|
|
| Line 78: |
Line 78: |
| ==Further Resources== | | ==Further Resources== |
| ''Share blogs or news articles here!'' | | ''Share blogs or news articles here!'' |
|
| |
| ==English Machine Translation of the Decision==
| |
| The decision below is a machine translation of the English original. Please refer to the English original for more details.
| |
|
| |
| <pre>
| |
| •
| |
|
| |
| ICO.
| |
| Information Commissioner 's Office
| |
|
| |
|
| |
| DATA PROTECTION ACT 1998
| |
|
| |
|
| |
| SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER
| |
|
| |
|
| |
|
| |
| MONETARY PENAL TY NOTICE
| |
|
| |
|
| |
|
| |
|
| |
| To: Valca Vehicle and Life Cover Agency Limited
| |
|
| |
| Of: 281 Palatine Road, Manchester, England M22 4ET
| |
|
| |
| 1. The InformationCommissioner ("Commissioner") has decided to issue
| |
|
| |
| Valca Vehicle and Life Cover Agency Limited ("Valca") with a monetary
| |
|
| |
| penalty under section SSA of the Data Protection Act 1998 ("DPA"). The
| |
| penalty is in relation to a serious contravof Regulations 22 and
| |
|
| |
| 23 of the Privacy and Electronic Communicatio(EC Directive)
| |
| Regulations 2003 ("PECR").
| |
|
| |
|
| |
|
| |
| 2. This notice explains the Commissioner's decision.
| |
|
| |
|
| |
| Legal framework
| |
|
| |
|
| |
| 3. Valca, whose registered office is given above (Companies House
| |
|
| |
| Registration Number: 11013461) is the organisation stated in this
| |
| notice to have transmitteunsolicited communicationby means of
| |
|
| |
| electronic mail to individual subscribers for the purposes of direct
| |
|
| |
| marketing contrary to regulation 22 of PECR.
| |
|
| |
|
| |
| 4. Regulation 22 of PECRstates:
| |
|
| |
|
| |
|
| |
|
| |
| 1 •
| |
|
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
| "(l) This regulation applies to the transmission of unsolicited
| |
| communications by means of electronic mail to individual
| |
|
| |
| subscribers.
| |
|
| |
| (2) Except in the circumstances referred to in paragraph (3), a person
| |
|
| |
| shall neither transmit, nor instigate the transmission of, unsolicited
| |
| communications for the purposes of direct marketing by means of
| |
|
| |
| electronic mail unless the recipient of the electronic mail has
| |
|
| |
| previously notified the sender that he consents for the time being
| |
| to such communications being sent by, or at the instigation of, the
| |
|
| |
| sender.
| |
|
| |
| (3) A person may send or instigate the sending of electronic mail for
| |
|
| |
| the purposes of direct marketing where-
| |
|
| |
| (a) that person has obtained the contact details of the recipient
| |
| of that electronic mail in the course of the sale or
| |
|
| |
| negotiations for the sale of a product or service to that
| |
|
| |
| recipient;
| |
|
| |
| (b) the direct marketing is in respect of that person's similar
| |
| products and services only; and
| |
|
| |
| (c) the recipient has been given a simple means of refusing
| |
|
| |
| (free of charge except for the costs of the transmission of
| |
|
| |
| the refusal) the use of his contact details for the purposes
| |
| of such direct marketing, at the time that the details were
| |
|
| |
| initially collected, and, where he did not initially refuse the
| |
|
| |
| use of the details, at the time of each subsequent
| |
| communication.
| |
|
| |
| (4) A subscriber shall not permit his line to be used in contraventioof
| |
|
| |
| paragraph (2)."
| |
|
| |
|
| |
|
| |
|
| |
|
| |
| 2 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
|
| |
| 5. Regulation 23 of PECRstates that "A person shall neither transminor
| |
| instigate the transmission of, a communicatifor the purposes of
| |
|
| |
| direct marketing by means of electronic mail -
| |
|
| |
|
| |
| (a) where the identity of the person on whose behalf the
| |
| communication has been sent has been disguised or
| |
|
| |
| concealed;
| |
|
| |
| (b) where a valid address to which the recipient of the
| |
|
| |
| communication may send a request that such
| |
| communications cease has not been provided
| |
|
| |
| (c) where that electronic mail would contravene regulation 7 of
| |
|
| |
| the Electronic Commerce (EC Directive) Regulations 2002;
| |
| or
| |
|
| |
| (d) where that electronic mail encourages recipients to visit
| |
|
| |
| websites which contravene that regulation."
| |
|
| |
|
| |
|
| |
| 6. Section 122(5) of the DPA 2018 defines direct marketing as "the
| |
| communication (by whatever means) of advertising material which is
| |
|
| |
| directed to particular individuals". This definition also applies for the
| |
| purposes of PECR(see regulation 2(2) PECR; and Schedule 19,
| |
|
| |
| paragraph 430 and 432(6) DPA18).
