ICO (UK) - The Money Hive Limited: Difference between revisions
Revision as of 12:23, 2 March 2022
ICO (UK) - The Money Hive Limited | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Article 4(11) GDPR; Data Protection Act 1998; Privacy and Electronic Communications (EC Directive) Regulations 2003 |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 09.09.2020 |
Decided: | 14.02.2022 |
Published: | 17.02.2022 |
Fine: | 50,000 GBP |
Parties: | The Money Hive Limited |
National Case Number/Name: | The Money Hive Limited |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | ICO (in EN) |
Initial Contributor: | gauravpathak |
The UK DPA issued a €60,000 fine against a loan broker for sending unsolicited direct marketing text messages in violation of Regulation 22 of the UK Privacy and Electronic Communications (EC Directive) Regulations 2003.
English Summary
Facts
The Money Hive Limited (TMHL) is a company that calls itself "a short term loan lender and broker for other lenders and financial service providers". Mobile UK is an entity representing the interests of mobile subscribers in the UK. Mobile UK has a Spam Reporting Service, and subscribers can report a spam message by forwarding the spam message to Mobile UK.
In September 2020, numerous unsolicited text messages sent by TMHL were reported. The Investigating Officer identified nine separate message scripts promoting high-interest payday loans. The messages contained links to websites operated by TMHL and were sent to people who had “previously applied online for a loan with a TMHL-operated website” but had abandoned the process midway for whatever reason.
In response to the ICO’s letter seeking information and documentation about consent provided by the subscribers, TMHL stated the following:
• It had used the services of two platform providers to send the messages.
• Between 1 January 2020 and 8 September 2020, a total of 752,425 text messages were received by subscribers.
• TMHL divided consent into two categories: “a) Individuals consent to being notified of their loan application results via SMS; and b) individuals consent to future marketing from it and "select 3rd parties" via separate tick boxes.” It added that "a very small number of customers might not realise that the messages are direct responses to their loan application and consider them to be marketing texts".
The ICO considered the 'customer journey' documents provided by TMHL and noticed two opt-in statements. Opt-in 1 was accessible after a customer had clicked 'apply now' on the respective website and had entered their contact details. It had the following text, followed by three separate optional tick boxes for email/SMS/phone:
"LoanPig and our 3rd party partners would like to stay in touch with you via email and sms to send you reminders and occasional relevant offers, please tick below if you wish to receive this [...]"
Opt-in 2 had three checkboxes. The first two, covering subscribers being “contacted by SMS, email or telephone by Loanpig (TMHL) and its "third party partners"” and their agreement to the Terms & Conditions and Privacy Policy, were mandatory.
TMHL’s Privacy Policy stated that if a customer’s application “does not meet [TMHL's] underwriting criteria, we may pass your details to a broker who may be able to offer you a loan or financial service from their panel of lenders and financial service providers”. It also provided a list of brokers and further stated, “[a]s part of the application process some lenders and financial service partners may take up to 24 hrs to respond by sms, email, or phone, so you may receive product offers from them within that period [...]. To provide the best service possible during your application, we may send you, by sms or email, relevant alternative or complimentary products within the 24h application period”.
The ICO noticed that many of the brokers listed in TMHL’s Privacy Policy were in the business of lead generation services/affiliate network services.
Before the ICO, TMHL gave evidence of subscribers having opted out of its messaging texts. It also explained the working of its messaging system and the number of messages being sent. On the aspect of messages containing links to third parties, TMHL stated that “they use alternative brokers to obtain a loan for their customers stating: "[t]his isn't promoting 3rd party websites and we are only paid a commission when the customer gets a loan, not for each lead sent for example so we consider this the same as sending a customer to an alternative lender's website where they may obtain a loan. To confirm, we do not receive any commission if the consumer does not apply online or find a product, so this is not marketing".” In addition, TMHL submitted to the ICO a “'Legitimate Interest Assessment' document in relation to these messages, which explained that their purpose was to provide an alternative short-term loan [through an alternative broker] when the individual's application to TMHL directly was unsuccessful.”
TMHL informed the ICO that it had started sending these messages from 12 March 2020. TMHL stated that it conducted regular due diligence, but that this was done on a face-to-face basis and there was no documentary record of it.
Holding
The ICO concluded as follows:
1. TMHL contravened Regulation 22 PECR by sending 752,425 unsolicited direct marketing text messages that were received by subscribers.
2. TMHL’s marketing was not solicited as “in order to proceed with the online application, individuals had no choice but to agree to receive an undefined number of contacts via text, email and telephone from TMHL and its third-party partners.” The same is also evident from the high number of complaints received regarding TMHL’s messages.
3. Messages sent by TMHL were direct marketing messages and not service messages, as the messages “advertised the availability of loan products from both TMHL and third-party providers [and] can be appropriately defined as falling within the definition of direct marketing as prescribed by Section 122(5) DPA18.”
