ICO (UK) - Virgin Media Limited: Difference between revisions
No edit summary |
Sharmapankaj (talk | contribs) No edit summary |
||
Line 10: | Line 10: | ||
|ECLI= | |ECLI= | ||
|Original_Source_Name_1= | |Original_Source_Name_1=ICO | ||
|Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/mpns/4019153/virgin-media-limited-monetary-penalty-notice.pdf | |Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/mpns/4019153/virgin-media-limited-monetary-penalty-notice.pdf | ||
|Original_Source_Language_1=English | |Original_Source_Language_1=English | ||
|Original_Source_Language__Code_1=EN | |Original_Source_Language__Code_1=EN | ||
|Type= | |Type=Other | ||
|Outcome= | |Outcome= | ||
|Date_Started= | |||
|Date_Decided=06.12.2021 | |Date_Decided=06.12.2021 | ||
|Date_Published= | |Date_Published= | ||
|Year=2021 | |Year=2021 | ||
|Fine= | |Fine=50,000 | ||
|Currency=GBP | |Currency=GBP | ||
|National_Law_Name_1= | |National_Law_Name_1=Data Protection Act 2018 | ||
|National_Law_Link_1=https://www.legislation.gov.uk/ukpga/2018/12/ | |National_Law_Link_1=https://www.legislation.gov.uk/ukpga/2018/12/contents | ||
|National_Law_Name_2= | |National_Law_Name_2=The Privacy and Electronic Communications (EC Directive) Regulations 2003 | ||
|National_Law_Link_2=https://www.legislation.gov.uk/ | |National_Law_Link_2=https://www.legislation.gov.uk/uksi/2003/2426/contents/made/data.htm | ||
|Party_Name_1=Virgin Media Limited | |Party_Name_1=Virgin Media Limited | ||
Line 50: | Line 47: | ||
|Appeal_To_Link= | |Appeal_To_Link= | ||
|Initial_Contributor= | |Initial_Contributor=n/a | ||
| | | | ||
}} | }} | ||
The ICO fined | The UK DPA (ICO) fined Virgin Media limited GBP 50,000 for sending direct marketing emails in violation of Regulation 22 PECR. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
Virgin Media | Virgin Media is a British telecommunications company. It first came to the attention of the ICO in connection with this matter on 10 August 2020. The ICO received a complaint (the “Complaint”) about a direct marketing email they had received from Virgin Media on 4 August 2020. | ||
=== Holding === | === Holding === | ||
The Price Freeze Emails containing the Marketing Preference Reminder fell within the definition of direct marketing | The Commissioner found that Virgin Media contravened regulation 22 of PECR for the following reasons. | ||
1. On or around 4 August 2020 there were 451,217 direct marketing emails containing the Marketing Preference Reminder received by subscribers. | |||
2. The Marketing Preference Reminder sought to entice or encourage customers to update their marketing preferences. It also marketed Virgin Media’s commercial offerings, i.e. “the great Virgin Media stuff we have on offer for you…our latest TV, broadband, phone and mobile news, competitions, product and bundle offers.” | |||
3. As such, the Price Freeze Emails containing the Marketing Preference Reminder fell within the definition of direct marketing as set out at paragraph 6 above. | |||
4..Virgin Media, as the sender of the direct marketing, was required to ensure that it was acting in compliance with the requirements of regulation 22 of PECR, and that valid consent to send those messages had been acquired. | |||
5. The requisite consent was not obtained because the 451,217 recipients of the direct marketing had opted out of marketing communications. No issue arises as to whether consent was “freely given”, “specific”, “informed” and “unambiguous”, because consent was not given. | |||
6. In the course of the investigation, Virgin Media stated that in deciding (i) which customers would receive Price Freeze Emails, and (ii) the wording for the same, Virgin Media relied on the ICO Direct Marketing Guidance (v. 2.3). Virgin Media noted that the ICO Direct Marketing Guidance provides [at paragraph 194] that people can change their minds and that marketing strategies also change, and that there is some merit in making sure that the information about people’s preferences is accurate and up-to-date. That does not, however, constitute an exception to regulation 22 of PECR. Further, it is noted that paragraph 193 of the same Guidance states: “Organisations must not contact people on a suppression list at a later date to ask them if they want to opt back in to receiving marketing. This contact would involve using their personal data for direct marketing purposes and is likely to breach the DPA, and will also breach PECR if the contact is by phone, text or email.” | |||
7. Virgin Media also noted that in the two weeks following the Price Freeze Emails containing the Marketing Preference Reminder, 6,539 customers elected to adjust their preferences and opt in to marketing. This does not constitute an exception to regulation 22 of PECR either. Rather, the fact that Virgin Media had the potential for financial gain from its breach of the regulation (by signing up more clients to direct marketing) is an aggravating factor, not a defence. | |||
The | 8. The Commissioner is therefore satisfied from the evidence he has seen that Virgin Media did not have the necessary valid consent for the 451,217 direct marketing messages received by subscribers. | ||
Thus, the ICO issued a monetary penalty of GBP 50,000. | |||
== Comment == | == Comment == | ||
Line 80: | Line 90: | ||
<pre> | <pre> | ||
1 | |||
DATA PROTECTION ACT 1998 | |||
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER | |||
MONETARY PENALTY NOTICE | |||
To: Virgin Media Limited | |||
Of: 500 Brook Drive, Reading RG2 6UU | |||
1. The Information Commissioner (“the Commissioner”) has decided to | |||
issue Virgin Media Limited (“Virgin Media”) with a monetary penalty | |||
under section 55A of the Data Protection Act 1998 (“DPA”). The penalty | |||
is in relation to a serious contravention of Regulation 22 of the Privacy | |||
and Electronic Communications (EC Directive) Regulations 2003 | |||
To: | (“PECR”). | ||
2. This notice explains the Commissioner’s intended decision. | |||
Legal framework | |||
Of: | 3. Virgin Media, whose registered office address is given above | ||
(Companies House Registration Number: 02591237) is the organisation | |||
stated in this notice to have transmitted unsolicited communications by | |||
1. | means of electronic mail to individual subscribers for the purposes of | ||
direct marketing contrary to regulation 22 of PECR. | |||
4. Regulation 22 of PECR states: | |||
2. | |||
3. | |||
4. | |||
2 | |||
“(1) This regulation applies to the transmission of unsolicited | |||
communications by means of electronic mail to individual | |||
subscribers. | |||
(2) Except in the circumstances referred to in paragraph (3), a person | (2) Except in the circumstances referred to in paragraph (3), a person | ||
shall neither transmit, nor instigate the transmission of, unsolicited | |||
communications for the purposes of direct marketing by means of | |||
electronic mail unless the recipient of the electronic mail has | |||
previously notified the sender that he consents for the time being | |||
to such communications being sent by, or at the instigation of, the | |||
sender. | |||
(3) A person may send or instigate the sending of electronic mail for | |||
the purposes of direct marketing where— | |||
(a) that person has obtained the contact details of the recipient | |||
of that electronic mail in the course of the sale or | |||
negotiations for the sale of a product or service to that | |||
recipient; | |||
(3) A person may send or instigate the | (b) the direct marketing is in respect of that person’s similar | ||
products and services only; and | |||
(c) the recipient has been given a simple means of refusing | |||
(free of charge except for the costs of the transmission of | |||
the refusal) the use of his contact details for the purposes | |||
of such direct marketing, at the time that the details were | |||
