ICO (UK) - Colour Car Sales Limited

From GDPRhub
ICO (UK) - Colour Car Sales Limited
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 4(11) GDPR
Regulation 2(1) of the Privacy and Electronic Communications (EC Directive) Regulations 2003
Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003
Type: Complaint
Outcome: Upheld
Decided: 24.05.2021
Published: 08.06.2021
Fine: 170000 GBP
Parties: Colour Car Sales Limited
National Case Number/Name: Colour Car Sales Limited
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: Information Commissioner's Office (in EN)
Initial Contributor: n/a

The UK DPA fined a car finance company approximately €198,000 (£170,000) for sending unsolicited direct marketing messages without obtaining valid consent.

English Summary[edit | edit source]

Facts[edit | edit source]

Colour Car Sales Limited (CCSL) is a company acting as a credit intermediary for finance on used cars. It traded under serveral names, including 'immediatecarfinance.co.uk'; 'carfinancetoday.net'; 'achillesuk.com'; and 'taxifinancetoday.com'.

Between 2018 and 2019, the UK DPA (Information Commissioner's Office; ICO) received nearly 200 complaints over unsolicited electronic direct marketing text messages. The ICO started a preliminary investigation and contacted CCSL for further evidence. The letter sent was returned undelivered. The company director was then contacted who provided an alternative contact address.

CCSL confirmed it had sent over 3 million direct marketing messages between 2018 and 2019. CCSL claimed to have gathered consent through an application form with the following statement: "By starting an application you agree that immediatecarfinance may/will pass your details on to a third party lender or broker, and they may wish to contact you by phone, post, SMS or other electronic means". CCSL explained that an opt-out would be possible by calling the CCSL office.

The ICO investigated the privacy notice available and found that the privacy notice stated that marketing communication was only sent where there was consent of a "legitimate business interest"

Following initial cooperation, CCSL did not respond to the ICO any further.

Dispute[edit | edit source]

What classifies as valid consent to send direct marketing messages?

Holding[edit | edit source]

The UK DPA first outlined the definition of consent as defined by Article 4(11) of the GDPR. It also outlined the rules under Regulation 22 PECR which address consent.

Analysing the application form, the ICO considered that there was no specific reference to direct marketing nor purposes of contact from third parties. Additionally, the UK DPA found that there was no method for the individual to send an application without consenting to being contacted, nor any option for them to select who may contact them.

The ICO therefore found CCSL in contravention of Regulation 22 of PECR for instigating unsolicited direct marketing messages. Individuals did not have the option other than agreeing to receiving direct marketing. Consent was therefore not freely given. Similarly, it was not specific as individuals could not select which party they agreed to receive marketing from. Finally, it was not informed (the information provided was too vague).

The ICO found that the "soft opt-in", where organisations can send marketing messages by text and e-mail to individuals whose details had been obtained in the course or negotiation of a sale and in respect of similar products and services, was also not available to CCSL. This is because individuals were not given the opportunity to refuse or opt-out in the first place.

The ICO took into account the seriousness and the deliberate or negligent nature of the infraction, as well as the lack of cooperation by CCSL. It therefore imposed a fine of approximately €198,000 on CCSL.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the English original. Please refer to the English original for more details.

                                                            •

                                                           ICO.
                                                           Information Commissioner's Office


                     DATA PROTECTION    ACT 1998


   SUPERVISORY    POWERS OF THE INFORMATION        COMMISSIONER



                        ENFORCEMENT    NOTICE




To:  Colour Car Sales Limited

Of:  Unit 1 & 2 Mossfield Road, Stoke-on-TrenEngland ST3 SBW

1.   The Information Commissioner ("the Commissioner")has decided to

     issue Colour Car Sales Limited ("CCSL") with an enforcement notice

     under section 40 of the Data Protection Act 1998 ("DPA"). The notice is
     in relation to a serious contravenof Regulation 22 of the Privacy

     and Electronic Communications(EC Directive) Regulations 2003
     ("PECR").