4. A valid consent needs to be “freely given” and the organisation will have to demonstrate how “the consent can be said to have been given freely.” This was not the case with TMHL as it “did provide a separate set of optional opt-in boxes for individuals who might wish to agree to marketing in the future.”
5. No specific consent was present in this case as individuals “were not able to select the method by which they may wish to receive direct marketing, with agreement to being potentially contacted by text message, email and/or telephone, being a requirement.”
6. “Consent will not be "informed" if individuals do not understand what they are consenting to.” Consent will not be valid “if individuals are asked to agree to receive marketing from "similar organisations", "partners", "selected third parties" or other similar generic description.” Moreover, “subscribers were denied the chance to select which, if any, of the potential third-parties it might wish to receive marketing messages about.”
7. TMHL could not rely on the soft opt-in exemption under the PECR as “individuals were unable to opt out of receiving these particular direct marketing messages at the point at which their details were taken, since agreement to receipt of these messages was a condition of service.”
The contravention by TMHL was considered to be serious due to the high number of messages resulting in a total of 1,360 complaints. However, the contravention was not considered to be deliberate. Nevertheless, the ICO found TMHL to be negligent as it did not take “thorough steps to understand and implement marketing procedures that are compliant with the legislation.”
Thus, the ICO fined TMHL €60,000 (£50,000) for sending unsolicited direct marketing text messages in violation of Regulation 22 PECR.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
ICO. Information Commissioner's Office
DATA PROTECTION ACT 1998
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER
MONETARY PENALTY NOTICE
To: The Money Hive Limited
Of: Britannic House 657 Liverpool Road Irlam Lancashire M44 5XD
1. The Information Commissioner ("the Commissioner") has decided to issue The Money Hive Limited ("TMHL") with a monetary penalty under section 55A of the Data Protection Act 1998 ("DPA"). The penalty is in relation to a serious contravention of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR").
2. This notice explains the Commissioner's decision.
Legal framework
3. TMHL, whose registered office address is given above (Companies House Registration Number: 09932988) is the organisation stated in this notice to have transmitted unsolicited communications by means of electronic mail to individual subscribers for the purposes of direct marketing contrary to regulation 22 of PECR.
4. Regulation 22 of PECR states:
"(1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers.
(2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.
(3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where-
(a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;
(b) the direct marketing is in respect of that person's similar products and services only; and
(c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.
(4) A subscriber shall not permit his line to be used in contravention of paragraph (2)."
5. Section 122(5) of the Data Protection Act 2018 ("DPA18") defines direct marketing as "the communication (by whatever means) of advertising or marketing material which is directed to particular individuals". This definition also applies for the purposes of PECR (see regulation 2(2) PECR and paragraphs 430 & 432(6) to Schedule 19 of the DPA18).
6. At the time of the alleged contravention PECR was defined by reference to the concept of consent in Regulation 2016/679 ("the GDPR"): regulation 8(2) of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. Article 4(11) of the GDPR set out the following definition: "'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".
7. Recital 32 of the GDPR materially states that "When the processing has multiple purposes, consent should be given for all of them".
Recital 42 materially provides that "For consent to be informed, the data subject should be aware at least of the identity of the controller". Recital 43 materially states that "Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case".
8. "Individual" is defined in regulation 2(1) of PECR as "a living individual and includes an unincorporated body of such individuals".
9. A "subscriber" is defined in regulation 2(1) of PECR as "a person who is a party to a contract with a provider of public electronic communications services for the supply of such services".
10. "Electronic mail" is defined in regulation 2(1) of PECR as "any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient and includes messages sent using a short message service".
11. The term "soft opt-in" is used to describe the rule set out in Regulation 22(3) of PECR. In essence, an organisation may be able to e-mail its existing customers even if they haven't specifically consented to electronic mail. The soft opt-in rule can only be relied upon by the organisation that collected the contact details.
12. Section 55A of the DPA (as applied to PECR cases by Schedule 1 to PECR, as variously amended) states:
"(1) The Commissioner may serve a person with a monetary penalty if the Commissioner is satisfied that -
(a) there has been a serious contravention of the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 by the person,
(b) subsection (2) or (3) applies.
(2) This subsection applies if the contravention was deliberate.
(3) This subsection applies if the person -
(a) knew or ought to have known that there was a risk that the contravention would occur, but
(b) failed to take reasonable steps to prevent the contravention."
13. The Commissioner has issued statutory guidance under section 55C(1) of the DPA about the issuing of monetary penalties that has been published on the ICO's website. The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe that the amount of any penalty determined by the Commissioner must not exceed £500,000.
