|
|
(One intermediate revision by one other user not shown) |
Line 50: |
Line 50: |
| }} | | }} |
|
| |
|
| The UK DPA (ICO) fined Leads Work Limited approximately €288,000 for sending unsolicitated direct marketing communication to individual subscribers. This breached Regulation 22 of the PECR. | | The UK DPA (ICO) fined Leads Work Limited approximately €288,000 for sending unsolicitated direct marketing communication to individual subscribers, in breach of Regulation 22 of the PECR. The ICO considered the GDPR's definition of consent. |
|
| |
|
| ==English Summary== | | ==English Summary== |
Line 88: |
Line 88: |
|
| |
|
| ==English Machine Translation of the Decision== | | ==English Machine Translation of the Decision== |
| The decision below is a machine translation of the English original. Please refer to the English original for more details.
| | See the original source link for to access the decision in English. |
| | |
| <pre>
| |
| •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| | |
| DATA PROTECTION ACT 1998
| |
| | |
| | |
| SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER
| |
| | |
| | |
| MONETARY PENALTY NOTICE
| |
| | |
| | |
| | |
| To: Leads Work Limited
| |
| | |
| | |
| Of: Suite C Underwood House, 235 Three Bridges Road, Crawley,
| |
| West Sussex RH10 1LU
| |
| | |
| | |
| | |
| | |
| 1. The InformationCommissioner ("Commissioner")has decided to issue
| |
| | |
| Leads Work Limited ("LWL") with a monetary penalty under section
| |
| SSA of the Data Protection Act 1998 ("DPA"). The penalty is in relation
| |
| | |
| to a serious contravention of regulation 22 of the Privacy and Electronic
| |
| | |
| Communications (EC Directive) Regulations 2003 ("PECR").
| |
| | |
| | |
| 2. This notice explains the Commissioner's decision.
| |
| | |
| | |
| Legal framework
| |
| | |
| | |
| 3. LWL, whose registered office is given above (companies house
| |
| | |
| registration number: 10853169), is the organisation (person) stated in
| |
| this notice to have transmitunsolicited communicatioby means
| |
| | |
| of electronic mail to individual subscribers for the purposes of direct
| |
| marketing contrary to regulation 22 of PECR.
| |
| | |
| | |
| | |
| 4. Regulation 22 of PECRprovides that:
| |
| | |
| | |
| 1 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| "(l)This regulation applies to the transmission of unsolicited
| |
| communications by means of electronic mail to individual subscribers.
| |
| | |
| | |
| (2) Except in the circumstances referred to in paragraph (3), a person
| |
| shall neither transmitnor instigate the transmission of, unsolicited
| |
| | |
| communications for the purposes of direct marketing by means of
| |
| electronic mail unless the recipient of the electronic mail has previously
| |
| | |
| notified the sender that he consents for the time being to such
| |
| | |
| communications being sent by, or at the instigation of, the sender.
| |
| | |
| | |
| (3) A person may send or instigate the sending of electronic mail for
| |
| the purposes of direct marketing where -
| |
| | |
| | |
| | |
| (a) That person has obtained the contact details of the recipient of
| |
| that electronic mail in the course of the sale or negotiations for
| |
| | |
| the sale of a product or device to that recipient;
| |
| (b) The direct marketing is in respect of that person's similar
| |
| | |
| products and services only; and
| |
| (c) The recipient has been given a simple means of refusing (free of
| |
| | |
| charge except for the costs of transmission of the refusal) the
| |
| | |
| use of his contact details for the purposes of such direct
| |
| marketing, at the time that the details were initially collected,
| |
| | |
| and, where he did not initially refuse the use of the details, at the
| |
| time of each subsequent communication.
| |
| | |
| | |
| (4) A subscriber shall not permit his line to be used in contraventofn
| |
| | |
| paragraph (2)."
| |
| | |
| | |
| 5. Section 122(5) of the DPA 2018 defines "direct marketing" as "the
| |
| | |
| communication (by whatever means) of any advertising material which
| |
| | |
| | |
| | |
| 2 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| is directed to particular individualThis definition also applies for the
| |
| purposes of PECR.
| |
| | |
| | |
| 6. "Electronic mail" is defined in regulation 2(1) PECRas" any text, voice,
| |
| | |
| sound or image sent over a public electronic communications network
| |
| | |
| which can be stored in the network or in the recipient's terminal
| |
| equipment until it is collected by the recipient and includes messages
| |
| | |
| sent using a short message service".
| |
| | |
| | |
| 7. Consent is defined in Article 4(11) the General Data Protection
| |
| | |
| Regulation 2016/679 as "any freely given, specific, informed and
| |
| unambiguous indication of the data subject's wishes by which he or
| |
| | |
| she, by a statement or by a clear affirmativaction, signifies
| |
| | |
| agreement to the processing of personal data relating to him or her".
| |
| | |
| 8. Section SSA of the DPA (as amended by the Privacy and Electronic
| |
| | |
| Communications (EC Directive)(Amendment) Regulations 2011 and the
| |
| | |
| Privacy and Electronic Communications (EC Directive) (Amendment)
| |
| Regulations 2015) states:
| |
| | |
| | |
| "(l) The Commissioner may serve a person with a monetary penalty if
| |
| | |
| the Commissioner is satisfied that -
| |
| | |
| (a) there has been a serious contraventionof the requirements
| |
| | |
| of the Privacy and Electronic Communications (EC
| |
| Directive) Regulations 2003 by the person, and
| |
| | |
| (b) subsection (2) or (3) applies.
