ICO (UK) - We Buy Any Car Limited
ICO (UK) - We Buy Any Car Limited | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Article 4(11) GDPR; Regulation 22(3) of the Privacy and Electronic Communications (EC Directive) Regulations 2003; Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 13.09.2021 |
Published: | 15.09.2021 |
Fine: | 200000 GBP |
Parties: | We Buy Any Car Limited |
National Case Number/Name: | We Buy Any Car Limited |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | ICO (in EN) |
Initial Contributor: | MH |
The Information Commissioner's Office imposed a fine of around €234,000 on a car valuation and purchasing company, We Buy Any Car Ltd. WBAC infringed Regulation 22 PECR by sending unsolicited marketing emails and SMS.
English Summary
Facts
We Buy Any Car Limited (WBAC) is a car purchasing company. Individuals can input details about their vehicle to get a fixed-price valuation.
Individuals complained that they received unsolicited marketing texts from WBAC. The UK DPA, the Information Commissioner's Office (ICO), started an investigation on the basis of complaints received between October 2019 and January 2020. WBAC stated that it only contacts individuals who request a vehicle valuation. It claimed that these messages were sent either at the request of individuals or on the basis of the "soft opt-in".
WBAC informed the ICO that 207.7 million email messages were sent (205.5m delivered) between April 2019 and April 2020. These messages were:
- 92.3 million “journey” emails requested by the individuals asking for a valuation;
- 107.6 million “batch” emails sent to customers between 30 days and 4 years since their last valuation; and
- 7.8 million “good news” emails where the valuation offer has increased.
WBAC also sent 16.3 million SMS between April 2019 and April 2020. 4.2 million ("batch" and "good news" messages) were marketing, 3.6 million of which were delivered.
Dispute
Holding
The Information Commissioner's Office considered that the "journey" messages were unsolicited marketing because the individuals had not specifically requested them, even if WBAC had informed individuals about them. The ICO concluded that the emails were marketing emails rather than service messages, as defined in the ICO's Direct Marketing Code of Practice, because they contained marketing elements even if that was not their main purpose. Of all the messages delivered, the ICO considered that only 14.1 million were solicited versus 191.4 million unsolicited marketing emails. WBAC was therefore found in contravention of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (hereafter: PECR), as it did not satisfy the requirement of obtaining valid consent.
The ICO also considered the “batch” and “good news” SMS to be direct marketing. Although WBAC claimed these were sent under the soft opt-in rule (Regulation 22(3) PECR), the ICO disagreed. The DPA held that the possibility of opting out was not presented to customers during the process of collecting their details. Instead, it was only presented to them after they had received a vehicle valuation. There was no meaningful possibility to opt out, which led the ICO to conclude that WBAC did not comply with the requirements of Regulation 22(3) PECR. The ICO also concluded that WBAC had misunderstood the definition of service messages in relation to the SMS it sent, which the DPA deemed to be marketing messages.
The ICO also found that complainants were unsuccessful when attempting to unsubscribe from emails and SMS.
The ICO took into account the large number of emails and texts sent over the one-year period investigated and deemed it a serious contravention of the regulation. The ICO also concluded that WBAC "knew or ought reasonably to have known that there was a risk that this contravention would occur" and therefore considered this contravention to be negligent. The ICO therefore imposed a fine of around €234,000.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
DATA PROTECTION ACT 1998
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER
MONETARY PENALTY NOTICE
To: We Buy Any Car Limited
Of: Headway House, Crosby Way, Farnham, Surrey, GU9 7XG
1. The Information Commissioner (“Commissioner”) has decided to issue We Buy Any Car Limited (“WBAC”) with a monetary penalty under section 55A of the Data Protection Act 1998 (“DPA”). The penalty is in relation to a serious contravention of regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).