| |
|
| |
|
| |
| 7. Consent is defined in Article 4(11) the General Data Protection
| |
|
| |
| Regulation 2016/679 as "any freely given, specific, informed and
| |
| unambiguous indication of the data subject's wishes by which he or
| |
|
| |
| she, by a statement or by a clear affirmative action, signifies
| |
| agreement to the processing of personal data relating to him or her.
| |
|
| |
|
| |
|
| |
| 8. "Individual"is defined in regulation 2(1) of PECRas "a living individual
| |
| and includes an unincorporatedbody of such individuals".
| |
|
| |
| 3 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
|
| |
|
| |
| 9. A "subscriber"is defined in regulation 2(1) of PECRas "a person who is
| |
| a party to a contract with a provider of public electronic
| |
|
| |
| communications services for the supply of such services".
| |
|
| |
| 10. "Electronic mail" is defined in regulation 2(1) of PECRas "any text,
| |
|
| |
| voice, sound or image message sent over a public electronic
| |
| communications network which can be stored in the network or in the
| |
|
| |
| recipient's terminal equipment until it is collected by the recipient and
| |
|
| |
| includes messages sent using a short message service".
| |
|
| |
|
| |
| 11. Section SSA of the DPA (as amended by the Privacy and Electronic
| |
| Communications (EC Directive)(Amendment) Regulations 2011 and the
| |
|
| |
| Privacy and Electronic Communications (Amendment) Regulations
| |
| 2015) states:
| |
|
| |
|
| |
|
| |
| "(1) The Commissioner may serve a person with a monetary penalty if
| |
| the Commissioner is satisfied that -
| |
|
| |
| (a) there has been a serious contraventioof the requirements
| |
|
| |
| of the Privacy and Electronic Communications(EC
| |
| Directive) Regulations 2003 by the person,
| |
|
| |
| (b) subsection (2) or (3) applies.
| |
|
| |
| (2) This subsection applies if the contraventiwas deliberate.
| |
|
| |
|
| |
| (3) This subsection applies if the person -
| |
|
| |
| (a) knew or ought to have known that there was a risk that
| |
| the contravention would occur, but
| |
|
| |
| (b) failed to take reasonable steps to prevent the
| |
|
| |
| contravention."
| |
|
| |
|
| |
|
| |
|
| |
| 4 •
| |
|
| |
| ICO.
| |
| Information Commissioner 's Office
| |
|
| |
| 12. The Commissioner has issued statutory guidance under section SSC (1)
| |
| of the DPA about the issuing of monetary penalties that has been
| |
|
| |
| published on the ICO's website. The Data Protection (Monetary
| |
| Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe
| |
|
| |
| that the amount of any penalty determined by the Commissioner must
| |
| not exceed £500,000.
| |
|
| |
|
| |
|
| |
| 13. PECRimplements European legislation (Directive 2002/58/EC) aimed at
| |
| the protection of the individual's fundamentright to privacy in the
| |
|
| |
| electronic communications sector. PECRwas amended for the purpose
| |
| of giving effect to Directive 2009/136/which amended and
| |
|
| |
| strengthened the 2002 provisions. The Commissioner approaches PECR
| |
|
| |
| so as to give effect to the Directives.
| |
|
| |
|
| |
| 14. The provisions of the DPA remain in force for the purposes of PECR
| |
| notwithstanding the introductionof the Data Protection Act 2018 (see
| |
|
| |
| paragraph 58(1) of Part 9, Schedule 20 of that Act).
| |
|
| |
|
| |
| Background to the case
| |
|
| |
|
| |
| 15. Phone users can report the receipt of unsolicited marketing text
| |
|
| |
| messages to the GSMA's Spam Reporting Service by forwarding the
| |
| message to 7726 (spelling out "SPAM"). The GSMA is an organisation
| |
|
| |
| that represents the interests of mobile operators worldwidThe
| |
| Commissioner is provided with access to the data on complaints made
| |
|
| |
| to the 7726 service and this data is incorporated into a Monthly Threat
| |
|
| |
| Assessment (MTA) used to ascertain organisations in breach of PECR.
| |
|
| |
|
| |
| 16. Valca are a company specialising in lead generation for financial
| |
| products. They currently operate as 'Debtquitto generate leads for
| |
|
| |
|
| |
|
| |
| 5 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
|
| |
| Individual Voluntary Agreements ("IVA's") and other debt management
| |
| products.
| |
|
| |
|
| |
| 17. Valca came to the attention of the Commissioner after an initial 22
| |
| complaints were received via the 7726 complaints tool about
| |
|
| |
| unsolicited text messages between 15 June 2020 and 23 June 2020.
| |
| These text messages contained, or contained slight variations of, the
| |
|
| |
| following text:
| |
|
| |
|
| |
| "*firstname*Affected by Covid? Struggling with finances? lost job
| |
| /furloughed? Were here to help! Gvnmnt backed support see if you
| |
|
| |
| qualify http ://www.debtquity.org"
| |
|
| |
|
| |
| 18. It was noted that these texts did not offer individuals an ability to 'opt
| |
|
| |
| out' of future unsolicited text messages.