| |
| | |
| (2) This subsection applies if the contraventiwas deliberate.
| |
| | |
| (3) This subsection applies if the person -
| |
| | |
| (a) knew or ought to have known that there was a risk that
| |
| | |
| the contravention would occur, but
| |
| | |
| 3 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| (b) failed to take reasonable steps to prevent the
| |
| contravention."
| |
| | |
| | |
| 9. The Commissioner has issued statutory guidance under section SSC (1)
| |
| | |
| of the DPA about the issuing of monetary penalties that has been
| |
| published on the ICO's website. The Data Protection (Monetary
| |
| | |
| Penalties)(Maximum Penalty and Notices) Regulations 2010 prescribe
| |
| | |
| that the amount of any penalty determined by the Commissioner must
| |
| not exceed £500,000.
| |
| | |
| | |
| 10. PECRimplements European legislation (Directive 2002/58/EC) aimed at
| |
| | |
| the protection of the individual's fundamentright to privacy in the
| |
| | |
| electronic communications sector. PECRwas amended for the purpose
| |
| of giving effect to Directive 2009/136/which amended and
| |
| | |
| strengthened the 2002 provisions. The Commissioner approaches PECR
| |
| so as to give effect to the Directives.
| |
| | |
| | |
| | |
| 11. The provisionsof the DPA remain in force for the purposes of PECR
| |
| notwithstanding the introductioof the Data Protection Act 2018 (see
| |
| | |
| paragraph 58(1) of part 9, Schedule 20 of that Act).
| |
| | |
| | |
| | |
| Background to the case
| |
| | |
| | |
| | |
| 12. LWL is a lead generation company which operates primarily in the
| |
| | |
| 'multi-levemarketing' sector. It generates leads under the Avon brand
| |
| for the purpose of enlisting downstream recruits, and which are passed
| |
| | |
| directly to independent Avon sales representatives.
| |
| | |
| | |
| | |
| | |
| | |
| 4 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| 13. LWL first came to the attention of the Commissioner in connection with
| |
| | |
| complaints about text messages seemingly sent by Avon Cosmetics
| |
| | |
| Limited ("Avon"). The investigatifound that Avon did not send or
| |
| instigate the texts. LWL were contacted, but not investigated at that
| |
| | |
| time.
| |
| | |
| | |
| 14. LWL came to the attention of the Commissioner again during the Covid-
| |
| 19 pandemic, when a significant number of complaints were received
| |
| | |
| about the following text message:
| |
| | |
| | |
| In lockdown and want to earn extra cash? Avon is now FULLY ONLINE,
| |
| | |
| FREE to do and paid weekly. Reply with your name for info. 18+ only.
| |
| Text STOP to opt out.
| |
| | |
| | |
| 15. Between 14 April 2020 and 14 May 2020, 835 complaints were received
| |
| | |
| by the 7726 SPAM reporting tool. Significant daily totals of complaints
| |
| were also seen, including 329 on 13 May 2020, 345 on 14 May 2020
| |
| | |
| and 370 on 15 May 2020.
| |
| | |
| | |
| 16. Given the rapid rise in complaint volumes, and as LWL were known to
| |
| | |
| send messages of this type, the Commissioner contacted LWL by
| |
| telephone on 13 May 2020, who confirmed that the messages had been
| |
| | |
| sent by LWL. This was subsequently supported by evidence from LWL's
| |
| mobile network provider.
| |
| | |
| | |
| 17. On 15 May 2020, the ICO sent an investigatioletter to LWL detailing
| |
| | |
| the Commissioner's concerns regarding LWL's compliance with PECR,
| |
| and containing a number of enquiries. The letter attached an index of
| |
| | |
| complaints received both by the 7726 SPAM reporting service, and by
| |
| | |
| the ICO.
| |
| | |
| | |
| 5 •
| |
| | |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| 18. On 4 June 2020, the ICO received a response from LWL. This provided
| |
| a list of CLI's used by LWL and text volumes, identified the bodies of 19
| |
| | |
| different texts sent, and confirmation that texts were sent internally
| |
| | |
| through a platform operated by LWL. LWL explained that data was both
| |
| purchased from third parties and driven to websites such as
| |
| | |
| 'Avon.leadswork.co.uk'. The third parties from whom data was
| |
| | |
| purchased were said to be' , - -
| |
| - and _,_ Advertising was also operated extensively on
| |
| | |
| '-,--and--'·
| |
| | |
| | |
| 19. In response to enquiries about contractual agreements, LWL stated that
| |
| | |
| before working with a partner they 'review their terms and conditions
| |
| and see the URL where the opt-in will occur', later adding that they also
| |
| | |
| go through the registration process on a test basis to ensure necessary
| |
| | |
| opt-ins were present. No contractual agreements were said to be in
| |
| place or provided. LWL said that they had generated leads for Avon
| |
| | |
| representatives for a 'very long time'.