2. This notice explains the Commissioner’s decision.
Legal framework
3. WBAC, whose registered office is given above (companies house registration number: 05727953), is the organisation (person) stated in this notice to have transmitted unsolicited communications by means of electronic mail to individual subscribers for the purposes of direct marketing contrary to regulation 22 of PECR.
4. Regulation 22 of PECR provides that:
“(1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers.
(2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.
(3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where–
(a) That person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or device to that recipient;
(b) The direct marketing is in respect of that person’s similar products and services only; and
(c) The recipient has been given a simple means of refusing (free of charge except for the costs of transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.
(4) A subscriber shall not permit his line to be used in contravention of paragraph (2).”
5. Section 122(5) of the DPA 2018 defines “direct marketing” as “the communication (by whatever means) of any advertising material which is directed to particular individuals”. This definition also applies for the purposes of PECR.
6. “Electronic mail” is defined in regulation 2(1) PECR as “any text, voice, sound or image sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service”.
7. Consent in PECR is now defined, from 29 March 2019, by reference to the concept of consent in Regulation 2016/679 (“the GDPR”): Regulation 8(2) of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. Article 4(11) of the GDPR sets out the following definition: “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
8. Section 55A of the DPA (as amended by the Privacy and Electronic Communications (EC Directive)(Amendment) Regulations 2011 and the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2015) states:
“(1) The Commissioner may serve a person with a monetary penalty if the Commissioner is satisfied that –
(a) there has been a serious contravention of the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 by the person, and
(b) subsection (2) or (3) applies.
(2) This subsection applies if the contravention was deliberate.
(3) This subsection applies if the person –
(a) knew or ought to have known that there was a risk that the contravention would occur, but
(b) failed to take reasonable steps to prevent the contravention.”
9. The Commissioner has issued statutory guidance under section 55C (1) of the DPA about the issuing of monetary penalties that has been published on the ICO’s website. The Data Protection (Monetary Penalties)(Maximum Penalty and Notices) Regulations 2010 prescribe that the amount of any penalty determined by the Commissioner must not exceed £500,000.
10. PECR were enacted to protect the individual’s fundamental right to privacy in the electronic communications sector. PECR were subsequently amended and strengthened. The Commissioner will interpret PECR in a way which is consistent with the Regulations’ overall aim of ensuring high levels of protection for individuals’ privacy rights.
11. The provisions of the DPA remain in force for the purposes of PECR notwithstanding the introduction of the Data Protection Act 2018 (see paragraph 58(1) of part 9, Schedule 20 of that Act).
Background to the case
12. WBAC is a vehicle purchasing and wholesale company with branches across the UK. Individuals use the WBAC website to input details about their vehicle and obtain a fixed-price valuation.
13. Phone users can report the receipt of unsolicited marketing text messages to the GSMA’s Spam Reporting Service by forwarding the message to 7726 (spelling out “SPAM”). The GSMA is an organisation that represents the interests of mobile operators worldwide. The Commissioner is provided with access to the data on complaints made to the 7726 service and this data is incorporated into a Monthly Threat Assessment (MTA) used to ascertain organisations in breach of PECR.
14. WBAC came to the attention of the Commissioner following monitoring of spam email complaints received directly via the ICO spam email reporting tool. Between 29 October 2019 and 17 January 2020, 10 complaints from individuals, and a further two from the same individual, had been recorded.
15. On 7 April 2020, the ICO sent an investigation letter to WBAC via email requesting the volume of marketing messages sent and delivered between 7 April 2019 and 7 April 2020, the source of the data, and evidence of consent relied upon to send marketing messages. The letter also provided an index of the twelve complaints and asked for an explanation in relation to each one.
16. On 3 July 2020, the ICO received a response from WBAC in which it explained the service provided. WBAC advised that it does not initiate contact with individuals and only responds to individuals who request a vehicle valuation. The vehicle valuation is guaranteed for a set period of time, within which the individual can sell their vehicle to WBAC. If the guarantee period expires then WBAC contacts individuals to give them the opportunity to update their valuation. WBAC explained that emails are sent either at the request of individuals, or in accordance with the ‘soft opt-in’.