14. PECR were enacted to protect the individual's fundamental right to privacy in the electronic communications sector. PECR were subsequently amended and strengthened. The Commissioner will interpret PECR in a way which is consistent with the Regulations' overall aim of ensuring high levels of protection for individuals' privacy rights.
15. The provisions of the DPA remain in force for the purposes of PECR notwithstanding the introduction of the DPA18: see paragraph 58(1) of Schedule 20 to the DPA18.
Background to the case
16. Mobile users can report the receipt of unsolicited marketing text messages to the Mobile UK's Spam Reporting Service by forwarding the message to 7726 (spelling out "SPAM"). Mobile UK is an organisation that represents the interests of mobile operators in the UK. The Commissioner is provided with access to the data on complaints made to the 7726 service and this data is incorporated into a Monthly Threat Assessment (MTA) used to ascertain organisations in breach of PECR.
17. The organisation first came to the attention of the ICO in September 2020, when large volumes of unsolicited text messages were reported via the 7726 tool. The Investigating Officer analysed the complaints submitted and established that nine separate message scripts were sent promoting high interest payday loans.
18.
The messages contained unique hyperlinks to one of the following websites: www.loanpig.co.uk, www.bingoloans.co.uk and www.pmloans.co.uk, which are trading styles of TMHL. When clicked on, the respective webpage would open and would generate a 'loading' bar which would ask the individual to wait while it gathered results, and the individual would then be presented with a loan offer. It is understood that these messages were sent to individuals who had previously applied online for a loan with a TMHL-operated website. The purpose of these messages was to redirect the applicant to the relevant website when they had, for whatever reason, failed to proceed with the loan offer presented whilst on the website.
19. One of TMHL's websites, www.loanpig.co.uk, states they offer "a straight-forward, transparent 100% online solution for you to get a responsible short term loan." The two other named sites, in addition to TMHL's lending portal site (www.themoneyhive.co.uk), contained materially similar text, with the consistent suggestion that the application would be online-only.
20. On 9 September 2020, an initial investigation letter, along with a spreadsheet of complaints, was sent to TMHL. The letter outlined the Commissioner's concerns with TMHL's PECR compliance, and asked a number of questions in relation to its direct marketing practices between 1 January 2020 and 8 September 2020, in addition to requesting evidence of consent for the complaints received.
21. TMHL responded on 24 September 2020 and provided details of the customer journey undertaken when data is obtained, using a separate document to demonstrate a walkthrough of an application via one of its sites. It also provided copies of its privacy policies, data processing agreements, communications policy and a spreadsheet detailing the consent evidence to show when an individual had applied for a loan via one of its sites.
It was confirmed that no data is purchased from third parties. At this point, TMHL described itself as "a short term loan lender and broker for other lenders and financial service providers".
22. TMHL explained that its text messages were transmitted using two platform providers: and who facilitated the sending of messages between 1 January 2020 to 8 September 2020.[1] During this period, 661,012 messages were sent via Of those, 616,824 were received by individuals. Whilst 146,370 messages were sent via with 135,601 of those messages being received by individuals. This suggests that a total of 752,425 text messages were received by subscribers.
23. The message scripts used by TMHL were provided, with some examples being as follows:
- <Name> your <loan amount> fast track loan application results are ready. Click: www.tmhl.uk/XX Optout: STOP to 07491163044
- <Name> your <loan amount> fast track application is ready. Click: www.tmhl.uk/XX Rep 1261% APR Optout: STOP to 07491163044
- <Name> we've found lenders for your <loan amount> loan app. Just 1 Click to review results: www.tmhl.uk/XX Optout: STOP to 07491163044
[1] TMHL confirmed in later correspondence that text messages were sent from mid-March 2020.
24. In response to the Commissioner's enquiry as to how TMHL ensures consent for marketing had been obtained from individuals, TMHL stated that "consent is split into two categories: a) Individuals consent to being notified of their loan application results via SMS; and b) individuals consent to future marketing from it and "select 3rd parties" via separate tick boxes.
25. When asked for an explanation for the number of complaints received, TMHL suggested that "a very small number of customers might not realise that the messages are direct responses to their loan application and consider them to be marketing texts".
26.
The Commissioner considered the 'customer journey' documents provided for one of TMHL's sites, www.loanpig.co.uk, which he was advised was identical for www.bingoloans.co.uk and www.pmloans.co.uk. As TMHL had said, there were two opt-in statements apparent from the webpage.
27. The first ("Opt-In 1") was accessible after a customer had clicked 'apply now' on the respective website and had entered their contact details. It had the following text, followed by three separate optional tick boxes for email / SMS / phone: "LoanPig and our 3rd party partners would like to stay in touch with you via email and sms to send you reminders and occasional relevant offers, please tick below if you wish to receive this [...]"
28. It is understood that Opt-In 1 related to marketing which would be sent beyond the 24-hour period immediately following the individual's application, and was not relevant for the purposes of the 752,425 messages which were received by subscribers within the initial 24 hours of the application and which form the basis of the Commissioner's investigation.