| |
| | |
| | |
| 20. A review by the Commissioner of the information provided by LWL
| |
| | |
| revealed that its dominant data supplier was - - whose data
| |
| | |
| capture website was' '. This website consists of a
| |
| landing page to opt-in, a privacy notice, and an option to unsubscribe.
| |
| | |
| The website states that it is 'part of the - • - _',
| |
| | |
| which is a company quite distinct from - -· LWL is named in
| |
| the consent statement; by clicking the 'partners' link in the consent
| |
| | |
| statement, individuals are directed to the privacy policy in which LWL
| |
| are named in the 'marketing service providers' section.A further link
| |
| | |
| to 'direct clients' presents individuals with a further list of 457 distinct
| |
| | |
| organisations from whom individuals may expect to receive marketing,
| |
| in which LWL is not included. The website does not allow individuals to
| |
| | |
| submit their details without checking 'at least one' marketing channel.
| |
| | |
| 6 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| Furthermore, the website is vague and confusing given the discursive
| |
| | |
| and lengthy nature of the consent statement and the extensive list of
| |
| | |
| sectors and companies contained within both it and the privacy policy.
| |
| For these reasons the Commissioner concluded that consent was not
| |
| | |
| freely given, specific and informed.
| |
| | |
| | |
| 21. In response to a request by the Commissioner for evidence of consent,
| |
| LWL explained that a suppression list was in place should anyone reply
| |
| | |
| 'Stop' to a message. In respect of the customer journey LWL explained
| |
| that should a customer consent to be contacted by LWL then they are
| |
| | |
| sent an initial message asking whether they want to be contacted by a
| |
| local Avon representativeIf they respond positively then their data is
| |
| | |
| shared with the local representative.
| |
| | |
| | |
| 22. LWL provided the Commissioner with a 'GDPR pack' containing a Data
| |
| | |
| Protection Impact Assessment ("DPIA") and a 'company compliance
| |
| document'. The latter discusses LWL's data protection obligations as a
| |
| | |
| company, and whilst robust for the purpose it sets out to achieve, at no
| |
| point is PECRreferenced. The DPIA, dated 20 October 2019, explicitly
| |
| | |
| refersto PECRand consent, acknowledges that there is a 'degree of
| |
| public concern over personal data sales', and refers to regulatory action
| |
| | |
| by the ICO.
| |
| | |
| | |
| 23. LWL proclaimed their membership of 'S.H.I.E.L.D.' as an indicator of
| |
| | |
| their compliance. This is a scheme operated by a law firm who appear
| |
| to audit companies' GDPR compliance, and if deemed compliant, they
| |
| | |
| are entered into the scheme. No evidence of due diligence conducted
| |
| by this law firm on behalf of the company has been provided by LWL.
| |
| | |
| | |
| | |
| 24. Having reviewed LWL's response, the Commissioner sent a further set
| |
| of detailed enquiries to LWL on 9 June 2020, attaching evidence of an
| |
| | |
| 7 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| additional 8,089 complaints identified through the 7726 SPAM reporting
| |
| system since the initial enquiries were sent.
| |
| | |
| | |
| 25. A substantive response was provided by LWL on 19 June 2020. This
| |
| | |
| included the body of 64 distinct texts sent during the investigation
| |
| | |
| period (over three times the amount identified in LWL's initial
| |
| response). As was seen from those messages, LWL did not identify
| |
| | |
| itself as the sender. LWL also provided volumes of data purchased since
| |
| | |
| 1 May 2019. Further capture domains were identified. In particular,
| |
| was identified as also capturing the data that -
| |
| | |
| - supplied. LWL prefaced this by stating that they were previously
| |
| unaware of this website being a capture domain, and so had
| |
| | |
| immediately enquired as to the compliance and opt-in of this website.
| |
| | |
| It was explained that this website directs individuals to a registration
| |
| page where their details are inputted, and agreement to the privacy
| |
| | |
| policy obtained.LWL stated that lawyers had been involved in creation
| |
| of the website's legal framework on behalf of another client, and so
| |
| | |
| were confident it would be compliant.
| |
| | |
| | |
| 26. The Commissioner reviewed the privacy policy on '
| |
| | |
| which has granular opt-ins for each channel and a third party opt-in.
| |
| The policy states that the website is owned and operated by a
| |
| | |
| differentlynamed company than - ., who sold the data to
| |
| | |
| LWL. The third party opt-in on the registratiopage contains a link to
| |
| 'partners' where 16 companies are listed, in which LWL does not
| |
| | |
| appear. LWL does appear in the privacy policy, in a list of 7 'marketing
| |
| | |
| service providers'. A further 442 companies are then listed under 'direct
| |
| clients' followed by the following statement"at registration you have
| |
| | |
| the option to opt-in to sponsors of our website". The Commissioner
| |
| found the consent statements to be vague and confusing. Further, LWL
| |
| | |
| are not named at the point of consent and in view of the extensive list
| |
| | |
| 8 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| of companies in the privacy policy, the Commissioner considered that
| |
| | |
| consent was not specific or informed.
