ICO - Leads Work Limited (Monetary Penalty): Difference between revisions
Mariam-hwth (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO |DPA_With_Country=ICO (UK) |Case_Number_Name=L...") |
No edit summary |
||
Line 50: | Line 50: | ||
}} | }} | ||
The UK DPA fined Leads Work Limited approximately €288,000 for sending unsolicitated direct marketing communication to individual subscribers. This breached Regulation 22 of the PECR. | The UK DPA (ICO) fined Leads Work Limited approximately €288,000 for sending unsolicitated direct marketing communication to individual subscribers. This breached Regulation 22 of the PECR. | ||
== English Summary == | ==English Summary== | ||
=== Facts === | ===Facts=== | ||
Leads Work Limited (LWL) operates within the "multi-level marketing" sector. It enlists downstream recruits under the Avon band name. | Leads Work Limited (LWL) operates within the "multi-level marketing" sector. It enlists downstream recruits under the Avon band name. | ||
Line 67: | Line 67: | ||
LWL estimated that between May 2019 and May 2020, around 25 million texts were sent to individuals whose personal data was collected from the above websites. | LWL estimated that between May 2019 and May 2020, around 25 million texts were sent to individuals whose personal data was collected from the above websites. | ||
=== Dispute === | ===Dispute=== | ||
Is sending direct marketing texts to individuals without their consent in breach of Regulation 22 PECR? | Is sending direct marketing texts to individuals without their consent in breach of Regulation 22 PECR? | ||
=== Holding === | ===Holding=== | ||
The UK DPA recalled the wording of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as well as the definition of consent under Article 4(11) GDPR. | The UK DPA recalled the wording of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as well as the definition of consent under Article 4(11) GDPR. | ||
Line 81: | Line 81: | ||
As a result of this infringement, the ICO imposed a fine of £250,000 (approx. €288,000) on Leads Work Limited. | As a result of this infringement, the ICO imposed a fine of £250,000 (approx. €288,000) on Leads Work Limited. | ||
== Comment == | ==Comment== | ||
''Share your comments here!'' | ''Share your comments here!'' | ||
== Further Resources == | ==Further Resources== | ||
''Share blogs or news articles here!'' | ''Share blogs or news articles here!'' | ||
== English Machine Translation of the Decision == | ==English Machine Translation of the Decision== | ||
The decision below is a machine translation of the English original. Please refer to the English original for more details. | The decision below is a machine translation of the English original. Please refer to the English original for more details. | ||
Revision as of 18:45, 14 April 2021
ICO - Leads Work Limited (Monetary Penalty) | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Article 4(11) GDPR Regulation 22 Privacy and Electronic Communications (EC Directive) Regulations 2003 |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 01.03.2021 |
Published: | 05.03.2021 |
Fine: | 250000 GBP |
Parties: | Leads Work Limited |
National Case Number/Name: | Leads Work Limited (Monetary Penalty) |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | ICO (in EN) |
Initial Contributor: | n/a |
The UK DPA (ICO) fined Leads Work Limited approximately €288,000 for sending unsolicitated direct marketing communication to individual subscribers. This breached Regulation 22 of the PECR.
English Summary
Facts
Leads Work Limited (LWL) operates within the "multi-level marketing" sector. It enlists downstream recruits under the Avon band name.
The UK DPA (Information Commissioner's Office or ICO) received various complaints from individuals concerning text messages/SMS sent under the Avon name. During the Covid-19 pandemic, individuals complained again about Avon sending them unsolicited text messages. Between April 2020 and May 2020, 835 complaints of this nature were recorded by the ICO.
Upon investigating further, the ICO identified LWL as the sender of these messages. The ICO notified LWL of the growing complaints concerning these texts. LWL responded to the investigation with information on how they acquired the individuals' data: by purchasing this from third parties and through a website (avon.leadsword.co.uk).
The ICO identified that the core data supplier was from an organisation who's website had an opti-in , a privacy notice and an option to unsubscribe. LWL was included as one of the third parties with who data was shared. However, LWL was not included within the list of organisations from whom individuals could expect marketing from. Additionally, it was not possible for individuals to submit details without selecting a marketing channel. The website was also vague, confusing and lengthy.
