ICO (UK) - Papa John's (GB) Limited: Difference between revisions
No edit summary |
m (grammatical mistake) |
||
(One intermediate revision by one other user not shown) | |||
Line 50: | Line 50: | ||
}} | }} | ||
The UK DPA (ICO) imposed a fine of | The UK DPA (ICO) imposed a fine of €11,600 on Papa John's (GB) Limited for sending unsolicited direct marketing messages to 168,022 individuals in breach of Article 22 PECR. | ||
== English Summary == | == English Summary == | ||
Line 60: | Line 60: | ||
However, the initial form filled in by individuals who ordered from Papa John's did not provide an option to opt out of receiving direct marketing messages. | However, the initial form filled in by individuals who ordered from Papa John's did not provide an option to opt out of receiving direct marketing messages. | ||
=== Holding === | === Holding === | ||
The Information Commissioner's Office (ICO) held that Papa John's was in contravention of | The Information Commissioner's Office (ICO) held that Papa John's was in contravention of Article 22 of the Privacy and Electronic Communications Regulations 2003 (PECR). Papa John's sent 168,022 direct marketing messages without valid consent. | ||
Papa John's gathered details from individuals that ordered from their sales channels. It then attempted to rely on the soft opt-in exemption under | Papa John's gathered details from individuals that ordered from their sales channels. It then attempted to rely on the soft opt-in exemption under Article 22(3) PECR. The exemption enables organisations to send marketing texts to individuals whose details they have gathered "in the course or negotiation of a sale and in respect of similar products and services." However, the organisation must give individuals the opportunity to opt-out of direct marketing when gathering their details in the first place. As Papa John's failed to do this, the ICO deemed it in breach of Article 22(3)(c) PECR. | ||
The contravention is regarded as particularly serious in light of the quantity of messages sent without valid consent. The ICO also considered that the direct marketing was negligent because Papa John's knew, or ought reasonably to have known, that there was a risk of contravention of PECR and because Papa John's failed to take reasonable steps to prevent contravention. | The contravention is regarded as particularly serious in light of the quantity of messages sent without valid consent. The ICO also considered that the direct marketing was negligent because Papa John's knew, or ought reasonably to have known, that there was a risk of contravention of PECR and because Papa John's failed to take reasonable steps to prevent contravention. | ||
Therefore, the ICO imposed a fine of | Therefore, the ICO imposed a fine of €11,600 on Papa John's (GB) Limited. This amount can be reduced by 20% if Papa John's pays the fine within a month of the decision. | ||
== Comment == | == Comment == |
Latest revision as of 15:26, 20 June 2023
ICO (UK) - Papa John's (GB) Limited | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 Regulation 22(3) of the Privacy and Electronic Communications (EC Directive) Regulations 2003 |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 14.06.2021 |
Published: | 15.06.2021 |
Fine: | 10000 GBP |
Parties: | Papa John's (GB) Limited |
National Case Number/Name: | Papa John's (GB) Limited |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | Information Commissioner's Office (in EN) |
Initial Contributor: | n/a |
The UK DPA (ICO) imposed a fine of €11,600 on Papa John's (GB) Limited for sending unsolicited direct marketing messages to 168,022 individuals in breach of Article 22 PECR.
English Summary
Facts
Papa John's, the pizza company, was the subject of various complaints to the Information Commssioner's Office (ICO). The ICO therefore initiated an investigation into Papa John's direct marketing practices.
Papa John's responded by providing details on the number of marketing messages sent between October 2019 and April 2020. It outlined that it relied on a soft opt-in to send these messages to customers that had directly provided their data by filling out an order form. It was estimated that 168,022 text messages were received by individuals on that basis.
However, the initial form filled in by individuals who ordered from Papa John's did not provide an option to opt out of receiving direct marketing messages.
Holding
The Information Commissioner's Office (ICO) held that Papa John's was in contravention of Article 22 of the Privacy and Electronic Communications Regulations 2003 (PECR). Papa John's sent 168,022 direct marketing messages without valid consent.
Papa John's gathered details from individuals that ordered from their sales channels. It then attempted to rely on the soft opt-in exemption under Article 22(3) PECR. The exemption enables organisations to send marketing texts to individuals whose details they have gathered "in the course or negotiation of a sale and in respect of similar products and services." However, the organisation must give individuals the opportunity to opt-out of direct marketing when gathering their details in the first place. As Papa John's failed to do this, the ICO deemed it in breach of Article 22(3)(c) PECR.