| |
|
| |
|
| |
| 19. An initial investigatiletter was sent to Valca on 24 June 2020,
| |
| highlighting the Commissioner's concerns with Valca's PECRcompliance
| |
|
| |
| and requesting informationrelating to the volumes of texts sent, the
| |
| source of data used to send said texts, details of any due diligence
| |
|
| |
| undertaken, together with questions regarding the lack of an opt-out in
| |
|
| |
| the text messages for which there had been complaints.An appendix
| |
| detailing the complaints received was also sent to Valca.
| |
|
| |
|
| |
| 20. The director of Valca provided a partial response on 24 June 2020
| |
| stating that "all data we use is fully compliant and purchased from
| |
|
| |
| credible UK data suppliers that we carried out full due diligence against
| |
|
| |
| prior to point of supply, in relation to not listing an opt out on said SMS
| |
| messages this is down to human error and has been amended now for
| |
|
| |
| future broadcasts, we are happy to send out an opt out message to the
| |
| complaints made to date which is a total of 23 from a one of broadcast
| |
|
| |
| of 30. 000 lines of opted in data. We only commenced the sms
| |
|
| |
| 6 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
| th
| |
| campaign on the 15 June 2020 so we have nipped this in the bud
| |
| extremely early" [sic].
| |
|
| |
|
| |
| 21. The Commissioner, on 25 June 2020, advised Valca not to contact the
| |
|
| |
| complainants again, but to add them to a suppression list, and asked
| |
| that Valca respond to all of the initial questions asked by the
| |
|
| |
| Commissioner in full.
| |
|
| |
| 22. A further substantive response was provided by Valca on 7 July 2020.
| |
|
| |
| This response advised that two platforms were used to send Valca's
| |
|
| |
| direct marketing messages: _,and_, with reports being
| |
| provided to show the volumes of messages sent via those platforms.
| |
|
| |
|
| |
| 23. Valca confirmed that its data was purchased from a third party: •
| |
|
| |
| Limited (the "third-partydata provider"), and that
| |
| regarding its due diligence with the third-padata provider, it
| |
|
| |
| "matched our campaign and Company requirements against fully opted
| |
| in data, due diligence wise we run various checks on any Company that
| |
|
| |
| we consider using from the ICO MOJ and other governing bodies to
| |
|
| |
| ensure that there are no outstanding concerns relating to them as a
| |
| potential supplier, we also look at financials, recommendatiofrom
| |
|
| |
| other Companies within this arena and finally check out any online
| |
| listings for any bad press".
| |
|
| |
|
| |
| 24. In terms of evidencing how consent is obtained by the third-partdata
| |
|
| |
| provider for Valca to engage in direct marketing, Valca advised that it
| |
| is "on privacy policy and other privacy policies allow for third party
| |
|
| |
| marketing also" [sic].
| |
|
| |
|
| |
| 25. The Commissioner directed further enquiries to Valca on 8 July 2020,
| |
| requesting information as to the data purchased, and the agreement
| |
|
| |
| with the third-partdata provider. An updated complaints spreadsheet
| |
|
| |
|
| |
| 7 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
|
| |
| was provided to Valca, showing that there had now been a total of 68
| |
| complaints recognised in relation to its text messages.
| |
|
| |
|
| |
| 26. Valca provided a further response on 17 July 2020 stating that it had
| |
| purchased 100,000 records from the third-partydata provider which
| |
|
| |
| were "fully opted in for SMS". Valca was unable to produce a contract
| |
| as it had been a "trial order" but did produce an invoice between itself
| |
|
| |
| and its third-pardata provider dated 16 March 2020 confirming the
| |
|
| |
| purchase of 100,000 leads, and payment for a 'privacy policy edit' to
| |
| '. Valca produced updated 'outbound SMS' reports for
| |
|
| |
| its-and - platforms, although it noted that_
| |
| had been used for just one day. Valca also produced a document as
| |
|
| |
| purported evidence of consent for the initial 22 complaints, with each
| |
|
| |
| of the 22 complainant's data having been obtained through
| |
|
| |
|
| |
|
| |
| 27. requires users to register with it to use its services
| |
| and operates by offering 'deals'. At the point of registrausers
| |
|
| |
| agree to a consent statement where they are able to select whether
| |
|
| |
| they wish to be contacted by email, SMS, post, and/or telephone,
| |
| together with a further option to agree to being contacted by 'the
| |
|
| |
| following partners' using the agreed methods.The 'Partners' link takes
| |
| users to a 'brands page' which lists 16 distinct companies, none of
| |
|
| |
| which are Valca. There appears to be no option for users to
| |
|
| |
| select/deselect partners.
| |
|
| |
| 28. Upon viewing Privacy Policy, users are told:
| |
|
| |
|
| |
| "Once you register with the our website you consent to
| |
| its sponsor question clients and website sponsors being able to send
| |
|
| |
| you communications via the channel(s) you selected as part of the sign
| |
|
| |
|
| |
|
| |
| 8 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
|
| |
| up until such time as you exercise your right to opt-out of receiving
| |
| such communications"
| |
|
| |
|
| |
| 29. The Privacy Policy proceeds to provide two further lists of companies: a
| |
| 'marketing service providers' list containing 7 distinct companies, and a
| |
|
| |
| list of 'direct clients' containing 443 distinct companies. The Privacy
| |
| Policy's 'Data Collection Notice' advises that and its
| |
|
| |
| partners operate in over 40 areas, spanning a wide range of sectors
| |
|
| |
| including fashion, automotivegambling, construction,legal services
| |
| etc. The Commissioner noted that Valca were not visible at all as of
| |
|
| |
| checks carried out on the website's privacy policy separately on 22
| |
| June 2020 but were visible as one of the 443 'direct clients' on 21 July
| |
|
| |
| 2020. The precise date on which Valca became visible is not known.