The ICO also identified other websites that contributed to collecting personal data used by LWL to send direct marketing SMS. LWL stated that lawyers had create the website's legal framework and believed it to be compliant with the legal requirements.
LWL estimated that between May 2019 and May 2020, around 25 million texts were sent to individuals whose personal data was collected from the above websites.
Dispute
Is sending direct marketing texts to individuals without their consent in breach of Regulation 22 PECR?
Holding
The UK DPA recalled the wording of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as well as the definition of consent under Article 4(11) GDPR.
It then went on to clarify that consent to direct marketing was not freely given, specific or informed because the website indicating LWL as a recipient of personal data was vague, confusing and lengthy.
Similar conclusions were reached regarding other websites used to collect personal data used for direct marketing purposes by LWL. These websites had vague consent statements and did not refer to LWL in their policies (listing Avon instead in certain cases). Even where Avon was listed, the ICO highlighted that individuals could not be reasonably expected to know that Avon was linked to LWL. Therefore, consent was not informed and specific.
The ICO therefore concluded that LWL relied on invalid consent to send direct marketing texts to individuals. It found that LWL was in breach of Regulation 22 of the PECR. The UK DPA highlighted the gravity of the contravention due to the amount of messaged sent without the recipients' consent. It also noted LWL's deliberate or foreseeable infringement of the law without taking reasonable steps to prevent them.
As a result of this infringement, the ICO imposed a fine of £250,000 (approx. €288,000) on Leads Work Limited.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
• ICO. Information Commissioner's Office DATA PROTECTION ACT 1998 SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER MONETARY PENALTY NOTICE To: Leads Work Limited Of: Suite C Underwood House, 235 Three Bridges Road, Crawley, West Sussex RH10 1LU 1. The InformationCommissioner ("Commissioner")has decided to issue Leads Work Limited ("LWL") with a monetary penalty under section SSA of the Data Protection Act 1998 ("DPA"). The penalty is in relation to a serious contravention of regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"). 2. This notice explains the Commissioner's decision. Legal framework 3. LWL, whose registered office is given above (companies house registration number: 10853169), is the organisation (person) stated in this notice to have transmitunsolicited communicatioby means of electronic mail to individual subscribers for the purposes of direct marketing contrary to regulation 22 of PECR. 4. Regulation 22 of PECRprovides that: 1 • ICO. Information Commissioner's Office "(l)This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers. (2) Except in the circumstances referred to in paragraph (3), a person shall neither transmitnor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender. (3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where - (a) That person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or device to that recipient; (b) The direct marketing is in respect of that person's similar products and services only; and (c) The recipient has been given a simple means of refusing (free of charge except for the costs of transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication. (4) A subscriber shall not permit his line to be used in contraventofn paragraph (2)." 5. Section 122(5) of the DPA 2018 defines "direct marketing" as "the communication (by whatever means) of any advertising material which 2 • ICO. Information Commissioner's Office is directed to particular individualThis definition also applies for the purposes of PECR. 6. "Electronic mail" is defined in regulation 2(1) PECRas" any text, voice, sound or image sent over a public electronic communications network which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient and includes messages sent using a short message service". 7. Consent is defined in Article 4(11) the General Data Protection Regulation 2016/679 as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmativaction, signifies agreement to the processing of personal data relating to him or her". 8. Section SSA of the DPA (as amended by the Privacy and Electronic Communications (EC Directive)(Amendment) Regulations 2011 and the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2015) states: "(l) The Commissioner may serve a person with a monetary penalty if the Commissioner is satisfied that - (a) there has been a serious contraventionof the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 by the person, and (b) subsection (2) or (3) applies. (2) This subsection applies if the contraventiwas deliberate. (3) This subsection applies if the person - (a) knew or ought to have known that there was a risk that the contravention would occur, but 3 • ICO. Information Commissioner's Office (b) failed to take reasonable steps to prevent the contravention." 