ICO (UK) - SportsDirect.com Retail Limited: Difference between revisions
Mariam-hwth (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO (UK) |DPA_With_Country=ICO (UK) |Case_Number_N...") |
(Edited short summary into a single sentence for newsletter. Minor typos and formatting issues fixed (e.g. added commas; italicised quotes).) |
||
(One intermediate revision by one other user not shown) | |||
Line 20: | Line 20: | ||
|Date_Published=15.09.2021 | |Date_Published=15.09.2021 | ||
|Year=2021 | |Year=2021 | ||
|Fine= | |Fine=70,000 | ||
|Currency=GBP | |Currency=GBP | ||
Line 50: | Line 50: | ||
}} | }} | ||
The UK DPA | The UK DPA fined SportsDirect.com Retail Ltd approximately €82,000. The sports retailer infringed Regulation 22 of PECR by sending unsolicited marketing emails received by almost 2.6 million individuals. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
SportsDirect.com Retail Limited ( | SportsDirect.com Retail Limited ('SportsDirect') is a sports retailer in the UK. It was the subject of various complaints via the UK DPA's online reporting tool in relation to unsolicited communications between December 2019 and February 2020. The ICO started an investigation on the basis of these complaints. | ||
SportsDirect outlined that the personal data it used for direct marketing was obtained directly from customers after having given their consent. SportsDirect considered the direct marketing sent to individuals who complained to be a "re-engagement campaign". They claimed that these individuals had opted in to receiving marketing emails (and didn't unsubscribe). The emails sent amounted to a total of 459,882,124 emails, 2,565,513 of which were received as part of the "re-engagement campaign". | SportsDirect outlined that the personal data it used for direct marketing was obtained directly from customers after having given their consent. SportsDirect considered the direct marketing sent to individuals who complained to be a "''re-engagement campaign''". They claimed that these individuals had opted in to receiving marketing emails (and didn't unsubscribe). The emails sent amounted to a total of 459,882,124 emails, 2,565,513 of which were received as part of the "''re-engagement campaign''". | ||
SportsDirect claimed to rely on | SportsDirect claimed to rely on a soft opt-in for 7 of the 12 complainants, and stated that it collected consent directly from 3 others. It did not have a record of having sent marketing to 1 complaints and had recently erased the data of another shortly after they complained. | ||
During the investigation, the ICO uncovered that SportsDirect continued to send messages to customers signed up to a specific scheme even after the scheme had ended. SportsDirect claimed this to be on the basis of legitimate interest for the ex-members of the scheme. | During the investigation, the ICO uncovered that SportsDirect continued to send messages to customers signed up to a specific scheme even after the scheme had ended. SportsDirect claimed this to be on the basis of legitimate interest for the ex-members of the scheme. | ||
Throughout the investigation, SportsDirect cited the challenges it faced to gather the information requested by the ICO. The ICO responded that some of the information, such as legal bases should be readily available to data controllers. | Throughout the investigation, SportsDirect cited the challenges it faced to gather the information requested by the ICO. The ICO responded that some of the information, such as legal bases should be readily available to data controllers. | ||
=== Holding === | === Holding === | ||
The Information Commissioner's Office (ICO) held that SportsDirect infringed Regulation 22 of Privacy and Electronic Communications (EC Directive) Regulations 2003 (hereafter PECR). 2,565,513 direct market emails sent by SportsDirect were received by subscribers. However, SportsDirect was unable to demonstrate evidence that | The Information Commissioner's Office (ICO) held that SportsDirect infringed Regulation 22 of Privacy and Electronic Communications (EC Directive) Regulations 2003 (hereafter PECR). 2,565,513 direct market emails sent by SportsDirect were received by subscribers. However, SportsDirect was unable to demonstrate evidence that it had valid consent to send these marketing emails. The ICO did not consider that SportsDirect could rely on the soft opt-in exception under Regulation 22(3) PECR. | ||
The ICO determined that the infringement was negligent from SportsDirect as they knew or | The ICO determined that the infringement was negligent from SportsDirect as they knew or ought reasonably to have known that they may infringe PECR. The ICO considered the fact that there is a lot of guidance readily available on PECR for organisations. Additionally, it is clear from this guidance that organisations must keep track of when and how consent was given - which SportsDirect had not done. The ICO also mentioned its concern with regards to SportsDirect's privacy policy which states: "''you confirm that you do not and will not consider any of these purposes as a breach of any of your rights under the Privacy and Electronic Communications (EC Directive) Regulations 2003''". | ||
Considering these factors, the ICO imposed a fine of approximately €82,000 (GBP 70,000) on SportsDirect. | |||
== Comment == | == Comment == |
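Review bot: in the "Line 50" hunk, the new one-sentence summary says the emails were "received by almost 2.6 million individuals", but the Facts paragraph in the same revision counts 2,565,513 emails received, not recipients. I suggest wording it as almost 2.6 million unsolicited marketing emails being received. Two smaller points in the same hunk: "sent marketing to 1 complaints" in the Facts should read "1 complainant", and "direct market emails" in the Holding should read "direct marketing emails".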
Latest revision as of 11:56, 21 September 2021
ICO (UK) - SportsDirect.com Retail Limited | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 Regulation 22(3) of the Privacy and Electronic Communications (EC Directive) Regulations 2003 |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 13.09.2021 |
Published: | 15.09.2021 |
Fine: | 70,000 GBP |
Parties: | SportsDirect.com Retail Limited |
National Case Number/Name: | SportsDirect.com Retail Limited |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | ICO (in EN) |
Initial Contributor: | MH |
The UK DPA fined SportsDirect.com Retail Ltd approximately €82,000. The sports retailer infringed Regulation 22 of PECR by sending unsolicited marketing emails received by almost 2.6 million individuals.
English Summary
Facts
SportsDirect.com Retail Limited ('SportsDirect') is a sports retailer in the UK. It was the subject of various complaints via the UK DPA's online reporting tool in relation to unsolicited communications between December 2019 and February 2020. The ICO started an investigation on the basis of these complaints.
SportsDirect outlined that the personal data it used for direct marketing was obtained directly from customers after having given their consent. SportsDirect considered the direct marketing sent to individuals who complained to be a "re-engagement campaign". They claimed that these individuals had opted in to receiving marketing emails (and didn't unsubscribe). The emails sent amounted to a total of 459,882,124 emails, 2,565,513 of which were received as part of the "re-engagement campaign".
SportsDirect claimed to rely on a soft opt-in for 7 of the 12 complainants, and stated that it collected consent directly from 3 others. It did not have a record of having sent marketing to 1 complainant and had recently erased the data of another shortly after they complained.
During the investigation, the ICO uncovered that SportsDirect continued to send messages to customers signed up to a specific scheme even after the scheme had ended. SportsDirect claimed this to be on the basis of legitimate interest for the ex-members of the scheme.
Throughout the investigation, SportsDirect cited the challenges it faced in gathering the information requested by the ICO. The ICO responded that some of the information, such as legal bases, should be readily available to data controllers.
Holding
The Information Commissioner's Office (ICO) held that SportsDirect infringed Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (hereafter PECR). 2,565,513 direct marketing emails sent by SportsDirect were received by subscribers. However, SportsDirect was unable to demonstrate evidence that it had valid consent to send these marketing emails. The ICO did not consider that SportsDirect could rely on the soft opt-in exception under Regulation 22(3) PECR.
The ICO determined that the infringement was negligent on SportsDirect's part, as it knew or ought reasonably to have known that it might infringe PECR. The ICO considered the fact that a lot of guidance on PECR is readily available for organisations. Additionally, it is clear from this guidance that organisations must keep track of when and how consent was given, which SportsDirect had not done. The ICO also mentioned its concern with regard to SportsDirect's privacy policy, which states: "you confirm that you do not and will not consider any of these purposes as a breach of any of your rights under the Privacy and Electronic Communications (EC Directive) Regulations 2003".
Considering these factors, the ICO imposed a fine of approximately €82,000 (GBP 70,000) on SportsDirect.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
DATA PROTECTION ACT 1998 SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER MONETARY PENALTY NOTICE To: SportsDirect.com Retail Limited Of: Unit A, Brook Park East, Shirebrook NG20 8RY 1. The Information Commissioner (“the Commissioner”) has decided to issue SportsDirect.com Retail Limited (“SportsDirect”) with a monetary penalty under section 55A of the Data Protection Act 1998 (“DPA”). The penalty is in relation to a serious contravention of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). 2. This notice explains the Commissioner’s decision. Legal framework 3. SportsDirect, whose registered office address is given above (Companies House Registration Number: 03406347) is the organisation stated in this notice to have transmitted unsolicited communications by means of electronic mail to individual subscribers for the purposes of direct marketing contrary to regulation 22 of PECR. 4. Regulation 22 of PECR states: 1“(1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers. (2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender. 
(3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where— (a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient; (b) the direct marketing is in respect of that person’s similar products and services only; and (c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication. (4) A subscriber shall not permit his line to be used in contravention of paragraph (2).” 25. Section 122(5) of the Data Protection Act 2018 “DPA18” defines direct marketing as “the communication (by whatever means) of any advertising material which is directed to particular individuals”. This definition also applies for the purposes of PECR (see regulation 2(2) PECR and paragraphs 430 & 432(6) to Schedule 19 of the DPA18). 6. Consent in PECR is now defined, from 29 March 2019, by reference to the concept of consent in Regulation 2016/679 (“the GDPR”): regulation 8(2) of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. Article 4(11) of the GDPR sets out the following definition: “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. 7. Recital 32 of the GDPR materially states that “When the processing has multiple purposes, consent should be given for all of them”. 
Recital 42 materially provides that “For consent to be informed, the data subject should be aware at least of the identity of the controller”. Recital 43 materially states that “Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case”. 8. “Individual” is defined in regulation 2(1) of PECR as “a living individual and includes an unincorporated body of such individuals”. 9. A “subscriber” is defined in regulation 2(1) of PECR as “a person who is a party to a contract with a provider of public electronic communications services for the supply of such services”. 310. “Electronic mail” is defined in regulation 2(1) of PECR as “any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service”. 11. The term "soft opt-in" is used to describe the rule set out in in Regulation 22(3) of PECR. In essence, an organisation may be able to e-mail its existing customers even if they haven't specifically consented to electronic mail. The soft opt-in rule can only be relied upon by the organisation that collected the contact details. 12. Section 55A of the DPA (as applied to PECR cases by Schedule 1 to PECR, as variously amended) states: “(1) The Commissioner may serve a person with a monetary penalty if the Commissioner is satisfied that – (a) there has been a serious contravention of the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 by the person, (b) subsection (2) or (3) applies. (2) This subsection applies if the contravention was deliberate. 
(3) This subsection applies if the person – (a) knew or ought to have known that there was a risk that the contravention would occur, but (b) failed to take reasonable steps to prevent the contravention.” 13. The Commissioner has issued statutory guidance under section 55C (1) of the DPA about the issuing of monetary penalties that has been 4 published on the ICO’s website. The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe that the amount of any penalty determined by the Commissioner must not exceed £500,000. 14. PECR were enacted to protect the individual’s fundamental right to privacy in the electronic communications sector. PECR were subsequently amended and strengthened. The Commissioner will interpret PECR in a way which is consistent with the Regulations’ overall aim of ensuring high levels of protection for individuals’ privacy rights. 15. The provisions of the DPA remain in force for the purposes of PECR notwithstanding the introduction of the DPA18: see paragraph 58(1) of Schedule 20 to the DPA18. Background to the case 16. SportsDirect came to the attention of the Commissioner due to complaints reported via the ICO’s online reporting tool. The Commissioner received twelve complaints about unsolicited communications between 21 December 2019 and 16 February 2020. 17. The Commissioner sent an initial investigation letter to SportsDirect on 25 February 2020 setting out her concerns regarding SportsDirect’s compliance with PECR and asking for, inter alia, the source of its data, and evidence of the consent relied on in the course of its direct marketing campaign between 21 December 2019 and 16 February 2020. 518. SportsDirect provided a response on 13 March 2020. This response explained that all data used to engage in its direct marketing is obtained directly from customers; and provided details of the ways in which it obtained consent to engage in its direct marketing campaigns. 
In relation to the complaints which had been received, SportsDirect indicated that these recipients were part of a “re-engagement campaign”, and stated: “The ecommerce team determined that the data subjects in the aged data set had not unsubscribed from receiving email marketing and would only send emails with content that provided offers on multi-buy products or free delivery/click&collect, along with the usual unsubscribe link. This was done with the expectation that data subjects would either not engage with the email, choose to unsubscribe from future emails or view those offers and emails positively and engage with Sports Direct. Where a data subject unsubscribed, this would be processed in the normal way, and where they did not engage with the emails after a reasonable period, the data would be removed from or anonymised within the marketing database. Having considered the proposed approach and likely impact of the re- engagement campaign, the ecommerce team took the decision to run a re-engagement campaign with that aged data set with the objectives of (1) reducing the amount of data held in the marketing database and (2) connecting with customers who had not engaged with Sports Direct within the normal engagement criteria.” 19. SportsDirect explained that "...the Sports Direct ecommerce team analysed the Sports Direct marketing database and identified a 6 category of data that showed as being opted in to receive email marketing but had not been sent any marketing emails.". This category of data has been referred to as the ‘aged data / aged dataset’. 20. Regarding evidence of consent, SportsDirect stated that “none of the complainants were recorded as being opted out of marketing emails at the time their details were collected and had not unsubscribed to marketing emails at the time when the emails were sent”. It also provided a simple breakdown of the “lawful basis” relied upon for each complainant (i.e. soft opt-in; or consent). 21. 
The Commissioner sent further enquiries to SportsDirect on 2 April 2020, specifically seeking confirmation of the number of emails which were sent between 21 December 2019 and 16 February 2020, in addition to further information regarding the consent being relied upon and the frequency of the direct marketing emails being sent. 22. SportsDirect requested an extension of two months for its response in light of the impact of the COVID-19 pandemic, which the Commissioner agreed to. 23. SportsDirect responded on 12 June 2020 in line with the agreed extension period to provide answers to the Commissioner’s most recent questions. Within this response it was confirmed that between 21 December 2019 and 16 February 2020 there were a total of 459,882,124 emails sent by SportsDirect, with 2,948,865 of those relating specifically to the “re-engagement campaign”. SportsDirect provided percentages for the number of those sent messages which had been received by a subscriber; in relation to the “re-engagement campaign” it was explained that 87% were received, which the 7 Commissioner calculates equates to 2,565,513 direct marketing messages being received over the relevant period. 24. SportsDirect claimed to rely on the ‘soft opt in’ for seven of the twelve complainants, and stated that consent had been obtained from three of the twelve complainants directly. In terms of the two remaining complainants, SportsDirect claimed that its records did not show any messages being sent to one of them; and that the final complainant had since requested that their information be removed from its systems and so SportsDirect was unable to provide details of the lawful basis on which it would have relied to send the message. 25. The Commissioner took the view that sufficient evidence of valid consent had not been provided and sent an email to SportsDirect on 2 July 2020 to request this. 
SportsDirect requested an extension for providing this information which the Commissioner granted, although it was explained to SportsDirect that in the Commissioner’s view such evidence should be readily available. 26. SportsDirect provided its response on 20 July 2020 with purported evidence of consent for three of the twelve complainants, specifically stating that those individuals had signed up to a ‘local customer benefit scheme’ (the “benefit scheme”) at a store outside of the United Kingdom on 8 August 2011, 6 October 2012 and 24 April 2014 respectively. The purpose of the benefit scheme was to allow subscribers to “receive their receipts by email, a regular brochure, annual vouchers and other offers and promotions”. This scheme ceased to operate in 2018. 27. The Commissioner sent further queries to SportsDirect on 14 August 2020 to establish why subscribers who signed up to the benefit scheme 8 continued to receive messages, and the number of customers who had consented to marketing communications in this way. 28. SportsDirect explained in response that “[f]ollowing cessation of the Scheme, the Scheme data set was reviewed and it was decided that (i) there was a legitimate interest in members of the Scheme continuing to receive general offers and discounts from the business as an alternative to the benefits previously made available under the Scheme and (ii) it would be prudent to run a data cleanse. This data cleanse removed duplicated data, incorrectly formatted email addresses and emails identified as ‘spam traps’. This left a data set of around 779,000 email contacts. This reduced data set then received a small number of emails immediately following cessation of the Scheme, starting with a welcome-style email introducing the type of emails members would receive following cessation of the Scheme, unless they unsubscribed.” 29. The Commissioner asked further questions on 4 September 2020. 
In particular the Commissioner wished to know, inter alia, the specific date when the benefit scheme ended; the number of emails sent to, and received by, subscribers after the cessation of the scheme; and as part of the “re-engagement campaign”, how many subscribers were sent messages who had initially consented to marketing emails as part of a previous campaign. 30. In its response, SportsDirect again cited concerns which it had raised earlier in the investigation in respect of the challenges it has faced in gathering information to respond to some of the Commissioner’s queries; i.e. since many of the individuals who were “involved in making decisions and administering the databases around the time the dataset was cleansed have already long since left the business” [and] 9 “most files and communications created during their employment on local drives have long since been deleted in accordance with standard retention procedures”. 31. SportsDirect therefore sought to provide its “best estimate” of the dates in connection with the cessation of the benefit scheme, stating that it ceased to operate “in around January 2018”, and that throughout January and February 2018 the data cleanse took place, leaving “around 779,000 email contacts”. This dataset was then sent a “welcome-style email” although the content of this could not be determined. Those who “engaged” with the “welcome-style email” were added to the “main email marketing dataset”. 32. In relation to the “re-engagement campaign” (also referred to by SportsDirect as the “Christmas 2019 Email Campaign”), SportsDirect stated: “one of the objectives of the Christmas 2019 Email Campaign was to cleanse the marketing database. This cleanse began in the week commencing 13 January 2020. 
This means that the business is not able to retrieve data deleted at that time and is unable to re-create that segmentation to provide [the Commissioner] with specific details around how many individuals initially consented to marketing emails as part of a previous campaign or scheme. The business used legitimate interests as the basis on which to send the Christmas 2019 Email Campaign. For the reasons described above, it is no longer possible for us to retrieve the distribution list used in the Christmas 2019 Email Campaign and then separate out individuals who were initially opted in through being a member of the Scheme” 1033. The Commissioner sent an ‘end of investigation’ email to SportsDirect on 21 October 2020, although it was invited to provide any further “relevant evidence, or information regarding [its] policies, procedures and training programmes”. SportsDirect responded on 2 November 2020 with a summary of its position, and information in respect of the number of individuals who may have received an email as part of the “re-engagement campaign”, specifically stating that it: “understand[s] that the volume of emails sent as part of the Christmas 2019 Campaign was approximately 2.9 million. [It] cannot quantify the total number of data subjects emailed as part of this campaign due to the absence of historic communications due to strict data deletion […]. […] the data subjects would have included individuals who had been members of the [Loyalty Scheme operating outside of the UK], but there would also have been other recipients”. Whilst SportsDirect were unable to confirm the precise number of individuals which it had emailed, its confirmation that “approximately 2.9 million” messages were sent accorded with the precise figures which it had provided on 12 June 2020 where it was stated that there had been 2,948,865 direct marketing messages sent relating specifically to the “re-engagement campaign”, with 87% being received. 34. 
The Commissioner has made the above findings of fact on the balance of probabilities. 35. The Commissioner has considered whether those facts constitute a contravention of regulation 22 of PECR by SportsDirect and, if so, whether the conditions of section 55A DPA are satisfied. The contravention 1136. The Commissioner finds that SportsDirect contravened regulation 22 of PECR. 37. The Commissioner finds that the contravention was as follows: 38. The Commissioner finds that between 21 December 2019 and 16 February 2020 there were 2,565,513 direct marketing emails received by subscribers. The Commissioner finds that SportsDirect transmitted those direct marketing messages, contrary to regulation 22 of PECR. 39. SportsDirect, as the sender of the direct marketing, is required to ensure that it is acting in compliance with the requirements of regulation 22 of PECR, and to ensure that valid consent to send those messages had been acquired. 40. SportsDirect has been unable to provide evidence of consent for the messages sent over the period of 21 December 2019 and 16 February 2020. 41. In this instance, in relation to the 2,565,513 direct marketing emails stated by SportsDirect on 12 June 2020 to have been received by subscribers over the relevant period, SportsDirect has been unable to provide evidence of valid consent. Indeed it is stated that it is no longer possible for SportsDirect to “retrieve the distribution list used in the Christmas 2019 Email Campaign”. In the circumstances the Commissioner is not satisfied that SportsDirect can avail itself to the soft opt-in exception provided at regulation 22(3) PECR. 42. The Commissioner has gone on to consider whether the conditions under section 55A DPA are met. 12 Seriousness of the contravention 43. The Commissioner is satisfied that the contravention identified above was serious. 
This is because between 21 December 2019 and 16 February 2020, a total of 2,565,513 direct marketing messages were received by subscribers having been sent by SportsDirect. These messages, which were sent as part of a “re-engagement campaign”, contained direct marketing material for which subscribers had not provided valid consent. Furthermore, since SportsDirect is now unable to retrieve the distribution list and is therefore unable to evidence how/when details were purportedly obtained, the Commissioner is satisfied that SportsDirect is unable to rely on the soft opt-in exemption. 44. The Commissioner is therefore satisfied that condition (a) from section 55A(1) DPA is met. Deliberate or negligent contraventions 45. The Commissioner has considered whether the contravention identified above was deliberate. 46. The Commissioner does not consider that SportsDirect deliberately set out to contravene PECR in this instance. 47. The Commissioner has gone on to consider whether the contravention identified above was negligent. This consideration comprises two elements: 48. Firstly, she has considered whether SportsDirect knew or ought reasonably to have known that there was a risk that these 13 contraventions would occur. This is not a high bar and she is satisfied that this condition is met. 49. The Commissioner has published detailed guidance for those carrying out direct marketing explaining their legal obligations under PECR. This guidance gives clear advice regarding the requirements of consent for direct marketing and explains the circumstances under which organisations are able to carry out marketing over the phone, by text, by email, by post, or by fax. In particular it states that organisations can generally only send, or instigate, marketing messages to individuals if that person has specifically consented to receiving them. 
The guidance also provides a full explanation of the “soft opt-in” exemption and states that organisations “should […] make sure that they keep clear records of exactly what someone has consented to. In particular, they should record the date of consent, the method of consent, who obtained consent, and exactly what information was provided to the person consenting”. SportsDirect has been unable to do this. 50. The Commissioner has published detailed guidance on consent under the GDPR. In case organisations remain unclear on their obligations, the ICO operates a telephone helpline. ICO communications about previous enforcement action where businesses have not complied with PECR are also readily available. 51. It is therefore reasonable to suppose that SportsDirect should have been aware of its responsibilities in this area. 52. Secondly, the Commissioner has gone on to consider whether SportsDirect failed to take reasonable steps to prevent the contraventions. Again, she is satisfied that this condition is met. 1453. The Commissioner takes the view that any person wishing to engage in direct marketing by electronic mail could and should – particularly since the coming into effect of the GDPR – have ensured that all of their consent capture mechanisms properly enabled consent to be separately given or withheld for direct marketing communications, and that such consent was retained. At the outset of the investigation the Commissioner raised concerns with SportsDirect’s privacy policy which stated: “You acknowledge that you do not object to us and third parties identified below, including our Third Party Advertisers, using your personal information for any of the purposes outlined in this privacy policy and you confirm that you do not and will not consider any of these purposes as a breach of any of your rights under the Privacy and Electronic Communications (EC Directive) Regulations 2003” (emphasis added). 
SportsDirect has since amended the wording of its Privacy Policy.

54. The Commissioner takes the view that SportsDirect could legitimately have sought advice either from the Commissioner or from a legal advisor in relation to the basis on which it proposed to send its unsolicited direct marketing to an aged dataset but failed to do so. This is particularly egregious given that the purpose of SportsDirect’s “re-engagement campaign” was to contact individuals with whom it had not “connected” with for some time.

55. In the circumstances, the Commissioner is satisfied that SportsDirect failed to take reasonable steps to prevent the contraventions.

56. The Commissioner is therefore satisfied that condition (b) from section 55A (1) DPA is met.

The Commissioner’s decision to issue a monetary penalty

57. The Commissioner has taken into account the following aggravating feature of this case:
• The Commissioner is concerned about SportsDirect’s failure to maintain satisfactory internal consent records.

58. The Commissioner has taken into account the following mitigating feature of this case:
• The Commissioner is mindful that SportsDirect has taken a number of steps to improve its compliance with data protection legislation, specifically it has carried out an exercise to reduce the amount of data in its database; it has reconsidered the frequency of emails which will be sent to individuals; and will introduce a new cleansing system. It is noted that it has also updated its privacy policy in line with the Commissioner’s guidance.

59. For the reasons explained above, the Commissioner is satisfied that the conditions from section 55A (1) DPA have been met in this case. She is also satisfied that the procedural rights under section 55B have been complied with.

60. The latter has included the issuing of a Notice of Intent, in which the Commissioner set out her preliminary thinking.
In reaching her final view, the Commissioner has taken into account the representations made by SportsDirect on this matter.

61. The Commissioner is accordingly entitled to issue a monetary penalty in this case.

62. The Commissioner has considered whether, in the circumstances, she should exercise her discretion so as to issue a monetary penalty.

63. The Commissioner has considered the likely impact of a monetary penalty on SportsDirect. She has decided on the information that is available to her, that SportsDirect has access to sufficient financial resources to pay the proposed monetary penalty without causing undue financial hardship.

64. The Commissioner’s underlying objective in imposing a monetary penalty notice is to promote compliance with PECR. The sending of unsolicited direct marketing messages is a matter of significant public concern. A monetary penalty in this case should act as a general encouragement towards compliance with the law, or at least as a deterrent against non-compliance, on the part of all persons running businesses currently engaging in these practices. The issuing of a monetary penalty will reinforce the need for businesses to ensure that they are only messaging those who specifically consent to receive direct marketing.

65. For these reasons, the Commissioner has decided to issue a monetary penalty in this case.

The amount of the penalty

66. Taking into account all of the above, the Commissioner has decided that a penalty in the sum of £70,000 (seventy thousand pounds) is reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty.

Conclusion

67. The monetary penalty must be paid to the Commissioner’s office by BACS transfer or cheque by 14 October 2021 at the latest. The monetary penalty is not kept by the Commissioner but will be paid into the Consolidated Fund which is the Government’s general bank account at the Bank of England.

68.
If the Commissioner receives full payment of the monetary penalty by 13 October 2021 the Commissioner will reduce the monetary penalty by 20% to £56,000 (fifty-six thousand pounds). However, you should be aware that the early payment discount is not available if you decide to exercise your right of appeal.

69. There is a right of appeal to the First-tier Tribunal (Information Rights) against:
(a) the imposition of the monetary penalty and/or;
(b) the amount of the penalty specified in the monetary penalty notice.

70. Any notice of appeal should be received by the Tribunal within 28 days of the date of this monetary penalty notice.

71. Information about appeals is set out in Annex 1.

72. The Commissioner will not take action to enforce a monetary penalty unless:
• the period specified within the notice within which a monetary penalty must be paid has expired and all or any of the monetary penalty has not been paid;
• all relevant appeals against the monetary penalty notice and any variation of it have either been decided or withdrawn; and
• the period for appealing against the monetary penalty and any variation of it has expired.

73. In England, Wales and Northern Ireland, the monetary penalty is recoverable by Order of the County Court or the High Court. In Scotland, the monetary penalty can be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland.

Dated the 13th day of September 2021

Andy Curry
Head of Investigations
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

ANNEX 1

SECTION 55 A-E OF THE DATA PROTECTION ACT 1998

RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER

1. Section 55B(5) of the Data Protection Act 1998 gives any person upon whom a monetary penalty notice has been served a right of appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’) against the notice.

2.
If you decide to appeal and if the Tribunal considers:-
a) that the notice against which the appeal is brought is not in accordance with the law; or
b) to the extent that the notice involved an exercise of discretion by the Commissioner, that she ought to have exercised her discretion differently,
the Tribunal will allow the appeal or substitute such other decision as could have been made by the Commissioner. In any other case the Tribunal will dismiss the appeal.

3. You may bring an appeal by serving a notice of appeal on the Tribunal at the following address:

General Regulatory Chamber
HM Courts & Tribunals Service
PO Box 9300
Leicester
LE1 8DJ
Telephone: 0203 936 8963
Email: grc@justice.gov.uk

a) The notice of appeal should be sent so it is received by the Tribunal within 28 days of the date of the notice.
b) If your notice of appeal is late the Tribunal will not admit it unless the Tribunal has extended the time for complying with this rule.

4. The notice of appeal should state:-
a) your name and address/name and address of your representative (if any);
b) an address where documents may be sent or delivered to you;
c) the name and address of the Information Commissioner;
d) details of the decision to which the proceedings relate;
e) the result that you are seeking;
f) the grounds on which you rely;
g) you must provide with the notice of appeal a copy of the monetary penalty notice or variation notice;
h) if you have exceeded the time limit mentioned above the notice of appeal must include a request for an extension of time and the reason why the notice of appeal was not provided in time.

5. Before deciding whether or not to appeal you may wish to consult your solicitor or another adviser. At the hearing of an appeal a party may conduct his case himself or may be represented by any person whom he may appoint for that purpose.

6.
The statutory provisions concerning appeals to the First-tier Tribunal (Information Rights) are contained in section 55B(5) of, and Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No. 1976 (L.20)).