2.   This notice explains the Commissioner's decision.


     Legal framework


3.   CCSL, whose registered office is given above (Companies House

     Registration Number: 10382413) is the organisation stated in this
     notice to have instigated the transmissof unsolicited

     communications  by means of electronic mail to individual subscribers

     for the purposes of direct marketing contrary to regulation 22 of PECR.


4.   Regulation 22 of PECRstates:




                                   1                                                            •


                                                           ICO.
                                                           Information Commissioner's Office
"(1) This  regulation  applies  to   the  transmission   of  unsolicited
     communications    by  means    of  electronic  mail  to  individual

     subscribers.

(2)  Except in the circumstances referred to in paragraph (3), a person

     shall neither transmit, nor instigate the transmission of, unsolicited
     communications   for the purposes of direct marketing by means of

     electronic mail unless the recipient   of the electronic  mail has

     previously notified the sender that he consents for the time being
     to such communications   being sent by, or at the instigation of, the

     sender.

(3)  A person may send or instigate the sending of electronic mail for

     the purposes of direct marketing where-

        (a) that person has obtained the contact details of the recipient
            of that electronic mail in the course of the sale or

            negotiations for the sale of a product or service to that

            recipient;

        (b) the direct marketing is in respect of that person's similar
            products and services only; and

        (c) the recipient has been given a simple means of refusing

            (free of charge except for the costs of the transmission of

            the refusal) the use of his contact details for the purposes
            of such direct marketing, at the time that the details were

            initially collected, and, where he did not initially refuse the

            use of the details, at the time of each subsequent
            communication.

(4)  A subscriber shall not permit his line to be used in contraventioof

     paragraph (2)."





                                2                                                                •

                                                               ICO.
                                                               Information Commissioner's Office

5.    Section 122(5) of the DPA18 defines direct marketing as "the
      communication  (by whatever means) of any advertising material which

      isdirected to particular individuals". This definition also applies for the
      purposes of PECR(see regulation 2(2) PECR& Schedule 19 paragraphs

      430 & 432(6) DPA18).


6.    Priorto 29 March 2019, the European Directive 95/46/EC defined

      'consent' as "any freely given specific and informed indication of his

      wishes by which the data subject signifies his agreement to personal
      data relating to him being processed".


7.    Consent in PECRis now defined, from 29 March 2019, by reference to
      the concept of consent in Regulation 2016/679 ("the GDPR"):

      regulation 8(2) of the Data Protection, Privacy and Electronic

      Communications  (Amendments   etc) (EU Exit) Regulations 2019. Article
      4(11) of the GDPR sets out the following definition: "'consent' of the

      data subject means any freely given, specific, informed and
      unambiguous indication of the data subject's wishes by which he or

      she, by a statement or by a clear affirmative action, signifies

      agreement to the processing of personal data relating to him or her".

8.    Recital 32 of the GDPR materially states that "When the processing has

      multiple purposes, consent should be given for all of them". Recital 42

      materiallyprovides that "For consent to be informed, the data subject
      should be aware at least of the identity of the controllRecital 43

      materially states that "Consent is presumed not to be freely given if it
      does not allow separate consent to be given to different personal data

      processing operations despite it being appropriate in the individual

      case".


9.    "Individual"is defined in regulation 2(1) of PECRas "a living individual
      and includes an unincorporated body of such individuals".

                                     3                                                              •

                                                              ICO.
                                                              Information Commissioner's Office


10.  A "subscriber"is defined in regulation 2(1) of PECRas "a person who is
     a party to a contract with a provider of public electronic

     communications services for the supply of such services".

11.  "Electronic mail' is defined in regulation 2(1) of PECRas "any text,

     voice, sound or image message sent over a public electronic

     communications network which can be stored in the network or in the
     recipient's terminal equipment until it is collected by the recipient and

     includes messages sent using a short message service".


12.  The term "soft opt-in" is used to describe the rule set out in in

     Regulation 22(3) of PECR.In essence, an organisation may be able to
     e-mail its existing customers even if they haven't specifically consented

     to electronic mail. The soft opt-in rule can only be relied upon by the

     organisation that collected the contact details.


13.  The  DPA contains enforcement provisions at Part V which are
     exercisable bythe Commissioner. Those provisions are modified and

     extended  for the purposes of PECRby Schedule 1 PECR.


