ICO (UK) - Colour Car Sales Limited
ICO (UK) - Colour Car Sales Limited | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Article 4(11) GDPR Regulation 2(1) of the Privacy and Electronic Communications (EC Directive) Regulation 2(1) of the Privacy and Electronic Communications (EC Directive) Reguations 2003 Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulation 22 of the Privacy and Electronic Communications (EC Directive) Reguations 2003 |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 24.05.2021 |
Published: | 08.06.2021 |
Fine: | 170000 GBP |
Parties: | Colour Car Sales Limited |
National Case Number/Name: | Colour Car Sales Limited |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | Information Commissioner's Office (in EN) |
Initial Contributor: | n/a |
The UK DPA fined a car finance company approximately €198,000 (£170,000) for sending unsolicited direct marketing messages without obtaining valid consent.
English Summary
Facts
Colour Car Sales Limited (CCSL) is a company acting as a credit intermediary for finance on used cars. It traded under serveral names, including 'immediatecarfinance.co.uk'; 'carfinancetoday.net'; 'achillesuk.com'; and 'taxifinancetoday.com'.
Between 2018 and 2019, the UK DPA (Information Commissioner's Office; ICO) received nearly 200 complaints over unsolicited electronic direct marketing text messages. The ICO started a preliminary investigation and contacted CCSL for further evidence. The letter sent was returned undelivered. The company director was then contacted who provided an alternative contact address.
CCSL confirmed it had sent over 3 million direct marketing messages between 2018 and 2019. CCSL claimed to have gathered consent through an application form with the following statement: "By starting an application you agree that immediatecarfinance may/will pass your details on to a third party lender or broker, and they may wish to contact you by phone, post, SMS or other electronic means". CCSL explained that an opt-out would be possible by calling the CCSL office.
The ICO investigated the privacy notice available and found that the privacy notice stated that marketing communication was only sent where there was consent of a "legitimate business interest"
Following initial cooperation, CCSL did not respond to the ICO any further.
Dispute
What classifies as valid consent to send direct marketing messages?
Holding
The UK DPA first outlined the definition of consent as defined by Article 4(11) of the GDPR. It also outlined the rules under Regulation 22 PECR which address consent.
Analysing the application form, the ICO considered that there was no specific reference to direct marketing nor purposes of contact from third parties. Additionally, the UK DPA found that there was no method for the individual to send an application without consenting to being contacted, nor any option for them to select who may contact them.
The ICO therefore found CCSL in contravention of Regulation 22 of PECR for instigating unsolicited direct marketing messages. Individuals did not have the option other than agreeing to receiving direct marketing. Consent was therefore not freely given. Similarly, it was not specific as individuals could not select which party they agreed to receive marketing from. Finally, it was not informed (the information provided was too vague).
The ICO found that the "soft opt-in", where organisations can send marketing messages by text and e-mail to individuals whose details had been obtained in the course or negotiation of a sale and in respect of similar products and services, was also not available to CCSL. This is because individuals were not given the opportunity to refuse or opt-out in the first place.
The ICO took into account the seriousness and the deliberate or negligent nature of the infraction, as well as the lack of cooperation by CCSL. It therefore imposed a fine of approximately €198,000 on CCSL.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
• ICO. Information Commissioner's Office DATA PROTECTION ACT 1998 SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER ENFORCEMENT NOTICE To: Colour Car Sales Limited Of: Unit 1 & 2 Mossfield Road, Stoke-on-TrenEngland ST3 SBW 1. The Information Commissioner ("the Commissioner")has decided to issue Colour Car Sales Limited ("CCSL") with an enforcement notice under section 40 of the Data Protection Act 1998 ("DPA"). The notice is in relation to a serious contravenof Regulation 22 of the Privacy and Electronic Communications(EC Directive) Regulations 2003 ("PECR"). 2. This notice explains the Commissioner's decision. Legal framework 3. CCSL, whose registered office is given above (Companies House Registration Number: 10382413) is the organisation stated in this notice to have instigated the transmissof unsolicited communications by means of electronic mail to individual subscribers for the purposes of direct marketing contrary to regulation 22 of PECR. 4. Regulation 22 of PECRstates: 1 • ICO. Information Commissioner's Office "(1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers. (2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender. (3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where- (a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient; (b) the direct marketing is in respect of that person's similar products and services only; and (c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication. (4) A subscriber shall not permit his line to be used in contraventioof paragraph (2)." 