| |
|
| |
|
| |
| 30. On 22 July 2020 the Commissioner served a third-party Information
| |
|
| |
| Notice ("3PIN") on - - to establish, inter
| |
| alia, the number of connected messages sent by Valca between 1 June
| |
|
| |
| 2020 and 20 July 2020.
| |
|
| |
|
| |
| 31. The response to the 3PIN advised that there had been 104,550
| |
| messages sent by Valca between 15 June 2020 and 20 July 2020, of
| |
|
| |
| which 95,004 were delivered to a subscriber.
| |
|
| |
| 32. The 3PIN also provided details of the content for each of the messages
| |
|
| |
| sent, of which a trend could be identified that none of the messages
| |
|
| |
| sent contained an opt-out link until 25 June 2020 - the first day
| |
| following the Commissioner's initial investigatletter.It can
| |
|
| |
| therefore be determined that between 15 June 2020 and 24 June 2020
| |
| there were 24,995 text messages sent without an opt-out link, of which
| |
|
| |
| 18,393 were delivered.
| |
|
| |
|
| |
|
| |
|
| |
| 9 •
| |
|
| |
| ICO.
| |
| Information Commissioner 's Office
| |
|
| |
| 33. The Commissioner is aware, from information provided by Valca on 7
| |
| July 2020, of a further 2,025 text messages being sent by Valca over
| |
|
| |
| the period of contraventionusing the - platform, although this
| |
| platform was used for just one day, and the number of received
| |
|
| |
| messages is unknown and is unlikely to be obtainable.
| |
|
| |
|
| |
| 34. As of 20 July 2020, the Commissioner was able to identify a total of
| |
| 114 complaints concerning Valca's unsolicited direct marketing text
| |
|
| |
| messages over the relevant period.
| |
|
| |
| 35. An 'end of investigationletter was sent to Valca on 21 July 2020.
| |
|
| |
|
| |
| 36. The Commissioner has since identified that between 21 July 2020 and
| |
|
| |
| 13 November 2020 there were a further 165 complaints made about
| |
| Valca via the 7726 service.
| |
|
| |
|
| |
| 37. The Commissioner has made the above findings of fact on the
| |
|
| |
| balance of probabilities.
| |
|
| |
|
| |
| 38. The Commissioner has considered whether those facts constitute
| |
|
| |
| a contraventionof regulations 22 and 23 of PECRby Valca and, if so,
| |
| whether the conditions of section SSA DPA are satisfied.
| |
|
| |
|
| |
| The contravention
| |
|
| |
|
| |
|
| |
| 39. The Commissioner finds that Valca contravened regulations 22 and 23
| |
| of PECR.
| |
|
| |
|
| |
| 40. The Commissioner finds that the contraventionwas as follows:
| |
|
| |
|
| |
| 41. The Commissioner finds that between 15 June 2020 and 20 July 2020
| |
|
| |
| there were 95,004 unsolicited direct marketing text messages received
| |
|
| |
| 10 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
|
| |
| by subscribers.This resulted in a total of 114 complaints being
| |
| received via the 7726 service. The Commissioner finds that Valca
| |
|
| |
| transmitted the direct marketing messages received, contrary to
| |
| regulation 22 of PECR.
| |
|
| |
|
| |
| 42. The Commissioner is satisfied that the contraventicould have been
| |
| higher, with a total of 104,550 unsolicited text messages being sent
| |
|
| |
| over the relevant time using the-platform, and a further 2,025
| |
|
| |
| being sent using -·
| |
|
| |
| 43. Of the messages known to have been received, 18,393 (i.e., all of
| |
|
| |
| those received before 25 June 2020) did not contain an opt-out link,
| |
| contrary to the requirements of regulation 23 PECR.
| |
|
| |
|
| |
| 44. Valca, as the sender of the direct marketing, is required to ensure that
| |
|
| |
| it is acting in compliance with the requirements of regulation 22 of
| |
| PECR,and to ensure that valid consent to send those messages had
| |
|
| |
| been acquired.
| |
|
| |
|
| |
| 45. Valca relied on consent obtained by another organisation for its own
| |
|
| |
| purposes, i.e., 'indirect conseThe Commissioner's direct marketing
| |
| guidance says "organisationneed to be aware that indirect consent
| |
|
| |
| will not be enough for texts, emails or automated calls. This is because
| |
| the rules on electronic marketing are stricter, to reflect the more
| |
|
| |
| intrusive nature of electronic messages."