14.  Section 40(1)(a) of the DPA (as extended and modified by PECR)
     provides that if the Commissioner is satisfied that a person has

     contravened  or is contravening any of the requirementof the

     Regulations, she may serve him with an Enforcement Notice requiring
     him  to take within such time as may be specified in the Notice, or to

     refrain from taking after such time as may be so specified, such steps
     as are so specified.



15.  PECRwere enacted to protect the individual's fundamental right to
     privacy in the electronic communicationssector. PECRwere

     subsequently amended and   strengthened. The Commissioner will

                                    4                                                               •

                                                              ICO.
                                                              Information Commissioner's Office

      interpret PECRin a way which is consistent with the Regulations'
      overall aim of ensuring high levels of protection for individuals' privacy

      rights.


16.  The provisions of the DPA remain in force for the purposes of PECR

      notwithstandingthe introductionof the Data Protection Act 2018 (see
      paragraph 58(1) of Part 9, Schedule 20 of that Act).



     The contravention


17.  The Commissioner finds that CCSL contravened regulation 22 of PECR.


18.  The Commissioner finds that the contravention was as follows:


19.  The Commissioner finds that between 1 October 2018 and 21 January

      2020 there were 274 direct marketing text messages received by
      subscribers which are capable of being evidenced by complaintsThe

      Commissioner finds that CCSL instigated the transmissioof the direct

      marketing messages sent, contrary to regulation 22 of PECR.

20.  The Commissioner is not assisted by CCSL's failure to engage with her

      during this investigatito explain the relationship between CCSL and
                              However she is satisfied that for the purposes

      of the direct marketing messages sent from

     Text Local account, CCSL positively encouraged the sending of those
      messages.  She makes this finding in light of the informatprovided

      by Text Local in response to the Commissioner's 3PIN, and in view of

     the content of the unsolicited direct marketing messages sent which
      resulted in 274 complaints.


21.   CCSL, as the instigator of the direct marketiis required to ensure
     that it is acting in compliance with the requiremenof regulation 22 of

                                     5                                                                •

                                                               ICO.
                                                               Information Commissioner's Office

      PECR,and to ensure that valid consent to send those messages had
      been acquired.


22.   In this instance, individuals applying for finance via one of CCSL's sites

      were given no option but to agree to receive direct marketing from
      CCSL and its unnamed third parties. Indeed, the statement that would

      accompany the applications did not indicate in any manner that the
      individual's personal details would be used for direct marketing

      purposes. Furthermore,  individuals could not specify the type of direct

      marketing that they might be willing to receive, rather they were
      requiredto agree to a suite of contact methods, from an unknown

      number of third parties.

23.   For consent to be valid it is required to be "freely given", by which it

      follows that if consent to marketing is a condition of subscribing to a

      service, the organisation will have to demonstrate how the consent can
      be saidto have been given freely. In this instance, CCSL has failed to

      explain how its consent could be said to be freely given.

24.   Consent is also required to be "specific" as to the type of marketing

      communication  to be received, and the organisation, or specific type of

      organisation, that will be sending it. Again, this requirement does not
      appear to be met in CCSL's case.


25.   Consent will not be "informed"if individuals do not understand what

      they are consenting to. Organisations should therefore always ensure
      that the language used is clear, easy to understand, and not hidden

      away in a privacy policyr small print.Consent will not be valid if
      individuals are asked to agree to receive marketing from "similar

      organisations","partners","selected third parties" or other similar

      generic description.



                                     6                                                              •

                                                             ICO.
                                                             Information Commissioner's Office

26.  The Commissioner is satisfied that CCSL cannot avail itself to the "solt
     opt-in" exemption provided by regulation 22(3) PECR. This exemption

     means  that organisations can send marketing messages by text and e­
     mail to individuals whose details had been obtained in the course or

     negotiation of a sale and in respect of similar products and services.