9. The Commissioner has issued statutory guidance under section SSC (1) of the DPA about the issuing of monetary penalties that has been published on the ICO's website. The Data Protection (Monetary Penalties)(Maximum Penalty and Notices) Regulations 2010 prescribe that the amount of any penalty determined by the Commissioner must not exceed £500,000. 10. PECRimplements European legislation (Directive 2002/58/EC) aimed at the protection of the individual's fundamentright to privacy in the electronic communications sector. PECRwas amended for the purpose of giving effect to Directive 2009/136/which amended and strengthened the 2002 provisions. The Commissioner approaches PECR so as to give effect to the Directives. 11. The provisionsof the DPA remain in force for the purposes of PECR notwithstanding the introductioof the Data Protection Act 2018 (see paragraph 58(1) of part 9, Schedule 20 of that Act). Background to the case 12. LWL is a lead generation company which operates primarily in the 'multi-levemarketing' sector. It generates leads under the Avon brand for the purpose of enlisting downstream recruits, and which are passed directly to independent Avon sales representatives. 4 • ICO. Information Commissioner's Office 13. LWL first came to the attention of the Commissioner in connection with complaints about text messages seemingly sent by Avon Cosmetics Limited ("Avon"). The investigatifound that Avon did not send or instigate the texts. LWL were contacted, but not investigated at that time. 14. LWL came to the attention of the Commissioner again during the Covid- 19 pandemic, when a significant number of complaints were received about the following text message: In lockdown and want to earn extra cash? Avon is now FULLY ONLINE, FREE to do and paid weekly. Reply with your name for info. 18+ only. Text STOP to opt out. 15. Between 14 April 2020 and 14 May 2020, 835 complaints were received by the 7726 SPAM reporting tool. Significant daily totals of complaints were also seen, including 329 on 13 May 2020, 345 on 14 May 2020 and 370 on 15 May 2020. 16. Given the rapid rise in complaint volumes, and as LWL were known to send messages of this type, the Commissioner contacted LWL by telephone on 13 May 2020, who confirmed that the messages had been sent by LWL. This was subsequently supported by evidence from LWL's mobile network provider. 17. On 15 May 2020, the ICO sent an investigatioletter to LWL detailing the Commissioner's concerns regarding LWL's compliance with PECR, and containing a number of enquiries. The letter attached an index of complaints received both by the 7726 SPAM reporting service, and by the ICO. 5 • ICO. Information Commissioner's Office 18. On 4 June 2020, the ICO received a response from LWL. This provided a list of CLI's used by LWL and text volumes, identified the bodies of 19 different texts sent, and confirmation that texts were sent internally through a platform operated by LWL. LWL explained that data was both purchased from third parties and driven to websites such as 'Avon.leadswork.co.uk'. The third parties from whom data was purchased were said to be' , - - - and _,_ Advertising was also operated extensively on '-,--and--'· 19. In response to enquiries about contractual agreements, LWL stated that before working with a partner they 'review their terms and conditions and see the URL where the opt-in will occur', later adding that they also go through the registration process on a test basis to ensure necessary opt-ins were present. No contractual agreements were said to be in place or provided. LWL said that they had generated leads for Avon representatives for a 'very long time'. 20. A review by the Commissioner of the information provided by LWL revealed that its dominant data supplier was - - whose data capture website was' '. This website consists of a landing page to opt-in, a privacy notice, and an option to unsubscribe. The website states that it is 'part of the - • - _', which is a company quite distinct from - -· LWL is named in the consent statement; by clicking the 'partners' link in the consent statement, individuals are directed to the privacy policy in which LWL are named in the 'marketing service providers' section.A further link to 'direct clients' presents individuals with a further list of 457 distinct organisations from whom individuals may expect to receive marketing, in which LWL is not included. The website does not allow individuals to submit their details without checking 'at least one' marketing channel. 6 • ICO. Information Commissioner's Office Furthermore, the website is vague and confusing given the discursive and lengthy nature of the consent statement and the extensive list of sectors and companies contained within both it and the privacy policy. For these reasons the Commissioner concluded that consent was not freely given, specific and informed. 