| |
| | |
| | |
| 27. Data was also stated to be purchased by LWL from ,. -
| |
| _, ('-"), the second largest of LWL's data suppliers, through
| |
| | |
| websites' 'and' '. These sites
| |
| share the same vague consent statement, which contains a link to
| |
| | |
| identical privacy policies. The privacy policies contain no distinguishable
| |
| | |
| 'third party policy' and lists approximat40 companies with whom
| |
| data may be shared. LWL are not listed in the privacy policy, instead
| |
| | |
| 'UK - Avon' are listed; this listing is hyperlinked to LWL's privacy policy.
| |
| In representationsmade to the Commissioner in response to the Notice
| |
| | |
| of Intent, LWL provided a letter from - which stated that LWL
| |
| should be considered to fall within the category of 'health and beauty
| |
| | |
| tips'.Given that LWL are not directly named in any list, and the
| |
| policies are convoluted, individuals could not reasonably be expected to
| |
| | |
| know that LWL were linked to Avon. For the reasons above the
| |
| Commissioner found that the consent statements did not constitute
| |
| | |
| informed and specific consent.
| |
| | |
| | |
| 28. In relation to the volume of texts sent to each data source, LWL stated
| |
| it was not possible to produce an entirely accurate figure, however
| |
| | |
| provided an approximation of volumes in a further email to the
| |
| | |
| Commissioner dated 24 June 2020. Between 1 May 2019 and 15 May
| |
| 2020 LWL approximated that it sent in excess of 25 million texts to
| |
| | |
| data sourced from __ , --- and•••· The vast
| |
| majority of the texts, as well as the complaints evidenced in the
| |
| | |
| Commissioner's second investigation letter, were related to data
| |
| | |
| supplied by --·
| |
| | |
| | |
| | |
| 9 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| 29. A further request for information was sent by the Commissioner to LWL
| |
| | |
| on 26 June 2020 seeking evidence of consent in relation to another
| |
| 4,703 complaints received through the 7726 SPAM reporting service,
| |
| | |
| information regarding data supplier'••• ,and an accurate
| |
| number of texts sent though each source between 16 May 2020 and 26
| |
| | |
| June 2020.
| |
| | |
| | |
| 30. LWL's director responded on 3 July 2020, providing further opt-ins. In
| |
| relation to he said the use of this data preceded his time as
| |
| | |
| director, and so would need to contact directly or his
| |
| predecessors for information.
| |
| | |
| | |
| 31. LWL went onto verify that between 16 May 2020 and 26 June 2020, a
| |
| | |
| total of 3,486,716 messages were sent, of which 3,327,573 were
| |
| received. Of these,3,013,096 texts were sent, and 2,670,140
| |
| | |
| connected, to data sourced by -- and ---
| |
| (comprising 1,911,493 to -- data and 758,647 to'-
| |
| | |
| -'data).
| |
| | |
| | |
| 32. On 10 July 2020 LWL supplied the Commissioner with information
| |
| regarding the ' ' data source. LWL identified the domains used
| |
| | |
| by '(also used by -- and
| |
| previously reviewed by the Commissioner - see para. 20 above) and
| |
| | |
| '. Thelatter is operated by - - and its
| |
| consent statement lists 240 companies who may contact individuals.
| |
| | |
| LWL are not included in the list. The privacy policy does name LWL, but
| |
| within a list of hundreds of other sponsors. The Commissioner found
| |
| | |
| that consent in those circumstances was not specific and informed.
| |
| | |
| | |
| 33. In conclusion the Commissioner considers that LWL relied upon invalid
| |
| consents to send direct marketing texts to individuals whose data was
| |
| | |
| 10 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| sourced by __ , ___ , and
| |
| LWL's business
| |
| model is inextricably linked to direct marketing, and whilst it did make
| |
| | |
| some attempt to comply with data protection legislation, it had no
| |
| discernible policiesr procedures relevant to PECRcompliance, and any
| |
| | |
| due diligence was insufficient.
| |
| | |
| | |
| 34. During the period 16 May 2020 to 26 June 2020, a total of 12,281
| |
| | |
| complaints from 11,733 individuals about unsolicited texts from LWL
| |
| | |
| were received via the 7726 reporting service. 4 complaints were
| |
| received though the Commissioner's online reporting tool. The vast
| |
| | |
| majority of complaints (10,570) relate to data sourced by - -·
| |
| It is also noteworthy that LWL began receiving a significant number of
| |
| | |
| complaints from May 2020 onwards, shortly after the UK entered
| |
| | |
| lockdown in response to the pandemic.
| |
| | |
| | |
| 35. The Commissioner has made the above findings of fact on the balance
| |
| of probabilities.
| |
| | |
| | |
| 36. The Commissioner has considered whether those facts constitute a
| |
| | |
| contravention of regulation 22 of PECRby LWL and, if so, whether the
| |
| conditions of section SSA DPA are satisfied.
| |
| | |
| | |
| The contravention
| |
| | |
| | |
| | |
| 37. The Commissioner finds that LWL has contravened Regulation 22 of
| |
| PECR.The Commissioner finds that the contravention was as follows:
| |
| | |
| | |
| 38. Between 16 May 2020 and 26 June 2020 LWL transmitted 2,670,140
| |
| texts over a public electronic communicationnetwork by means of
| |
| | |
| electronic mail to individual subscribers for the purposes of direct
| |
| | |
| marketing contrary to regulation 22 of PECR.