The contravention is regarded as particularly serious in light of the quantity of messages sent without valid consent. The ICO also considered that the direct marketing was negligent because Papa John's knew, or ought reasonably to have known, that there was a risk of contravention of PECR and because Papa John's failed to take reasonable steps to prevent contravention.
Therefore, the ICO imposed a fine of €11,600 on Papa John's (GB) Limited. This amount can be reduced by 20% if Papa John's pays the fine within a month of the decision.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
DATA PROTECTION ACT 1998 SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER MONETARY PENALTY NOTICE To: Papa John’s (GB) Limited Of: Papa John’s UK & European Campus, 11 Northfield Drive, Northfield, Milton Keynes, MK15 0DQ 1. The Information Commissioner (“the Commissioner”) has decided to issue Papa John’s (GB) Limited(“Papa John’s”) with a monetary penalty under section 55A of the Data Protection Act 1998 (“DPA”). The penalty is in relation to a serious contravention of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). 2. This notice explains the Commissioner’s decision. Legal framework 3. Papa John’s, whose registered office is given above (Companies House Registration Number:02569801) is the organisation stated in this notice to have transmitted unsolicited communications by means of electronic mail to individual subscribers for the purposes of direct marketing contrary to regulation 22 of PECR. 4. Regulation 22 of PECR states: 1“(1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers. (2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender. (3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where— (a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient; (b) the direct marketing is in respect of that person’s similar products and services only; and (c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication. (4) A subscriber shall not permit his line to be used in contravention of paragraph (2).” 25. Section 122(5) of the Data Protection Act 2018 (“DPA18”) defines direct marketing as “the communication (by whatever means) of any advertising material which is directed to particular individuals”. This definition also applies for the purposes of PECR (see r egulation 2(2) PECR and paragraphs 430 & 432(6) to Schedule 19 of the DPA18). 6. Consent in PECR is now defined, from 29 March 2019, by reference to the concept of consent in Regulation 2016/679 (“the GDPR”): regulation 8(2) of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. Article 4(11) of the GDPR sets out the following definition: “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. 7. “Individual” is defined in regulation 2(1) of PECR as “a living individual and includes an unincorporated body of such individuals”. 8. A “subscriber” is defined in regulation 2(1) of PECR as “a person who is a party to a contract with a provider of public electronic communications services for the supply of such services”. 9. “Electronic mail” is defined in regulation 2(1) of PECR as “any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service”. 10. The term "soft opt-in" is used to describe the rule set out in in Regulation 22(3) of PECR. In essence, an organisation may be able to 3 e-mail or message its existing customers even if they haven't specifically consented to electronic mail. The soft opt-in rule can only be relied upon by the organisation that collected the contact details . 11. Section 55A of the DPA (as applied to PECR cases by Schedule 1 to PECR, as variously amended) states: “(1) The Commissioner may serve a person with a monetary penalty if the Commissioner is satisfied that – (a) there has been a serious contravention of therequirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 by the person, (b) subsection (2) or (3) applies. (2) This subsection applies if the contravention was deliberate. (3) This subsection applies if the person – (a) knew or ought to have known that there was a risk that the contravention would occur, but (b) failed to take reasonable steps to prevent the contravention.” 12. The Commissioner has issued statutory guidance under section 55C (1) of the DPA about the issuing of monetary penalties that has been published on the ICO’s website. The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe that the amount of any penalty determined by the Commissioner must not exceed £500,000. 13. PECR implements Directive 2002/58/EC, and Directive 2009/136/EC which amended the earlier Directive. Both the Directive and PECR are 4 “designed to protect the privacy of electronic communications users: Leave.EU & Eldon Insurance Services v Information Commissioner [2021] UKUT 26 (AAC) at paragraph 26. The Commissioner seeks to interpret and apply PECR in a manner consistent with the purpose of the Directive and PECR of ensuring a high level of protection of the privacy of individuals, and in particular the protections provided from receiving unsolicited direct marketing communications which the individual has not consented to receive. 