21. In response to a request by the Commissioner for evidence of consent, LWL explained that a suppression list was in place should anyone reply 'Stop' to a message. In respect of the customer journey LWL explained that should a customer consent to be contacted by LWL then they are sent an initial message asking whether they want to be contacted by a local Avon representativeIf they respond positively then their data is shared with the local representative. 22. LWL provided the Commissioner with a 'GDPR pack' containing a Data Protection Impact Assessment ("DPIA") and a 'company compliance document'. The latter discusses LWL's data protection obligations as a company, and whilst robust for the purpose it sets out to achieve, at no point is PECRreferenced. The DPIA, dated 20 October 2019, explicitly refersto PECRand consent, acknowledges that there is a 'degree of public concern over personal data sales', and refers to regulatory action by the ICO. 23. LWL proclaimed their membership of 'S.H.I.E.L.D.' as an indicator of their compliance. This is a scheme operated by a law firm who appear to audit companies' GDPR compliance, and if deemed compliant, they are entered into the scheme. No evidence of due diligence conducted by this law firm on behalf of the company has been provided by LWL. 24. Having reviewed LWL's response, the Commissioner sent a further set of detailed enquiries to LWL on 9 June 2020, attaching evidence of an 7 • ICO. Information Commissioner's Office additional 8,089 complaints identified through the 7726 SPAM reporting system since the initial enquiries were sent. 25. A substantive response was provided by LWL on 19 June 2020. This included the body of 64 distinct texts sent during the investigation period (over three times the amount identified in LWL's initial response). As was seen from those messages, LWL did not identify itself as the sender. LWL also provided volumes of data purchased since 1 May 2019. Further capture domains were identified. In particular, was identified as also capturing the data that - - supplied. LWL prefaced this by stating that they were previously unaware of this website being a capture domain, and so had immediately enquired as to the compliance and opt-in of this website. It was explained that this website directs individuals to a registration page where their details are inputted, and agreement to the privacy policy obtained.LWL stated that lawyers had been involved in creation of the website's legal framework on behalf of another client, and so were confident it would be compliant. 26. The Commissioner reviewed the privacy policy on ' which has granular opt-ins for each channel and a third party opt-in. The policy states that the website is owned and operated by a differentlynamed company than - ., who sold the data to LWL. The third party opt-in on the registratiopage contains a link to 'partners' where 16 companies are listed, in which LWL does not appear. LWL does appear in the privacy policy, in a list of 7 'marketing service providers'. A further 442 companies are then listed under 'direct clients' followed by the following statement"at registration you have the option to opt-in to sponsors of our website". The Commissioner found the consent statements to be vague and confusing. Further, LWL are not named at the point of consent and in view of the extensive list 8 • ICO. Information Commissioner's Office of companies in the privacy policy, the Commissioner considered that consent was not specific or informed. 27. Data was also stated to be purchased by LWL from ,. ? - _, ('-"), the second largest of LWL's data suppliers, through websites' 'and' '. These sites share the same vague consent statement, which contains a link to identical privacy policies. The privacy policies contain no distinguishable 'third party policy' and lists approximat40 companies with whom data may be shared. LWL are not listed in the privacy policy, instead 'UK - Avon' are listed; this listing is hyperlinked to LWL's privacy policy. In representationsmade to the Commissioner in response to the Notice of Intent, LWL provided a letter from - which stated that LWL should be considered to fall within the category of 'health and beauty tips'.Given that LWL are not directly named in any list, and the policies are convoluted, individuals could not reasonably be expected to know that LWL were linked to Avon. For the reasons above the Commissioner found that the consent statements did not constitute informed and specific consent. 28. In relation to the volume of texts sent to each data source, LWL stated it was not possible to produce an entirely accurate figure, however provided an approximation of volumes in a further email to the Commissioner dated 24 June 2020. Between 1 May 2019 and 15 May 2020 LWL approximated that it sent in excess of 25 million texts to data sourced from __ , --- and•••· The vast majority of the texts, as well as the complaints evidenced in the Commissioner's second investigation letter, were related to data supplied by --· 9 • ICO. Information Commissioner's Office 29. A further request for information was sent by the Commissioner to LWL on 26 June 2020 seeking evidence of consent in relation to another 4,703 complaints received through the 7726 SPAM reporting service, information regarding data supplier'••• ? ,and an accurate number of texts sent though each source between 16 May 2020 and 26 June 2020. 