| |
| | |
| | |
| 11 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| 39. Organisations cannot generally send marketing texts unless the
| |
| recipient has notified the sender that they consent to such texts being
| |
| | |
| sent by, or at the instigation of, that sender.
| |
| | |
| 40. The Commissioner is satisfied that the consent relied on by
| |
| | |
| LWL did not amount to valid consent for the purposes of regulation 22
| |
| | |
| PECR.
| |
| | |
| 41. The Commissioner is satisfied that LWL was responsible for this
| |
| | |
| contravention.
| |
| | |
| 42. The Commissioner has gone on to consider whether the conditions
| |
| | |
| under section SSA DPA were met.
| |
| | |
| | |
| Seriousness of the contravention
| |
| | |
| | |
| | |
| 43. The Commissioner is satisfied that the contraventioidentified above
| |
| was serious.
| |
| | |
| | |
| 44. This is because LWL sent 2,670,140 marketing text messages to
| |
| | |
| individuals without their consent, resulting in excess of 10,000
| |
| | |
| complaints, over a period of 41 days. The volume of texts and
| |
| complaints over such a short period is substantial. Indeed, the
| |
| | |
| Commissioner would go so far as to say that the ratio of complaints to
| |
| the volume of data subjects in receipt of unlawful texts far exceeds any
| |
| | |
| contravention she has witnessed to date.
| |
| | |
| | |
| 45. It is reasonable to suppose that the volume of contraventionis
| |
| | |
| actually significantly higher, and spanned a broader period of time. LWL
| |
| | |
| approximated that during the period 1 May 2019 and 15 May 2020, it
| |
| sent 17.23 million texts to--data, 6.43 million texts to.
| |
| | |
| -- data and 1.37 million texts to data. All these data
| |
| | |
| 12 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| sources have been deemed non-compliant, however as LWL's system
| |
| overwrites data after a period of time, LWL have been unable to verify
| |
| | |
| these figures.
| |
| | |
| | |
| 46. The Commissioner's Direct Marketing Guidance available on the ICO's
| |
| | |
| website states that: "Organisations can generally only send marketing
| |
| texts or emails to individuals (including sole traders and some
| |
| | |
| partnerships) if that person has specifically consented to receiving
| |
| | |
| them". Point 60 of the Guidance refers to the fact that freely given
| |
| consent should be demonstrated where it is the "condition of
| |
| | |
| subscribing to a service", however it is apparent that consent is not
| |
| freely given in the case of data sourced by - - (LWL's largest
| |
| | |
| provider of data) through ' ', because individuals are
| |
| | |
| not able to register without subscribing to at least one marketing
| |
| channel.
| |
| | |
| | |
| 47. Furthermore, the Commissioner's guidance in relation to PECRstates
| |
| | |
| that "making a large number of marketing calls based on recorded
| |
| | |
| messages or sending large numbers of marketing text messages to
| |
| individuals who have not consented to receive them [...] is likely to
| |
| | |
| constitute a serious contraventioof the Regulations".
| |
| | |
| | |
| 48. The Commissioner is therefore satisfied that condition (a) from section
| |
| | |
| SSA (1) DPA is met.
| |
| | |
| | |
| Deliberate or foreseeable contravention
| |
| | |
| | |
| 49. The Commissioner has considered whether the contravention identified
| |
| | |
| above was deliberate. In the Commissioner's view, this means that
| |
| LWL's actions which constituted that contraventionwere deliberate
| |
| | |
| | |
| | |
| 13 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| actions (even if LWL did not actually intethereby to contravene
| |
| PECR).
| |
| | |
| | |
| 50. The Commissioner considers that in this case that LWL's actions were
| |
| | |
| deliberate, as despite having been notified that it was under
| |
| | |
| investigatioby the Commissioner, and given her concerns about
| |
| LWL's compliance with PECR, LWL has continued its marketing
| |
| | |
| campaign without making any adjustments to its business model. LWL
| |
| | |
| continues to send unlawful text messages even after the investigation
| |
| was completed, and a Notice of Intent served upon LWL in which it's
| |
| | |
| practices were deemed non-compliant.
| |
| | |
| | |
| 51. Further, and in the alternatithe Commissioner has gone on to
| |
| | |
| consider whether the contraventionidentified above was negligent.
| |
| | |
| | |
| 52. First, she has considered whether LWL knew or ought reasonably to
| |
| have known that there was a risk that this contraventiowould occur.
| |
| | |
| She is satisfiedhat this condition is met, given that LWL's business
| |
| | |
| model relied heavily on direct marketing.
| |
| | |
| | |
| 53. LWL is registered with the ICO as a data controller and as such should
| |
| be aware of the Regulations.As the sender of the texts it was the
| |
| | |
| responsibility of LWL to ensure valid consent had been obtained prior to
| |
| | |
| their transmission.
| |
| | |
| | |
| 54. The Commissioner has published detailed guidance for those carrying
| |
| | |
| out direct marketing explaining their legal obligations under PECR.This
| |
| guidance explains the circumstances under which organisations are
| |
| | |
| able to carry out marketing over the phone, by text, by email, by post,
| |
| or by fax.
| |
| | |
| | |
| | |
| 14 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| 55. Furthermore, the issue of unsolicited marketing has been widely
| |
| publicised by the media as being a problem.
