|
|
(4 intermediate revisions by 2 users not shown) |
Line 11: |
Line 11: |
|
| |
|
| |Original_Source_Name_1=ICO | | |Original_Source_Name_1=ICO |
| |Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/mpns/2619319/valca-mpn-20200218.pdf | | |Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/mpns/2619378/leads-work-limited-mpn.pdf |
| |Original_Source_Language_1=English | | |Original_Source_Language_1=English |
| |Original_Source_Language__Code_1=EN | | |Original_Source_Language__Code_1=EN |
Line 58: |
Line 58: |
| }} | | }} |
|
| |
|
| The ICO (UK) has fined Leads Works Ltd 250000 GBP for sending more than 2.6 million nuisance and unlawful direct marketing text messages to customers without their valid consent. | | The ICO (International Commissioner's Officer) has fined Leads Works Ltd 250000 GBP (€291,237) for sending more than 2.6 million nuisance and unlawful direct marketing text messages to customers without their valid consent. Leads Works Ltd has continued to send significant numbers of marketing texts to individuals throughout, and since, the course of the Commissioner's investigation, incurring a substantial amount of complaints. |
|
| |
|
|
| |
|
| == English Summary == | | ==English Summary== |
|
| |
|
| === Facts === | | ===Facts=== |
| 2670140 mail messages have been sent between 16.05.2020 and 26.06.2020 during the Covid-19 pandemic. Members of the public have made to the ICO (UK) highest number of compaints to date, over 10000. ICO (UK) has also issued to Leads Works Ltd a 30 day enforcement notice. | | 2670140 mail messages have been sent between 16.05.2020 and 26.06.2020 during the Covid-19 pandemic. Members of the public have made to the ICO highest number of complaints to date, over 10000. ICO has also issued to Leads Works Ltd a 30 day enforcement notice. |
|
| |
|
| === Dispute === | | ===Dispute=== |
| Customers did not give their direct and valid consent to receive direct marketing messages by mail. Examples of the messages sent include: | | Customers did not give their direct and valid consent to receive direct marketing messages by mail. Examples of the messages sent include: |
| “In lockdown and want to earn extra cash? Avon is now FULLY ONLINE, FREE to do and paid weekly. Reply with your name for info. 18+ only. Text STOP to opt out.” | | “In lockdown and want to earn extra cash? Avon is now FULLY ONLINE, FREE to do and paid weekly. Reply with your name for info. 18+ only. Text STOP to opt out.” |
|
| |
|
| === Holding === | | ===Holding=== |
| Simple reliance on assurances of indirect consent alone without undertaking proper due diligence is not acceptable. | | Simple reliance on assurances of indirect consent alone without undertaking proper due diligence is not acceptable. |
|
| |
|
| == Comment == | | ==Comment== |
| ''Share your comments here!'' | | ''Share your comments here!'' |
|
| |
|
| == Further Resources == | | ==Further Resources== |
| ''Share blogs or news articles here!'' | | ''Share blogs or news articles here!'' |
|
| |
| == English Machine Translation of the Decision ==
| |
| The decision below is a machine translation of the English original. Please refer to the English original for more details.
| |
|
| |
| <pre>
| |
| •
| |
|
| |
| ICO.
| |
| Information Commissioner 's Office
| |
|
| |
|
| |
| DATA PROTECTION ACT 1998
| |
|
| |
|
| |
| SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER
| |
|
| |
|
| |
|
| |
| MONETARY PENAL TY NOTICE
| |
|
| |
|
| |
|
| |
|
| |
| To: Valca Vehicle and Life Cover Agency Limited
| |
|
| |
| Of: 281 Palatine Road, Manchester, England M22 4ET
| |
|
| |
| 1. The InformationCommissioner ("Commissioner") has decided to issue
| |
|
| |
| Valca Vehicle and Life Cover Agency Limited ("Valca") with a monetary
| |
|
| |
| penalty under section SSA of the Data Protection Act 1998 ("DPA"). The
| |
| penalty is in relation to a serious contravof Regulations 22 and
| |
|
| |
| 23 of the Privacy and Electronic Communicatio(EC Directive)
| |
| Regulations 2003 ("PECR").
| |
|
| |
|
| |
|
| |
| 2. This notice explains the Commissioner's decision.
| |
|
| |
|
| |
| Legal framework
| |
|
| |
|
| |
| 3. Valca, whose registered office is given above (Companies House
| |
|
| |
| Registration Number: 11013461) is the organisation stated in this
| |
| notice to have transmitteunsolicited communicationby means of
| |
|
| |
| electronic mail to individual subscribers for the purposes of direct
| |
|
| |
| marketing contrary to regulation 22 of PECR.
| |
|
| |
|
| |
| 4. Regulation 22 of PECRstates:
| |
|
| |
|
| |
|
| |
|
| |
| 1 •
| |
|
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
| "(l) This regulation applies to the transmission of unsolicited
| |
| communications by means of electronic mail to individual
| |
|
| |
| subscribers.
| |
|
| |
| (2) Except in the circumstances referred to in paragraph (3), a person
| |
|
| |
| shall neither transmit, nor instigate the transmission of, unsolicited
| |
| communications for the purposes of direct marketing by means of
| |
|
| |
| electronic mail unless the recipient of the electronic mail has
| |
|
| |
| previously notified the sender that he consents for the time being
| |
| to such communications being sent by, or at the instigation of, the
| |
|
| |
| sender.