initially collected, and, where he did not initially refuse the | |||
use of the details, at the time of each subsequent | |||
communication. | |||
(4) A subscriber shall not permit his line to be used in contravention of | (4) A subscriber shall not permit his line to be used in contravention of | ||
paragraph (2).” | |||
3 | |||
5. The provisions of the DPA and subordinate legislation made under the | |||
DPA remain in force for the purposes of PECR notwithstanding the | |||
introduction of the Data Protection Act 2018 (“DPA18”): see | |||
paragraphs 58(1) and 58(2) of Schedule 20 to the DPA18. | |||
6. Section 122(5) of the DPA18 defines direct marketing as “the | |||
communication (by whatever means) of advertising or marketing | |||
material which is directed to particular individuals”. This definition also | |||
applies for the purposes of PECR (see regulation 2(2) PECR and | |||
paragraphs 430 & 432(6) to Schedule 19 of the DPA18). | |||
7. Consent in PECR is now defined, from 29 March 2019, by reference to | |||
the concept of consent in Regulation 2016/679 (“the GDPR”): | |||
regulation 8(2) of the Data Protection, Privacy and Electronic | |||
Communications (Amendments etc) (EU Exit) Regulations 2019. Article | |||
4(11) of the GDPR sets out the following definition: “‘consent’ of the | |||
data subject means any freely given, specific, informed and | |||
unambiguous indication of the data subject's wishes by which he or | |||
she, by a statement or by a clear affirmative action, signifies | |||
agreement to the processing of personal data relating to him or her”. | |||
8. Recital 32 of the GDPR materially states that “When the processing has | |||
multiple purposes, consent should be given for all of them”. Recital 43 | |||
materially states that “Consent is presumed not to be freely given if it | |||
does not allow separate consent to be given to different personal data | |||
processing operations despite it being appropriate in the individual case”. | |||
9. “Individual” is defined in regulation 2(1) of PECR as “a living individual | |||
and includes an unincorporated body of such individuals”. | |||
4 | |||
10. A “subscriber” is defined in regulation 2(1) of PECR as “a person who is | |||
a party to a contract with a provider of public electronic | |||
communications services for the supply of such services”. | |||
11. “Electronic mail” is defined in regulation 2(1) of PECR as “any text, | |||
voice, sound or image message sent over a public electronic | |||
communications network which can be stored in the network or in the | |||
recipient’s terminal equipment until it is collected by the recipient and | |||
includes messages sent using a short message service”. | |||
12. Section 55A of the DPA (as applied to PECR cases by Schedule 1 to | |||
PECR, as variously amended) states (in material part): | |||
“(1) The Commissioner may serve a person with a monetary penalty | |||
notice if the Commissioner is satisfied that – | |||
(a) there has been a serious contravention of the requirements | |||
of the Privacy and Electronic Communications (EC | |||
Directive) Regulations 2003 by the person, | |||
(b) subsection (2) or (3) applies. | |||
(2) This subsection applies if the contravention was deliberate. | |||
(3) This subsection applies if the person – | |||
(a) knew or ought to have known that there was a risk that the | |||
contravention would occur, but | |||
(b) failed to take reasonable steps to prevent the | |||
contravention.” | |||
13. The Commissioner has issued statutory guidance under section 55C(1) | |||
of the DPA about the issuing of monetary penalties that has been | |||
published on the ICO’s website. The Data Protection (Monetary | |||
Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe | |||
5 | |||
that the amount of any penalty determined by the Commissioner must | |||
not exceed £500,000. | |||
14. PECR were enacted to protect individuals’ fundamental right to privacy | |||
in the electronic communications sector. PECR were subsequently | |||
amended and strengthened. The Commissioner will interpret PECR in a | |||
way which is consistent with the Regulations’ overall aim of ensuring | |||
high levels of protection for individuals’ privacy rights. | |||
15. The provisions of the DPA remain in force for the purposes of PECR | |||
notwithstanding the introduction of the DPA18: see paragraph 58(1) of | |||
Schedule 20 to the DPA18. | |||
Background to the case | |||
16. This Notice concerns 451,217 marketing emails sent to persons who | |||
had previously opted out of marketing communications from Virgin | |||
Media. | |||
17. Virgin Media is a British telecommunications company. It first came to | |||
the attention of the ICO in connection with this matter on 10 August | |||
2020. The ICO received a complaint (the “Complaint”) from someone | |||
complaining about a direct marketing email they had received from | |||
Virgin Media on 4 August 2020. | |||
18. The email stated (in material part, with emphasis added): | |||
“We want to let you know that we won’t be raising your price this | |||
year. | |||
6 | |||
This means the price you pay for your current package right now | |||
will stay the same in 2020. | |||
We’d like to stay in touch about all the great Virgin Media | |||
stuff we have on offer for you. You have currently said no | |||
to receiving marketing messages from us, which means | |||
that we are not able to keep you up to date with our latest | |||
TV, broadband, phone and mobile news, competitions, | |||
product and bundle offers via online, email, post, SMS, | |||
phone. | |||
You can change your preferences by simply registering or | |||
signing in to virginmedia.com/optin. Click ‘My Profile’, then | |||
‘My Preferences’.” | |||
19. The text in bold will be referred to in this document as the “Marketing | |||
Preference Reminder”. | |||
20. The complainant said that this email was “basically a service message | |||
dressed up as an attempt to get me to opt back in to marketing | |||
communications”. | |||
21. The ICO opened an investigation. | |||
22. In outline, the correspondence proceeded as follows: | |||
a. On 13 August 2020, the ICO sent an initial investigation letter | |||
to Virgin Media. This letter explained the relevant legislation, | |||
set out the ICO’s powers, and made some requests for | |||
information. | |||
7 | |||
b. On 5 October 2020, Virgin Media provided its response to the | |||
ICO’s letter of 13 August 2020. The material details of that | |||
response are set out further below. | |||
c. On 16 October 2020, the ICO responded seeking further | |||
information (including evidence of Virgin Media’s consent | |||
statements). | |||
d. On 21 October 2020, the ICO spoke with Virgin Media. Virgin | |||
Media asked why the ICO needed to see its consent | |||
statements. The ICO explained that it needed to assess | |||
whether Virgin Media had obtained the requisite consent for | |||
the Marketing Email. | |||
e. On 23 October 2020, Virgin Media provided its response to the | |||
ICO’s letter of 16 October 2020. The material details of that | |||
response are set out further below. | |||
f. On 24 November 2020, the ICO asked Virgin Media to provide | |||
further information. | |||
g. On 8 December 2020, Virgin Media provided its response to | |||
the ICO’s letter of 24 November 2020. The material details of | |||
that response are set out further below. | |||
h. On 10 December 2020, the ICO sent an end of investigation | |||
letter to Virgin. | |||
23. The ICO notes the following material facts, as supplied by Virgin Media | |||
in the correspondence summarised above: | |||
23. | |||
8 | |||
a. On 4 August 2020, Virgin Media sent 1,964,562 emails | |||
concerning a price freeze (the “Price Freeze Emails”). Of | |||
these: | |||
i. Virgin Media sent 1,303,671 Price Freeze Emails to | |||