| |
| | |
| | |
| 56. LWL had a DPIA in place dated 20 October 2019 which demonstrates
| |
| | |
| awareness on the part of LWL as to its statutory obligatioIt.contains
| |
| | |
| the following statement:
| |
| | |
| LW have considered the fact that there is a degree of public concern
| |
| over the sales of personal data. The legislation is clear on the point of
| |
| consent and the subsequent enforcement action brought by the
| |
| | |
| Regulator (ICO) has reinforced the legislation and demonstrated a clear
| |
| pathway to take for businesses engaged in the sale of personal data
| |
| | |
| This unambiguously references public concern regarding data sales,
| |
| | |
| and an awareness of enforcement action taken by the ICO.
| |
| | |
| | |
| 57. It is therefore reasonable to suppose that LWL knew or ought
| |
| | |
| reasonably to have known that there was a risk that these
| |
| contraventions would occur.
| |
| | |
| | |
| | |
| 58. The Commissioner has also considered whether LWL failed to take
| |
| reasonable steps to prevent the contraventions.
| |
| | |
| | |
| 59. Reasonable steps could have included seeking appropriate guidance on
| |
| the rules in relation to electronic direct marketing and ensuring the
| |
| | |
| consent on which it sought to rely on was valid, putting in place
| |
| | |
| contractual arrangements to ensure the veracity of the data, and
| |
| conducting sufficient due diligence in relation to its data providers.
| |
| | |
| | |
| 60. In this case, LWL failed to put in place contractual arrangements with
| |
| data suppliers despite sourcing significant volumes of data from these
| |
| | |
| suppliers. Any due diligence appears to be minimal and there is a lack
| |
| | |
| of evidence in relation to thisBy their own admission, LWL conducted
| |
| most of their due diligence checks on ' ', by looking
| |
| | |
| 15 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| at the website and testing the registration pages, however had these
| |
| checks been sufficient LWL should have known that the website was
| |
| | |
| non-compliant. In fact, LWL only became aware of a page that sourced
| |
| | |
| a significantmount of-- data when the ICO investigation
| |
| commenced. LWL purports to rely on their entry to the S.H.I.E.L.D.
| |
| | |
| scheme as reassurance of compliance, however no evidence in relation
| |
| to this has been provided.
| |
| | |
| | |
| | |
| 61. LWL appear to have placed great reliance upon due diligence
| |
| conducted by third parties in relation to data capture websites, and the
| |
| | |
| fact that there had been legal input from lawyers engaged by other
| |
| organisations who also utilised those same websites. LWL have
| |
| | |
| provided minimal evidence in relation to any due diligence provided by
| |
| | |
| others and appear to have assumed that as others were reliant upon it,
| |
| then their own business model must also have been compliant. It would
| |
| | |
| have been reasonable for LWL to carry out its own checks as to
| |
| how consent was being obtained via the websites, notwithstandingany
| |
| | |
| assurances by its third-partdata providers - such checks would have
| |
| | |
| alerted LWL to the inadequacy of the consents being obtained via the
| |
| sites for the purposes of third-pardirect marketing. In short, simple
| |
| | |
| reliance on assurances of indirect consent alone without undertaking
| |
| proper due diligence is not acceptable.
| |
| | |
| | |
| | |
| 62. Furthermore, LWL has continued to send significant numbers of
| |
| marketing texts to individuals throughoutand since, the course of the
| |
| | |
| Commissioner's investigation,incurring a substantial amount of
| |
| | |
| complaints. This would suggest that no remedial measures have been
| |
| taken to prevent further contraventionsand an apparent continuing
| |
| | |
| disregard for its obligations under PECR. Indeed, since August 2020 to
| |
| the date of this Notice, a further 28,350 complaints about marketing
| |
| | |
| texts from LWL have been received by the 7726 reporting service.
| |
| | |
| 16 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| | |
| 63. In representations made to the Commissioner, LWL states that at no
| |
| | |
| time was it made aware that its practices were non-compliant.The
| |
| Commissioner views the fact that an organisation is under investigation
| |
| | |
| should be sufficient impetus for that organisation to review its own
| |
| | |
| practices in lineith the Regulations. Irrespective of the timing of any
| |
| awareness on LWL's part, it is apparent that LWL has not heeded the
| |
| | |
| Commissioner's concerns and has continued its campaign in blatant
| |
| | |
| disregard for the Regulations.
| |
| | |
| | |
| 64. The Commissioner is therefore satisfied that condition (b) from section
| |
| SSA (1) DPA is met.
| |
| | |
| | |
| The Commissioner's decision to impose a monetary penalty
| |
| | |
| | |
| 65. The Commissioner has taken into account the following aggravating
| |
| | |
| features of this case:
| |
| | |
| | |
| • The texts misleadingly appeared to be sent by Avon. LWL accepts that
| |
| | |
| it deliberately did not identify itself in the body of the texts as the
| |
| sender so as to not "confuse" recipients, and as such were in breach of
| |
| | |
| regulation 23 of PECR.