| |
|
| |
| (3) A person may send or instigate the sending of electronic mail for
| |
|
| |
| the purposes of direct marketing where-
| |
|
| |
| (a) that person has obtained the contact details of the recipient
| |
| of that electronic mail in the course of the sale or
| |
|
| |
| negotiations for the sale of a product or service to that
| |
|
| |
| recipient;
| |
|
| |
| (b) the direct marketing is in respect of that person's similar
| |
| products and services only; and
| |
|
| |
| (c) the recipient has been given a simple means of refusing
| |
|
| |
| (free of charge except for the costs of the transmission of
| |
|
| |
| the refusal) the use of his contact details for the purposes
| |
| of such direct marketing, at the time that the details were
| |
|
| |
| initially collected, and, where he did not initially refuse the
| |
|
| |
| use of the details, at the time of each subsequent
| |
| communication.
| |
|
| |
| (4) A subscriber shall not permit his line to be used in contraventioof
| |
|
| |
| paragraph (2)."
| |
|
| |
|
| |
|
| |
|
| |
|
| |
| 2 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
|
| |
| 5. Regulation 23 of PECRstates that "A person shall neither transminor
| |
| instigate the transmission of, a communicatifor the purposes of
| |
|
| |
| direct marketing by means of electronic mail -
| |
|
| |
|
| |
| (a) where the identity of the person on whose behalf the
| |
| communication has been sent has been disguised or
| |
|
| |
| concealed;
| |
|
| |
| (b) where a valid address to which the recipient of the
| |
|
| |
| communication may send a request that such
| |
| communications cease has not been provided
| |
|
| |
| (c) where that electronic mail would contravene regulation 7 of
| |
|
| |
| the Electronic Commerce (EC Directive) Regulations 2002;
| |
| or
| |
|
| |
| (d) where that electronic mail encourages recipients to visit
| |
|
| |
| websites which contravene that regulation."
| |
|
| |
|
| |
|
| |
| 6. Section 122(5) of the DPA 2018 defines direct marketing as "the
| |
| communication (by whatever means) of advertising material which is
| |
|
| |
| directed to particular individuals". This definition also applies for the
| |
| purposes of PECR(see regulation 2(2) PECR; and Schedule 19,
| |
|
| |
| paragraph 430 and 432(6) DPA18).
| |
|
| |
|
| |
| 7. Consent is defined in Article 4(11) the General Data Protection
| |
|
| |
| Regulation 2016/679 as "any freely given, specific, informed and
| |
| unambiguous indication of the data subject's wishes by which he or
| |
|
| |
| she, by a statement or by a clear affirmative action, signifies
| |
| agreement to the processing of personal data relating to him or her.
| |
|
| |
|
| |
|
| |
| 8. "Individual"is defined in regulation 2(1) of PECRas "a living individual
| |
| and includes an unincorporatedbody of such individuals".
| |
|
| |
| 3 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
|
| |
|
| |
| 9. A "subscriber"is defined in regulation 2(1) of PECRas "a person who is
| |
| a party to a contract with a provider of public electronic
| |
|
| |
| communications services for the supply of such services".
| |
|
| |
| 10. "Electronic mail" is defined in regulation 2(1) of PECRas "any text,
| |
|
| |
| voice, sound or image message sent over a public electronic
| |
| communications network which can be stored in the network or in the
| |
|
| |
| recipient's terminal equipment until it is collected by the recipient and
| |
|
| |
| includes messages sent using a short message service".
| |
|
| |
|
| |
| 11. Section SSA of the DPA (as amended by the Privacy and Electronic
| |
| Communications (EC Directive)(Amendment) Regulations 2011 and the
| |
|
| |
| Privacy and Electronic Communications (Amendment) Regulations
| |
| 2015) states:
| |
|
| |
|
| |
|
| |
| "(1) The Commissioner may serve a person with a monetary penalty if
| |
| the Commissioner is satisfied that -
| |
|
| |
| (a) there has been a serious contraventioof the requirements
| |
|
| |
| of the Privacy and Electronic Communications(EC
| |
| Directive) Regulations 2003 by the person,
| |
|
| |
| (b) subsection (2) or (3) applies.
| |
|
| |
| (2) This subsection applies if the contraventiwas deliberate.
| |
|
| |
|
| |
| (3) This subsection applies if the person -
| |
|
| |
| (a) knew or ought to have known that there was a risk that
| |
| the contravention would occur, but
| |
|
| |
| (b) failed to take reasonable steps to prevent the
| |
|
| |
| contravention."
| |
|
| |
|
| |
|
| |
|
| |
| 4 •
| |
|
| |
| ICO.
| |
| Information Commissioner 's Office
| |
|
| |
| 12. The Commissioner has issued statutory guidance under section SSC (1)
| |
| of the DPA about the issuing of monetary penalties that has been
| |
|
| |
| published on the ICO's website. The Data Protection (Monetary
| |
| Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe
| |
|
| |
| that the amount of any penalty determined by the Commissioner must
| |
| not exceed £500,000.
| |
|
| |
|
| |
|
| |
| 13. PECRimplements European legislation (Directive 2002/58/EC) aimed at
| |
| the protection of the individual's fundamentright to privacy in the
| |
|
| |
| electronic communications sector. PECRwas amended for the purpose
| |
| of giving effect to Directive 2009/136/which amended and
| |
|
| |
| strengthened the 2002 provisions. The Commissioner approaches PECR
| |
|
| |
| so as to give effect to the Directives.