17. The Commissioner’s investigation accordingly focussed on the marketing emails and SMS WBAC say were sent after the initial valuation email, and whether those communications satisfied the ‘soft opt-in’ criteria.
18. WBAC went on to inform the Commissioner that during the period 7 April 2019 to 7 April 2020 it sent 207.7 million email messages, of which 205.5 were delivered. These messages were split into three categories:
(a) 92.3 million “journey” emails. Up to 12 emails over a 30 day period were sent to customers of its website in response to 14.1 million valuation requests. WBAC explained that customers specifically requested “journey” emails when completing the valuation process and so believed that this category of emails were not “unsolicited” emails regulated by PECR.
(b) 107.6 million “batch” emails. These are occasional emails sent to customers after the 30 day “journey” and up to 4 years since their last valuation was provided.
(c) 7.8 million “good news” emails. These were emails whereby customers are informed that the offer for their vehicle has been increased.
19. With regard to the “journey” emails the Commissioner’s view is that for a marketing message to be solicited it must be actively requested. The Commissioner therefore accepts that the initial valuation emails (of which 14.1 million were sent during the period under investigation) constitute solicited marketing and so are not subject to the requirements of PECR.
20. WBAC asserted in representations to the Notice of Intent that the remaining “journey” emails are also solicited, as in their view recipients took an ‘active step’ in requesting a vehicle valuation, at which point they were informed about the receipt of vehicle valuation and guarantee reminders. The Commissioner however does not agree, and finds that the subsequent “journey” messages are unsolicited, because they are not specifically requested by individuals, even if informed about them by WBAC.
21. Furthermore, the Commissioner’s Direct Marketing Guidance states that the definition of direct marketing includes any message which includes some marketing element, even if that is not its main purpose. The Commissioner considers that these messages contain an element of marketing because they contain material promoting WBAC’s service and encouraging recipients to continue the valuation journey, and so are subject to the provisions of PECR.
22. On the basis that 205.5 million emails from all categories were delivered in total, of which 14.1 million were solicited valuation emails, this equates to 191.4 million unsolicited marketing emails having been sent by WBAC.
23. In addition to emails WBAC also informed the Commissioner that it sent 16.3 million SMS over the same period, of which 4.2 million were marketing messages. 3.6 million of these were delivered. WBAC later confirmed that 2 million of the marketing messages were “batch” messages and 2.2 were “good news” messages, examples being as follows:
Batch SMS: It takes less than 60 seconds to get an updated quote for your ~MANUFACTURER~! Click here > ~LINK~. Text STOP to 65800 to optout
Good news SMS: Price alert: We can offer more for your ~MANUFACTURER~! Don’t miss out on your higher valuation, click ~LINK~. Text STOP to 65800 to optout.
24. The Commissioner considers that the “batch” and “good news” SMS clearly encourage customers to continue with their valuation journey and therefore constitute direct marketing, as they promote WBAC’s service.
25. With regard to consent to send marketing messages, WBAC informed the Commissioner that “where we do send emails that customers have not specifically requested, we do so relying on the ‘soft opt in’ under Regulation 22(3) PECR”.
26. The Commissioner went onto consider whether WBAC either had valid consent to send the marketing emails and SMS, or in particular, based on assertions made by WBAC, whether it satisfied the criteria for reliance upon regulation 22(3) of PECR – the ‘soft opt-in’. In this regard WBAC stated:
“Customer details are collected in the course of the customer choosing to use our service, with the opportunity to object presented to them once they have been presented with their valuation by email.”
27. From a review of WBAC’s website, information presented to customers at the point of submitting their details to WBAC is as follows:
“When you obtain a valuation, you agree to Webuyanycar’s Terms & Conditions, Privacy & Cookies Policy, and our Data & Communication Policy, which includes marketing communications regarding your vehicle. You can update our communication preferences at any time by visiting our Contact Preference Centre. We provide links to this in each of our emails.”