customers who had opted in to marketing | |||
communications (“opt-in customers”), 1,303,361 of | |||
which were received. | |||
ii. Virgin Media sent 209,376 Price Freeze Emails to | |||
customers who had opted out to marketing | |||
communications (“opt-out customers”) without the | |||
Marketing Preference Reminder, 209,254 of which were | |||
received. | |||
iii. Virgin Media sent 451,515 Price Freeze Emails to opt-out | |||
customers with the Marketing Preference Reminder, | |||
451,217 of which were received. The email received by | |||
the individual who had complained to the ICO was | |||
within this category. | |||
b. The data for the Prize Freeze Emails was obtained directly | b. The data for the Prize Freeze Emails was obtained directly | ||
from customers. | |||
c. Virgin Media stated that it received “feedback” from customers | c. Virgin Media stated that it received “feedback” from customers | ||
(it is not specified how many) that “a number of them would | |||
like to be informed about packages, products and discounts | |||
that may be available and some customers are unaware that | |||
they have not opted-in to all forms of marketing.” | |||
d. Virgin Media stated that, based on that feedback, and the ICO | d. Virgin Media stated that, based on that feedback, and the ICO | ||
Direct Marketing Guidance at paragraph 32 below, it “selected | |||
9 | |||
a segment of opted-out customers who we reasonably | |||
considered might have changed their marketing preferences. | |||
The customers selected were those who had opted out over a | |||
year ago.” | |||
e. Virgin Media does operate a suppression list for marketing | e. Virgin Media does operate a suppression list for marketing | ||
communications, but the suppression process was only applied | |||
“for opted-out customers who Virgin Media considered were | |||
unlikely to have changed their mind about their marketing | |||
preferences.” | |||
f. Virgin Media uses a “one time opt in to all channels’ sales | f. Virgin Media uses a “one time opt in to all channels’ sales | ||
journey”. Virgin Media has the following procedure for | |||
obtaining consent from customers: | |||
“a. All sales journeys capture consent preferences which | |||
are recorded within that journey. A customer is not able to | |||
complete a sale without confirming whether they consent | |||
to receiving marketing communications. Virgin Media | |||
currently operates an opt in approach and new customers | |||
are required to tick the box to opt-in to marketing | |||
communications; | |||
b. A customer’s consent preference is captured and | |||
recorded within internal Virgin Media systems; | |||
c. Virgin Media does not have channel (i.e. email SMS) | |||
specific preference capability, therefore a customer | |||
consents to all marketing communications as set out in | |||
the consent statement (which explains that Virgin Media | |||
may provide marketing information by email or SMS, as | |||
well as other channels); | |||
d. A customer can change their marketing preference in | |||
different ways (speaking to an agent, emailing the DPO, | |||
through their My VM account on the website), or by | |||
clicking ‘unsubscribe’ (via email or SMS).” | |||
10 | |||
g. None of the consent statements presented to individuals by | |||
Virgin Media (Telesales Inbound, Inbound Retentions, Inbound | |||
Care, Online, VM store, Bafta Competition, Virgin Media Portal | |||
General Customer, Virgin Media General Agent), nor the Virgin | |||
Media account preferences, permit individuals to choose | |||
specific communications by which to receive marketing | |||
communications. Virgin Media also stated: “…if an individual | |||
consents to receive marketing, they are opted in to all | |||
communication methods. Virgin Media does not currently have | |||
channel (i.e. email, SMS) specific preference capability, | |||
therefore a customer consents to all marketing | |||
communications as set out in the consent statement.” | |||
24. The Commissioner has made the above findings of fact on the | |||
balance of probabilities. | |||
25. The Commissioner has considered whether those facts constitute | |||
a contravention of regulation 22 of PECR by Virgin Media and, if so, | |||
whether the conditions of section 55A DPA are satisfied. | |||
The contravention | |||
26. The Commissioner finds that Virgin Media contravened regulation 22 of | |||
PECR. | |||
27. The Commissioner finds that the contravention was as follows: | |||
28. The Commissioner finds that on or around 4 August 2020 there were | |||
451,217 direct marketing emails containing the Marketing Preference | |||
Reminder received by subscribers. The Commissioner finds that Virgin | |||
Media transmitted those direct marketing messages. | |||
11 | |||
29. The Marketing Preference Reminder sought to entice or encourage | |||
customers to update their marketing preferences. It also marketed | |||
Virgin Media’s commercial offerings, i.e. “the great Virgin Media stuff | |||
we have on offer for you…our latest TV, broadband, phone and mobile | |||
news, competitions, product and bundle offers.” | |||
30. As such, the Price Freeze Emails containing the Marketing Preference | |||
Reminder fell within the definition of direct marketing as set out at | |||
paragraph 6 above. | |||
31. Virgin Media, as the sender of the direct marketing, was required to | |||
ensure that it was acting in compliance with the requirements of | |||
regulation 22 of PECR, and that valid consent to send those messages | |||
had been acquired. | |||
32. In this instance, the requisite consent was not obtained because the | |||
451,217 recipients of the direct marketing had opted out of marketing | |||
communications. No issue arises as to whether consent was “freely | |||
given”, “specific”, “informed” and “unambiguous”, because consent was | |||
not given. | |||
33. In the course of the investigation, Virgin Media stated that in deciding | |||
(i) which customers would receive Price Freeze Emails, and (ii) the | |||
wording for the same, Virgin Media relied on the ICO Direct Marketing | |||
Guidance (v. 2.3). Virgin Media noted that the ICO Direct Marketing | |||
Guidance provides [at paragraph 194] that people can change their | |||
minds and that marketing strategies also change, and that there is some | |||
merit in making sure that the information about people’s preferences is | |||
accurate and up-to-date. That does not, however, constitute an | |||
exception to regulation 22 of PECR. Further, it is noted that paragraph | |||
193 of the same Guidance states: “Organisations must not contact | |||
people on a suppression list at a later date to ask them if they want to | |||
12 | |||
opt back in to receiving marketing. This contact would involve using their | |||
personal data for direct marketing purposes and is likely to breach the | |||
DPA, and will also breach PECR if the contact is by phone, text or email.” | |||
34. Virgin Media also noted that in the two weeks following the Price Freeze | |||
Emails containing the Marketing Preference Reminder, 6,539 customers | |||
elected to adjust their preferences and opt in to marketing. This does | |||
not constitute an exception to regulation 22 of PECR either. Rather, the | |||
fact that Virgin Media had the potential for financial gain from its breach | |||
of the regulation (by signing up more clients to direct marketing) is an | |||
aggravating factor, not a defence. | |||
35. The Commissioner is therefore satisfied from the evidence he has seen | |||
that Virgin Media did not have the necessary valid consent for the | |||
451,217 direct marketing messages received by subscribers. | |||
36. The Commissioner has gone on to consider whether the conditions | |||
under section 55A DPA are met. | |||
Seriousness of the contravention | |||
37. The Commissioner is satisfied that the contravention identified | |||