| |
|
| |
|
| |
| 14. The provisions of the DPA remain in force for the purposes of PECR
| |
| notwithstanding the introductionof the Data Protection Act 2018 (see
| |
|
| |
| paragraph 58(1) of Part 9, Schedule 20 of that Act).
| |
|
| |
|
| |
| Background to the case
| |
|
| |
|
| |
| 15. Phone users can report the receipt of unsolicited marketing text
| |
|
| |
| messages to the GSMA's Spam Reporting Service by forwarding the
| |
| message to 7726 (spelling out "SPAM"). The GSMA is an organisation
| |
|
| |
| that represents the interests of mobile operators worldwidThe
| |
| Commissioner is provided with access to the data on complaints made
| |
|
| |
| to the 7726 service and this data is incorporated into a Monthly Threat
| |
|
| |
| Assessment (MTA) used to ascertain organisations in breach of PECR.
| |
|
| |
|
| |
| 16. Valca are a company specialising in lead generation for financial
| |
| products. They currently operate as 'Debtquitto generate leads for
| |
|
| |
|
| |
|
| |
| 5 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
|
| |
| Individual Voluntary Agreements ("IVA's") and other debt management
| |
| products.
| |
|
| |
|
| |
| 17. Valca came to the attention of the Commissioner after an initial 22
| |
| complaints were received via the 7726 complaints tool about
| |
|
| |
| unsolicited text messages between 15 June 2020 and 23 June 2020.
| |
| These text messages contained, or contained slight variations of, the
| |
|
| |
| following text:
| |
|
| |
|
| |
| "*firstname*Affected by Covid? Struggling with finances? lost job
| |
| /furloughed? Were here to help! Gvnmnt backed support see if you
| |
|
| |
| qualify http ://www.debtquity.org"
| |
|
| |
|
| |
| 18. It was noted that these texts did not offer individuals an ability to 'opt
| |
|
| |
| out' of future unsolicited text messages.
| |
|
| |
|
| |
| 19. An initial investigatiletter was sent to Valca on 24 June 2020,
| |
| highlighting the Commissioner's concerns with Valca's PECRcompliance
| |
|
| |
| and requesting informationrelating to the volumes of texts sent, the
| |
| source of data used to send said texts, details of any due diligence
| |
|
| |
| undertaken, together with questions regarding the lack of an opt-out in
| |
|
| |
| the text messages for which there had been complaints.An appendix
| |
| detailing the complaints received was also sent to Valca.
| |
|
| |
|
| |
| 20. The director of Valca provided a partial response on 24 June 2020
| |
| stating that "all data we use is fully compliant and purchased from
| |
|
| |
| credible UK data suppliers that we carried out full due diligence against
| |
|
| |
| prior to point of supply, in relation to not listing an opt out on said SMS
| |
| messages this is down to human error and has been amended now for
| |
|
| |
| future broadcasts, we are happy to send out an opt out message to the
| |
| complaints made to date which is a total of 23 from a one of broadcast
| |
|
| |
| of 30. 000 lines of opted in data. We only commenced the sms
| |
|
| |
| 6 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
| th
| |
| campaign on the 15 June 2020 so we have nipped this in the bud
| |
| extremely early" [sic].
| |
|
| |
|
| |
| 21. The Commissioner, on 25 June 2020, advised Valca not to contact the
| |
|
| |
| complainants again, but to add them to a suppression list, and asked
| |
| that Valca respond to all of the initial questions asked by the
| |
|
| |
| Commissioner in full.
| |
|
| |
| 22. A further substantive response was provided by Valca on 7 July 2020.
| |
|
| |
| This response advised that two platforms were used to send Valca's
| |
|
| |
| direct marketing messages: _,and_, with reports being
| |
| provided to show the volumes of messages sent via those platforms.
| |
|
| |
|
| |
| 23. Valca confirmed that its data was purchased from a third party: •
| |
|
| |
| Limited (the "third-partydata provider"), and that
| |
| regarding its due diligence with the third-padata provider, it
| |
|
| |
| "matched our campaign and Company requirements against fully opted
| |
| in data, due diligence wise we run various checks on any Company that
| |
|
| |
| we consider using from the ICO MOJ and other governing bodies to
| |
|
| |
| ensure that there are no outstanding concerns relating to them as a
| |
| potential supplier, we also look at financials, recommendatiofrom
| |
|
| |
| other Companies within this arena and finally check out any online
| |
| listings for any bad press".
| |
|
| |
|
| |
| 24. In terms of evidencing how consent is obtained by the third-partdata
| |
|
| |
| provider for Valca to engage in direct marketing, Valca advised that it
| |
| is "on privacy policy and other privacy policies allow for third party
| |
|
| |
| marketing also" [sic].
| |
|
| |
|
| |
| 25. The Commissioner directed further enquiries to Valca on 8 July 2020,
| |
| requesting information as to the data purchased, and the agreement
| |
|
| |
| with the third-partdata provider. An updated complaints spreadsheet
| |
|
| |
|
| |
| 7 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
|
| |
| was provided to Valca, showing that there had now been a total of 68
| |
| complaints recognised in relation to its text messages.