29. The second ("Opt-In 2") materially consists of three parts and would be located at the end of the application with separate tick boxes.
30. The first part of this is to advise customers of the need for a credit check to be performed, and would advise them that they may be contacted by SMS, email or telephone by Loanpig (TMHL) and its "third party partners". This tick box would be mandatory for all applicants.
31. The second tick box requires agreement to signify that the customer agrees to the Terms & Conditions and Privacy Policy. It is understood that this tick box was also mandatory.
32. The third appears to be optional and offers a "free 14 day trial with UK Credit Rating".
33.
TMHL's Privacy Policy (referred to within the second tick box of Opt-In 2) advises that if a customer's application "does not meet [TMHL's] underwriting criteria, we may pass your details to a broker who may be able to offer you a loan or financial service from their panel of lenders and financial service providers". It then provides a list of brokers who may be used, stating that "[a]s part of the application process some lenders and financial service partners may take up to 24 hrs to respond by sms, email, or phone, so you may receive product offers from them within that period [...] To provide the best service possible during your application, we may send you, by sms or email, relevant alternative or complimentary products within the 24h application period".
34. From the list of brokers which were named on TMHL's websites, the Commissioner has evidence that a number of them in fact provide lead generation services / affiliate network services.[2]
35. It is understood that the 752,425 unsolicited text messages sent by TMHL were received by subscribers who had ticked the necessary parts of Opt-In 2 (i.e. tick boxes 1 and 2) and clicked to submit their details to obtain an online loan offer. It is understood that there were two circumstances under which text messages would be sent: a) messages advertising TMHL products would be sent to individuals who, having input their details and been directed to a loan offer page, failed to proceed with the offer for whatever reason; and, in the alternative, b) messages advertising third-party brokers/products would be sent to individuals who had been unsuccessful in their online loan application with TMHL.
36. In any event, if an individual did not proceed with an online loan offer, or was deemed ineligible for a loan offer from TMHL directly, TMHL would proceed to send them a series of text messages over the following 24 hours offering loan-related products.
37.
In further correspondence on 16 October 2020, TMHL provided a screenshot of statistics showing the number of opt-outs which it had received via its 07491 163044 opt-out number (as included on all of its direct marketing texts) between March 2020 and August 2020.
[2] During the course of the investigation, the number and identity of the 'brokers' on the various websites changed.
38. TMHL also explained that in relation to the opt-in statements on its websites, Opt-In 1 concerned consent to future marketing SMS/emails from TMHL and third parties, whereas Opt-In 2 constituted agreement to a credit check and to an individual receiving the results of their loan application by SMS text message. In subsequent correspondence of 3 November 2020 it was confirmed that all of the complaints which the Commissioner had brought to TMHL's attention related to messages sent on the basis of Opt-In 2, i.e. that they were sent "in serving the legitimate interests of the customer to find a loan or suitable financial product". TMHL confirmed that all of the complainants "had applied one or more times on our loan application form which is impossible to submit without agreeing [to Opt-In 2]".
39. During the investigation the Commissioner was able to establish complaints dating back to March 2020 which could be connected to TMHL but which included links to third-party sites not previously recognised as being associated with TMHL. These websites included (which are all operated by who appear to have been added to TMHL's list of brokers on its various Privacy Policies at some point between August 2020 and November 2020), (which is operated by who is acting as an appointed rep to - these entities were not named within TMHL's Privacy Policies), (which is operated by is unknown).
40.
On 30 November 2020 the Commissioner sent some further enquires to TMHL inter alia in relation to the frequency of the messages being sent, and the inclusion of third-party web links in its messages.
41. In its response of 9 December 2020, TMHL provided the requested details. It explained that the average number of messages sent per application is five, and that this is now capped to be sent within the first 30 minutes of the application being received. In relation to the inclusion of third-party web links in its messages TMHL explained that "[t]he third party website(s) were used as an option for the consumer to obtain a loan with an alternative panel as a last option for them. They were also used in a separate capacity as a way of providing customers with an option if there was any error with our online application process. Those combined usages led to too much confusion for the customer and we have removed that service as one of our results on sms [...] We do not send messages on behalf of anyone else, we are trying to find the consumer a loan or comparable financial product. On occasion the use of a broker with a different panel of lenders can lead to a better result for the customer so we believe this to still be in the legitimate interests of the customer. If they ultimately obtain a loan through the use of the broker site, we do receive a commission for the lead and is, therefore, no different to our relationships with other financial service providers".