30. LWL's director responded on 3 July 2020, providing further opt-ins. In relation to he said the use of this data preceded his time as director, and so would need to contact directly or his predecessors for information. 31. LWL went onto verify that between 16 May 2020 and 26 June 2020, a total of 3,486,716 messages were sent, of which 3,327,573 were received. Of these,3,013,096 texts were sent, and 2,670,140 connected, to data sourced by -- and --- (comprising 1,911,493 to -- data and 758,647 to'- ? -'data). 32. On 10 July 2020 LWL supplied the Commissioner with information regarding the ' ' data source. LWL identified the domains used by '(also used by -- and previously reviewed by the Commissioner - see para. 20 above) and '. Thelatter is operated by - - and its consent statement lists 240 companies who may contact individuals. LWL are not included in the list. The privacy policy does name LWL, but within a list of hundreds of other sponsors. The Commissioner found that consent in those circumstances was not specific and informed. 33. In conclusion the Commissioner considers that LWL relied upon invalid consents to send direct marketing texts to individuals whose data was 10 • ICO. Information Commissioner's Office sourced by __ , ___ , and LWL's business model is inextricably linked to direct marketing, and whilst it did make some attempt to comply with data protection legislation, it had no discernible policiesr procedures relevant to PECRcompliance, and any due diligence was insufficient. 34. During the period 16 May 2020 to 26 June 2020, a total of 12,281 complaints from 11,733 individuals about unsolicited texts from LWL were received via the 7726 reporting service. 4 complaints were received though the Commissioner's online reporting tool. The vast majority of complaints (10,570) relate to data sourced by - -· It is also noteworthy that LWL began receiving a significant number of complaints from May 2020 onwards, shortly after the UK entered lockdown in response to the pandemic. 35. The Commissioner has made the above findings of fact on the balance of probabilities. 36. The Commissioner has considered whether those facts constitute a contravention of regulation 22 of PECRby LWL and, if so, whether the conditions of section SSA DPA are satisfied. The contravention 37. The Commissioner finds that LWL has contravened Regulation 22 of PECR.The Commissioner finds that the contravention was as follows: 38. Between 16 May 2020 and 26 June 2020 LWL transmitted 2,670,140 texts over a public electronic communicationnetwork by means of electronic mail to individual subscribers for the purposes of direct marketing contrary to regulation 22 of PECR. 11 • ICO. Information Commissioner's Office 39. Organisations cannot generally send marketing texts unless the recipient has notified the sender that they consent to such texts being sent by, or at the instigation of, that sender. 40. The Commissioner is satisfied that the consent relied on by LWL did not amount to valid consent for the purposes of regulation 22 PECR. 41. The Commissioner is satisfied that LWL was responsible for this contravention. 42. The Commissioner has gone on to consider whether the conditions under section SSA DPA were met. Seriousness of the contravention 43. The Commissioner is satisfied that the contraventioidentified above was serious. 44. This is because LWL sent 2,670,140 marketing text messages to individuals without their consent, resulting in excess of 10,000 complaints, over a period of 41 days. The volume of texts and complaints over such a short period is substantial. Indeed, the Commissioner would go so far as to say that the ratio of complaints to the volume of data subjects in receipt of unlawful texts far exceeds any contravention she has witnessed to date. 45. It is reasonable to suppose that the volume of contraventionis actually significantly higher, and spanned a broader period of time. LWL approximated that during the period 1 May 2019 and 15 May 2020, it sent 17.23 million texts to--data, 6.43 million texts to. -- data and 1.37 million texts to data. All these data 12 • ICO. Information Commissioner's Office sources have been deemed non-compliant, however as LWL's system overwrites data after a period of time, LWL have been unable to verify these figures. 46. The Commissioner's Direct Marketing Guidance available on the ICO's website states that: "Organisations can generally only send marketing texts or emails to individuals (including sole traders and some partnerships) if that person has specifically consented to receiving them". Point 60 of the Guidance refers to the fact that freely given consent should be demonstrated where it is the "condition of subscribing to a service", however it is apparent that consent is not freely given in the case of data sourced by - - (LWL's largest provider of data) through ' ', because individuals are not able to register without subscribing to at least one marketing channel. 