2 • ICO. Information Commissioner's Office 5. Section 122(5) of the DPA18 defines direct marketing as "the communication (by whatever means) of any advertising material which isdirected to particular individuals". This definition also applies for the purposes of PECR(see regulation 2(2) PECR& Schedule 19 paragraphs 430 & 432(6) DPA18). 6. Priorto 29 March 2019, the European Directive 95/46/EC defined 'consent' as "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed". 7. Consent in PECRis now defined, from 29 March 2019, by reference to the concept of consent in Regulation 2016/679 ("the GDPR"): regulation 8(2) of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. Article 4(11) of the GDPR sets out the following definition: "'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". 8. Recital 32 of the GDPR materially states that "When the processing has multiple purposes, consent should be given for all of them". Recital 42 materiallyprovides that "For consent to be informed, the data subject should be aware at least of the identity of the controllRecital 43 materially states that "Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case". 9. "Individual"is defined in regulation 2(1) of PECRas "a living individual and includes an unincorporated body of such individuals". 3 • ICO. Information Commissioner's Office 10. A "subscriber"is defined in regulation 2(1) of PECRas "a person who is a party to a contract with a provider of public electronic communications services for the supply of such services". 11. "Electronic mail' is defined in regulation 2(1) of PECRas "any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient and includes messages sent using a short message service". 12. The term "soft opt-in" is used to describe the rule set out in in Regulation 22(3) of PECR.In essence, an organisation may be able to e-mail its existing customers even if they haven't specifically consented to electronic mail. The soft opt-in rule can only be relied upon by the organisation that collected the contact details. 13. The DPA contains enforcement provisions at Part V which are exercisable bythe Commissioner. Those provisions are modified and extended for the purposes of PECRby Schedule 1 PECR. 14. Section 40(1)(a) of the DPA (as extended and modified by PECR) provides that if the Commissioner is satisfied that a person has contravened or is contravening any of the requirementof the Regulations, she may serve him with an Enforcement Notice requiring him to take within such time as may be specified in the Notice, or to refrain from taking after such time as may be so specified, such steps as are so specified. 15. PECRwere enacted to protect the individual's fundamental right to privacy in the electronic communicationssector. PECRwere subsequently amended and strengthened. The Commissioner will 4 • ICO. Information Commissioner's Office interpret PECRin a way which is consistent with the Regulations' overall aim of ensuring high levels of protection for individuals' privacy rights. 16. The provisions of the DPA remain in force for the purposes of PECR notwithstandingthe introductionof the Data Protection Act 2018 (see paragraph 58(1) of Part 9, Schedule 20 of that Act). The contravention 17. The Commissioner finds that CCSL contravened regulation 22 of PECR. 18. The Commissioner finds that the contravention was as follows: 19. The Commissioner finds that between 1 October 2018 and 21 January 2020 there were 274 direct marketing text messages received by subscribers which are capable of being evidenced by complaintsThe Commissioner finds that CCSL instigated the transmissioof the direct marketing messages sent, contrary to regulation 22 of PECR. 20. The Commissioner is not assisted by CCSL's failure to engage with her during this investigatito explain the relationship between CCSL and However she is satisfied that for the purposes of the direct marketing messages sent from Text Local account, CCSL positively encouraged the sending of those messages. She makes this finding in light of the informatprovided by Text Local in response to the Commissioner's 3PIN, and in view of the content of the unsolicited direct marketing messages sent which resulted in 274 complaints. 21. CCSL, as the instigator of the direct marketiis required to ensure that it is acting in compliance with the requiremenof regulation 22 of 5 • ICO. Information Commissioner's Office PECR,and to ensure that valid consent to send those messages had been acquired. 22. In this instance, individuals applying for finance via one of CCSL's sites were given no option but to agree to receive direct marketing from CCSL and its unnamed third parties. Indeed, the statement that would accompany the applications did not indicate in any manner that the individual's personal details would be used for direct marketing purposes. Furthermore, individuals could not specify the type of direct marketing that they might be willing to receive, rather they were requiredto agree to a suite of contact methods, from an unknown number of third parties. 23. For consent to be valid it is required to be "freely given", by which it follows that if consent to marketing is a condition of subscribing to a service, the organisation will have to demonstrate how the consent can be saidto have been given freely. In this instance, CCSL has failed to explain how its consent could be said to be freely given. 