above was serious. This is because on one day, a confirmed total of | |||
451,217 direct marketing messages were sent by Virgin Media. These | |||
messages contained direct marketing material for which subscribers | |||
had not provided valid consent. | |||
38. The Commissioner is therefore satisfied that condition (a) from | |||
section 55A(1) DPA is met. | |||
13 | |||
Deliberate or negligent contraventions | |||
39. The Commissioner has considered whether the contravention identified | |||
above was deliberate. In the Commissioner’s view, this means that | |||
Virgin Media’s actions which constituted that contravention were | |||
deliberate actions (even if Virgin Media did not actually intend thereby | |||
to contravene PECR). | |||
40. The Commissioner considers that in this case Virgin Media did | |||
deliberately contravene regulation 22 of PECR. Virgin Media does not | |||
say that it did not know that the 451,217 recipients of the email in | |||
question had not provided valid consent. On the contrary, its position is | |||
that these recipients were selected, in part, because they had opted | |||
out of marketing communications (and, Virgin Media says, because it | |||
reasonably considered that they might wish to change that preference). | |||
It is noted that on the same day as the contravention, Virgin Media | |||
sent 209,254 emails without the Marketing Preference Reminder to | |||
opt-out customers, and so was self-evidently selecting recipients on | |||
the basis of known criteria. | |||
41. For the above reasons, the Commissioner is satisfied that this breach | |||
was deliberate. | |||
42. In the alternative, the Commissioner has gone on to consider whether | |||
the contravention identified above was negligent. This consideration | |||
comprises two elements. | |||
43. Firstly, he has considered whether Virgin Media knew or ought | |||
reasonably to have known that there was a risk that these | |||
contraventions would occur. He is satisfied that this condition is met, for | |||
the following reasons. Unsolicited direct marketing emails are widely | |||
14 | |||
known to be a problem. Virgin Media is a large organisation with a | |||
longstanding, positive working relationship with the ICO. Further, the | |||
Commissioner has published detailed guidance for those carrying out | |||
direct marketing explaining their legal obligations under PECR. This | |||
guidance gives clear advice regarding the requirements of consent for | |||
direct marketing and explains the circumstances under which | |||
organisations are able to carry out marketing over the phone, by text, | |||
by email, by post, or by fax. In particular it states that organisations can | |||
generally only send, or instigate, marketing messages to individuals if | |||
that person has specifically consented to receiving them. The | |||
Commissioner has also published detailed guidance on consent under | |||
the GDPR. In case organisations remain unclear on their obligations, the | |||
ICO operates a telephone helpline. ICO communications about previous | |||
enforcement action where businesses have not complied with PECR are | |||
also readily available. Virgin Media could have sought clarification or | |||
guidance if it was unsure as to any particular issue. | |||
44. It is therefore reasonable to suppose that Virgin Media should have been | |||
aware of its responsibilities in this area. | |||
45. Secondly, the Commissioner has gone on to consider whether Virgin | |||
Media failed to take reasonable steps to prevent the contraventions. | |||
Again, he is satisfied that this condition is met. | |||
46. This is not a case in which communications were sent inadvertently. | |||
They were targeted at users who had opted out from receiving such | |||
communications. That demonstrates in itself that no reasonable steps | |||
were taken to prevent the contraventions. Further, if there was doubt | |||
about whether the emails in question would contravene regulation 22, | |||
Virgin Media could legitimately have sought advice from the | |||
Commissioner. It failed to do so. | |||
15 | |||
47. In the circumstances, the Commissioner is satisfied that Virgin Media | |||
failed to take reasonable steps to prevent the contraventions. | |||
48. The Commissioner is therefore satisfied that condition (b) from section | |||
55A (1) DPA is met. | |||
The Commissioner’s decision to issue a monetary penalty | |||
49. For the reasons explained above, the Commissioner is satisfied that the | |||
conditions from section 55A (1) DPA have been met in this case. He is | |||
also satisfied that the procedural rights under section 55B have been | |||
complied with. The latter has included the issuing of a Notice of Intent, | |||
in which the Commissioner set out his preliminary thinking. In reaching | |||
his final view, the Commissioner has taken into account the | |||
representations made by Virgin Media on this matter. | |||
50. The Commissioner is accordingly entitled to issue a monetary penalty | |||
in this case. The Commissioner has considered whether, in the | |||
circumstances, he should exercise his discretion so as to issue a | |||
monetary penalty. | |||
51. The Commissioner’s underlying objective in imposing a monetary | |||
penalty notice is to promote compliance with PECR. The sending of | |||
unsolicited direct marketing messages is a matter of significant public | |||
concern. A monetary penalty in this case should act as a general | |||
encouragement towards compliance with the law, or at least as a | |||
deterrent against non-compliance, on the part of all persons running | |||
businesses currently engaging in these practices. The issuing of a | |||
monetary penalty will reinforce the need for businesses to ensure that | |||
they are only messaging those who specifically consent to receive | |||
direct marketing. | |||
16 | |||
52. For these reasons, the Commissioner has decided to issue a monetary | |||
penalty in this case. | |||
The amount of the penalty | |||
53. In determining the amount of the penalty, the Commissioner first | |||
considered the nature and seriousness of the contravention. He | |||
concluded that an appropriate starting point for the penalty should be | |||
£50,000. | |||
54. The Commissioner went on to consider whether there were any | |||
aggravating or mitigating factors which would warrant an increase or | |||
reduction to this starting point. | |||
55. The Commissioner identified the following aggravating features of this | |||
case: | |||
• The business generated from the emails in question would have the | |||
potential of Virgin Media benefitting from financial gain. | |||
• The ICO produces clear guidance via its website on the rules of direct | |||
marketing and that guidance on current regulations has been in | |||
existence for a considerable amount of time. The ICO also operates a | |||
helpline, should organisations be unsure and require further clarification. | |||
56. The Commissioner did not consider that there are any mitigating | |||
factors of this case. | |||
57. The Commissioner also considered the likely impact of a monetary | |||
penalty on Virgin Media. He has decided on the information that is | |||
available to him, that Virgin Media has access to sufficient financial | |||
17 | |||
resources to pay the proposed monetary penalty without causing | |||
undue financial hardship and that a penalty remains the appropriate | |||
course of action in the circumstances of this case. | |||
58. The Commissioner did not consider that any of the above factors | |||
warranted an increase or decrease in the starting point for the penalty. | |||
59. Taking into account all of the above, the Commissioner has decided | |||
that a penalty in the sum of £50,000 (fifty thousand pounds) is | |||
reasonable and proportionate given the particular facts of the case and | |||