| |
|
| |
|
| |
| 46. It goes on to say that indirect consent can be valid but only if it is clear
| |
| and specific enough. Moreover, "the customer must have anticipated
| |
|
| |
| that their details would be passed to the organisation in question, and
| |
| that they were consenting to messages from that organisation. This will
| |
|
| |
| depend on what exactly they were told when consent was obtained".
| |
|
| |
|
| |
|
| |
| 11 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
|
| |
| 47. Consent will not be "informedif individuals do not understand what
| |
| they are consenting to. Organisations should therefore always ensure
| |
|
| |
| that the language used is clear, easy to understand, and not hidden
| |
| away in a privacy policy or small prinThe Commissioner is concerned
| |
|
| |
| that at the point of consent being obtained, subscribers are asked to
| |
|
| |
| tick a box which gives a misleading impression that only a limited
| |
| number of 16 organisations may contact them (duly named within the
| |
|
| |
| 'partners' link on the registration pagHowever, it is only if
| |
|
| |
| subscribers drill down into the separate privacy policy that they are
| |
| advised that any one of 450 companies may in fact contact them, none
| |
|
| |
| of which the subscriber has any ability to refuse contact from.
| |
|
| |
| 48. It is the Commissioner's position that consent will not be valid if
| |
|
| |
| individuals are asked to agree to receive marketing from "similar
| |
|
| |
| organisations", "partners""selected third parties" or other similar
| |
| generic description.Further, and relevantly, consent will not be valid
| |
|
| |
| where an individual is presented with a long, seemingly exhaustive list
| |
| of general categories of organisations. The Commissioner finds that
| |
|
| |
| 450 organisations, concerning 40 sectors, is far too exhaustive a list to
| |
|
| |
| enable individuals to give valid consent.
| |
|
| |
| 49. During the course of the investigatioValca provided an invoice dated
| |
|
| |
| 16 March 2020 between it and its third-partdata provider to
| |
|
| |
| demonstrate that it had paid to be added to the privacy policy for
| |
| , the website from which its third-pardata provider
| |
|
| |
| obtained data. The date on which Valca were added to the privacy
| |
| policy is unclear, however the Commissioner has evidence that it was
| |
|
| |
| not listed as a 'direct client', or apparently at all on
| |
|
| |
| by 22 June 2020, by which point Valca had already sent 16,759
| |
| unsolicited text messages using data obtained from that site. In any
| |
|
| |
| event, even after Valca had been added to the privacy policy, the
| |
|
| |
|
| |
| 12 •
| |
|
| |
| ICO.
| |
| Information Commissioner 's Office
| |
| Commissioner has concerns that any consents relied on by Valca
| |
|
| |
| cannot be said to be valid.
| |
|
| |
|
| |
| 50. There is nothing immediately in the consent statement at registration
| |
| that would inform an individual that by agreeing to the privacy policy
| |
|
| |
| and terms and conditions, they are in fact agreeing for their data to be
| |
| passed to 450 companies spanning 40 various sectors. Whilst there is a
| |
|
| |
| third-partyconsent opt-in box, this only lists 16 companies at the point
| |
| of consent and gives individuals no indication that for a more
| |
|
| |
| comprehensive list they will need to consult the privacy policy. This
| |
| cannot constitute informed consent.
| |
|
| |
|
| |
|
| |
| 51. The Commissioner is therefore satisfied from the evidence she has
| |
| seen that Valca did not have the necessary valid consent to send the
| |
|
| |
| 95,004 unsolicited direct marketing messages received by subscribers.
| |
| This constitutes a contraventioof regulation 22 PECR.
| |
|
| |
|
| |
| 52. The Commissioner is also concerned that 18,393 of those received
| |
| messages (i.e., all of those received before the Commissioner's initial
| |
|
| |
| investigation letter) did not contain an opt-out link. As such, the
| |
|
| |
| Commissioner is satisfied that the actions of Valca in respect of these
| |
| 18,393 messages have also contravened regulation 23 PECR.
| |
|
| |
|
| |
| 53. The Commissioner has gone on to consider whether the conditions
| |
|
| |
| under section SSA DPA are met.
| |
|
| |
|
| |
| Seriousness of the contravention
| |
|
| |
|
| |
| 54. The Commissioner is satisfied that the contraventiidentified
| |
|
| |
| above was serious. This is because between 15 June 2020 and 20 July
| |
| 2020 a total of 95,004 connected unsolicited direct marketing
| |
|
| |
| messages were received by subscribers, resulting in 114 complaints.
| |
| 13 •
| |
|
| |
| ICO.
| |
| Information Commissioner 's Office
| |
|
| |
|
| |
| 55. Valca has failed to provide any evidence of valid consent for any of the
| |
|
| |
| 95,004 unsolicited direct marketing messages received by subscribers.
| |
|
| |
| 56. In addition, the Commissioner is concerned by the content of the
| |
|
| |
| unsolicited text messages which reference the Covid-19 pandemic and
| |
| appeal to individuals whose finances have been adversely affected.
| |
|
| |
| This, in the Commissioner's view, is a clear attempt to capitalise on,
| |
| and profiteer from, the national health crisis.