14. The provisions of the DPA remain in force for the purposes of PECR notwithstanding the introduction of the DPA18: see paragraph 58(1) of Schedule 20 to the DPA18. Background to the case 15. Papa John’s is a pizza company offering both delivery and take-out service. It first came to the attention of the Commissioner following a number of complaints being receive d. 16. An initial investigation letter was sent to Papa John’s on 21 May 2020 raising some preliminary concerns with its PECR compliance and providing details of the complaints received. The correspondence also requested information about the volume of messages sent to subscribers, the sources of data for the recipients of those messages and any evidence of consent it relied upon to send marketing messages. Papa John’s were warned that the Commissioner could issue civil monetary penalties of up to £500,000 for PECR breaches. 17. In its response of 26 June 2020, Papa John’s provided the total number of marketing messages sent between 1 October 2019 and 30 April 2020. It explained that it only obtains data from its own customers 5 where orders are placed directly with the company. Itadvised that it does not obtain data from any other third-party sources. 18. Papa John’s informed the Commissioner that it relied on the soft opt in and provided examples of its online consent statements . It also provided evidence to show that unsubscribe options are given in every e-mail and text message sent. 19. In its correspondence Papa John’s advised that following an internal review of the complaints received by the Comm issioner, there were a number where the soft opt in was not available and a text message should not have been sent to the customer. It revealed that the individuals who had received these messages had placed an order over the telephone but were not presented with an option to opt out of receiving marketing messages. It explained that their privacy notice was displayed in stores, and online, and individuals could access the marketing preference centre on its website. It had suspended marketing to individuals who have placed an order over the telephone pending the outcome of the Commissioners enquiries. Further evidence was provided to show opt out messages and screenshots of online accounts showing individuals can unsubscribe. 20. The Commissioner subsequently requested the total volume of messages sent to individuals where their data was obtained over the telephone during the relevant period. This was provided although Papa John’s were unable to confirm, of the 210,028 marketing messages sent, how many had been received by individuals. However, based on its success rate on delivery, it advised 168,022 text messages were received by individuals. 621. The Commissioner has made the above findings of fact on the balance of probabilities. 22. The Commissioner has considered whether those facts constitute a contravention of regulation 22 of PECR by Papa John’s and, if so, whether the conditions of section 55A DPA are satisfied. The contravention 23. The Commissioner finds that Papa John’s contravened regulation 22 of PECR. 24. The Commissioner finds that the contravention was as follows: 25. The Commissioner finds that between 1 October 2019 to 30 April 2020 there were 168,022 direct marketing messages received by subscribers. The Commissioner finds that Papa John’s transmitted the direct marketing messages sent, contrary to regulation 22 of PECR. 26. Papa John’s, as the sender of the direct marketing, is required to ensure that it is acting in compliance with the requirements of regulation 22 of PECR, and to ensure that valid consent to send those messages had been acquired. 27. Papa John’s collected information for marketing purposes through customers who order directly via sales channels in its direct control including its website, app and in store. It relies on the ‘soft opt -in’ exemption provided by Regulation 22(3) PECR. This exemption means that organisations can send marketing messages by text and e-mail to individuals whose details had been obtained in the course or negotiation of a sale and in respect of similar products and services. The organisation must also give the person a simple opportunity to 7 refuse or opt out of the marketing, both when first collectng the details and in every message after that. 28. Papa John’s informed the Commissioner that for those customers ordering over the telephone its privacy notice is made available in store and on its website. It is the Commissioners view that those individuals would not reasonably expect to receive marketing. As a result, 15 complaints were received regarding text messages sent by Papa John’s during the contravention period in respect of those customers. 29. In this instance Papa John’s have been unable to evidence consent. From the evidence provided it is clear that the individuals had not, at the point their data was collected, been given a simple means of refusing the use of their contact details for direct marketing; accordingly, Papa John’s direct marketing messages failed to meet the criteria of Regulation 22(3)(c) PECR. 30. The Commissioner is therefore satisfied from the evidence she has seen that Papa John’s did not have the necessary valid consent for the 168,022 direct marketing messages received by subscribers. 31. The Commissioner has gone on to consider whether the conditions under section 55A DPA are met. Seriousness of the contravention 32. The Commissioner is satisfied that the contravention identified above was serious. This is because between 1 October 2019 and 30 April 2020 a confirmed total of 168,022 direct marketing messages were sent by Papa John’s. These messages contained direct marketing material for which subscribers had not provided adequate consent. 