47. Furthermore, the Commissioner's guidance in relation to PECRstates that "making a large number of marketing calls based on recorded messages or sending large numbers of marketing text messages to individuals who have not consented to receive them [...] is likely to constitute a serious contraventioof the Regulations". 48. The Commissioner is therefore satisfied that condition (a) from section SSA (1) DPA is met. Deliberate or foreseeable contravention 49. The Commissioner has considered whether the contravention identified above was deliberate. In the Commissioner's view, this means that LWL's actions which constituted that contraventionwere deliberate 13 • ICO. Information Commissioner's Office actions (even if LWL did not actually intethereby to contravene PECR). 50. The Commissioner considers that in this case that LWL's actions were deliberate, as despite having been notified that it was under investigatioby the Commissioner, and given her concerns about LWL's compliance with PECR, LWL has continued its marketing campaign without making any adjustments to its business model. LWL continues to send unlawful text messages even after the investigation was completed, and a Notice of Intent served upon LWL in which it's practices were deemed non-compliant. 51. Further, and in the alternatithe Commissioner has gone on to consider whether the contraventionidentified above was negligent. 52. First, she has considered whether LWL knew or ought reasonably to have known that there was a risk that this contraventiowould occur. She is satisfiedhat this condition is met, given that LWL's business model relied heavily on direct marketing. 53. LWL is registered with the ICO as a data controller and as such should be aware of the Regulations.As the sender of the texts it was the responsibility of LWL to ensure valid consent had been obtained prior to their transmission. 54. The Commissioner has published detailed guidance for those carrying out direct marketing explaining their legal obligations under PECR.This guidance explains the circumstances under which organisations are able to carry out marketing over the phone, by text, by email, by post, or by fax. 14 • ICO. Information Commissioner's Office 55. Furthermore, the issue of unsolicited marketing has been widely publicised by the media as being a problem. 56. LWL had a DPIA in place dated 20 October 2019 which demonstrates awareness on the part of LWL as to its statutory obligatioIt.contains the following statement: LW have considered the fact that there is a degree of public concern over the sales of personal data. The legislation is clear on the point of consent and the subsequent enforcement action brought by the Regulator (ICO) has reinforced the legislation and demonstrated a clear pathway to take for businesses engaged in the sale of personal data This unambiguously references public concern regarding data sales, and an awareness of enforcement action taken by the ICO. 57. It is therefore reasonable to suppose that LWL knew or ought reasonably to have known that there was a risk that these contraventions would occur. 58. The Commissioner has also considered whether LWL failed to take reasonable steps to prevent the contraventions. 59. Reasonable steps could have included seeking appropriate guidance on the rules in relation to electronic direct marketing and ensuring the consent on which it sought to rely on was valid, putting in place contractual arrangements to ensure the veracity of the data, and conducting sufficient due diligence in relation to its data providers. 60. In this case, LWL failed to put in place contractual arrangements with data suppliers despite sourcing significant volumes of data from these suppliers. Any due diligence appears to be minimal and there is a lack of evidence in relation to thisBy their own admission, LWL conducted most of their due diligence checks on ' ', by looking 15 • ICO. Information Commissioner's Office at the website and testing the registration pages, however had these checks been sufficient LWL should have known that the website was non-compliant. In fact, LWL only became aware of a page that sourced a significantmount of-- data when the ICO investigation commenced. LWL purports to rely on their entry to the S.H.I.E.L.D. scheme as reassurance of compliance, however no evidence in relation to this has been provided. 61. LWL appear to have placed great reliance upon due diligence conducted by third parties in relation to data capture websites, and the fact that there had been legal input from lawyers engaged by other organisations who also utilised those same websites. LWL have provided minimal evidence in relation to any due diligence provided by others and appear to have assumed that as others were reliant upon it, then their own business model must also have been compliant. It would have been reasonable for LWL to carry out its own checks as to how consent was being obtained via the websites, notwithstandingany assurances by its third-partdata providers - such checks would have alerted LWL to the inadequacy of the consents being obtained via the sites for the purposes of third-pardirect marketing. In short, simple reliance on assurances of indirect consent alone without undertaking proper due diligence is not acceptable. 