42. Noting that TMHL had not provided a list of the third parties whose web links were provided in its text messages, or the related requested information, the Commissioner wrote to TMHL on 10 December 2020 requesting the same.
43.
TMHL responded the same day to advise that, in its view, messages were not sent on behalf of third-party websites, but that they use alternative brokers to obtain a loan for their customers stating: "[t]his isn't promoting 3rd party websites and we are only paid a commission when the customer gets a loan, not for each lead sent for example so we consider this the same as sending a customer to an alternative lender's website where they may obtain a loan. To confirm, we do not receive any commission if the consumer does not apply online or find a product, so this is not marketing".
44. TMHL explained they did not have a relationship with the credit brokers who received the leads because, in relation to the messages sent which advertise the loan products of a third-party, they use a redirection service provided by ('-"), which is effectively used to find customers an alternative loan. With its response, TMHL provided an 'affiliate processing activity contract' between itself and - dated 12 March 2020 which included a screenshot of TMHL's data capture page. This page included a screenshot of the Opt-In 1 statement, which TMHL had previously advised the Commissioner was not used in relation to the messages about which complaints had been received.
45. TMHL provided a 'Legitimate Interest Assessment' document in relation to these messages, which explained that their purpose was to provide an alternative short-term loan [through an alternative broker] when the individual's application to TMHL directly was unsuccessful. Under the section of the document headed "Would you be happy to explain the processing to the individuals?", TMHL wrote: "Yes - if any individual wanted to know why their details were processed we would provide the reasons behind our decision. This information is also provided within our Privacy Notice at all times.
'To provide the best service possible during your application, we may send you, by sms or email, relevant* alternative or complimentary products within the 24h application period. Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests. If you opt in to marketing during your application, our partners may send you marketing information about these services after this 24h period.
*The product offers we consider relevant for both your initial application and for if you opt-in to future offers are:
• High Cost Short Term Credit
• Credit Cards
• Loan Comparison Services
• Tax Refund
• Payday Loan/Short Term Credit
• Guarantor Loans
• Debt Management Services
• Credit Scoring
• Pre-paid Debit Cards
• Money Saving Offers
• Utility Switching Services"'
46. TMHL also provided figures to show that between March 2020 and September 2020, 217,797 such messages were sent, with 203,100 being received. As it is understood that 752,425 messages were received by subscribers in total over the prescribed period, the Commissioner therefore understands that 203,100 of these provided links to third-party sites, and the remaining 549,325 messages which were received by subscribers contained links which directed recipients to TMHL's own sites.
47. On 15 December 2020 the Commissioner sent further correspondence to TMHL raising concerns with TMHL's apparent reliance on legitimate interest as the basis for the transmission of its direct marketing messages. The Commissioner requested further details of TMHL's relationship with - and details of the credit brokers whose services were included in TMHL's 'alternative loan' messages.
48. TMHL responded on 8 January 2021 disagreeing with the Commissioner's suggestion that its messages constituted direct marketing.
It also provided a summary of the service provided to it by - which essentially confirmed that - had no involvement in the content of the 'alternative loan' text messages, except for providing the redirect-URL, and arranging brokers which would be advertised in the messages.
49. The Commissioner emailed TMHL on 13 January 2021 providing some short guidance in relation to the soft opt-in, as it had been referred to by TMHL in previous correspondence, and explained why it would not apply in these circumstances. The Commissioner then sent TMHL a further email on 11 February 2021 with some additional enquiries concerning inter alia the precise start date for its messages, its due diligence in respect of the third parties listed within the Privacy Policies of its sites, and details of the point at which an individual who leaves a TMHL-operated website after completing a loan application would qualify to receive messages from TMHL.
50. The Commissioner received a response on 1 March 2021 to advise that the - messages (i.e. those about which complaints had been received) had begun in "mid-March 2020". It advised that its due diligence was conducted routinely but largely face-to-face; accordingly it could not produce any documentary proof. TMHL confirmed it did not do any formal due diligence on - explaining that "we do not send customer data to them, we redirect the customer's browser session to them".
51. In terms of the point of the application process at which an individual would be eligible to begin receiving text messages from TMHL, it explained that: "[...] we sent the customer their loan result in a text message as a courtesy following each application. The loan application process can be slow due to the affordability checks we need to do and then if we can't lend to the customer, it then takes longer to find the customer a product within our panels.
The end result is the customer can frequently get disconnected from our website or get impatient and leave thinking it's not working. That gave rise to the entire process of texting them to ensure they obtained the product they were qualified for. This was done as a courtesy to all customers as we would not really find out data on abandoned applications until the following month".