| |
| | |
| | |
| • LWL has continued to run the marketing campaign both during, and
| |
| | |
| since,the Commissioner's investigation and despite the ICO's
| |
| concerns,without attempting to amend or review its practices. Indeed,
| |
| | |
| all the contraventionwhich are the subject of this Notice occurred
| |
| | |
| after LWL were notified it was under investigatioFurthermore, LWL
| |
| has continued to send unlawful marketing texts after the Commissioner
| |
| | |
| completed her investigationon 26 June 2020, and issued a Notice of
| |
| Intent in which LWL's practices were deemed non-compliant.
| |
| | |
| | |
| 17 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| | |
| • Since August 2020 to the present time, an additional 28,350
| |
| complaints have been received by the 7726 SPAM reporting tool about
| |
| | |
| texts sent by LWL.
| |
| | |
| | |
| • LWL sought to capitalise on the pandemic by sending a significant
| |
| | |
| number of text messages relating to, and directly referencing, the
| |
| ensuant lockdown when the population was at its most vulnerable and
| |
| | |
| advertising the potential financial gains by becoming an Avon
| |
| | |
| representative.1,698 complaints were received regarding this
| |
| particular message.
| |
| | |
| | |
| • LWL repeatedly indicated long standing compliance with PECRin its
| |
| | |
| communications with the Commissioner which was blatantly untrue.
| |
| | |
| LWL also failed to be completely transparentduring the course of the
| |
| investigation.For example, when asked to provide details of the body
| |
| | |
| of texts sent by LWL, it initially provided only 19, when it later
| |
| | |
| transpired 65 separate texts were utilised. In representatioto the
| |
| Commissioner, LWL stated that those omitted were simply variants of
| |
| | |
| the original texts however the Commissioner's view remains that LWL
| |
| were not completely open and transparent in relation to her enquiry.
| |
| | |
| | |
| • Furthermore, LWL failed to inform the Commissioner in its response to
| |
| | |
| enquiries about marketing methods that it also conducted email
| |
| | |
| marketing. The Commissioner has since been made aware that·
| |
| - conducted hosted marketing for LWL, and that over a 12 month
| |
| | |
| period had sent 7.5 million emails on LWL's behalf, including activity
| |
| | |
| during the contravention period. Between the contravention period 16
| |
| May 2020 - 26 June 2020 the number of emails transmitted was
| |
| | |
| 1,006,000.
| |
| | |
| | |
| | |
| 18 •
| |
| | |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| 66. The Commissioner considers there are no mitigating factors to be
| |
| | |
| considered in this case.
| |
| | |
| | |
| 67. For the reasons explained above, the Commissioner is satisfied that the
| |
| | |
| conditions from section SSA(l) DPA have been met in this case. She is
| |
| also satisfiedthat the procedural rights under section 55B have been
| |
| | |
| complied with.
| |
| | |
| | |
| 68. This has included the issuing of a Notice of Intent, in which the
| |
| | |
| Commissioner set out her preliminary thinking, and invited LWL to make
| |
| representations in response.
| |
| | |
| | |
| | |
| 69. The Commissioner has received and considered Representations in
| |
| response to the Notice of Intent dated 9th & 22nd December 2020, and
| |
| | |
| 5th, 13th & 20th January 2021.
| |
| | |
| | |
| 70. The Commissioner is accordingly entitled to issue a monetary penalty in
| |
| | |
| this case.
| |
| | |
| | |
| 71. The Commissioner has considered whether, in the circumstances, she
| |
| | |
| should exercise her discretion so as to issue a monetary penalty. She
| |
| | |
| has decided that a monetary penalty is an appropriate and proportionate
| |
| response to the finding of a serious contraventionof regulation22 of
| |
| | |
| PECRby LWL.
| |
| | |
| | |
| 72. The Commissioner's underlying objective in imposing a monetary
| |
| | |
| penalty notice is to promote compliance with PECR. The making of
| |
| | |
| unsolicited direct marketing calls is a matter of significant public concern.
| |
| A monetary penalty in this case should act as a general encouragement
| |
| | |
| towards compliance with the law, or at least as a deterrent against non
| |
| | |
| compliance, on the part of all persons running businesses currently
| |
| | |
| 19 •
| |
| | |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| engaging in these practices. This is an opportuto reinforce the need
| |
| for businesses to ensure that they are only telephoning consumers who
| |
| | |
| want to receive these calls.
| |
| | |
| | |
| 73. The Commissioner has also considered the likely impact of a monetary
| |
| | |
| penalty on LWL and in doing so has reviewed financial evidence supplied
| |
| | |
| by LWL.
| |
| | |
| | |
| The amount of the penalty
| |
| | |
| | |
| 74. Taking into account all of the above, the Commissioner has decided that
| |
| | |
| the amount of the penalty is £250,000 (Two hundred and fifty
| |
| thousand pounds).
| |
| | |
| | |
| Conclusion
| |
| | |
| | |
| | |
| 75. The monetary penalty must be paid to the Commissioner's office by
| |
| BACS transfer or cheque by 1 April 2021 at the latest. The monetary
| |
| | |
| penalty is not kept by the Commissioner but will be paid into the
| |
| Consolidated Fund which is the Government'sgeneral bank account at
| |
| | |
| the Bank of England.
| |
| | |
| | |
| 76. If the Commissioner receives full payment of the monetary penalty by
| |
| | |
| 31 March 2021 the Commissioner will reduce the monetary penalty by
| |
| | |
| 20% to £200,000 (Two hundred thousand pounds). However, you
| |
| should be aware that the early payment discount is not available if you
| |
| | |
| decide to exercise your right of appeal.
