: grc@justice.gov.uk
10 •
ICO.
Information Commissioner's Office
• The notice of appeal should be served on the Tribunal within 28
days of the date on which the enforcement notice was sent
4. The statutory provisions concerning appeals to the First-tier Tribunal
(General Regulatory Chamber) are contained in sections 48 and 49 of,
and Schedule 6 to, the Data Protection Act 1998, and Tribunal
Procedure(First-tier Tribunal) (General Regulatory Chamber) Rules
2009 (StatutoInstrument2009 No. 1976 (L.20)).
11