52. TMHL confirmed on 2 March 2021 that it first sent the relevant text messages from 12 March 2020.

53. The Commissioner received 4 complaints in July 2020 from a single complainant who received four separate messages within a 24-hour period, of which 3 were between 9pm and 10pm, with the complainant reporting that the messages disrupted her sleep.

54. There were 1,356 complaints made to the 7726 reporting service between 26 March 2020 and 8 September 2020 concerning messages sent by TMHL.

55. It is understood that there have been a further 5,107 complaints to the 7726 service between 9 September 2020 and 23 May 2021, with a number of further complaints being made from 24 May 2021 and continuing into 2022.

56. The Commissioner has made the above findings of fact on the balance of probabilities.

57. The Commissioner has considered whether those facts constitute a contravention of regulation 22 of PECR by TMHL and, if so, whether the conditions of section 55A DPA are satisfied.

The contravention

58. The Commissioner finds that TMHL contravened regulation 22 of PECR.

59. The Commissioner finds that the contravention was as follows:

60. The Commissioner finds that between 12 March 2020 and 8 September 2020 there were 752,425 unsolicited direct marketing text messages received by subscribers. The Commissioner finds that TMHL transmitted those direct marketing messages via two platform providers, contrary to regulation 22 of PECR.

61. The Commissioner takes the view that these messages are unsolicited.
Subscribers used TMHL's websites, which advertised themselves as a "100%" and "purely online" service, as a means of obtaining a short term loan offer. However, in order to proceed with the online application, individuals had no choice but to agree to receive an undefined number of contacts via text, email and telephone from TMHL and its third-party partners. TMHL used the individual's mandatory agreement as a basis for engaging in its direct marketing campaign. Individuals used TMHL's service to obtain an online loan offer and had not requested this additional contact voluntarily; the Commissioner therefore takes the view that the marketing cannot be said to have been solicited. The fact that individuals were denied this choice at the outset of their application is evidenced by the high volume of complaints which were received regarding these messages.

62. TMHL, as the sender of unsolicited direct marketing, is required to ensure that it is acting in compliance with the requirements of regulation 22 of PECR, and to ensure that valid consent to send those messages had been acquired.

63. Whilst TMHL has suggested that its messages were 'service messages', and not direct marketing messages, the Commissioner is satisfied that the messages which were received by subscribers, which advertised the availability of loan products from both TMHL and third-party providers, can be appropriately defined as falling within the definition of direct marketing as prescribed by Section 122(5) DPA18.

64. For consent to be valid it is required to be "freely given", by which it follows that if consent to marketing is a condition of subscribing to a service, the organisation will have to demonstrate how the consent can be said to have been given freely.
Whilst TMHL did provide a separate set of optional opt-in boxes for individuals who might wish to agree to marketing in the future, it is the case that if a subscriber wished to proceed with their online loan application they would be required to agree to receiving a variety of contacts (telephone, email and text message) from TMHL and a range of third-parties. In this instance, over a 6-month period over 750,000 messages were sent. These messages would be sent if an individual decided not to proceed with the subsequent online offer, or if they were ineligible for a loan offer from TMHL. This requirement to agree to TMHL's messages was also bundled up with the requirement to agree to a credit check. Individuals were unable to agree solely to the credit check and to proceed with their loan application online only. Agreement to being potentially contacted by text message, email and telephone was a requirement of proceeding with TMHL's service. Whilst TMHL has characterised its text messages as a "courtesy" for customers, in the Commissioner's view it is misleading to do so, as subscribers had no choice but to agree to receipt of these messages. Furthermore, and in any event, messages sent as a "courtesy" are not exempt from the rules regarding PECR.

65. Consent is also required to be "specific" as to the type of marketing communication to be received, and the organisation, or specific type of organisation, that will be sending it. Individuals in this instance were not able to select the method by which they may wish to receive direct marketing, with agreement to being potentially contacted by text message, email and/or telephone, being a requirement.

66. Consent will not be "informed" if individuals do not understand what they are consenting to. Organisations should therefore always ensure that the language used is clear, easy to understand, and not hidden away in a privacy policy or small print.
Consent will not be valid if individuals are asked to agree to receive marketing from "similar organisations", "partners", "selected third parties" or other similar generic description. In this instance, individuals did not have the option to select which, if any, of TMHL's third parties it might wish to receive direct marketing from following their online loan application. Whilst some of the third parties about which the individuals might receive direct marketing were named within the relevant Privacy Policy, there was no indication of how many messages they might receive, nor was there an option to select the method of contact. Indeed, as TMHL itself recognised in the course of the investigation, it could be confusing for an individual to receive a text with a link to a third-party website offering a loan with an alternative panel with which it will have had no contact previously. It is also understood that in relation to the messages which were sent which advertised the loan products of third parties, whilst some third-parties were named within TMHL's Privacy Policies, the third-parties included brokers (who might in turn advertise their own affiliates) and entities who provided lead generation services / affiliate network services. Accordingly, TMHL were not fully aware of precisely which loan provider a subscriber may be directed to within its text messages. Therefore, subscribers were denied the chance to select which, if any, of the potential third-parties it might wish to receive marketing messages about.