the underlying objective in imposing the penalty. | |||
Conclusion | |||
60. The monetary penalty must be paid to the Commissioner’s office by | |||
BACS transfer or cheque by 10 January 2022 at the latest. The | |||
monetary penalty is not kept by the Commissioner but will be paid into | |||
the Consolidated Fund which is the Government’s general bank account | |||
at the Bank of England. | |||
61. If the Commissioner receives full payment of the monetary penalty by | |||
9 January 2022 the Commissioner will reduce the monetary penalty by | |||
20% to £40,000 (forty thousand pounds). However, you should be | |||
aware that the early payment discount is not available if you decide to | |||
exercise your right of appeal. | |||
62. There is a right of appeal to the First-tier Tribunal (Information Rights) | |||
against: | |||
(a) the imposition of the monetary penalty | |||
and/or; | |||
58. | |||
59. | |||
60. | |||
61. | |||
62. | |||
18 | |||
(b) the amount of the penalty specified in the monetary penalty | |||
notice. | |||
63. Any notice of appeal should be received by the Tribunal within 28 days | |||
of the date of this monetary penalty notice. | |||
64. Information about appeals is set out in Annex 1. | |||
65. The Commissioner will not take action to enforce a monetary penalty | |||
unless: | |||
• the period specified within the notice within which a monetary | |||
penalty must be paid has expired and all or any of the monetary | |||
penalty has not been paid; | |||
• all relevant appeals against the monetary penalty notice and any | |||
variation of it have either been decided or withdrawn; and | |||
• the period for appealing against the monetary penalty and any | |||
variation of it has expired. | |||
66. In England, Wales and Northern Ireland, the monetary penalty is | |||
recoverable by Order of the County Court or the High Court. In | |||
Scotland, the monetary penalty can be enforced in the same manner as | |||
an extract registered decree arbitral bearing a warrant for execution | |||
issued by the sheriff court of any sheriffdom in Scotland. | |||
Dated the 6th December 2021 | |||
Andy Curry | Andy Curry | ||
Head of Investigations | Head of Investigations | ||
Information Commissioner’s Office | Information Commissioner’s Office | ||
Wycliffe House | Wycliffe House | ||
19 | |||
Water Lane | |||
Wilmslow | Wilmslow | ||
Cheshire | Cheshire | ||
Line 1,110: | Line 601: | ||
20 | |||
ANNEX 1 | |||
SECTION 55 A-E OF THE DATA PROTECTION ACT 1998 | |||
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER | |||
1. Section 55B(5) of the Data Protection Act 1998 gives any person | |||
upon whom a monetary penalty notice has been served a right of | |||
appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’) | |||
against the notice. | |||
2. If you decide to appeal and if the Tribunal considers:- | |||
a) that the notice against which the appeal is brought is not in | |||
accordance with the law; or | |||
b) to the extent that the notice involved an exercise of | |||
discretion by the Commissioner, that he ought to have exercised | |||
her discretion differently, | |||
the Tribunal will allow the appeal or substitute such other decision as | |||
could have been made by the Commissioner. In any other case the | |||
Tribunal will dismiss the appeal. | |||
3. You may bring an appeal by serving a notice of appeal on the | |||
Tribunal at the following address: | |||
General Regulatory Chamber | |||
HM Courts & Tribunals Service | |||
PO Box 9300 | |||
Leicester | |||
LE1 8DJ | |||
21 | |||
Telephone: 0203 936 8963 | |||
Email: grc@justice.gov.uk | |||
a) The notice of appeal should be sent so it is received by the | |||
Tribunal within 28 days of the date of the notice. | |||
b) If your notice of appeal is late the Tribunal will not admit it | |||
unless the Tribunal has extended the time for complying with this | |||
rule. | |||
4. The notice of appeal should state:- | |||
a) your name and address/name and address of your | |||
representative (if any); | |||
b) an address where documents may be sent or delivered to | |||
you; | |||
c) the name and address of the Information Commissioner; | |||
d) details of the decision to which the proceedings relate; | |||
e) the result that you are seeking; | |||
f) the grounds on which you rely; | |||
g) you must provide with the notice of appeal a copy of the | |||
monetary penalty notice or variation notice; | |||
h) if you have exceeded the time limit mentioned above the | |||
notice of appeal must include a request for an extension of time | |||
22 | |||
and the reason why the notice of appeal was not provided in | |||
time. | |||
5. Before deciding whether or not to appeal you may wish to consult | |||
5. | |||
your solicitor or another adviser. At the hearing of an appeal a party | your solicitor or another adviser. At the hearing of an appeal a party | ||
may conduct his case himself or may be represented by any person | may conduct his case himself or may be represented by any person | ||
whom he may appoint for that purpose. | whom he may appoint for that purpose. | ||
6. The statutory provisions concerning appeals to the First-tier | |||
6. | |||
Tribunal (Information Rights) are contained in section 55B(5) of, and | Tribunal (Information Rights) are contained in section 55B(5) of, and | ||
Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure | Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure | ||
(First-tier Tribunal) (General Regulatory Chamber) Rules 2009 | (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 | ||
(Statutory Instrument 2009 No. 1976 (L.20)). | (Statutory Instrument 2009 No. 1976 (L.20)). | ||
</pre> | </pre> |
Revision as of 05:26, 14 February 2022
ICO (UK) - Virgin Media Limited | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Data Protection Act 2018 The Privacy and Electronic Communications (EC Directive) Regulations 2003 |
Type: | Other |
Outcome: | n/a |
Started: | |
Decided: | 06.12.2021 |
Published: | |
Fine: | 50,000 GBP |
Parties: | Virgin Media Limited |
National Case Number/Name: | Virgin Media Limited |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | ICO (in EN) |
Initial Contributor: | n/a |
The UK DPA (ICO) fined Virgin Media limited GBP 50,000 for sending direct marketing emails in violation of Regulation 22 PECR.
English Summary
Facts
Virgin Media is a British telecommunications company. It first came to the attention of the ICO in connection with this matter on 10 August 2020. The ICO received a complaint (the “Complaint”) about a direct marketing email they had received from Virgin Media on 4 August 2020.
Holding
The Commissioner found that Virgin Media contravened regulation 22 of PECR for the following reasons.
1. On or around 4 August 2020 there were 451,217 direct marketing emails containing the Marketing Preference Reminder received by subscribers.
2. The Marketing Preference Reminder sought to entice or encourage customers to update their marketing preferences. It also marketed Virgin Media’s commercial offerings, i.e. “the great Virgin Media stuff we have on offer for you…our latest TV, broadband, phone and mobile news, competitions, product and bundle offers.”
3. As such, the Price Freeze Emails containing the Marketing Preference Reminder fell within the definition of direct marketing as set out at paragraph 6 above.
4..Virgin Media, as the sender of the direct marketing, was required to ensure that it was acting in compliance with the requirements of regulation 22 of PECR, and that valid consent to send those messages had been acquired.
5. The requisite consent was not obtained because the 451,217 recipients of the direct marketing had opted out of marketing communications. No issue arises as to whether consent was “freely given”, “specific”, “informed” and “unambiguous”, because consent was not given.