| |
|
| |
|
| |
| 57. The Commissioner is therefore satisfied that condition (a) from
| |
|
| |
| section 55A(l) DPA is met.
| |
|
| |
|
| |
| Deliberate or negligent contraventions
| |
|
| |
|
| |
| 58. The Commissioner has considered whether the contravention identified
| |
|
| |
| above was deliberate.
| |
|
| |
|
| |
| 59. The Commissioner considers that Valca deliberately set out to
| |
| contravene PECRin this instance. The data relied on by Valca was not
| |
|
| |
| validly opted-in, and beyond paying a small sum for its inclusion on a
| |
| privacy policy there is no indication that they sought to undertake any
| |
|
| |
| additional steps to ensure protection of individuals' privacy rights, i.e.,
| |
|
| |
| by observing the 'customer journey'doing so would likely have raised
| |
| concerns with Valca regarding its reliance on the data being obtained.
| |
|
| |
| It is also concerning that Valca continued to send its unsolicited direct
| |
| marketing text messages (albeit with an opt-out link) even following
| |
|
| |
| the Commissioner's initial investigation correspondence which
| |
| highlighted real concerns with the organisation's compliance with PECR.
| |
|
| |
|
| |
|
| |
|
| |
|
| |
| 14 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
|
| |
| 60. Further, and in any event, the Commissioner has gone on to consider
| |
| whether the contraventionidentified above was negligent. This
| |
|
| |
| consideration comprises two elements:
| |
|
| |
|
| |
| 61. Firstly, she has considered whether Valca knew or ought reasonably to
| |
| have known that there was a risk that these contraventionwould
| |
|
| |
| occur. She is satisfied that this condition is met, not least since the
| |
|
| |
| issue of unsolicited text messages have been widely publicised by the
| |
| media as being a problem.
| |
|
| |
|
| |
| 62. The Commissioner has published detailed guidance for those carrying
| |
|
| |
| out direct marketing explaining their legal obligations under PECR.
| |
| This guidance gives clear advice regarding the requirements of consent
| |
|
| |
| for direct marketing and explains the circumstances under which
| |
|
| |
| organisations are able to carry out marketing over the phone, by text,
| |
| by email, by post, or by fax. In particular it states that organisations
| |
|
| |
| can generally only send, or instigate, marketing messages to
| |
| individuals if that person has specifically consented to receiving them.
| |
|
| |
| The guidance is also clear about the significant risks of relying on
| |
|
| |
| indirect consent, as Valca did in this instance.
| |
|
| |
| 63. The Commissioner also notes that the company's sole director, in a
| |
|
| |
| self-writtebiography on f6s.com, describes himself as a 'serial
| |
| entrepreneur with vast experience in sales and marketing'.
| |
|
| |
|
| |
| 64. It is therefore reasonable to suppose that Valca should have been
| |
| aware of its responsibilities in this area.
| |
|
| |
|
| |
| 65. Secondly, the Commissioner has gone on to consider whether Valca
| |
|
| |
| failed to take reasonable steps to prevent the contraventioAgain,
| |
| she is satisfied that this condition is met.
| |
|
| |
|
| |
|
| |
| 15 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
|
| |
| 66. Valca used a bought-in list of data and relied on indirect consent for its
| |
| unsolicited direct marketing messages.It claimed during the
| |
|
| |
| investigation that it had carried out "full due diligence", however the
| |
| Commissioner has seen little evidence of this in ensuring the veracity
| |
|
| |
| of the data being purchased aside from the production of an invoice to
| |
|
| |
| show that Valca were to be added to the privacy policy of
| |
| on an unknown date (which was, in any event,
| |
|
| |
| evidently not before 22 June 2020).
| |
|
| |
|
| |
| 67. Whilst Valca advised in the course of the investigation that "due
| |
| diligence wise we run various checks on any Company that we consider
| |
|
| |
| using from the ICO MOJ and other governing bodies to ensure that
| |
| there are no outstanding concerns relating to them as a potential
| |
|
| |
| supplier, we also look at financials, recommendationsfrom other
| |
|
| |
| Companies within this arena and finally check out any online listings for
| |
| any bad press" [sic], such checks do nothing to ensure that the data
| |
|
| |
| being obtained by Valca is compliant for its own marketing purposes.
| |
|
| |
| 68. Such reasonable steps which the Commissioner might expect in these
| |
|
| |
| circumstances could have included ensuring a comprehensive contract
| |
|
| |
| was in place with the third-partdata provider for the provision of the
| |
| data to be relied upon, to ensure its reliability and valiItwould
| |
|
| |
| also have been reasonable for Valca to carry out its own checks as to
| |
| how consent was being obtained via the site,
| |
|
| |
| notwithstanding any assurances by its third-partydata provider - such
| |
|
| |
| checks would have alerted Valca to the inadequacy of the consents
| |
| being obtained via this site for the purposes of third-padirect
| |
|
| |
| marketing. In short, simple reliance on assurances of indirect consent
| |
|
| |
| alone without undertaking proper due diligence is not acceptable.