67. The Commissioner is therefore satisfied from the evidence he has seen that TMHL did not have the necessary valid consent for the 752,425 direct marketing messages received by subscribers.

68. The Commissioner is also satisfied that TMHL cannot rely on the soft opt-in exemption provided by regulation 22(3).
This is because, contrary to the requirement of regulation 22(3)(c) individuals were unable to opt out of receiving these particular direct marketing messages at the point at which their details were taken, since agreement to receipt of these messages was a condition of service. Furthermore, 203,100 of the 752,425 received messages did not relate to TMHL's own products or services, contrary to the requirement of regulation 22(3)(b).

69. The Commissioner has gone on to consider whether the conditions under section 55A DPA are met.

Seriousness of the contravention

70. The Commissioner is satisfied that the contravention identified above was serious. This is because between 12 March 2020 and 8 September 2020, a confirmed total of 807,382 direct marketing messages were sent by TMHL, of which 752,425 were received by subscribers. These messages contained direct marketing material for which subscribers had not provided valid consent. Furthermore the Commissioner is satisfied that TMHL cannot rely on the soft opt-in exemption. From these messages, a total of 1,360 complaints were made.

71. The Commissioner is therefore satisfied that condition (a) from section 55A(1) DPA is met.

Deliberate or negligent contraventions

72. The Commissioner has considered whether the contravention identified above was deliberate. The Commissioner does not consider that TMHL deliberately set out to contravene PECR in this instance.

73. The Commissioner has gone on to consider whether the contravention identified above was negligent. This consideration comprises elements:

74. Firstly, he has considered whether TMHL knew or ought reasonably to have known that there was a risk that these contraventions would occur. This is not a high bar and he is satisfied that this condition is met.

75. The Commissioner has published detailed guidance for those carrying out direct marketing explaining their legal obligations under PECR. This guidance gives clear advice regarding the requirement of consent for direct marketing and explains the circumstances under which organisations are able to carry out marketing over the phone, by text, by email, by post, or by fax. In particular it states that organisations can generally only send, or instigate, marketing messages to individuals if that person has specifically consented to receiving them. The guidance also provides a full explanation of the "soft opt-in" exemption. The Commissioner has also published detailed guidance on consent under the GDPR. In case organisations remain unclear on their obligations, the ICO operates a telephone helpline. ICO communications about previous enforcement action where businesses have not complied with PECR are also readily available.

76. It is therefore reasonable to suppose that TMHL should have been aware of its responsibilities in this area.

77. Secondly, the Commissioner has gone on to consider whether TMHL failed to take reasonable steps to prevent the contravention. Again, he is satisfied that this condition is met.

78. The Commissioner considers that any organisation engaging in direct marketing must take thorough steps to understand and implement marketing procedures that are compliant with the legislation. If TMHL had done this, it would have realised that it was unable to rely on 'legitimate interest' to comply with PECR as it had suggested for the sending of its direct marketing material.

79. The Commissioner considers that it would have been reasonable for TMHL to separate the various elements of its opt-in page, i.e., by making agreement to the credit check and use of its online loan application process separate and distinct from its request for individuals to agree to follow-up direct marketing communications. By conflating these requirements, TMHL removed the individual's ability to proceed with an online-only loan application, without being required to agree to potentially invasive direct marketing by a variety of methods. That TMHL intended to send these further messages only over the 24-hour period immediately following the individual's application is irrelevant, and appears arbitrary. Indeed, TMHL has also accepted during the investigation that some of the messages it sent, about which complaints were received, fell outside of this time frame in any event.

80. The Commissioner is also concerned by TMHL's lack of knowledge as to the third-parties about whom individuals may have received direct marketing text messages. He considers that it would be reasonable to expect TMHL to conduct sufficient due diligence to ensure that it is at least aware of which third-parties it may be referring individuals to.

81. In the circumstances, the Commissioner is satisfied that TMHL failed to take reasonable steps to prevent the contraventions.

82. The Commissioner is therefore satisfied that condition (b) from section 55A(1) DPA is met.

The Commissioner's decision to impose a monetary penalty

83. The Commissioner has taken into account the following aggravating feature of this case:

• The direct marketing being received in this case is likely to have been sent to vulnerable individuals in financial difficulty.

84. The Commissioner does not consider there to be any significant mitigating features in this case.

85. For the reasons explained above, the Commissioner is satisfied that the conditions from section 55A(1) DPA have been met in this case. He is also satisfied that the procedural rights under section 55B have been complied with.