| |
|
| |
|
| |
| 26. Valca provided a further response on 17 July 2020 stating that it had
| |
| purchased 100,000 records from the third-partydata provider which
| |
|
| |
| were "fully opted in for SMS". Valca was unable to produce a contract
| |
| as it had been a "trial order" but did produce an invoice between itself
| |
|
| |
| and its third-pardata provider dated 16 March 2020 confirming the
| |
|
| |
| purchase of 100,000 leads, and payment for a 'privacy policy edit' to
| |
| '. Valca produced updated 'outbound SMS' reports for
| |
|
| |
| its-and - platforms, although it noted that_
| |
| had been used for just one day. Valca also produced a document as
| |
|
| |
| purported evidence of consent for the initial 22 complaints, with each
| |
|
| |
| of the 22 complainant's data having been obtained through
| |
|
| |
|
| |
|
| |
| 27. requires users to register with it to use its services
| |
| and operates by offering 'deals'. At the point of registrausers
| |
|
| |
| agree to a consent statement where they are able to select whether
| |
|
| |
| they wish to be contacted by email, SMS, post, and/or telephone,
| |
| together with a further option to agree to being contacted by 'the
| |
|
| |
| following partners' using the agreed methods.The 'Partners' link takes
| |
| users to a 'brands page' which lists 16 distinct companies, none of
| |
|
| |
| which are Valca. There appears to be no option for users to
| |
|
| |
| select/deselect partners.
| |
|
| |
| 28. Upon viewing Privacy Policy, users are told:
| |
|
| |
|
| |
| "Once you register with the our website you consent to
| |
| its sponsor question clients and website sponsors being able to send
| |
|
| |
| you communications via the channel(s) you selected as part of the sign
| |
|
| |
|
| |
|
| |
| 8 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
|
| |
| up until such time as you exercise your right to opt-out of receiving
| |
| such communications"
| |
|
| |
|
| |
| 29. The Privacy Policy proceeds to provide two further lists of companies: a
| |
| 'marketing service providers' list containing 7 distinct companies, and a
| |
|
| |
| list of 'direct clients' containing 443 distinct companies. The Privacy
| |
| Policy's 'Data Collection Notice' advises that and its
| |
|
| |
| partners operate in over 40 areas, spanning a wide range of sectors
| |
|
| |
| including fashion, automotivegambling, construction,legal services
| |
| etc. The Commissioner noted that Valca were not visible at all as of
| |
|
| |
| checks carried out on the website's privacy policy separately on 22
| |
| June 2020 but were visible as one of the 443 'direct clients' on 21 July
| |
|
| |
| 2020. The precise date on which Valca became visible is not known.
| |
|
| |
|
| |
| 30. On 22 July 2020 the Commissioner served a third-party Information
| |
|
| |
| Notice ("3PIN") on - - to establish, inter
| |
| alia, the number of connected messages sent by Valca between 1 June
| |
|
| |
| 2020 and 20 July 2020.
| |
|
| |
|
| |
| 31. The response to the 3PIN advised that there had been 104,550
| |
| messages sent by Valca between 15 June 2020 and 20 July 2020, of
| |
|
| |
| which 95,004 were delivered to a subscriber.
| |
|
| |
| 32. The 3PIN also provided details of the content for each of the messages
| |
|
| |
| sent, of which a trend could be identified that none of the messages
| |
|
| |
| sent contained an opt-out link until 25 June 2020 - the first day
| |
| following the Commissioner's initial investigatletter.It can
| |
|
| |
| therefore be determined that between 15 June 2020 and 24 June 2020
| |
| there were 24,995 text messages sent without an opt-out link, of which
| |
|
| |
| 18,393 were delivered.
| |
|
| |
|
| |
|
| |
|
| |
| 9 •
| |
|
| |
| ICO.
| |
| Information Commissioner 's Office
| |
|
| |
| 33. The Commissioner is aware, from information provided by Valca on 7
| |
| July 2020, of a further 2,025 text messages being sent by Valca over
| |
|
| |
| the period of contraventionusing the - platform, although this
| |
| platform was used for just one day, and the number of received
| |
|
| |
| messages is unknown and is unlikely to be obtainable.
| |
|
| |
|
| |
| 34. As of 20 July 2020, the Commissioner was able to identify a total of
| |
| 114 complaints concerning Valca's unsolicited direct marketing text
| |
|
| |
| messages over the relevant period.
| |
|
| |
| 35. An 'end of investigationletter was sent to Valca on 21 July 2020.
| |
|
| |
|
| |
| 36. The Commissioner has since identified that between 21 July 2020 and
| |
|
| |
| 13 November 2020 there were a further 165 complaints made about
| |
| Valca via the 7726 service.
| |
|
| |
|
| |
| 37. The Commissioner has made the above findings of fact on the
| |
|
| |
| balance of probabilities.
| |
|
| |
|
| |
| 38. The Commissioner has considered whether those facts constitute
| |
|
| |
| a contraventionof regulations 22 and 23 of PECRby Valca and, if so,
| |
| whether the conditions of section SSA DPA are satisfied.
| |
|
| |
|
| |
| The contravention
| |
|
| |
|
| |
|
| |
| 39. The Commissioner finds that Valca contravened regulations 22 and 23
| |
| of PECR.
| |
|
| |
|
| |
| 40. The Commissioner finds that the contraventionwas as follows:
| |
|
| |
|
| |
| 41. The Commissioner finds that between 15 June 2020 and 20 July 2020
| |
|
| |
| there were 95,004 unsolicited direct marketing text messages received
| |
|
| |
| 10 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
|
| |
| by subscribers.This resulted in a total of 114 complaints being
| |
| received via the 7726 service. The Commissioner finds that Valca
| |
|
| |
| transmitted the direct marketing messages received, contrary to
| |
| regulation 22 of PECR.