“We will send you a copy of your valuation to your email address and mobile phone, along with reminders of how long your valuation is valid for. You will also receive updates that we believe will be of interest to you, such as significant marketing activity or limited offers in respect of your vehicle. You can choose not to receive any further communication from us at any time. All our emails have unsubscribe links, SMS messages accept STOP replies to 65800. Alternatively, you can visit our contact preference centre to opt-out of all or specific communications.”
28. It is apparent from the above that whilst customers are informed of future ways to opt out at the point of collection of their details, the opportunity to actually object to marketing messages is presented only after provision of the vehicle valuation. Individuals have no opportunity to refuse marketing when initially inputting their details. WBAC accept that the opt-out provision does not occur until receipt of the first valuation email however believe that as there is a ‘minor temporal gap’ between the two events it is ‘simultaneous’. The Commissioner does not accept WBAC’s position on this point and remains satisfied that WBAC do not comply with the requirements of Regulation 22(3)(c) in relation to the timing of the opt-out.
29. WBAC also presented the Commissioner with a copy of its data protection impact assessment (“DPIA”) for the three categories of message as detailed in paragraph 18 above. Questions asked of WBAC in the DPIA are:
1. Did WBAC obtain individuals’ contact details in the course of a sale or negotiations of a sale?
2. Is the marketing message in respect of WBAC’s same or similar products and services?
3. Were individuals given a simple means to refuse marketing when their details were collected?
4. Have individuals been given a simple means of opting-out in each subsequent message?
WBAC’s response for each of the three types of marketing message was:
“Yes. All messages to the customer are in respect of our service. Customers have the option to update their communication preferences once they have received their 7 day guarantee (which is sent immediately), and all our communications contain an opt-out mechanism.”
30. It appears from WBAC’s response to the DPIA that it failed to comply with Question 3, and in relation to Question 4 it seems WBAC has misunderstood or misinterpreted PECR by providing customers an opportunity to opt out only in messages sent following the initial valuation email. The Commissioner found that because customers were not able to refuse marketing communications at the initial point of collection of their data, WBAC had in fact failed to meet the requirement at Regulation 22(3)(c) of PECR – the ‘soft opt in’.
31. It is noteworthy that upon review of a copy of the unsubscribe journey also provided by WBAC, the available customer contact preference options refer to: all WBAC communications, “service” emails and SMS, and newsletters. It is clear from WBAC’s own interpretation of “service” as provided during the investigation, that it encompassed “the whole business and offering to consumers of WBAC to make offers to purchase used vehicles”. This is an unconventional definition of “service” and at odds with the Commissioner’s definition of “service messages” in her own Direct Marketing Code of Practice, which WBAC acknowledged it had consulted. In this instance the Commissioner considered that customers may misinterpret the options in the communication preferences centre, which would lead to them remaining signed up to receive marketing messages under the misapprehension that they have only chosen to opt in to receive genuine service emails. As such the Commissioner considers that WBAC is unable to satisfy the requirement in Regulation 22(3)(c) relating to provision of a “simple means” of refusal.
32. In conclusion the Commissioner considers that WBAC’s business model is fundamentally flawed in that it is unable to satisfy Regulation 22 in terms of valid consent, nor the requirements of the ‘soft opt-in’ under Regulation 22(3), in order to send unsolicited marketing messages to its customers.
33. Further analysis of complaints data established that in addition to 12 complaints received about emails, 26 SMS messages were reported as SPAM to the 7726 service, and the Commissioner received 4 complaints about SMS directly via her online reporting tool (“OLRT”).
34. Examples of some of the complaints are as follows:
“I’ve tried to unsubscribe twice and I’m still getting emails.”