| |
|
| |
| 69. In the circumstances, the Commissioner is satisfied that Valca failed to
| |
|
| |
| take reasonable steps to prevent the contraventions.
| |
|
| |
| 16 •
| |
|
| |
| ICO.
| |
| Information Commissioner 's Office
| |
|
| |
|
| |
| 70. The Commissioner is therefore satisfied that condition (b) from section
| |
|
| |
| SSA (1) DPA is met.
| |
|
| |
|
| |
| The Commissioner's decision to issue a monetary penalty
| |
|
| |
|
| |
| 71. The Commissioner has also taken into account the following
| |
|
| |
| aggravating features of this case:
| |
|
| |
|
| |
| • Valca failed to include an opt-out in its unsolicitedirect marketing
| |
|
| |
| messages up until the Commissioner's initiainvestigation letter,in
| |
| direct contraventionof regulation 23 PECR;
| |
|
| |
|
| |
| • Thereafter, despite being under investigation by the Commissioner
| |
|
| |
| where concerns were raised regarding its PECRcompliance, and where
| |
| it was notified that a number of complaints had already been received,
| |
|
| |
| Valca continued to send unsolicited messages to its data set during the
| |
| period of contravention;
| |
|
| |
|
| |
|
| |
| 72. For the reasons explained above, the Commissioner is satisfied that the
| |
| conditions from section SSA (1) DPA have been met in this case. She is
| |
|
| |
| also satisfied that the procedural rights under section SSB have been
| |
| complied with.
| |
|
| |
|
| |
|
| |
| 73. The latter has included the issuing of a Notice of Intent, in which the
| |
| Commissioner set out her preliminary thinking. In reaching her final
| |
|
| |
| view, the Commissioner has taken into account the representations
| |
|
| |
| made by Valca on this matter.
| |
|
| |
|
| |
| 74. The Commissioner is accordingly entitled to issue a monetary penalty
| |
| in this case.
| |
|
| |
|
| |
| 17 •
| |
|
| |
| ICO.
| |
| Information Commissioner 's Office
| |
|
| |
|
| |
| 75. The Commissioner has considered whether, in the circumstances, she
| |
|
| |
| should exercise her discretion so as to issue a monetary penalty.
| |
|
| |
| 76. The Commissioner has considered the financial representatiomade,
| |
|
| |
| and the likely impact of a monetary penalty on Valca. She has decided
| |
| on the information that is available to her, that a monetary penalty in
| |
|
| |
| the figure proposed remains an appropriate and proportionaresponse
| |
| to the contravention.
| |
|
| |
|
| |
| 77. The Commissioner's underlying objective in imposing a monetary
| |
|
| |
| penalty notice is to promote compliance with PECR.The sending of
| |
|
| |
| unsolicited marketing text messages is a matter of significant public
| |
| concern. A monetary penalty in this case should act as a general
| |
|
| |
| encouragement towards compliance with the law, or at least as a
| |
| deterrent against non-compliance,on the part of all persons running
| |
|
| |
| businesses currently engaging in these practices. The issuing of a
| |
| monetary penalty will reinforce the need for businesses to ensure that
| |
|
| |
| they are only messaging those who specifically consent to receive
| |
| marketing.
| |
|
| |
|
| |
| 78. For these reasons, the Commissioner has decided to issue a monetary
| |
|
| |
| penalty in this case.
| |
|
| |
|
| |
| The amount of the penalty
| |
|
| |
| 79. Taking into account all of the above, the Commissioner has decided
| |
|
| |
| that a penalty in the sum of £80,000(eighty thousand pounds) is
| |
| reasonable and proportionategiven the particular facts of the case and
| |
|
| |
| the underlying objective in imposing the penalty.
| |
|
| |
|
| |
|
| |
|
| |
| 18 •
| |
|
| |
| ICO.
| |
| Information Commissioner 's Office
| |
| Conclusion
| |
|
| |
|
| |
|
| |
| 80. The monetary penalty must be paid to the Commissioner's office by
| |
| BACS transfer or cheque by 23 March 2021 at the latest. The
| |
|
| |
| monetary penalty is not kept by the Commissioner but will be paid into
| |
| the Consolidated Fund which is the Government's general bank account
| |
|
| |
| at the Bank of England.
| |
|
| |
|
| |
| 81. If the Commissioner receives full payment of the monetary penalty by
| |
| 22 March 2021 the Commissioner will reduce the monetary penalty
| |
|
| |
| by 20% to £64,000 (sixty-four thousand pounds). However, you
| |
|
| |
| should be aware that the early payment discount is not available if you
| |
| decide to exercise your right of appeal.
| |
|
| |
|
| |
| 82. There is a right of appeal to the First-tier Tribunal (InforRights)
| |
|
| |
| against:
| |
|
| |
|
| |
| (a) the imposition of the monetary penalty
| |
|
| |
| and/or;
| |
| (b) the amount of the penalty specified in the monetary penalty
| |
|
| |
| notice.
| |
|
| |
|
| |
| 83. Any notice of appeal should be received by the Tribunal within 28 days
| |
| of the date of this monetary penalty notice.
| |
|
| |
|
| |
| 84. Information about appeals is set out in Annex 1.