6. In the course of the investigation, Virgin Media stated that in deciding (i) which customers would receive Price Freeze Emails, and (ii) the wording for the same, Virgin Media relied on the ICO Direct Marketing Guidance (v. 2.3). Virgin Media noted that the ICO Direct Marketing Guidance provides [at paragraph 194] that people can change their minds and that marketing strategies also change, and that there is some merit in making sure that the information about people’s preferences is accurate and up-to-date. That does not, however, constitute an exception to regulation 22 of PECR. Further, it is noted that paragraph 193 of the same Guidance states: “Organisations must not contact people on a suppression list at a later date to ask them if they want to opt back in to receiving marketing. This contact would involve using their personal data for direct marketing purposes and is likely to breach the DPA, and will also breach PECR if the contact is by phone, text or email.”
7. Virgin Media also noted that in the two weeks following the Price Freeze Emails containing the Marketing Preference Reminder, 6,539 customers elected to adjust their preferences and opt in to marketing. This does not constitute an exception to regulation 22 of PECR either. Rather, the fact that Virgin Media had the potential for financial gain from its breach of the regulation (by signing up more clients to direct marketing) is an aggravating factor, not a defence.
8. The Commissioner is therefore satisfied from the evidence he has seen that Virgin Media did not have the necessary valid consent for the 451,217 direct marketing messages received by subscribers.
Thus, the ICO issued a monetary penalty of GBP 50,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
1 DATA PROTECTION ACT 1998 SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER MONETARY PENALTY NOTICE To: Virgin Media Limited Of: 500 Brook Drive, Reading RG2 6UU 1. The Information Commissioner (“the Commissioner”) has decided to issue Virgin Media Limited (“Virgin Media”) with a monetary penalty under section 55A of the Data Protection Act 1998 (“DPA”). The penalty is in relation to a serious contravention of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). 2. This notice explains the Commissioner’s intended decision. Legal framework 3. Virgin Media, whose registered office address is given above (Companies House Registration Number: 02591237) is the organisation stated in this notice to have transmitted unsolicited communications by means of electronic mail to individual subscribers for the purposes of direct marketing contrary to regulation 22 of PECR. 4. Regulation 22 of PECR states: 2 “(1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers. (2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender. (3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where— (a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient; (b) the direct marketing is in respect of that person’s similar products and services only; and (c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication. (4) A subscriber shall not permit his line to be used in contravention of paragraph (2).” 3 5. The provisions of the DPA and subordinate legislation made under the DPA remain in force for the purposes of PECR notwithstanding the introduction of the Data Protection Act 2018 (“DPA18”): see paragraphs 58(1) and 58(2) of Schedule 20 to the DPA18. 6. Section 122(5) of the DPA18 defines direct marketing as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. This definition also applies for the purposes of PECR (see regulation 2(2) PECR and paragraphs 430 & 432(6) to Schedule 19 of the DPA18). 7. Consent in PECR is now defined, from 29 March 2019, by reference to the concept of consent in Regulation 2016/679 (“the GDPR”): regulation 8(2) of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. Article 4(11) of the GDPR sets out the following definition: “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. 8. Recital 32 of the GDPR materially states that “When the processing has multiple purposes, consent should be given for all of them”. Recital 43 materially states that “Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case”. 9. “Individual” is defined in regulation 2(1) of PECR as “a living individual and includes an unincorporated body of such individuals”. 4 10. A “subscriber” is defined in regulation 2(1) of PECR as “a person who is a party to a contract with a provider of public electronic communications services for the supply of such services”. 11. “Electronic mail” is defined in regulation 2(1) of PECR as “any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service”. 12. Section 55A of the DPA (as applied to PECR cases by Schedule 1 to PECR, as variously amended) states (in material part): “(1) The Commissioner may serve a person with a monetary penalty notice if the Commissioner is satisfied that – (a) there has been a serious contravention of the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 by the person, (b) subsection (2) or (3) applies. (2) This subsection applies if the contravention was deliberate. (3) This subsection applies if the person – (a) knew or ought to have known that there was a risk that the contravention would occur, but (b) failed to take reasonable steps to prevent the contravention.” 13. The Commissioner has issued statutory guidance under section 55C(1) of the DPA about the issuing of monetary penalties that has been published on the ICO’s website. The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe 5 that the amount of any penalty determined by the Commissioner must not exceed £500,000. 14. PECR were enacted to protect individuals’ fundamental right to privacy in the electronic communications sector. PECR were subsequently amended and strengthened. The Commissioner will interpret PECR in a way which is consistent with the Regulations’ overall aim of ensuring high levels of protection for individuals’ privacy rights. 15. The provisions of the DPA remain in force for the purposes of PECR notwithstanding the introduction of the DPA18: see paragraph 58(1) of Schedule 20 to the DPA18. Background to the case 16. This Notice concerns 451,217 marketing emails sent to persons who had previously opted out of marketing communications from Virgin Media. 17. Virgin Media is a British telecommunications company. It first came to the attention of the ICO in connection with this matter on 10 August 2020. The ICO received a complaint (the “Complaint”) from someone complaining about a direct marketing email they had received from Virgin Media on 4 August 2020. 18. The email stated (in material part, with emphasis added): “We want to let you know that we won’t be raising your price this year. 6 This means the price you pay for your current package right now will stay the same in 2020. We’d like to stay in touch about all the great Virgin Media stuff we have on offer for you. You have currently said no to receiving marketing messages from us, which means that we are not able to keep you up to date with our latest TV, broadband, phone and mobile news, competitions, product and bundle offers via online, email, post, SMS, phone. You can change your preferences by simply registering or signing in to virginmedia.com/optin. Click ‘My Profile’, then ‘My Preferences’.” 19. The text in bold will be referred to in this document as the “Marketing Preference Reminder”. 20. The complainant said that this email was “basically a service message dressed up as an attempt to get me to opt back in to marketing communications”. 21. The ICO opened an investigation. 22. In outline, the correspondence proceeded as follows: a. On 13 August 2020, the ICO sent an initial investigation letter to Virgin Media. This letter explained the relevant legislation, set out the ICO’s powers, and made some requests for information. 7 b. On 5 October 2020, Virgin Media provided its response to the ICO’s letter of 13 August 2020. The material details of that response are set out further below. c. On 16 October 2020, the ICO responded seeking further information (including evidence of Virgin Media’s consent statements). d. On 21 October 2020, the ICO spoke with Virgin Media. Virgin Media asked why the ICO needed to see its consent statements. The ICO explained that it needed to assess whether Virgin Media had obtained the requisite consent for the Marketing Email. e. On 23 October 2020, Virgin Media provided its response to the ICO’s letter of 16 October 2020. The material details of that response are set out further below. f. On 24 November 2020, the ICO asked Virgin Media to provide further information. g. On 8 December 2020, Virgin Media provided its response to the ICO’s letter of 24 November 2020. The material details of that response are set out further below. h. On 10 December 2020, the ICO sent an end of investigation letter to Virgin. 