ICO (UK) - Colour Car Sales Limited
|ICO (UK) - Colour Car Sales Limited|
|Relevant Law:||Article 4(11) GDPR|
Regulation 2(1) of the Privacy and Electronic Communications (EC Directive) Regulations 2003
Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003
|Parties:||Colour Car Sales Limited|
|National Case Number/Name:||Colour Car Sales Limited|
|European Case Law Identifier:||n/a|
|Original Source:||Information Commissioner's Office (in EN)|
The UK DPA fined a car finance company approximately €198,000 (£170,000) for sending unsolicited direct marketing messages without obtaining valid consent.
English Summary[edit | edit source]
Facts[edit | edit source]
Colour Car Sales Limited (CCSL) is a company acting as a credit intermediary for finance on used cars. It traded under serveral names, including 'immediatecarfinance.co.uk'; 'carfinancetoday.net'; 'achillesuk.com'; and 'taxifinancetoday.com'.
Between 2018 and 2019, the UK DPA (Information Commissioner's Office; ICO) received nearly 200 complaints over unsolicited electronic direct marketing text messages. The ICO started a preliminary investigation and contacted CCSL for further evidence. The letter sent was returned undelivered. The company director was then contacted who provided an alternative contact address.
CCSL confirmed it had sent over 3 million direct marketing messages between 2018 and 2019. CCSL claimed to have gathered consent through an application form with the following statement: "By starting an application you agree that immediatecarfinance may/will pass your details on to a third party lender or broker, and they may wish to contact you by phone, post, SMS or other electronic means". CCSL explained that an opt-out would be possible by calling the CCSL office.
The ICO investigated the privacy notice available and found that the privacy notice stated that marketing communication was only sent where there was consent of a "legitimate business interest"
Following initial cooperation, CCSL did not respond to the ICO any further.
Dispute[edit | edit source]
What classifies as valid consent to send direct marketing messages?
Holding[edit | edit source]
The UK DPA first outlined the definition of consent as defined by Article 4(11) of the GDPR. It also outlined the rules under Regulation 22 PECR which address consent.
Analysing the application form, the ICO considered that there was no specific reference to direct marketing nor purposes of contact from third parties. Additionally, the UK DPA found that there was no method for the individual to send an application without consenting to being contacted, nor any option for them to select who may contact them.
The ICO therefore found CCSL in contravention of Regulation 22 of PECR for instigating unsolicited direct marketing messages. Individuals did not have the option other than agreeing to receiving direct marketing. Consent was therefore not freely given. Similarly, it was not specific as individuals could not select which party they agreed to receive marketing from. Finally, it was not informed (the information provided was too vague).
The ICO found that the "soft opt-in", where organisations can send marketing messages by text and e-mail to individuals whose details had been obtained in the course or negotiation of a sale and in respect of similar products and services, was also not available to CCSL. This is because individuals were not given the opportunity to refuse or opt-out in the first place.
The ICO took into account the seriousness and the deliberate or negligent nature of the infraction, as well as the lack of cooperation by CCSL. It therefore imposed a fine of approximately €198,000 on CCSL.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the English original. Please refer to the English original for more details.