| |
|
| |
|
| |
|
| |
| 85. The Commissioner will not take action to enforce a monetary penalty
| |
| unless:
| |
|
| |
|
| |
|
| |
|
| |
| 19 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
| • the period specified within the notice within which a monetary
| |
|
| |
| penalty must be paid has expired and all or any of the monetary
| |
| penalty has not been paid;
| |
|
| |
|
| |
| • all relevant appeals against the monetary penalty notice and any
| |
| variation of it have either been decided or withdandn;
| |
|
| |
| • the period for appealing against the monetary penalty and any
| |
|
| |
| variation of it has expired.
| |
|
| |
| 86. In England, Wales and Northern Ireland, the monetary penalty is
| |
|
| |
| recoverable by Order of the County Court or the High Court. In
| |
| Scotland, the monetary penalty can be enforced in the same manner as
| |
|
| |
| an extract registered decree arbitral bearing a warrant for execution
| |
| issued by the sheriff court of any sheriffdom in Scotland.
| |
|
| |
|
| |
| Dated the 18tday of February 2021
| |
|
| |
|
| |
| Andy Curry
| |
| Head of Investigations
| |
| InformationCommissioner's Office
| |
| Wycliffe House
| |
| Water Lane
| |
| Wilmslow
| |
| Cheshire
| |
| SK9 SAF
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
| 20 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
|
| |
| ANNEX 1
| |
|
| |
|
| |
| SECTION 55 A-E OF THE DATA PROTECTION ACT 1998
| |
|
| |
|
| |
| RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER
| |
|
| |
|
| |
| 1. Section 55B(S) of the Data Protection Act 1998 gives any person
| |
|
| |
| upon whom a monetary penalty notice has been served a right of
| |
|
| |
| appeal to the First-tier Tribunal (InformRights) (the 'Tribunal')
| |
| against the notice.
| |
|
| |
|
| |
| 2. If you decide to appeal and if the Tribunal considers:-
| |
|
| |
|
| |
|
| |
| a) that the notice against which the appeal is brought is not in
| |
| accordance with the law; or
| |
|
| |
|
| |
| b) to the extent that the notice involved an exercise of
| |
|
| |
| discretion by the Commissioner, that she ought to have exercised
| |
|
| |
| her discretion differently,
| |
|
| |
|
| |
| the Tribunal will allow the appeal or substitute such other decision as
| |
| could have been made by the Commissioner. In any other case the
| |
|
| |
| Tribunal will dismiss the appeal.
| |
|
| |
|
| |
| 3. You may bring an appeal by serving a notice of appeal on the
| |
|
| |
| Tribunal at the following address:
| |
|
| |
|
| |
| General Regulatory Chamber
| |
|
| |
| HM Courts &Tribunals Service
| |
| PO Box 9300
| |
|
| |
| Leicester
| |
|
| |
| 21 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
| LEl 8DJ
| |
|
| |
|
| |
|
| |
| Telephone: 0300 123 4504
| |
| Email: grc@justice.gov.uk
| |
|
| |
|
| |
| a) The notice of appeal should be sent so it is received by the
| |
|
| |
| Tribunal within 28 days of the date of the notice.
| |
|
| |
|
| |
| b) If your notice of appeal is late the Tribunal will not admit it
| |
| unless the Tribunal has extended the time for complying with this
| |
|
| |
| rule.
| |
|
| |
|
| |
| 4. The notice of appeal should state:-
| |
|
| |
|
| |
| a) your name and address/name and address of your
| |
|
| |
| representative(if any);
| |
|
| |
|
| |
| b) an address where documents may be sent or delivered to
| |
| you;
| |
|
| |
|
| |
|
| |
| c) the name and address of the Information Commissioner;
| |
|
| |
|
| |
| d) details of the decision to which the proceedings relate;
| |
|
| |
|
| |
| e) the result that you are seeking;
| |
|
| |
|
| |
| f) the grounds on which you rely;
| |
|
| |
|
| |
| g) you must provide with the notice of appeal a copy of the
| |
|
| |
| monetary penalty notice or variation notice;
| |
|
| |
|
| |
| 22 •
| |
|
| |
| ICO.
| |
| Information Commissioner's Office
| |
| h) if you have exceeded the time limit mentioned above the
| |
| notice of appeal must include a request for an extension of time
| |
|
| |
| and the reason why the notice of appeal was not provided in
| |
| time.
| |
|
| |
|
| |
| 5. Before deciding whether or not to appeal you may wish to consult
| |
|
| |
| your solicitor or another adviser. At the hearing of an appeal a party
| |
| may conduct his case himself or may be represented by any person
| |
|
| |
| whom he may appoint for that purpose.
| |
|
| |
| 6. The statutory provisions concerning appeals to the First-tier
| |
|
| |
| Tribunal (InformatiRights) are contained in section 55B(S) of, and
| |
| Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure
| |
|
| |
| (First-tier Tribunal) (General Regulatory Chamber) Rules 2009
| |
| (StatutoryInstrument2009 No. 1976 (L.20)).
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
| 23
| |
| </pre>
| |