833. The rules for electronic marketing are clear in that organisations must present individuals with an opportunity to opt out of marketing at the time that their details are collected. Whilst Papa John’s does have consent for the majority of marketing messages it sends, it does not have consent to send marketing messages to individuals who have placed an order over the telephone for delivery. It is unable to rely on the soft opt in because those subscribers had not been given a simple means of refusing the use of their contact details for direct marketing . 34. Papa John’s instead sought to rely upon the assumption that an individual could review its privacy notice , in store or on its website, and online marketing preference centre. This assumption is unfair as it puts the responsibility back on to the individual rather than on to the company. Customers may not have visited the company app or website to locate the branch telephone number when placing their order, these being widely available via online search engines. They may also not have visited a store to collect their order. Further, any information about any marketing communications should be provided to individuals rather than them having to seek it out for themselves. All individuals should be given the same choice in respect of these communications, regardless of how they choose to place an order with Papa John’s. 35. The Commissioner is therefore satisfied that condition (a) from section 55A(1) DPA is met. Deliberate or negligent contraventions 36. The Commissioner has considered whether the contravention identified above was deliberate. In the Commissioner’s view, this means that Papa John’s actions which constituted that contravention were 9 deliberate actions (even if Papa John’s did not actually intend thereby to contravene PECR). 37. The Commissioner does not consider that Papa John’s deliberately set out to contravene PECR in this instance. 38. The Commissioner has gone on to consider whether the contravention identified above was negligent. This consideration comprises two elements: 39. Firstly, she has considered whether Papa John’s knew or ought reasonably to have known that there was a risk that these contraventions would occur. She is satisfied that this condition is met, not least since the issue of unsolicited text messages has been widely publicised by the media as being a problem. 40. The Commissioner has published detailed guidance for those carrying out direct marketing explaining their legal obligations under PECR. This guidance gives clear advice regarding the requirements of consent for direct marketing and explains the circumstances under which organisations are able to carry out marketing over the phone, by text, by email, by post, or by fax. In particular it states that organisations can generally only send, or instigate, marketing emails to individuals if that person has specifically consented to receiving them; and highlights the difficulties of relying on indirect consent for email marketing . The Commissioner has also published detailed guidance on consent under the GDPR. In case organisations remain unclear on their obligations, the ICO operates a telephone helpline. ICO communications about previous enforcement action where businesses have not complied with PECR are also readily available. 1041. It is therefore reasonable to suppose that Papa John’sshould have been aware of its responsibilities in this area . 42. Secondly, the Commissioner has gone on to consider whether Papa John’s failed to take reasonable steps to prevent the contraventions. Again, she is satisfied that this condition is m et. 43. Such reasonable steps in these circumstances could have included putting in place appropriate systems, policies and procedures to ensure that it had the consent of all of its customers to whom it had sent marketing messages. Whilst it is evident that Papa John’s had policies in place to ensure a certain level of compliance its measures failed to capture all types of customer and methods of customer contact. In this case, a number of customers were not offered adequate means of opting out of marketing at the time their details were collected by telephone. 44. In the circumstances, the Commissioner is satisfied that Papa John’s failed to take reasonable steps to prevent the contraventions. 45. The Commissioner is therefore satisfied that co ndition (b) from section 55A (1) DPA is met. The Commissioner’s decision to issue a monetary penalty 46. The Commissioner has also taken into account the following aggravating features of this case: • The actions of Papa John’s were carried out to generate business and to increase profits, gaining an unfair advantage on those businesses complying with the PECR; 1147. The Commissioner has also taken into account the following mitigating feature of this case: • Papa John’s have advised the Commissioner that it has temporarily suspended marketing to individuals placing orders by telephone, but otherwise has not yet taken steps to rectify its marketing practices to ensure overall compliance with PECR for this method of customer contact. 48. For the reasons explained above, the Commissioner is satisfied that the conditions from section 55A (1) DPA have been met in this case. She is also satisfied that the procedural rights under section 55B have been complied with. 49. The latter has included the issuing of a Notice of Intent, in which the Commissioner set out her preliminary thinking. In reaching her final view, the Commissioner received no representations from Papa John’s. 50. The Commissioner is accordingly entitled to issue a monetary penalty in this case. 51. The Commissioner has considered whether, in the circumstances, she should exercise her discretion so as to issue a monetary penalty. 