23. The ICO notes the following material facts, as supplied by Virgin Media in the correspondence summarised above: 8 a. On 4 August 2020, Virgin Media sent 1,964,562 emails concerning a price freeze (the “Price Freeze Emails”). Of these: i. Virgin Media sent 1,303,671 Price Freeze Emails to customers who had opted in to marketing communications (“opt-in customers”), 1,303,361 of which were received. ii. Virgin Media sent 209,376 Price Freeze Emails to customers who had opted out to marketing communications (“opt-out customers”) without the Marketing Preference Reminder, 209,254 of which were received. iii. Virgin Media sent 451,515 Price Freeze Emails to opt-out customers with the Marketing Preference Reminder, 451,217 of which were received. The email received by the individual who had complained to the ICO was within this category. b. The data for the Prize Freeze Emails was obtained directly from customers. c. Virgin Media stated that it received “feedback” from customers (it is not specified how many) that “a number of them would like to be informed about packages, products and discounts that may be available and some customers are unaware that they have not opted-in to all forms of marketing.” d. Virgin Media stated that, based on that feedback, and the ICO Direct Marketing Guidance at paragraph 32 below, it “selected 9 a segment of opted-out customers who we reasonably considered might have changed their marketing preferences. The customers selected were those who had opted out over a year ago.” e. Virgin Media does operate a suppression list for marketing communications, but the suppression process was only applied “for opted-out customers who Virgin Media considered were unlikely to have changed their mind about their marketing preferences.” f. Virgin Media uses a “one time opt in to all channels’ sales journey”. Virgin Media has the following procedure for obtaining consent from customers: “a. All sales journeys capture consent preferences which are recorded within that journey. A customer is not able to complete a sale without confirming whether they consent to receiving marketing communications. Virgin Media currently operates an opt in approach and new customers are required to tick the box to opt-in to marketing communications; b. A customer’s consent preference is captured and recorded within internal Virgin Media systems; c. Virgin Media does not have channel (i.e. email SMS) specific preference capability, therefore a customer consents to all marketing communications as set out in the consent statement (which explains that Virgin Media may provide marketing information by email or SMS, as well as other channels); d. A customer can change their marketing preference in different ways (speaking to an agent, emailing the DPO, through their My VM account on the website), or by clicking ‘unsubscribe’ (via email or SMS).” 10 g. None of the consent statements presented to individuals by Virgin Media (Telesales Inbound, Inbound Retentions, Inbound Care, Online, VM store, Bafta Competition, Virgin Media Portal General Customer, Virgin Media General Agent), nor the Virgin Media account preferences, permit individuals to choose specific communications by which to receive marketing communications. Virgin Media also stated: “…if an individual consents to receive marketing, they are opted in to all communication methods. Virgin Media does not currently have channel (i.e. email, SMS) specific preference capability, therefore a customer consents to all marketing communications as set out in the consent statement.” 24. The Commissioner has made the above findings of fact on the balance of probabilities. 25. The Commissioner has considered whether those facts constitute a contravention of regulation 22 of PECR by Virgin Media and, if so, whether the conditions of section 55A DPA are satisfied. The contravention 26. The Commissioner finds that Virgin Media contravened regulation 22 of PECR. 27. The Commissioner finds that the contravention was as follows: 28. The Commissioner finds that on or around 4 August 2020 there were 451,217 direct marketing emails containing the Marketing Preference Reminder received by subscribers. The Commissioner finds that Virgin Media transmitted those direct marketing messages. 11 29. The Marketing Preference Reminder sought to entice or encourage customers to update their marketing preferences. It also marketed Virgin Media’s commercial offerings, i.e. “the great Virgin Media stuff we have on offer for you…our latest TV, broadband, phone and mobile news, competitions, product and bundle offers.” 30. As such, the Price Freeze Emails containing the Marketing Preference Reminder fell within the definition of direct marketing as set out at paragraph 6 above. 31. Virgin Media, as the sender of the direct marketing, was required to ensure that it was acting in compliance with the requirements of regulation 22 of PECR, and that valid consent to send those messages had been acquired. 32. In this instance, the requisite consent was not obtained because the 451,217 recipients of the direct marketing had opted out of marketing communications. No issue arises as to whether consent was “freely given”, “specific”, “informed” and “unambiguous”, because consent was not given. 33. In the course of the investigation, Virgin Media stated that in deciding (i) which customers would receive Price Freeze Emails, and (ii) the wording for the same, Virgin Media relied on the ICO Direct Marketing Guidance (v. 2.3). Virgin Media noted that the ICO Direct Marketing Guidance provides [at paragraph 194] that people can change their minds and that marketing strategies also change, and that there is some merit in making sure that the information about people’s preferences is accurate and up-to-date. That does not, however, constitute an exception to regulation 22 of PECR. Further, it is noted that paragraph 193 of the same Guidance states: “Organisations must not contact people on a suppression list at a later date to ask them if they want to 12 opt back in to receiving marketing. This contact would involve using their personal data for direct marketing purposes and is likely to breach the DPA, and will also breach PECR if the contact is by phone, text or email.” 34. Virgin Media also noted that in the two weeks following the Price Freeze Emails containing the Marketing Preference Reminder, 6,539 customers elected to adjust their preferences and opt in to marketing. This does not constitute an exception to regulation 22 of PECR either. Rather, the fact that Virgin Media had the potential for financial gain from its breach of the regulation (by signing up more clients to direct marketing) is an aggravating factor, not a defence. 35. The Commissioner is therefore satisfied from the evidence he has seen that Virgin Media did not have the necessary valid consent for the 451,217 direct marketing messages received by subscribers. 36. The Commissioner has gone on to consider whether the conditions under section 55A DPA are met. Seriousness of the contravention 37. The Commissioner is satisfied that the contravention identified above was serious. This is because on one day, a confirmed total of 451,217 direct marketing messages were sent by Virgin Media. These messages contained direct marketing material for which subscribers had not provided valid consent. 38. The Commissioner is therefore satisfied that condition (a) from section 55A(1) DPA is met. 13 Deliberate or negligent contraventions 39. The Commissioner has considered whether the contravention identified above was deliberate. In the Commissioner’s view, this means that Virgin Media’s actions which constituted that contravention were deliberate actions (even if Virgin Media did not actually intend thereby to contravene PECR). 40. The Commissioner considers that in this case Virgin Media did deliberately contravene regulation 22 of PECR. Virgin Media does not say that it did not know that the 451,217 recipients of the email in question had not provided valid consent. On the contrary, its position is that these recipients were selected, in part, because they had opted out of marketing communications (and, Virgin Media says, because it reasonably considered that they might wish to change that preference). It is noted that on the same day as the contravention, Virgin Media sent 209,254 emails without the Marketing Preference Reminder to opt-out customers, and so was self-evidently selecting recipients on the basis of known criteria. 41. For the above reasons, the Commissioner is satisfied that this breach was deliberate. 42. In the alternative, the Commissioner has gone on to consider whether the contravention identified above was negligent. This consideration comprises two elements. 