“Having repeatedly asked them to not send me any more messages, I continue to receive direct marketing”
“I got a quote from we buy any car last summer and since then I have been bombarded with emails from them about the car I received the quote for. I have requested to unsubscribe from their service in full at least 3 to 4 times possibly more, I have lost count. But still I get emails from them - I tend to delete them now but today I decided to try again to remove myself from their service. You never get any confirmation that you've succeeded either.”
“An email asking me if I wanted to sell my car. I have not consented to these emails and they have been sent daily despite me unsubscribing twice.”
“I did use their website to see how much my car is worth, but I did not consent to being hassled via text messages to bring my car to their local site to sell it (in 3 texts so far, and numerous emails also). When I used website to value my car it did not have an opt-out for further marketing or if it did it was not in an obvious visible place. It seems that they are not upfront about hassling people who use their website, the purpose of which seems to be to collect data about people. If there was an opt-out it was not placed where it was easily visible, so I feel deceived.” (compilation of three complaints from the same individual).
35. The Commissioner has made the above findings of fact on the balance of probabilities.
36. The Commissioner has considered whether those facts constitute a contravention of regulation 22 of PECR by WBAC and, if so, whether the conditions of section 55A DPA are satisfied.
The contravention
37. The Commissioner finds that WBAC has contravened Regulation 22 of PECR. The Commissioner finds that the contravention was as follows:
38. Between 7 April 2019 and 7 April 2020 WBAC transmitted 191.4 million emails and 3.6 million SMS (totalling 195 million unsolicited communications) over a public electronic communications network by means of electronic mail to individual subscribers for the purposes of direct marketing contrary to regulation 22 of PECR.
39. Organisations cannot generally send marketing emails or SMS unless the recipient has notified the sender that they consent to such emails being sent by, or at the instigation of, that sender. The Commissioner is satisfied that there was no such consent.
40. An organisation which is reliant upon regulation 22(3) of PECR to send marketing emails and SMS to its customers, as appears to be the case here, must ensure the recipient has been given a simple means of refusing the use of their contact details for the purposes of such direct marketing at the time that the details were initially collected. WBAC failed to do so.
41. The Commissioner is satisfied that WBAC is unable to satisfy Regulation 22 in terms of valid consent, nor the requirements of the ‘soft opt in’ under Regulation 22(3), in order to send unsolicited marketing messages to its customers.
42. The Commissioner is satisfied that WBAC was responsible for this contravention.
43. The Commissioner has gone on to consider whether the conditions under section 55A DPA were met.
Seriousness of the contravention
44. The Commissioner is satisfied that the contravention identified above was serious.
45. This is because WBAC sent 191.4 million marketing emails and 3.6 million marketing SMS messages to individuals without fully satisfying the requirements of the soft opt in, resulting in 42 complaints to the Commissioner, over a period of twelve months.
46. The Commissioner’s guidance in relation to PECR states that “making a large number of marketing calls based on recorded messages or sending large numbers of marketing text messages to individuals who have not consented to receive them […] is likely to constitute a serious contravention of the Regulations”. The situation here is analogous in that substantial numbers of marketing emails and SMS were sent to individuals who had not consented to receive them and had not been provided an opportunity to opt out. WBAC conducted a sustained and long term approach to marketing based upon a flawed soft opt-in mechanism.
47. Upon analysis of the 7726 complaints, 83.3% of complainants chose the option “It made me annoyed and/or anxious” in response to the question “How did this message affect you?”. From this the Commissioner can infer that the unsolicited marketing messages have negatively impacted the recipients.
48. The Commissioner is therefore satisfied that condition (a) from section 55A (1) DPA is met.
Deliberate or foreseeable contravention
49. The Commissioner has considered whether the contravention identified above was deliberate. In the Commissioner’s view, this means that WBAC’s actions which constituted that contravention were deliberate actions (even if WBAC did not actually intend thereby to contravene PECR).
50. The Commissioner considers that WBAC’s actions in failing to include a consent statement at the point of collection of customer’s information was not a deliberate act.