| |
|
| |
|
| |
| 42. The Commissioner is satisfied that the contraventicould have been
| |
| higher, with a total of 104,550 unsolicited text messages being sent
| |
|
| |
| over the relevant time using the-platform, and a further 2,025
| |
|
| |
| being sent using -·
| |
|
| |
| 43. Of the messages known to have been received, 18,393 (i.e., all of
| |
|
| |
| those received before 25 June 2020) did not contain an opt-out link,
| |
| contrary to the requirements of regulation 23 PECR.
| |
|
| |
|
| |
| 44. Valca, as the sender of the direct marketing, is required to ensure that
| |
|
| |
| it is acting in compliance with the requirements of regulation 22 of
| |
| PECR,and to ensure that valid consent to send those messages had
| |
|
| |
| been acquired.
| |
|
| |
|
| |
| 45. Valca relied on consent obtained by another organisation for its own
| |
|
| |
| purposes, i.e., 'indirect conseThe Commissioner's direct marketing
| |
| guidance says "organisationneed to be aware that indirect consent
| |
|
| |
| will not be enough for texts, emails or automated calls. This is because
| |
| the rules on electronic marketing are stricter, to reflect the more
| |
|
| |
| intrusive nature of electronic messages."
| |
|
| |
|
| |
| 46. It goes on to say that indirect consent can be valid but only if it is clear
| |
| and specific enough. Moreover, "the customer must have anticipated
| |
|
| |
| that their details would be passed to the organisation in question, and
| |
| that they were consenting to messages from that organisation. This will
| |
|
| |
| depend on what exactly they were told when consent was obtained".
| |
|
| |
|
| |
|
| |
| 11 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
|
| |
| 47. Consent will not be "informedif individuals do not understand what
| |
| they are consenting to. Organisations should therefore always ensure
| |
|
| |
| that the language used is clear, easy to understand, and not hidden
| |
| away in a privacy policy or small prinThe Commissioner is concerned
| |
|
| |
| that at the point of consent being obtained, subscribers are asked to
| |
|
| |
| tick a box which gives a misleading impression that only a limited
| |
| number of 16 organisations may contact them (duly named within the
| |
|
| |
| 'partners' link on the registration pagHowever, it is only if
| |
|
| |
| subscribers drill down into the separate privacy policy that they are
| |
| advised that any one of 450 companies may in fact contact them, none
| |
|
| |
| of which the subscriber has any ability to refuse contact from.
| |
|
| |
| 48. It is the Commissioner's position that consent will not be valid if
| |
|
| |
| individuals are asked to agree to receive marketing from "similar
| |
|
| |
| organisations", "partners""selected third parties" or other similar
| |
| generic description.Further, and relevantly, consent will not be valid
| |
|
| |
| where an individual is presented with a long, seemingly exhaustive list
| |
| of general categories of organisations. The Commissioner finds that
| |
|
| |
| 450 organisations, concerning 40 sectors, is far too exhaustive a list to
| |
|
| |
| enable individuals to give valid consent.
| |
|
| |
| 49. During the course of the investigatioValca provided an invoice dated
| |
|
| |
| 16 March 2020 between it and its third-partdata provider to
| |
|
| |
| demonstrate that it had paid to be added to the privacy policy for
| |
| , the website from which its third-pardata provider
| |
|
| |
| obtained data. The date on which Valca were added to the privacy
| |
| policy is unclear, however the Commissioner has evidence that it was
| |
|
| |
| not listed as a 'direct client', or apparently at all on
| |
|
| |
| by 22 June 2020, by which point Valca had already sent 16,759
| |
| unsolicited text messages using data obtained from that site. In any
| |
|
| |
| event, even after Valca had been added to the privacy policy, the
| |
|
| |
|
| |
| 12 •
| |
|
| |
| ICO.
| |
| Information Commissioner 's Office
| |
| Commissioner has concerns that any consents relied on by Valca
| |
|
| |
| cannot be said to be valid.
| |
|
| |
|
| |
| 50. There is nothing immediately in the consent statement at registration
| |
| that would inform an individual that by agreeing to the privacy policy
| |
|
| |
| and terms and conditions, they are in fact agreeing for their data to be
| |
| passed to 450 companies spanning 40 various sectors. Whilst there is a
| |
|
| |
| third-partyconsent opt-in box, this only lists 16 companies at the point
| |
| of consent and gives individuals no indication that for a more
| |
|
| |
| comprehensive list they will need to consult the privacy policy. This
| |
| cannot constitute informed consent.
| |
|
| |
|
| |
|
| |
| 51. The Commissioner is therefore satisfied from the evidence she has
| |
| seen that Valca did not have the necessary valid consent to send the
| |
|
| |
| 95,004 unsolicited direct marketing messages received by subscribers.
| |
| This constitutes a contraventioof regulation 22 PECR.
| |
|
| |
|
| |
| 52. The Commissioner is also concerned that 18,393 of those received
| |
| messages (i.e., all of those received before the Commissioner's initial
| |
|
| |
| investigation letter) did not contain an opt-out link. As such, the
| |
|
| |
| Commissioner is satisfied that the actions of Valca in respect of these
| |
| 18,393 messages have also contravened regulation 23 PECR.
| |
|
| |
|
| |
| 53. The Commissioner has gone on to consider whether the conditions
| |
|
| |
| under section SSA DPA are met.