     The organisation must also give the person a simple opportunity to
     refuse or opt out of the marketing, both when first collecting the details

     and in every message alter that.It is apparent from the sign-up page

     on CCSL's websites that individuals were not provided a simple
     opportunity to refuse or opt out of the marketing, nor were they

     offered an opt-out in the subsequent direct marketing messages that
     they received. The Commissioner therefore finds that CCSL is unable to

     rely on this exemption.


27.  The Commissioner is satisfied that this contravention could have been
     far greater, since there is evidence that a total of 3,650,194 direct

     marketing messages were sent to individuals at the instigation of CCSL
     over the contraventionperiod. However, because of CCSL's lack of

     engagement, and the Communications Service Provider's failure to

     retain such records, it has not been possible to determine the exact
     number of those messages which were received by subscribers. The

     full extent of the contraventiis therefore unknown.


28.  The Commissioner is satisfied fromthe evidence she has seen that
     CCSL did not have the necessary valid consent for the 274 direct

     marketing messages received by subscribers.


29.  The Commissioner has considered,  as she is required to do under

     section 40(2) of the DPA (as extended and modified by PECR)when
     deciding whether to serve an Enforcement Notice, whether any

     contravention has caused or is likely to cause any person damage or
     distress. The Commissioner has decided that it is likely that damage or

                                    7                                                          •

                                                          ICO.
                                                          Information Commissioner's Office
     distress has been caused in this instance, not least because of the

     sheer number of complaints.

30.  In view of the matters referred to above the Commissioner

     hereby gives notice that, in exercise of her powers under
     section 40 of the DPA, she requires CCSL to take the steps

     specified in Annex 1 of this Notice.

     Right of Appeal


31.  There is a right of appeal against this Notice to the First-tier Tribunal
     (InformationRights), part of the General Regulatory Chamber.

     Informationabout appeals is set out in the attached Annex 2.


Dated the 24tday of May 2021

Andy Curry
Head of Investigations
InformationCommissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 SAF


















                                  8                                                      •

                                                     ICO.
                                                     Information Commissioner's Office
ANNEX 1

              TERMS OF THE ENFORCEMENT    NOTICE


CCSL shall within 30 days of the date of this notice:


     • Except in the circumstances referred to in paragraph (3) of
       regulation 22 of PECR, neither trnor instigate the

       transmission of, unsolicited communicfor the purposes of
       direct marketing by means of electronic mail unless the recipient of

       the electronic mail has previously notified CCSL that he clearly and
       specifically consentsthe time being to such communications
       being sent by, or at the instigation of, CCSL.



























                               9                                                            •

                                                            ICO.
                                                            Information Commissioner's Office

ANNEX 2

  RIGHTS  OF APPEAL AGAINST     DECISIONS    OF THE COMMISSIONER



1.   Section 48 of the Data Protection Act 1998 gives any person upon

     whom an enforcement notice has been served a right of appeal to the
      First-tier Tribunal (InformaRights) (the "Tribunalagainst the

      notice.


2.   If you decide to appeal and if the Tribunal considers: -



     a)    that the notice against which the appeal is brought is not in
           accordance with the law; or


      b)   to the extent that the notice involved an exercise of discretion by

           the Commissioner, that she ought to have exercised her

           discretion differently,


     the Tribunal will allow the appeal or substitute such other decision as
     could have been made by the Commissioner.  In any other case the

     Tribunal will dismiss the appeal.


3.   You may bring an appeal by serving a notice of appeal on the Tribunal

     at the following address:


           General Regulatory Chamber
           HM Courts &Tribunals Service
           PO Box 9300
           Leicester
           LEl 8DJ

           Telephone: 0300 123 4504
           Email:     grc@justice.gov.uk


                                   10                                                      •
                                                     ICO.
                                                     Information Commissioner's Office
       •  The notice of appeal should be served on the Tribunal within 28

          days of the date on which the enforcement notice was sent

4.   The statutory provisions concerning appeals to the First-tier Tribunal

     (General Regulatory Chamber) are contained in sections 48 and 49 of,
     and Schedule 6 to, the Data Protection Act 1998, and Tribunal
     Procedure(First-tier Tribunal) (General Regulatory Chamber) Rules

     2009 (StatutoInstrument2009 No. 1976 (L.20)).































                               11