51. Accordingly the Commissioner has gone on to consider whether the contravention identified above was negligent.
52. First, she has considered whether WBAC knew or ought reasonably to have known that there was a risk that this contravention would occur. She is satisfied that this condition is met, given that WBAC is a well-established organisation and its business model relied heavily on direct marketing.
53. WBAC is registered with the ICO as a data controller and as such should be aware of the Regulations. As the sender of the emails and SMS it was the responsibility of WBAC to ensure either valid consent had been obtained prior to their transmission, or all the criteria for the soft opt in had been satisfied.
54. The Commissioner has published detailed guidance for those carrying out direct marketing explaining their legal obligations under PECR. This guidance explains the circumstances under which organisations are able to carry out marketing over the phone, by text, by email, or by fax. The ICO also operates a helpline should organisations require further clarification or assistance with specific enquiries.
55. Furthermore, the issue of unsolicited marketing has been widely publicised by the media as being a problem.
56. WBAC took some steps to ensure compliance by consulting the Commissioner’s guidance and Direct Marketing Code of Practice, and completing a DPIA. This demonstrates some awareness on the part of WBAC as to its statutory obligations.
57. It is therefore reasonable to suppose that WBAC knew or ought reasonably to have known that there was a risk that these contraventions would occur.
58. The Commissioner has also considered whether WBAC failed to take reasonable steps to prevent the contraventions.
59. Reasonable steps could have included seeking and fully implementing appropriate guidance on the rules in relation to electronic direct marketing. Regulation 22 is clear that a data controller must not send direct marketing via electronic means unless it can evidence consent or satisfy all the requirements of the soft opt in.
60. WBAC confirmed that it had consulted the guidance and outlined the requirements of the soft opt in in the DPIA, but have not satisfied its requirements. It has also sought legal advice. Whilst WBAC included information about marketing activity and how an individual can update their preferences in the information presented to customers at the point of inputting their details into the website, it did not allow individuals the opportunity to opt out of marketing at the time their details are collected. Proper review and understanding of Regulation 22 would have made it clear that this option should be presented to individuals at the point of requesting a valuation to ensure compliance.
61. It is also noteworthy that in relation to its contact preference options (see paragraph 31 above) WBAC has acknowledged that its own definition of “service messages” is at odds with general understanding and ICO guidance but has given no indication that it intends to make any changes to its contact preference options. Individuals should be presented with options which clearly distinguish marketing communications from genuine “service” messages so as to avoid customers inadvertently signing up to unwanted direct marketing.
62. The Commissioner is therefore satisfied that condition (b) from section 55A (1) DPA is met.
The Commissioner’s decision to impose a monetary penalty
63. The Commissioner considers there are no aggravating features of this case.
64. The Commissioner has taken into account the following mitigating factors:
• WBAC made some effort towards ensuring compliance with PECR such as consulting the ICO Guidance, seeking legal advice and completing a DPIA, albeit these steps ultimately failed to achieve compliance.
65. For the reasons explained above, the Commissioner is satisfied that the conditions from section 55A(1) DPA have been met in this case. She is also satisfied that the procedural rights under section 55B have been complied with.
66. This has included issuing a Notice of Intent on 26 May 2021, in which the Commissioner set out her preliminary thinking, and invited WBAC to make representations in response.
67. The Commissioner received and has considered Representations from WBAC dated 16 July 2021.
68. The Commissioner is accordingly entitled to issue a monetary penalty in this case.
69. The Commissioner has considered whether, in the circumstances, she should exercise her discretion so as to issue a monetary penalty. She has decided that a monetary penalty is an appropriate and proportionate response to the finding of a serious contravention of Regulation 22 of PECR by WBAC.