62. Furthermore, LWL has continued to send significant numbers of marketing texts to individuals throughoutand since, the course of the Commissioner's investigation,incurring a substantial amount of complaints. This would suggest that no remedial measures have been taken to prevent further contraventionsand an apparent continuing disregard for its obligations under PECR. Indeed, since August 2020 to the date of this Notice, a further 28,350 complaints about marketing texts from LWL have been received by the 7726 reporting service. 16 • ICO. Information Commissioner's Office 63. In representations made to the Commissioner, LWL states that at no time was it made aware that its practices were non-compliant.The Commissioner views the fact that an organisation is under investigation should be sufficient impetus for that organisation to review its own practices in lineith the Regulations. Irrespective of the timing of any awareness on LWL's part, it is apparent that LWL has not heeded the Commissioner's concerns and has continued its campaign in blatant disregard for the Regulations. 64. The Commissioner is therefore satisfied that condition (b) from section SSA (1) DPA is met. The Commissioner's decision to impose a monetary penalty 65. The Commissioner has taken into account the following aggravating features of this case: • The texts misleadingly appeared to be sent by Avon. LWL accepts that it deliberately did not identify itself in the body of the texts as the sender so as to not "confuse" recipients, and as such were in breach of regulation 23 of PECR. • LWL has continued to run the marketing campaign both during, and since,the Commissioner's investigation and despite the ICO's concerns,without attempting to amend or review its practices. Indeed, all the contraventionwhich are the subject of this Notice occurred after LWL were notified it was under investigatioFurthermore, LWL has continued to send unlawful marketing texts after the Commissioner completed her investigationon 26 June 2020, and issued a Notice of Intent in which LWL's practices were deemed non-compliant. 17 • ICO. Information Commissioner's Office • Since August 2020 to the present time, an additional 28,350 complaints have been received by the 7726 SPAM reporting tool about texts sent by LWL. • LWL sought to capitalise on the pandemic by sending a significant number of text messages relating to, and directly referencing, the ensuant lockdown when the population was at its most vulnerable and advertising the potential financial gains by becoming an Avon representative.1,698 complaints were received regarding this particular message. • LWL repeatedly indicated long standing compliance with PECRin its communications with the Commissioner which was blatantly untrue. LWL also failed to be completely transparentduring the course of the investigation.For example, when asked to provide details of the body of texts sent by LWL, it initially provided only 19, when it later transpired 65 separate texts were utilised. In representatioto the Commissioner, LWL stated that those omitted were simply variants of the original texts however the Commissioner's view remains that LWL were not completely open and transparent in relation to her enquiry. • Furthermore, LWL failed to inform the Commissioner in its response to enquiries about marketing methods that it also conducted email marketing. The Commissioner has since been made aware that· - conducted hosted marketing for LWL, and that over a 12 month period had sent 7.5 million emails on LWL's behalf, including activity during the contravention period. Between the contravention period 16 May 2020 - 26 June 2020 the number of emails transmitted was 1,006,000. 18 • ICO. Information Commissioner's Office 66. The Commissioner considers there are no mitigating factors to be considered in this case. 67. For the reasons explained above, the Commissioner is satisfied that the conditions from section SSA(l) DPA have been met in this case. She is also satisfiedthat the procedural rights under section 55B have been complied with. 68. This has included the issuing of a Notice of Intent, in which the Commissioner set out her preliminary thinking, and invited LWL to make representations in response. 69. The Commissioner has received and considered Representations in response to the Notice of Intent dated 9th & 22nd December 2020, and 5th, 13th & 20th January 2021. 70. The Commissioner is accordingly entitled to issue a monetary penalty in this case. 71. The Commissioner has considered whether, in the circumstances, she should exercise her discretion so as to issue a monetary penalty. She has decided that a monetary penalty is an appropriate and proportionate response to the finding of a serious contraventionof regulation22 of PECRby LWL. 72. The Commissioner's underlying objective in imposing a monetary penalty notice is to promote compliance with PECR. The making of unsolicited direct marketing calls is a matter of significant public concern. A monetary penalty in this case should act as a general encouragement towards compliance with the law, or at least as a deterrent against non compliance, on the part of all persons running businesses currently 19 • ICO. Information Commissioner's Office engaging in these practices. This is an opportuto reinforce the need for businesses to ensure that they are only telephoning consumers who want to receive these calls. 