| |
|
| |
|
| |
| Seriousness of the contravention
| |
|
| |
|
| |
| 54. The Commissioner is satisfied that the contraventiidentified
| |
|
| |
| above was serious. This is because between 15 June 2020 and 20 July
| |
| 2020 a total of 95,004 connected unsolicited direct marketing
| |
|
| |
| messages were received by subscribers, resulting in 114 complaints.
| |
| 13 •
| |
|
| |
| ICO.
| |
| Information Commissioner 's Office
| |
|
| |
|
| |
| 55. Valca has failed to provide any evidence of valid consent for any of the
| |
|
| |
| 95,004 unsolicited direct marketing messages received by subscribers.
| |
|
| |
| 56. In addition, the Commissioner is concerned by the content of the
| |
|
| |
| unsolicited text messages which reference the Covid-19 pandemic and
| |
| appeal to individuals whose finances have been adversely affected.
| |
|
| |
| This, in the Commissioner's view, is a clear attempt to capitalise on,
| |
| and profiteer from, the national health crisis.
| |
|
| |
|
| |
| 57. The Commissioner is therefore satisfied that condition (a) from
| |
|
| |
| section 55A(l) DPA is met.
| |
|
| |
|
| |
| Deliberate or negligent contraventions
| |
|
| |
|
| |
| 58. The Commissioner has considered whether the contravention identified
| |
|
| |
| above was deliberate.
| |
|
| |
|
| |
| 59. The Commissioner considers that Valca deliberately set out to
| |
| contravene PECRin this instance. The data relied on by Valca was not
| |
|
| |
| validly opted-in, and beyond paying a small sum for its inclusion on a
| |
| privacy policy there is no indication that they sought to undertake any
| |
|
| |
| additional steps to ensure protection of individuals' privacy rights, i.e.,
| |
|
| |
| by observing the 'customer journey'doing so would likely have raised
| |
| concerns with Valca regarding its reliance on the data being obtained.
| |
|
| |
| It is also concerning that Valca continued to send its unsolicited direct
| |
| marketing text messages (albeit with an opt-out link) even following
| |
|
| |
| the Commissioner's initial investigation correspondence which
| |
| highlighted real concerns with the organisation's compliance with PECR.
| |
|
| |
|
| |
|
| |
|
| |
|
| |
| 14 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
|
| |
| 60. Further, and in any event, the Commissioner has gone on to consider
| |
| whether the contraventionidentified above was negligent. This
| |
|
| |
| consideration comprises two elements:
| |
|
| |
|
| |
| 61. Firstly, she has considered whether Valca knew or ought reasonably to
| |
| have known that there was a risk that these contraventionwould
| |
|
| |
| occur. She is satisfied that this condition is met, not least since the
| |
|
| |
| issue of unsolicited text messages have been widely publicised by the
| |
| media as being a problem.
| |
|
| |
|
| |
| 62. The Commissioner has published detailed guidance for those carrying
| |
|
| |
| out direct marketing explaining their legal obligations under PECR.
| |
| This guidance gives clear advice regarding the requirements of consent
| |
|
| |
| for direct marketing and explains the circumstances under which
| |
|
| |
| organisations are able to carry out marketing over the phone, by text,
| |
| by email, by post, or by fax. In particular it states that organisations
| |
|
| |
| can generally only send, or instigate, marketing messages to
| |
| individuals if that person has specifically consented to receiving them.
| |
|
| |
| The guidance is also clear about the significant risks of relying on
| |
|
| |
| indirect consent, as Valca did in this instance.
| |
|
| |
| 63. The Commissioner also notes that the company's sole director, in a
| |
|
| |
| self-writtebiography on f6s.com, describes himself as a 'serial
| |
| entrepreneur with vast experience in sales and marketing'.
| |
|
| |
|
| |
| 64. It is therefore reasonable to suppose that Valca should have been
| |
| aware of its responsibilities in this area.
| |
|
| |
|
| |
| 65. Secondly, the Commissioner has gone on to consider whether Valca
| |
|
| |
| failed to take reasonable steps to prevent the contraventioAgain,
| |
| she is satisfied that this condition is met.
| |
|
| |
|
| |
|
| |
| 15 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
|
| |
| 66. Valca used a bought-in list of data and relied on indirect consent for its
| |
| unsolicited direct marketing messages.It claimed during the
| |
|
| |
| investigation that it had carried out "full due diligence", however the
| |
| Commissioner has seen little evidence of this in ensuring the veracity
| |
|
| |
| of the data being purchased aside from the production of an invoice to
| |
|
| |
| show that Valca were to be added to the privacy policy of
| |
| on an unknown date (which was, in any event,
| |
|
| |
| evidently not before 22 June 2020).
| |
|
| |
|
| |
| 67. Whilst Valca advised in the course of the investigation that "due
| |
| diligence wise we run various checks on any Company that we consider
| |
|
| |
| using from the ICO MOJ and other governing bodies to ensure that
| |
| there are no outstanding concerns relating to them as a potential
| |
|
| |
| supplier, we also look at financials, recommendationsfrom other
| |
|
| |
| Companies within this arena and finally check out any online listings for
| |
| any bad press" [sic], such checks do nothing to ensure that the data
| |
|
| |
| being obtained by Valca is compliant for its own marketing purposes.