52. The Commissioner has considered the likely impact of a monetary penalty on Papa John’s. She has decided on the information that is available to her, that Papa John’s has access to sufficient financial resources to pay the proposed monetary penalty without causing undue financial hardship. 1253. The Commissioner’s underlying objective in imposing a monetary penalty notice is to promote compliance with PECR. The sending of unsolicited marketing emails is a matter of significant public concern. A monetary penalty in this case should act as a general encouragement towards compliance with the law, or at least as a deterrent against non-compliance, on the part of all persons running businesses currently engaging in these practices. The issuing of a monetary penalty will reinforce the need for businesses to ensure that they are only messaging those who specifically consent to receive marketing. 54. For these reasons, the Commissioner has decided to issue a monetary penalty in this case. The amount of the penalty 55. Taking into account all of the above, the Commissioner has decided that a penalty in the sum of £10,000 (Ten thousand pounds) is reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty. Conclusion 56. The monetary penalty must be paid to the Commissioner’s office by BACS transfer or cheque by 15 July 2021 at the latest. The monetary penalty is not kept by the Commissioner but will be paid into the Consolidated Fund which is the Government’s general bank account at the Bank of England. 57. If the Commissioner receives full payment of the monetary penalty by 14 July 2021 the Commissioner will reduce the monetary penalty by 20% to £8,000 (Eight thousand pounds). However, you should be 13 aware that the early payment discount is not available if you decide to exercise your right of appeal. 58. There is a right of appeal to the First-tier Tribunal (Information Rights) against: (a) the imposition of the monetary penalty and/or; (b) the amount of the penalty specified in the monetary pena lty notice. 59. Any notice of appeal should be received by the Tribunal within 28 days of the date of this monetary penalty notice. 60. Information about appeals is set out in Annex 1. 61. The Commissioner will not take action to enforce a monetary penalty unless: • the period specified within the notice within which a monetary penalty must be paid has expired and all or any of the monetary penalty has not been paid; • all relevant appeals against the monetary penalty notice and any variation of it have either been decided or withdrawn; and • the period for appealing against the monetary penalty and any variation of it has expired. 62. In England, Wales and Northern Ireland, the monetary penalty is recoverable by Order of the County Court or the High Court. In Scotland, the monetary penalty can be enforced in the same manner as 14 an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland. Dated the 14 thday of June 2021 Andy Curry Head of Investigations Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF 15ANNEX 1 SECTION 55 A-E OF THE DATA PROTECTION ACT 1998 RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER 1. Section 55B(5) of the Data Protection Act 1998 gives any person upon whom a monetary penalty notice has been served a right of appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’) against the notice. 2. If you decide to appeal and if the Tribunal considers:- a) that the notice against which the appeal is brought is not in accordance with the law; or b) to the extent that the notice involved an exercise of discretion by the Commissioner, that she ought to have exercised her discretion differently, the Tribunal will allow the appeal or substitute such other decision as could have been made by the Commissioner. In any other case the Tribunal will dismiss the appeal. 3. You may bring an appeal by serving a notice of appeal on the Tribunal at the following address: General Regulatory Chamber HM Courts & Tribunals Service PO Box 9300 Leicester LE1 8DJ 16 Telephone: 0203 936 8963 Email: grc@justice.gov.uk a) The notice of appeal should be sent so it is received by the Tribunal within 28 days of the date of the notice. b) If your notice of appeal is late the Tribunal will not admit it unless the Tribunal has extended the time for complying with this rule. 4. The notice of appeal should state:- a) your name and address/name and address of your representative (if any); b) an address where documents may be sent or delivered to you; c) the name and address of the Information Commissioner; d) details of the decision to which the proceedings relate; e) the result that you are seeking; f) the grounds on which you rely; g) you must provide with the notice of appeal a copy of the monetary penalty notice or variation notice; h) if you have exceeded the time limit mentioned above the notice of appeal must include a request for an extension of time 17 and the reason why the notice of appeal was not provided in time. 5. Before deciding whether or not to appeal you may wish to consult your solicitor or another adviser. At the hearing of an appeal a party may conduct his case himself or may be represented by any person whom he may appoint for that purpose. 6. The statutory provisions concerning appeals to the First- tier Tribunal (Information Rights) are contained in section 55B(5) of, and Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No. 1976 (L.20)). 18