| |
| | |
| | |
| 77. There is a right of appeal to the First-tier Tribunal (InfoRights)
| |
| | |
| against:
| |
| | |
| | |
| | |
| 20 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| a) the imposition of the monetary penalty
| |
| | |
| and/or;
| |
| | |
| | |
| b) the amount of the penalty specified in the monetary penalty
| |
| notice.
| |
| | |
| | |
| 70. Any notice of appeal should be received by the Tribunal within 28 days
| |
| | |
| of the date of this monetary penalty notice.
| |
| | |
| | |
| 71. Informationabout appeals is set out in Annex 1.
| |
| | |
| 72. The Commissioner will not take action to enforce a monetary penalty
| |
| | |
| unless:
| |
| | |
| | |
| • the period specified within the notice within which a monetary penalty
| |
| | |
| must be paid has expired and all or any of the monetary penalty has
| |
| not been paid;
| |
| | |
| | |
| • all relevant appeals against the monetary penalty notice and any
| |
| | |
| variation of it have either been decided or withdraand
| |
| | |
| • period for appealing against the monetary penalty and any variation of
| |
| | |
| it has expired.
| |
| | |
| 73. In England, Wales and Northern Ireland, the monetary penalty is
| |
| | |
| recoverable by Order of the County Court or the High Court. In
| |
| Scotland, the monetary penalty can be enforced in the same manner
| |
| | |
| as an extract registered decree arbitral bearing a warrant for execution
| |
| issued by the sheriff court of any sheriffdom in Scotland.
| |
| | |
| | |
| | |
| | |
| | |
| | |
| 21 •
| |
| | |
| Information Commissioner's Office
| |
| | |
| | |
| Dated the 1 day of March 2021
| |
| | |
| | |
| Andy Curry
| |
| Head of Investigations
| |
| InformatioCommissioner's Office
| |
| Wycliffe House
| |
| Water Lane
| |
| Wilmslow
| |
| Cheshire
| |
| SK9 SAF
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| 22 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| | |
| | |
| ANNEX 1
| |
| | |
| SECTION 55 A-E OF THE DATA PROTECTION ACT 1998
| |
| | |
| | |
| | |
| RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER
| |
| | |
| | |
| 1. Section 48 of the Data Protection Act 1998 gives any person upon
| |
| whom a monetary penalty notice or variation notice has been served a right
| |
| of appeal to the First-tier Tribunal (InformRights) (the 'Tribunal')
| |
| | |
| against the notice.
| |
| | |
| 2. If you decide to appeal and if the Tribunal considers:-
| |
| | |
| | |
| a) that the notice against which the appeal is brought is not in accordance
| |
| with the law; or
| |
| | |
| b) to the extent that the notice involved an exercise of discretion by the
| |
| | |
| Commissioner, that she ought to have exercised her discretion differently,
| |
| | |
| the Tribunal will allow the appeal or substitute such other decision as could
| |
| have been made by the Commissioner. In any other case the Tribunal will
| |
| dismiss the appeal.
| |
| | |
| | |
| 3. You may bring an appeal by serving a notice of appeal on the Tribunal
| |
| at the following address:
| |
| | |
| | |
| | |
| GRC & GRPTribunals
| |
| PO Box 9300
| |
| Arnhem House
| |
| | |
| 31 Waterloo Way
| |
| Leicester
| |
| LEl 8DJ
| |
| | |
| | |
| a) The notice of appeal should be sent so it is received by the Tribunal
| |
| within 28 days of the date of the notice.
| |
| | |
| | |
| 23 •
| |
| | |
| ICO.
| |
| Information Commissioner's Office
| |
| | |
| b) If your notice of appeal is late the Tribunal will not admit it unless the
| |
| Tribunal has extended the time for complying with this rule.
| |
| | |
| 4. The notice of appeal should state:-
| |
| | |
| | |
| a) your name and address/name and address of your representative
| |
| (if any);
| |
| | |
| | |
| b) an address where documents may be sent or delivered to you;
| |
| | |
| c) the name and address of the Information Commissioner;
| |
| | |
| d) detailsof the decision to which the proceedings relate;
| |
| | |
| | |
| e) the result that you are seeking;
| |
| | |
| f) the grounds on which you rely;
| |
| | |
| | |
| g) you must provide with the notice of appeal a copy of the
| |
| monetary penalty notice or variation notice;
| |
| | |
| | |
| h) if you have exceeded the time limit mentioned above the notice
| |
| of appeal must include a request for an extension of time and the
| |
| reason why the notice of appeal was not provided in time.
| |
| | |
| | |
| 5. Before deciding whether or not to appeal you may wish to consult your
| |
| solicitor or another adviser. At the hearing of an appeal a party may conduct
| |
| his case himself or may be represented by any person whom he may
| |
| appoint for that purpose.
| |
| | |
| | |
| 6. The statutory provisions concerning appeals to the First-tier Tribunal
| |
| (Information Rights) are contained in sections 48 and 49 of, and Schedule 6
| |
| to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal)
| |
| (General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No.
| |
| | |
| 1976 (L.20)).
| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| 24
| |
| </pre>
| |