| |
|
| |
| 68. Such reasonable steps which the Commissioner might expect in these
| |
|
| |
| circumstances could have included ensuring a comprehensive contract
| |
|
| |
| was in place with the third-partdata provider for the provision of the
| |
| data to be relied upon, to ensure its reliability and valiItwould
| |
|
| |
| also have been reasonable for Valca to carry out its own checks as to
| |
| how consent was being obtained via the site,
| |
|
| |
| notwithstanding any assurances by its third-partydata provider - such
| |
|
| |
| checks would have alerted Valca to the inadequacy of the consents
| |
| being obtained via this site for the purposes of third-padirect
| |
|
| |
| marketing. In short, simple reliance on assurances of indirect consent
| |
|
| |
| alone without undertaking proper due diligence is not acceptable.
| |
|
| |
| 69. In the circumstances, the Commissioner is satisfied that Valca failed to
| |
|
| |
| take reasonable steps to prevent the contraventions.
| |
|
| |
| 16 •
| |
|
| |
| ICO.
| |
| Information Commissioner 's Office
| |
|
| |
|
| |
| 70. The Commissioner is therefore satisfied that condition (b) from section
| |
|
| |
| SSA (1) DPA is met.
| |
|
| |
|
| |
| The Commissioner's decision to issue a monetary penalty
| |
|
| |
|
| |
| 71. The Commissioner has also taken into account the following
| |
|
| |
| aggravating features of this case:
| |
|
| |
|
| |
| • Valca failed to include an opt-out in its unsolicitedirect marketing
| |
|
| |
| messages up until the Commissioner's initiainvestigation letter,in
| |
| direct contraventionof regulation 23 PECR;
| |
|
| |
|
| |
| • Thereafter, despite being under investigation by the Commissioner
| |
|
| |
| where concerns were raised regarding its PECRcompliance, and where
| |
| it was notified that a number of complaints had already been received,
| |
|
| |
| Valca continued to send unsolicited messages to its data set during the
| |
| period of contravention;
| |
|
| |
|
| |
|
| |
| 72. For the reasons explained above, the Commissioner is satisfied that the
| |
| conditions from section SSA (1) DPA have been met in this case. She is
| |
|
| |
| also satisfied that the procedural rights under section SSB have been
| |
| complied with.
| |
|
| |
|
| |
|
| |
| 73. The latter has included the issuing of a Notice of Intent, in which the
| |
| Commissioner set out her preliminary thinking. In reaching her final
| |
|
| |
| view, the Commissioner has taken into account the representations
| |
|
| |
| made by Valca on this matter.
| |
|
| |
|
| |
| 74. The Commissioner is accordingly entitled to issue a monetary penalty
| |
| in this case.
| |
|
| |
|
| |
| 17 •
| |
|
| |
| ICO.
| |
| Information Commissioner 's Office
| |
|
| |
|
| |
| 75. The Commissioner has considered whether, in the circumstances, she
| |
|
| |
| should exercise her discretion so as to issue a monetary penalty.
| |
|
| |
| 76. The Commissioner has considered the financial representatiomade,
| |
|
| |
| and the likely impact of a monetary penalty on Valca. She has decided
| |
| on the information that is available to her, that a monetary penalty in
| |
|
| |
| the figure proposed remains an appropriate and proportionaresponse
| |
| to the contravention.
| |
|
| |
|
| |
| 77. The Commissioner's underlying objective in imposing a monetary
| |
|
| |
| penalty notice is to promote compliance with PECR.The sending of
| |
|
| |
| unsolicited marketing text messages is a matter of significant public
| |
| concern. A monetary penalty in this case should act as a general
| |
|
| |
| encouragement towards compliance with the law, or at least as a
| |
| deterrent against non-compliance,on the part of all persons running
| |
|
| |
| businesses currently engaging in these practices. The issuing of a
| |
| monetary penalty will reinforce the need for businesses to ensure that
| |
|
| |
| they are only messaging those who specifically consent to receive
| |
| marketing.
| |
|
| |
|
| |
| 78. For these reasons, the Commissioner has decided to issue a monetary
| |
|
| |
| penalty in this case.
| |
|
| |
|
| |
| The amount of the penalty
| |
|
| |
| 79. Taking into account all of the above, the Commissioner has decided
| |
|
| |
| that a penalty in the sum of £80,000(eighty thousand pounds) is
| |
| reasonable and proportionategiven the particular facts of the case and
| |
|
| |
| the underlying objective in imposing the penalty.
| |
|
| |
|
| |
|
| |
|
| |
| 18 •
| |
|
| |
| ICO.
| |
| Information Commissioner 's Office
| |
| Conclusion
| |
|
| |
|
| |
|
| |
| 80. The monetary penalty must be paid to the Commissioner's office by
| |
| BACS transfer or cheque by 23 March 2021 at the latest. The
| |
|
| |
| monetary penalty is not kept by the Commissioner but will be paid into
| |
| the Consolidated Fund which is the Government's general bank account
| |
|
| |
| at the Bank of England.
| |
|
| |
|
| |
| 81. If the Commissioner receives full payment of the monetary penalty by
| |
| 22 March 2021 the Commissioner will reduce the monetary penalty
| |
|
| |
| by 20% to £64,000 (sixty-four thousand pounds). However, you
| |
|
| |
| should be aware that the early payment discount is not available if you
| |
| decide to exercise your right of appeal.