70. The Commissioner’s underlying objective in imposing a monetary penalty notice is to promote compliance with PECR. The sending of unsolicited direct marketing emails and SMS is a matter of significant public concern. A monetary penalty in this case should act as a general encouragement towards compliance with the law, or at least as a deterrent against non-compliance, on the part of all persons running businesses currently engaging in these practices. This is an opportunity to reinforce the need for businesses to ensure that they are only contacting consumers who want to receive these emails and SMS.
71. The Commissioner has also considered the likely impact of a monetary penalty on WBAC.
The amount of the penalty
72. Taking into account all of the above, the Commissioner has decided that the amount of the penalty is £200,000 (two hundred thousand pounds).
Conclusion
73. The monetary penalty must be paid to the Commissioner’s office by BACS transfer or cheque by 12 October 2021 at the latest. The monetary penalty is not kept by the Commissioner but will be paid into the Consolidated Fund which is the Government’s general bank account at the Bank of England.
74. If the Commissioner receives full payment of the monetary penalty by 11 October 2021 the Commissioner will reduce the monetary penalty by 20% to £160,000 (one hundred and sixty thousand pounds). However, you should be aware that the early payment discount is not available if you decide to exercise your right of appeal.
75. There is a right of appeal to the First-tier Tribunal (Information Rights) against:
(a) the imposition of the monetary penalty and/or;
(b) the amount of the penalty specified in the monetary penalty notice.
73. Any notice of appeal should be received by the Tribunal within 28 days of the date of this monetary penalty notice.
74. Information about appeals is set out in Annex 1.
75. The Commissioner will not take action to enforce a monetary penalty unless:
• the period specified within the notice within which a monetary penalty must be paid has expired and all or any of the monetary penalty has not been paid;
• all relevant appeals against the monetary penalty notice and any variation of it have either been decided or withdrawn; and
• period for appealing against the monetary penalty and any variation of it has expired.
76. In England, Wales and Northern Ireland, the monetary penalty is recoverable by Order of the County Court or the High Court. In Scotland, the monetary penalty can be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland.
Dated the 13th day of September 2021
Andy Curry
Head of Investigations
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
ANNEX 1
SECTION 55 A-E OF THE DATA PROTECTION ACT 1998
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER
1. Section 55B(5) of the Data Protection Act 1998 gives any person upon whom a monetary penalty notice has been served a right of appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’) against the notice.
2. If you decide to appeal and if the Tribunal considers:-
a) that the notice against which the appeal is brought is not in accordance with the law; or
b) to the extent that the notice involved an exercise of discretion by the Commissioner, that she ought to have exercised her discretion differently,
the Tribunal will allow the appeal or substitute such other decision as could have been made by the Commissioner. In any other case the Tribunal will dismiss the appeal.
3. You may bring an appeal by serving a notice of appeal on the Tribunal at the following address:
General Regulatory Chamber
HM Courts & Tribunals Service
PO Box 9300
Leicester
LE1 8DJ
Telephone: 0203 936 8963
Email: grc@justice.gov.uk
a) The notice of appeal should be sent so it is received by the Tribunal within 28 days of the date of the notice.
b) If your notice of appeal is late the Tribunal will not admit it unless the Tribunal has extended the time for complying with this rule.
4. The notice of appeal should state:-
a) your name and address/name and address of your representative (if any);
b) an address where documents may be sent or delivered to you;
c) the name and address of the Information Commissioner;
d) details of the decision to which the proceedings relate;
e) the result that you are seeking;
f) the grounds on which you rely;
g) you must provide with the notice of appeal a copy of the monetary penalty notice or variation notice;
h) if you have exceeded the time limit mentioned above the notice of appeal must include a request for an extension of time and the reason why the notice of appeal was not provided in time.
5. Before deciding whether or not to appeal you may wish to consult your solicitor or another adviser. At the hearing of an appeal a party may conduct his case himself or may be represented by any person whom he may appoint for that purpose.
6. The statutory provisions concerning appeals to the First-tier Tribunal (Information Rights) are contained in section 55B(5) of, and Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No. 1976 (L.20)).