24. Consent is also required to be "specific" as to the type of marketing communication to be received, and the organisation, or specific type of organisation, that will be sending it. Again, this requirement does not appear to be met in CCSL's case. 25. Consent will not be "informed"if individuals do not understand what they are consenting to. Organisations should therefore always ensure that the language used is clear, easy to understand, and not hidden away in a privacy policyr small print.Consent will not be valid if individuals are asked to agree to receive marketing from "similar organisations","partners","selected third parties" or other similar generic description. 6 • ICO. Information Commissioner's Office 26. The Commissioner is satisfied that CCSL cannot avail itself to the "solt opt-in" exemption provided by regulation 22(3) PECR. This exemption means that organisations can send marketing messages by text and e mail to individuals whose details had been obtained in the course or negotiation of a sale and in respect of similar products and services. The organisation must also give the person a simple opportunity to refuse or opt out of the marketing, both when first collecting the details and in every message alter that.It is apparent from the sign-up page on CCSL's websites that individuals were not provided a simple opportunity to refuse or opt out of the marketing, nor were they offered an opt-out in the subsequent direct marketing messages that they received. The Commissioner therefore finds that CCSL is unable to rely on this exemption. 27. The Commissioner is satisfied that this contravention could have been far greater, since there is evidence that a total of 3,650,194 direct marketing messages were sent to individuals at the instigation of CCSL over the contraventionperiod. However, because of CCSL's lack of engagement, and the Communications Service Provider's failure to retain such records, it has not been possible to determine the exact number of those messages which were received by subscribers. The full extent of the contraventiis therefore unknown. 28. The Commissioner is satisfied fromthe evidence she has seen that CCSL did not have the necessary valid consent for the 274 direct marketing messages received by subscribers. 29. The Commissioner has considered, as she is required to do under section 40(2) of the DPA (as extended and modified by PECR)when deciding whether to serve an Enforcement Notice, whether any contravention has caused or is likely to cause any person damage or distress. The Commissioner has decided that it is likely that damage or 7 • ICO. Information Commissioner's Office distress has been caused in this instance, not least because of the sheer number of complaints. 30. In view of the matters referred to above the Commissioner hereby gives notice that, in exercise of her powers under section 40 of the DPA, she requires CCSL to take the steps specified in Annex 1 of this Notice. Right of Appeal 31. There is a right of appeal against this Notice to the First-tier Tribunal (InformationRights), part of the General Regulatory Chamber. Informationabout appeals is set out in the attached Annex 2. Dated the 24tday of May 2021 Andy Curry Head of Investigations InformationCommissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 SAF 8 • ICO. Information Commissioner's Office ANNEX 1 TERMS OF THE ENFORCEMENT NOTICE CCSL shall within 30 days of the date of this notice: • Except in the circumstances referred to in paragraph (3) of regulation 22 of PECR, neither trnor instigate the transmission of, unsolicited communicfor the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified CCSL that he clearly and specifically consentsthe time being to such communications being sent by, or at the instigation of, CCSL. 9 • ICO. Information Commissioner's Office ANNEX 2 RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER 1. Section 48 of the Data Protection Act 1998 gives any person upon whom an enforcement notice has been served a right of appeal to the First-tier Tribunal (InformaRights) (the "Tribunalagainst the notice. 2. If you decide to appeal and if the Tribunal considers: - a) that the notice against which the appeal is brought is not in accordance with the law; or b) to the extent that the notice involved an exercise of discretion by the Commissioner, that she ought to have exercised her discretion differently, the Tribunal will allow the appeal or substitute such other decision as could have been made by the Commissioner. In any other case the Tribunal will dismiss the appeal. 3. You may bring an appeal by serving a notice of appeal on the Tribunal at the following address: General Regulatory Chamber HM Courts &Tribunals Service PO Box 9300 Leicester LEl 8DJ Telephone: 0300 123 4504 Email: grc@justice.gov.uk 10 • ICO. Information Commissioner's Office • The notice of appeal should be served on the Tribunal within 28 days of the date on which the enforcement notice was sent 4. The statutory provisions concerning appeals to the First-tier Tribunal (General Regulatory Chamber) are contained in sections 48 and 49 of, and Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure(First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (StatutoInstrument2009 No. 1976 (L.20)). 11