73. The Commissioner has also considered the likely impact of a monetary penalty on LWL and in doing so has reviewed financial evidence supplied by LWL. The amount of the penalty 74. Taking into account all of the above, the Commissioner has decided that the amount of the penalty is £250,000 (Two hundred and fifty thousand pounds). Conclusion 75. The monetary penalty must be paid to the Commissioner's office by BACS transfer or cheque by 1 April 2021 at the latest. The monetary penalty is not kept by the Commissioner but will be paid into the Consolidated Fund which is the Government'sgeneral bank account at the Bank of England. 76. If the Commissioner receives full payment of the monetary penalty by 31 March 2021 the Commissioner will reduce the monetary penalty by 20% to £200,000 (Two hundred thousand pounds). However, you should be aware that the early payment discount is not available if you decide to exercise your right of appeal. 77. There is a right of appeal to the First-tier Tribunal (InfoRights) against: 20 • ICO. Information Commissioner's Office a) the imposition of the monetary penalty and/or; b) the amount of the penalty specified in the monetary penalty notice. 70. Any notice of appeal should be received by the Tribunal within 28 days of the date of this monetary penalty notice. 71. Informationabout appeals is set out in Annex 1. 72. The Commissioner will not take action to enforce a monetary penalty unless: • the period specified within the notice within which a monetary penalty must be paid has expired and all or any of the monetary penalty has not been paid; • all relevant appeals against the monetary penalty notice and any variation of it have either been decided or withdraand • period for appealing against the monetary penalty and any variation of it has expired. 73. In England, Wales and Northern Ireland, the monetary penalty is recoverable by Order of the County Court or the High Court. In Scotland, the monetary penalty can be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland. 21 • Information Commissioner's Office Dated the 1 day of March 2021 Andy Curry Head of Investigations InformatioCommissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 SAF 22 • ICO. Information Commissioner's Office ANNEX 1 SECTION 55 A-E OF THE DATA PROTECTION ACT 1998 RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER 1. Section 48 of the Data Protection Act 1998 gives any person upon whom a monetary penalty notice or variation notice has been served a right of appeal to the First-tier Tribunal (InformRights) (the 'Tribunal') against the notice. 2. If you decide to appeal and if the Tribunal considers:- a) that the notice against which the appeal is brought is not in accordance with the law; or b) to the extent that the notice involved an exercise of discretion by the Commissioner, that she ought to have exercised her discretion differently, the Tribunal will allow the appeal or substitute such other decision as could have been made by the Commissioner. In any other case the Tribunal will dismiss the appeal. 3. You may bring an appeal by serving a notice of appeal on the Tribunal at the following address: GRC & GRPTribunals PO Box 9300 Arnhem House 31 Waterloo Way Leicester LEl 8DJ a) The notice of appeal should be sent so it is received by the Tribunal within 28 days of the date of the notice. 23 • ICO. Information Commissioner's Office b) If your notice of appeal is late the Tribunal will not admit it unless the Tribunal has extended the time for complying with this rule. 4. The notice of appeal should state:- a) your name and address/name and address of your representative (if any); b) an address where documents may be sent or delivered to you; c) the name and address of the Information Commissioner; d) detailsof the decision to which the proceedings relate; e) the result that you are seeking; f) the grounds on which you rely; g) you must provide with the notice of appeal a copy of the monetary penalty notice or variation notice; h) if you have exceeded the time limit mentioned above the notice of appeal must include a request for an extension of time and the reason why the notice of appeal was not provided in time. 5. Before deciding whether or not to appeal you may wish to consult your solicitor or another adviser. At the hearing of an appeal a party may conduct his case himself or may be represented by any person whom he may appoint for that purpose. 6. The statutory provisions concerning appeals to the First-tier Tribunal (Information Rights) are contained in sections 48 and 49 of, and Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No. 1976 (L.20)). 24