43. Firstly, he has considered whether Virgin Media knew or ought reasonably to have known that there was a risk that these contraventions would occur. He is satisfied that this condition is met, for the following reasons. Unsolicited direct marketing emails are widely 14 known to be a problem. Virgin Media is a large organisation with a longstanding, positive working relationship with the ICO. Further, the Commissioner has published detailed guidance for those carrying out direct marketing explaining their legal obligations under PECR. This guidance gives clear advice regarding the requirements of consent for direct marketing and explains the circumstances under which organisations are able to carry out marketing over the phone, by text, by email, by post, or by fax. In particular it states that organisations can generally only send, or instigate, marketing messages to individuals if that person has specifically consented to receiving them. The Commissioner has also published detailed guidance on consent under the GDPR. In case organisations remain unclear on their obligations, the ICO operates a telephone helpline. ICO communications about previous enforcement action where businesses have not complied with PECR are also readily available. Virgin Media could have sought clarification or guidance if it was unsure as to any particular issue. 44. It is therefore reasonable to suppose that Virgin Media should have been aware of its responsibilities in this area. 45. Secondly, the Commissioner has gone on to consider whether Virgin Media failed to take reasonable steps to prevent the contraventions. Again, he is satisfied that this condition is met. 46. This is not a case in which communications were sent inadvertently. They were targeted at users who had opted out from receiving such communications. That demonstrates in itself that no reasonable steps were taken to prevent the contraventions. Further, if there was doubt about whether the emails in question would contravene regulation 22, Virgin Media could legitimately have sought advice from the Commissioner. It failed to do so. 15 47. In the circumstances, the Commissioner is satisfied that Virgin Media failed to take reasonable steps to prevent the contraventions. 48. The Commissioner is therefore satisfied that condition (b) from section 55A (1) DPA is met. The Commissioner’s decision to issue a monetary penalty 49. For the reasons explained above, the Commissioner is satisfied that the conditions from section 55A (1) DPA have been met in this case. He is also satisfied that the procedural rights under section 55B have been complied with. The latter has included the issuing of a Notice of Intent, in which the Commissioner set out his preliminary thinking. In reaching his final view, the Commissioner has taken into account the representations made by Virgin Media on this matter. 50. The Commissioner is accordingly entitled to issue a monetary penalty in this case. The Commissioner has considered whether, in the circumstances, he should exercise his discretion so as to issue a monetary penalty. 51. The Commissioner’s underlying objective in imposing a monetary penalty notice is to promote compliance with PECR. The sending of unsolicited direct marketing messages is a matter of significant public concern. A monetary penalty in this case should act as a general encouragement towards compliance with the law, or at least as a deterrent against non-compliance, on the part of all persons running businesses currently engaging in these practices. The issuing of a monetary penalty will reinforce the need for businesses to ensure that they are only messaging those who specifically consent to receive direct marketing. 16 52. For these reasons, the Commissioner has decided to issue a monetary penalty in this case. The amount of the penalty 53. In determining the amount of the penalty, the Commissioner first considered the nature and seriousness of the contravention. He concluded that an appropriate starting point for the penalty should be £50,000. 54. The Commissioner went on to consider whether there were any aggravating or mitigating factors which would warrant an increase or reduction to this starting point. 55. The Commissioner identified the following aggravating features of this case: • The business generated from the emails in question would have the potential of Virgin Media benefitting from financial gain. • The ICO produces clear guidance via its website on the rules of direct marketing and that guidance on current regulations has been in existence for a considerable amount of time. The ICO also operates a helpline, should organisations be unsure and require further clarification. 56. The Commissioner did not consider that there are any mitigating factors of this case. 57. The Commissioner also considered the likely impact of a monetary penalty on Virgin Media. He has decided on the information that is available to him, that Virgin Media has access to sufficient financial 17 resources to pay the proposed monetary penalty without causing undue financial hardship and that a penalty remains the appropriate course of action in the circumstances of this case. 58. The Commissioner did not consider that any of the above factors warranted an increase or decrease in the starting point for the penalty. 59. Taking into account all of the above, the Commissioner has decided that a penalty in the sum of £50,000 (fifty thousand pounds) is reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty. Conclusion 60. The monetary penalty must be paid to the Commissioner’s office by BACS transfer or cheque by 10 January 2022 at the latest. The monetary penalty is not kept by the Commissioner but will be paid into the Consolidated Fund which is the Government’s general bank account at the Bank of England. 61. If the Commissioner receives full payment of the monetary penalty by 9 January 2022 the Commissioner will reduce the monetary penalty by 20% to £40,000 (forty thousand pounds). However, you should be aware that the early payment discount is not available if you decide to exercise your right of appeal. 62. There is a right of appeal to the First-tier Tribunal (Information Rights) against: (a) the imposition of the monetary penalty and/or; 18 (b) the amount of the penalty specified in the monetary penalty notice. 63. Any notice of appeal should be received by the Tribunal within 28 days of the date of this monetary penalty notice. 64. Information about appeals is set out in Annex 1. 65. The Commissioner will not take action to enforce a monetary penalty unless: • the period specified within the notice within which a monetary penalty must be paid has expired and all or any of the monetary penalty has not been paid; • all relevant appeals against the monetary penalty notice and any variation of it have either been decided or withdrawn; and • the period for appealing against the monetary penalty and any variation of it has expired. 66. In England, Wales and Northern Ireland, the monetary penalty is recoverable by Order of the County Court or the High Court. In Scotland, the monetary penalty can be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland. Dated the 6th December 2021 Andy Curry Head of Investigations Information Commissioner’s Office Wycliffe House 19 Water Lane Wilmslow Cheshire SK9 5AF 20 ANNEX 1 SECTION 55 A-E OF THE DATA PROTECTION ACT 1998 RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER 1. Section 55B(5) of the Data Protection Act 1998 gives any person upon whom a monetary penalty notice has been served a right of appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’) against the notice. 2. If you decide to appeal and if the Tribunal considers:- a) that the notice against which the appeal is brought is not in accordance with the law; or b) to the extent that the notice involved an exercise of discretion by the Commissioner, that he ought to have exercised her discretion differently, the Tribunal will allow the appeal or substitute such other decision as could have been made by the Commissioner. In any other case the Tribunal will dismiss the appeal. 3. You may bring an appeal by serving a notice of appeal on the Tribunal at the following address: General Regulatory Chamber HM Courts & Tribunals Service PO Box 9300 Leicester LE1 8DJ 21 Telephone: 0203 936 8963 Email: grc@justice.gov.uk a) The notice of appeal should be sent so it is received by the Tribunal within 28 days of the date of the notice. b) If your notice of appeal is late the Tribunal will not admit it unless the Tribunal has extended the time for complying with this rule. 4. The notice of appeal should state:- a) your name and address/name and address of your representative (if any); b) an address where documents may be sent or delivered to you; c) the name and address of the Information Commissioner; d) details of the decision to which the proceedings relate; e) the result that you are seeking; f) the grounds on which you rely; g) you must provide with the notice of appeal a copy of the monetary penalty notice or variation notice; h) if you have exceeded the time limit mentioned above the notice of appeal must include a request for an extension of time 22 and the reason why the notice of appeal was not provided in time. 5. Before deciding whether or not to appeal you may wish to consult your solicitor or another adviser. At the hearing of an appeal a party may conduct his case himself or may be represented by any person whom he may appoint for that purpose. 6. The statutory provisions concerning appeals to the First-tier Tribunal (Information Rights) are contained in section 55B(5) of, and Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No. 1976 (L.20)).