86. The latter has included the issuing of a Notice of Intent, in which the Commissioner set out his preliminary thinking.
In reaching his final view, the Commissioner has taken into account the representations made by TMHL, but remains satisfied that there are valid grounds for proceeding to issue a monetary penalty notice.

87. The Commissioner is accordingly entitled to issue a monetary penalty in this case.

88. The Commissioner has considered whether, in the circumstances, he should exercise his discretion so as to issue a monetary penalty.

89. The Commissioner has considered the likely impact of a monetary penalty on TMHL. He has decided on the information that is available to him, that a penalty remains the appropriate course of action in the circumstances of this case.

90. The Commissioner's underlying objective in imposing a monetary penalty notice is to promote compliance with PECR. The sending of unsolicited direct marketing messages is a matter of significant public concern. A monetary penalty in this case should act as a general encouragement towards compliance with the law, or at least as a deterrent against non-compliance, on the part of all persons running businesses currently engaging in these practices. The issuing of a monetary penalty will reinforce the need for businesses to ensure that they are only messaging those who specifically consent to receive direct marketing.

91. For these reasons, the Commissioner has decided to issue a monetary penalty in this case.

The amount of the penalty

92. Taking into account all of the above, the Commissioner has decided that a penalty in the sum of £50,000 (fifty thousand pounds) is reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty.

Conclusion

93. The monetary penalty must be paid to the Commissioner's office by BACS transfer or cheque by 16 March 2022 at the latest.
The monetary penalty is not kept by the Commissioner but will be paid into the Consolidated Fund which is the Government's general bank account at the Bank of England.

94. If the Commissioner receives full payment of the monetary penalty by 15 March 2022 the Commissioner will reduce the monetary penalty by 20% to £40,000 (forty thousand pounds). However, you should be aware that the early payment discount is not available if you decide to exercise your right of appeal.

95. There is a right of appeal to the First-tier Tribunal (Information Rights) against:

(a) the imposition of the monetary penalty and/or;
(b) the amount of the penalty specified in the monetary penalty notice.

96. Any notice of appeal should be received by the Tribunal within 28 days of the date of this monetary penalty notice.

97. Information about appeals is set out in Annex 1.

98. The Commissioner will not take action to enforce a monetary penalty unless:

• the period specified within the notice within which a monetary penalty must be paid has expired and all or any of the monetary penalty has not been paid;
• all relevant appeals against the monetary penalty notice and any variation of it have either been decided or withdrawn; and
• the period for appealing against the monetary penalty and any variation of it has expired.

99. In England, Wales and Northern Ireland, the monetary penalty is recoverable by Order of the County Court or the High Court. In Scotland, the monetary penalty can be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland.

Dated the 14th day of February 2022

Andy Curry
Head of Investigations
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

ANNEX 1

SECTION 55 A-E OF THE DATA PROTECTION ACT 1998

RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER

1. Section 55B(5) of the Data Protection Act 1998 gives any person upon whom a monetary penalty notice has been served a right of appeal to the First-tier Tribunal (Information Rights) (the 'Tribunal') against the notice.

2. If you decide to appeal and if the Tribunal considers:-

a) that the notice against which the appeal is brought is not in accordance with the law; or
b) to the extent that the notice involved an exercise of discretion by the Commissioner, that he ought to have exercised his discretion differently,

the Tribunal will allow the appeal or substitute such other decision as could have been made by the Commissioner. In any other case the Tribunal will dismiss the appeal.

3. You may bring an appeal by serving a notice of appeal on the Tribunal at the following address:

General Regulatory Chamber
HM Courts & Tribunals Service
PO Box 9300
Leicester
LE1 8DJ

Telephone: 0203 936 8963
Email: grc@justice.gov.uk

a) The notice of appeal should be sent so it is received by the Tribunal within 28 days of the date of the notice.
b) If your notice of appeal is late the Tribunal will not admit it unless the Tribunal has extended the time for complying with this rule.

4. The notice of appeal should state:-

a) your name and address/name and address of your representative (if any);
b) an address where documents may be sent or delivered to you;
c) the name and address of the Information Commissioner;
d) details of the decision to which the proceedings relate;
e) the result that you are seeking;
f) the grounds on which you rely;
g) you must provide with the notice of appeal a copy of the monetary penalty notice or variation notice;
h) if you have exceeded the time limit mentioned above the notice of appeal must include a request for an extension of time and the reason why the notice of appeal was not provided in time.

5. Before deciding whether or not to appeal you may wish to consult your solicitor or another adviser. At the hearing of an appeal a party may conduct his case himself or may be represented by any person whom he may appoint for that purpose.

6. The statutory provisions concerning appeals to the First-tier Tribunal (Information Rights) are contained in section 55B(5) of, and Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No. 1976 (L.20)).