| |
|
| |
|
| |
| 82. There is a right of appeal to the First-tier Tribunal (InforRights)
| |
|
| |
| against:
| |
|
| |
|
| |
| (a) the imposition of the monetary penalty
| |
|
| |
| and/or;
| |
| (b) the amount of the penalty specified in the monetary penalty
| |
|
| |
| notice.
| |
|
| |
|
| |
| 83. Any notice of appeal should be received by the Tribunal within 28 days
| |
| of the date of this monetary penalty notice.
| |
|
| |
|
| |
| 84. Information about appeals is set out in Annex 1.
| |
|
| |
|
| |
|
| |
| 85. The Commissioner will not take action to enforce a monetary penalty
| |
| unless:
| |
|
| |
|
| |
|
| |
|
| |
| 19 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
| • the period specified within the notice within which a monetary
| |
|
| |
| penalty must be paid has expired and all or any of the monetary
| |
| penalty has not been paid;
| |
|
| |
|
| |
| • all relevant appeals against the monetary penalty notice and any
| |
| variation of it have either been decided or withdandn;
| |
|
| |
| • the period for appealing against the monetary penalty and any
| |
|
| |
| variation of it has expired.
| |
|
| |
| 86. In England, Wales and Northern Ireland, the monetary penalty is
| |
|
| |
| recoverable by Order of the County Court or the High Court. In
| |
| Scotland, the monetary penalty can be enforced in the same manner as
| |
|
| |
| an extract registered decree arbitral bearing a warrant for execution
| |
| issued by the sheriff court of any sheriffdom in Scotland.
| |
|
| |
|
| |
| Dated the 18tday of February 2021
| |
|
| |
|
| |
| Andy Curry
| |
| Head of Investigations
| |
| InformationCommissioner's Office
| |
| Wycliffe House
| |
| Water Lane
| |
| Wilmslow
| |
| Cheshire
| |
| SK9 SAF
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
| 20 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
|
| |
| ANNEX 1
| |
|
| |
|
| |
| SECTION 55 A-E OF THE DATA PROTECTION ACT 1998
| |
|
| |
|
| |
| RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER
| |
|
| |
|
| |
| 1. Section 55B(S) of the Data Protection Act 1998 gives any person
| |
|
| |
| upon whom a monetary penalty notice has been served a right of
| |
|
| |
| appeal to the First-tier Tribunal (InformRights) (the 'Tribunal')
| |
| against the notice.
| |
|
| |
|
| |
| 2. If you decide to appeal and if the Tribunal considers:-
| |
|
| |
|
| |
|
| |
| a) that the notice against which the appeal is brought is not in
| |
| accordance with the law; or
| |
|
| |
|
| |
| b) to the extent that the notice involved an exercise of
| |
|
| |
| discretion by the Commissioner, that she ought to have exercised
| |
|
| |
| her discretion differently,
| |
|
| |
|
| |
| the Tribunal will allow the appeal or substitute such other decision as
| |
| could have been made by the Commissioner. In any other case the
| |
|
| |
| Tribunal will dismiss the appeal.
| |
|
| |
|
| |
| 3. You may bring an appeal by serving a notice of appeal on the
| |
|
| |
| Tribunal at the following address:
| |
|
| |
|
| |
| General Regulatory Chamber
| |
|
| |
| HM Courts &Tribunals Service
| |
| PO Box 9300
| |
|
| |
| Leicester
| |
|
| |
| 21 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
| LEl 8DJ
| |
|
| |
|
| |
|
| |
| Telephone: 0300 123 4504
| |
| Email: grc@justice.gov.uk
| |
|
| |
|
| |
| a) The notice of appeal should be sent so it is received by the
| |
|
| |
| Tribunal within 28 days of the date of the notice.
| |
|
| |
|
| |
| b) If your notice of appeal is late the Tribunal will not admit it
| |
| unless the Tribunal has extended the time for complying with this
| |
|
| |
| rule.
| |
|
| |
|
| |
| 4. The notice of appeal should state:-
| |
|
| |
|
| |
| a) your name and address/name and address of your
| |
|
| |
| representative(if any);
| |
|
| |
|
| |
| b) an address where documents may be sent or delivered to
| |
| you;
| |
|
| |
|
| |
|
| |
| c) the name and address of the Information Commissioner;
| |
|
| |
|
| |
| d) details of the decision to which the proceedings relate;
| |
|
| |
|
| |
| e) the result that you are seeking;
| |
|
| |
|
| |
| f) the grounds on which you rely;
| |
|
| |
|
| |
| g) you must provide with the notice of appeal a copy of the
| |
|
| |
| monetary penalty notice or variation notice;
| |
|
| |
|
| |
| 22 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
| h) if you have exceeded the time limit mentioned above the
| |
| notice of appeal must include a request for an extension of time
| |
|
| |
| and the reason why the notice of appeal was not provided in
| |
| time.
| |
|
| |
|
| |
| 5. Before deciding whether or not to appeal you may wish to consult
| |
|
| |
| your solicitor or another adviser. At the hearing of an appeal a party
| |
| may conduct his case himself or may be represented by any person
| |
|
| |
| whom he may appoint for that purpose.
| |
|
| |
| 6. The statutory provisions concerning appeals to the First-tier
| |
|
| |
| Tribunal (InformatiRights) are contained in section 55B(S) of, and
| |
| Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure
| |
|
| |
| (First-tier Tribunal) (General Regulatory Chamber) Rules 2009
| |
| (StatutoryInstrument2009 No. 1976 (L.20)).
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
| 23
| |
| </pre>
| |