ICO (UK) - SportsDirect.com Retail Limited: Difference between revisions

From GDPRhub
(Edited short summary into a single sentence for newsletter. Minor typos and formatting issues fixed (e.g. added commas; italicised quotes).)
 
Line 20: Line 20:
|Date_Published=15.09.2021
|Date_Published=15.09.2021
|Year=2021
|Year=2021
|Fine=70000
|Fine=70,000
|Currency=GBP
|Currency=GBP
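Review bot: The new `|Fine=70,000` value puts a thousands separator into what was a bare numeric template parameter, while the neighbouring `|Year=2021` stays unformatted. If the infobox or any listing that aggregates or sorts fines reads this field as a number, the comma may break it. Consider keeping `|Fine=70000` in the template and applying the separator only in the prose summary.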


Line 50: Line 50:
}}
}}


The UK DPA, Information Commissioner's Office, imposed a fine of approximately €82000 on SportsDirect.com Retail Ltd. The sports retailer infringed Regulation 22 of PECR by sending unsolicited marketing emails that was received by just under 2.6 million individuals.
The UK DPA fined SportsDirect.com Retail Ltd approximately €82,000. The sports retailer infringed Regulation 22 of PECR by sending unsolicited marketing emails received by almost 2.6 million individuals.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
SportsDirect.com Retail Limited (hereafter: SportsDirect) is a sports retailer in the UK. It was the subject of various complaints via the UK DPA's,  Information Commissioner's Office (ICO), online reporting tool in relation to unsolicited communications between December 2019 and February 2020. The ICO started an investigation on the basis of these complaints.
SportsDirect.com Retail Limited ('SportsDirect') is a sports retailer in the UK. It was the subject of various complaints via the UK DPA's online reporting tool in relation to unsolicited communications between December 2019 and February 2020. The ICO started an investigation on the basis of these complaints.


SportsDirect outlined that the personal data it used for direct marketing was obtained directly from customers after having given their consent. SportsDirect considered the direct marketing sent to individuals who complained to be a "re-engagement campaign". They claimed that these individuals had opted in to receiving marketing emails (and didn't unsubscribe). The emails sent amounted to a total of 459,882,124 emails, 2,565,513 of which were received as part of the "re-engagement campaign".  
SportsDirect outlined that the personal data it used for direct marketing was obtained directly from customers after having given their consent. SportsDirect considered the direct marketing sent to individuals who complained to be a "''re-engagement campaign''". They claimed that these individuals had opted in to receiving marketing emails (and didn't unsubscribe). The emails sent amounted to a total of 459,882,124 emails, 2,565,513 of which were received as part of the "''re-engagement campaign''".  


SportsDirect claimed to rely on the soft opt-in for 7 of the 12 complainants and stated that it collected consent directly from 3 others. It did not have a record of having sent marketing to 1 complaints and had recently erased the data of another shortly after they complained.  
SportsDirect claimed to rely on a soft opt-in for 7 of the 12 complainants, and stated that it collected consent directly from 3 others. It did not have a record of having sent marketing to 1 complaints and had recently erased the data of another shortly after they complained.  


During the investigation, the ICO uncovered that SportsDirect continued to send messages to customers signed up to a specific scheme even after the scheme had ended. SportsDirect claimed this to be on the basis of legitimate interest for the ex-members of the scheme.  
During the investigation, the ICO uncovered that SportsDirect continued to send messages to customers signed up to a specific scheme even after the scheme had ended. SportsDirect claimed this to be on the basis of legitimate interest for the ex-members of the scheme.  


Throughout the investigation, SportsDirect cited the challenges it faced to gather the information requested by the ICO. The ICO responded that some of the information, such as legal bases should be readily available to data controllers.
Throughout the investigation, SportsDirect cited the challenges it faced to gather the information requested by the ICO. The ICO responded that some of the information, such as legal bases should be readily available to data controllers.
=== Dispute ===
=== Holding ===
=== Holding ===
The Information Commissioner's Office (ICO) held that SportsDirect infringed Regulation 22 of Privacy and Electronic Communications (EC Directive) Regulations 2003 (hereafter PECR). 2,565,513 direct market emails sent by SportsDirect were received by subscribers. However, SportsDirect was unable to demonstrate evidence that they had valid consent to send thes emarekting emails. The ICO did not consider that SportsDirect could rely on the soft opt-in exception under Regulation 22(3) PECR.
The Information Commissioner's Office (ICO) held that SportsDirect infringed Regulation 22 of Privacy and Electronic Communications (EC Directive) Regulations 2003 (hereafter PECR). 2,565,513 direct market emails sent by SportsDirect were received by subscribers. However, SportsDirect was unable to demonstrate evidence that it had valid consent to send these marketing emails. The ICO did not consider that SportsDirect could rely on the soft opt-in exception under Regulation 22(3) PECR.


The ICO determined that the infringement was negligent from SportsDirect as they knew or ought reasonably to have known that they may infringe PECR. The ICO considered the fact that there is a lot of guidance readily available on PECR for organisations. Additionally, it is clear from this guidance that organisations must keep track of when and how consent was given - which SportsDirect had not done. The ICO also mentioned its concern with regards to SportsDirect's privacy policy which states: "... you confirm that you do not and will not consider any of these purposes as a breach of any of your rights under the Privacy and Electronic Communications (EC Directive) Regulations 2003".  
The ICO determined that the infringement was negligent from SportsDirect as they knew or ought reasonably to have known that they may infringe PECR. The ICO considered the fact that there is a lot of guidance readily available on PECR for organisations. Additionally, it is clear from this guidance that organisations must keep track of when and how consent was given - which SportsDirect had not done. The ICO also mentioned its concern with regards to SportsDirect's privacy policy which states: "''you confirm that you do not and will not consider any of these purposes as a breach of any of your rights under the Privacy and Electronic Communications (EC Directive) Regulations 2003''".  


Considering these factors, the ICO imposed a fine of approximately €82000 on SportsDirect
Considering these factors, the ICO imposed a fine of approximately €82,000 (GBP 70,000) on SportsDirect.


== Comment ==
== Comment ==
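Review bot: The revised Facts paragraph on soft opt-in still reads "to 1 complaints", which should be "to 1 complainant", and the revised Holding paragraph keeps "direct market emails" where "direct marketing emails" is meant. The sentence "such as legal bases should be readily available" is also unchanged and lacks a comma after "legal bases". Separately, the rewrite of the first Facts sentence removes the "Information Commissioner's Office (ICO)" expansion, so "The ICO" is now used in Facts before the abbreviation is introduced in Holding; suggest keeping "the UK DPA (Information Commissioner's Office, ICO)" on first mention.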

Latest revision as of 11:56, 21 September 2021

ICO (UK) - SportsDirect.com Retail Limited
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law:
Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003
Regulation 22(3) of the Privacy and Electronic Communications (EC Directive) Regulations 2003
Type: Complaint
Outcome: Upheld
Started:
Decided: 13.09.2021
Published: 15.09.2021
Fine: 70,000 GBP
Parties: SportsDirect.com Retail Limited
National Case Number/Name: SportsDirect.com Retail Limited
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: MH

The UK DPA fined SportsDirect.com Retail Ltd approximately €82,000. The sports retailer infringed Regulation 22 of PECR by sending unsolicited marketing emails received by almost 2.6 million individuals.

English Summary

Facts

SportsDirect.com Retail Limited ('SportsDirect') is a sports retailer in the UK. It was the subject of various complaints via the UK DPA's online reporting tool in relation to unsolicited communications between December 2019 and February 2020. The ICO started an investigation on the basis of these complaints.

SportsDirect outlined that the personal data it used for direct marketing was obtained directly from customers after they had given their consent. SportsDirect considered the direct marketing sent to individuals who complained to be a "re-engagement campaign". It claimed that these individuals had opted in to receiving marketing emails (and had not unsubscribed). The emails sent amounted to a total of 459,882,124 emails, 2,565,513 of which were received as part of the "re-engagement campaign".

SportsDirect claimed to rely on a soft opt-in for 7 of the 12 complainants, and stated that it collected consent directly from 3 others. It did not have a record of having sent marketing to 1 complainant and had erased the data of another shortly after they complained.

During the investigation, the ICO uncovered that SportsDirect continued to send messages to customers signed up to a specific scheme even after the scheme had ended. SportsDirect claimed this to be on the basis of legitimate interest for the ex-members of the scheme.

Throughout the investigation, SportsDirect cited the challenges it faced in gathering the information requested by the ICO. The ICO responded that some of the information, such as legal bases, should be readily available to data controllers.

Holding

The Information Commissioner's Office (ICO) held that SportsDirect infringed Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (hereafter PECR). 2,565,513 direct marketing emails sent by SportsDirect were received by subscribers. However, SportsDirect was unable to provide evidence that it had valid consent to send these marketing emails. The ICO did not consider that SportsDirect could rely on the soft opt-in exception under Regulation 22(3) PECR.

The ICO determined that the infringement was negligent on SportsDirect's part, as it knew or ought reasonably to have known that it might infringe PECR. The ICO took into account that a lot of guidance on PECR is readily available to organisations. Additionally, it is clear from this guidance that organisations must keep track of when and how consent was given, which SportsDirect had not done. The ICO also mentioned its concern with regard to SportsDirect's privacy policy, which states: "you confirm that you do not and will not consider any of these purposes as a breach of any of your rights under the Privacy and Electronic Communications (EC Directive) Regulations 2003".

Considering these factors, the ICO imposed a fine of approximately €82,000 (GBP 70,000) on SportsDirect.

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

                      DATA PROTECTION ACT 1998



   SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER



                      MONETARY PENALTY NOTICE




To:   SportsDirect.com Retail Limited


Of:   Unit A, Brook Park East, Shirebrook NG20 8RY


1.    The Information Commissioner (“the Commissioner”) has decided to
      issue SportsDirect.com Retail Limited (“SportsDirect”) with a monetary

      penalty under section 55A of the Data Protection Act 1998 (“DPA”). The

      penalty is in relation to a serious contravention of Regulation 22 of the

      Privacy and Electronic Communications (EC Directive) Regulations 2003

      (“PECR”).


2.    This notice explains the Commissioner’s decision.



      Legal framework



3.    SportsDirect, whose registered office address is given above
      (Companies House Registration Number: 03406347) is the organisation

      stated in this notice to have transmitted unsolicited communications by

      means of electronic mail to individual subscribers for the purposes of

      direct marketing contrary to regulation 22 of PECR.



4.    Regulation 22 of PECR states:





“(1) This regulation applies to the transmission of unsolicited
     communications by means of electronic mail to individual

     subscribers.


(2) Except in the circumstances referred to in paragraph (3), a person
     shall neither transmit, nor instigate the transmission of, unsolicited

     communications for the purposes of direct marketing by means of

     electronic mail unless the recipient of the electronic mail has

     previously notified the sender that he consents for the time being

     to such communications being sent by, or at the instigation of, the
     sender.


(3) A person may send or instigate the sending of electronic mail for

     the purposes of direct marketing where—

        (a) that person has obtained the contact details of the recipient

            of that electronic mail in the course of the sale or

            negotiations for the sale of a product or service to that
            recipient;


        (b) the direct marketing is in respect of that person’s similar

            products and services only; and

        (c) the recipient has been given a simple means of refusing

            (free of charge except for the costs of the transmission of
            the refusal) the use of his contact details for the purposes

            of such direct marketing, at the time that the details were

            initially collected, and, where he did not initially refuse the

            use of the details, at the time of each subsequent

            communication.

(4) A subscriber shall not permit his line to be used in contravention of

     paragraph (2).”






5.    Section 122(5) of the Data Protection Act 2018 “DPA18” defines direct
      marketing as “the communication (by whatever means) of any

      advertising material which is directed to particular individuals”. This

      definition also applies for the purposes of PECR (see regulation 2(2)

      PECR and paragraphs 430 & 432(6) to Schedule 19 of the DPA18).


6.    Consent in PECR is now defined, from 29 March 2019, by reference to

      the concept of consent in Regulation 2016/679 (“the GDPR”):

      regulation 8(2) of the Data Protection, Privacy and Electronic
      Communications (Amendments etc) (EU Exit) Regulations 2019. Article

      4(11) of the GDPR sets out the following definition: “‘consent’ of the

      data subject means any freely given, specific, informed and

      unambiguous indication of the data subject's wishes by which he or

      she, by a statement or by a clear affirmative action, signifies
      agreement to the processing of personal data relating to him or her”.



7.    Recital 32 of the GDPR materially states that “When the processing has

      multiple purposes, consent should be given for all of them”. Recital 42

      materially provides that “For consent to be informed, the data subject

      should be aware at least of the identity of the controller”. Recital 43
      materially states that “Consent is presumed not to be freely given if it

      does not allow separate consent to be given to different personal data

      processing operations despite it being appropriate in the individual case”.



8.    “Individual” is defined in regulation 2(1) of PECR as “a living individual
      and includes an unincorporated body of such individuals”.


9.    A “subscriber” is defined in regulation 2(1) of PECR as “a person who is

      a party to a contract with a provider of public electronic

      communications services for the supply of such services”.





10.   “Electronic mail” is defined in regulation 2(1) of PECR as “any text,
      voice, sound or image message sent over a public electronic

      communications network which can be stored in the network or in the

      recipient’s terminal equipment until it is collected by the recipient and

      includes messages sent using a short message service”.


11.   The term "soft opt-in" is used to describe the rule set out in

      Regulation 22(3) of PECR. In essence, an organisation may be able to
      e-mail its existing customers even if they haven't specifically consented

      to electronic mail. The soft opt-in rule can only be relied upon by the

      organisation that collected the contact details.



12.   Section 55A of the DPA (as applied to PECR cases by Schedule 1 to

      PECR, as variously amended) states:


      “(1) The Commissioner may serve a person with a monetary penalty if

           the Commissioner is satisfied that –

              (a) there has been a serious contravention of the requirements

                  of the Privacy and Electronic Communications (EC

                  Directive) Regulations 2003 by the person,

              (b) subsection (2) or (3) applies.


      (2) This subsection applies if the contravention was deliberate.

      (3) This subsection applies if the person –

              (a) knew or ought to have known that there was a risk that the

              contravention would occur, but

              (b) failed to take reasonable steps to prevent the

                  contravention.”



13.   The Commissioner has issued statutory guidance under section 55C (1)

      of the DPA about the issuing of monetary penalties that has been

      published on the ICO’s website. The Data Protection (Monetary
      Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe

      that the amount of any penalty determined by the Commissioner must

      not exceed £500,000.



14.   PECR were enacted to protect the individual’s fundamental right to

      privacy in the electronic communications sector. PECR were
      subsequently amended and strengthened. The Commissioner will

      interpret PECR in a way which is consistent with the Regulations’

      overall aim of ensuring high levels of protection for individuals’ privacy

      rights.


15.   The provisions of the DPA remain in force for the purposes of PECR

      notwithstanding the introduction of the DPA18: see paragraph 58(1) of

      Schedule 20 to the DPA18.



      Background to the case



16.   SportsDirect came to the attention of the Commissioner due to
      complaints reported via the ICO’s online reporting tool. The

      Commissioner received twelve complaints about unsolicited

      communications between 21 December 2019 and 16 February 2020.



17.   The Commissioner sent an initial investigation letter to SportsDirect on
      25 February 2020 setting out her concerns regarding SportsDirect’s

      compliance with PECR and asking for, inter alia, the source of its data,

      and evidence of the consent relied on in the course of its direct

      marketing campaign between 21 December 2019 and 16 February

      2020.





18.   SportsDirect provided a response on 13 March 2020. This response
      explained that all data used to engage in its direct marketing is

      obtained directly from customers; and provided details of the ways in

      which it obtained consent to engage in its direct marketing campaigns.

      In relation to the complaints which had been received, SportsDirect

      indicated that these recipients were part of a “re-engagement

      campaign”, and stated:


      “The ecommerce team determined that the data subjects in the aged

      data set had not unsubscribed from receiving email marketing and
      would only send emails with content that provided offers on multi-buy

      products or free delivery/click&collect, along with the usual unsubscribe

      link. This was done with the expectation that data subjects would

      either not engage with the email, choose to unsubscribe from future

      emails or view those offers and emails positively and engage with
      Sports Direct.



      Where a data subject unsubscribed, this would be processed in the

      normal way, and where they did not engage with the emails after a

      reasonable period, the data would be removed from or anonymised

      within the marketing database.


      Having considered the proposed approach and likely impact of the re-

      engagement campaign, the ecommerce team took the decision to run a

      re-engagement campaign with that aged data set with the objectives of

      (1) reducing the amount of data held in the marketing database and

      (2) connecting with customers who had not engaged with Sports Direct
      within the normal engagement criteria.”


19.   SportsDirect explained that "...the Sports Direct ecommerce team

      analysed the Sports Direct marketing database and identified a



      category of data that showed as being opted in to receive email
      marketing but had not been sent any marketing emails.". This category

      of data has been referred to as the ‘aged data / aged dataset’.



20.   Regarding evidence of consent, SportsDirect stated that “none of the

      complainants were recorded as being opted out of marketing emails at

      the time their details were collected and had not unsubscribed to
      marketing emails at the time when the emails were sent”. It also

      provided a simple breakdown of the “lawful basis” relied upon for each

      complainant (i.e. soft opt-in; or consent).



21.   The Commissioner sent further enquiries to SportsDirect on 2 April
      2020, specifically seeking confirmation of the number of emails which

      were sent between 21 December 2019 and 16 February 2020, in

      addition to further information regarding the consent being relied upon

      and the frequency of the direct marketing emails being sent.


22.   SportsDirect requested an extension of two months for its response in

      light of the impact of the COVID-19 pandemic, which the Commissioner

      agreed to.


23.   SportsDirect responded on 12 June 2020 in line with the agreed

      extension period to provide answers to the Commissioner’s most recent

      questions. Within this response it was confirmed that between 21

      December 2019 and 16 February 2020 there were a total of
      459,882,124 emails sent by SportsDirect, with 2,948,865 of those

      relating specifically to the “re-engagement campaign”. SportsDirect

      provided percentages for the number of those sent messages which

      had been received by a subscriber; in relation to the “re-engagement

      campaign” it was explained that 87% were received, which the




      Commissioner calculates equates to 2,565,513 direct marketing
      messages being received over the relevant period.


24.   SportsDirect claimed to rely on the ‘soft opt in’ for seven of the twelve

      complainants, and stated that consent had been obtained from three of

      the twelve complainants directly. In terms of the two remaining

      complainants, SportsDirect claimed that its records did not show any

      messages being sent to one of them; and that the final complainant

      had since requested that their information be removed from its
      systems and so SportsDirect was unable to provide details of the lawful

      basis on which it would have relied to send the message.


25.   The Commissioner took the view that sufficient evidence of valid

      consent had not been provided and sent an email to SportsDirect on 2

      July 2020 to request this. SportsDirect requested an extension for

      providing this information which the Commissioner granted, although it

      was explained to SportsDirect that in the Commissioner’s view such
      evidence should be readily available.


26.   SportsDirect provided its response on 20 July 2020 with purported

      evidence of consent for three of the twelve complainants, specifically

      stating that those individuals had signed up to a ‘local customer benefit

      scheme’ (the “benefit scheme”) at a store outside of the United

      Kingdom on 8 August 2011, 6 October 2012 and 24 April 2014
      respectively. The purpose of the benefit scheme was to allow

      subscribers to “receive their receipts by email, a regular brochure,

      annual vouchers and other offers and promotions”. This scheme

      ceased to operate in 2018.


27.   The Commissioner sent further queries to SportsDirect on 14 August

      2020 to establish why subscribers who signed up to the benefit scheme




      continued to receive messages, and the number of customers who had
      consented to marketing communications in this way.


28.   SportsDirect explained in response that “[f]ollowing cessation of the

      Scheme, the Scheme data set was reviewed and it was decided that (i)

      there was a legitimate interest in members of the Scheme continuing

      to receive general offers and discounts from the business as an

      alternative to the benefits previously made available under the Scheme

      and (ii) it would be prudent to run a data cleanse. This data cleanse
      removed duplicated data, incorrectly formatted email addresses and

      emails identified as ‘spam traps’. This left a data set of around 779,000

      email contacts.


      This reduced data set then received a small number of emails

      immediately following cessation of the Scheme, starting with a

      welcome-style email introducing the type of emails members would

      receive following cessation of the Scheme, unless they unsubscribed.”


29.   The Commissioner asked further questions on 4 September 2020. In
      particular the Commissioner wished to know, inter alia, the specific

      date when the benefit scheme ended; the number of emails sent to,

      and received by, subscribers after the cessation of the scheme; and as

      part of the “re-engagement campaign”, how many subscribers were

      sent messages who had initially consented to marketing emails as part
      of a previous campaign.



30.   In its response, SportsDirect again cited concerns which it had raised

      earlier in the investigation in respect of the challenges it has faced in

      gathering information to respond to some of the Commissioner’s

      queries; i.e. since many of the individuals who were “involved in
      making decisions and administering the databases around the time the

      dataset was cleansed have already long since left the business” [and]


      “most files and communications created during their employment on
      local drives have long since been deleted in accordance with standard

      retention procedures”.



31.   SportsDirect therefore sought to provide its “best estimate” of the

      dates in connection with the cessation of the benefit scheme, stating
      that it ceased to operate “in around January 2018”, and that

      throughout January and February 2018 the data cleanse took place,

      leaving “around 779,000 email contacts”. This dataset was then sent a

      “welcome-style email” although the content of this could not be

      determined. Those who “engaged” with the “welcome-style email”

      were added to the “main email marketing dataset”.


32.   In relation to the “re-engagement campaign” (also referred to by
      SportsDirect as the “Christmas 2019 Email Campaign”), SportsDirect

      stated: “one of the objectives of the Christmas 2019 Email Campaign

      was to cleanse the marketing database. This cleanse began in the week

      commencing 13 January 2020. This means that the business is not able

      to retrieve data deleted at that time and is unable to re-create that
      segmentation to provide [the Commissioner] with specific details

      around how many individuals initially consented to marketing emails as

      part of a previous campaign or scheme. The business used legitimate

      interests as the basis on which to send the Christmas 2019 Email

      Campaign.


      For the reasons described above, it is no longer possible for us to

      retrieve the distribution list used in the Christmas 2019 Email

      Campaign and then separate out individuals who were initially opted in

      through being a member of the Scheme”






33.   The Commissioner sent an ‘end of investigation’ email to SportsDirect
      on 21 October 2020, although it was invited to provide any further

      “relevant evidence, or information regarding [its] policies, procedures

      and training programmes”. SportsDirect responded on 2 November

      2020 with a summary of its position, and information in respect of the

      number of individuals who may have received an email as part of the

      “re-engagement campaign”, specifically stating that it: “understand[s]
      that the volume of emails sent as part of the Christmas 2019 Campaign

      was approximately 2.9 million. [It] cannot quantify the total number of

      data subjects emailed as part of this campaign due to the absence of

      historic communications due to strict data deletion […]. […] the data

      subjects would have included individuals who had been members of the
      [Loyalty Scheme operating outside of the UK], but there would also

      have been other recipients”. Whilst SportsDirect were unable to

      confirm the precise number of individuals which it had emailed, its

      confirmation that “approximately 2.9 million” messages were sent

      accorded with the precise figures which it had provided on 12 June

      2020 where it was stated that there had been 2,948,865 direct
      marketing messages sent relating specifically to the “re-engagement

      campaign”, with 87% being received.



34.   The Commissioner has made the above findings of fact on the

      balance of probabilities.


35.   The Commissioner has considered whether those facts constitute

      a contravention of regulation 22 of PECR by SportsDirect and, if so,

      whether the conditions of section 55A DPA are satisfied.


      The contravention






36.   The Commissioner finds that SportsDirect contravened regulation 22 of
      PECR.



37.   The Commissioner finds that the contravention was as follows:



38.   The Commissioner finds that between 21 December 2019 and 16

      February 2020 there were 2,565,513 direct marketing emails received
      by subscribers. The Commissioner finds that SportsDirect transmitted

      those direct marketing messages, contrary to regulation 22 of PECR.


39.   SportsDirect, as the sender of the direct marketing, is required to

      ensure that it is acting in compliance with the requirements of

      regulation 22 of PECR, and to ensure that valid consent to send those

      messages had been acquired.


40.   SportsDirect has been unable to provide evidence of consent for the
      messages sent over the period of 21 December 2019 and 16 February

      2020.


41.   In this instance, in relation to the 2,565,513 direct marketing emails

      stated by SportsDirect on 12 June 2020 to have been received by

      subscribers over the relevant period, SportsDirect has been unable to

      provide evidence of valid consent. Indeed it is stated that it is no
      longer possible for SportsDirect to “retrieve the distribution list used in

      the Christmas 2019 Email Campaign”. In the circumstances the

      Commissioner is not satisfied that SportsDirect can avail itself to the

      soft opt-in exception provided at regulation 22(3) PECR.


42.   The Commissioner has gone on to consider whether the conditions

      under section 55A DPA are met.






      Seriousness of the contravention


43.   The Commissioner is satisfied that the contravention identified

      above was serious. This is because between 21 December 2019 and 16

      February 2020, a total of 2,565,513 direct marketing messages were

      received by subscribers having been sent by SportsDirect. These

      messages, which were sent as part of a “re-engagement campaign”,
      contained direct marketing material for which subscribers had not

      provided valid consent. Furthermore, since SportsDirect is now unable

      to retrieve the distribution list and is therefore unable to evidence

      how/when details were purportedly obtained, the Commissioner is

      satisfied that SportsDirect is unable to rely on the soft opt-in
      exemption.



44.   The Commissioner is therefore satisfied that condition (a) from

      section 55A(1) DPA is met.


      Deliberate or negligent contraventions



45.   The Commissioner has considered whether the contravention identified

      above was deliberate.



46.   The Commissioner does not consider that SportsDirect deliberately set
      out to contravene PECR in this instance.



47.   The Commissioner has gone on to consider whether the contravention

      identified above was negligent. This consideration comprises two

      elements:


48.   Firstly, she has considered whether SportsDirect knew or ought

      reasonably to have known that there was a risk that these


      contraventions would occur. This is not a high bar and she is satisfied
      that this condition is met.



49.   The Commissioner has published detailed guidance for those carrying

      out direct marketing explaining their legal obligations under PECR.

      This guidance gives clear advice regarding the requirements of consent

      for direct marketing and explains the circumstances under which
      organisations are able to carry out marketing over the phone, by text,

      by email, by post, or by fax. In particular it states that organisations

      can generally only send, or instigate, marketing messages to

      individuals if that person has specifically consented to receiving them.

      The guidance also provides a full explanation of the “soft opt-in”
      exemption and states that organisations “should […] make sure that

      they keep clear records of exactly what someone has consented to. In

      particular, they should record the date of consent, the method of

      consent, who obtained consent, and exactly what information was

      provided to the person consenting”. SportsDirect has been unable to

      do this.

50.   The Commissioner has published detailed guidance on consent under

      the GDPR. In case organisations remain unclear on their obligations,

      the ICO operates a telephone helpline. ICO communications about

      previous enforcement action where businesses have not complied with

      PECR are also readily available.


51.   It is therefore reasonable to suppose that SportsDirect should have
      been aware of its responsibilities in this area.



52.   Secondly, the Commissioner has gone on to consider whether
      SportsDirect failed to take reasonable steps to prevent the

      contraventions. Again, she is satisfied that this condition is met.




53.   The Commissioner takes the view that any person wishing to engage in
      direct marketing by electronic mail could and should – particularly

      since the coming into effect of the GDPR – have ensured that all of

      their consent capture mechanisms properly enabled consent to be

      separately given or withheld for direct marketing communications, and

      that such consent was retained. At the outset of the investigation the

      Commissioner raised concerns with SportsDirect’s privacy policy which
      stated: “You acknowledge that you do not object to us and third parties

      identified below, including our Third Party Advertisers, using your

      personal information for any of the purposes outlined in this privacy

      policy and you confirm that you do not and will not consider any of

      these purposes as a breach of any of your rights under the Privacy and
      Electronic Communications (EC Directive) Regulations 2003” (emphasis

      added). SportsDirect has since amended the wording of its Privacy

      Policy.


54.   The Commissioner takes the view that SportsDirect could legitimately

      have sought advice either from the Commissioner or from a legal

      advisor in relation to the basis on which it proposed to send its
      unsolicited direct marketing to an aged dataset but failed to do so.

      This is particularly egregious given that the purpose of SportsDirect’s

      “re-engagement campaign” was to contact individuals with whom it

      had not “connected” with for some time.


55.   In the circumstances, the Commissioner is satisfied that SportsDirect

      failed to take reasonable steps to prevent the contraventions.


56.   The Commissioner is therefore satisfied that condition (b) from section

      55A (1) DPA is met.



      The Commissioner’s decision to issue a monetary penalty



57.   The Commissioner has taken into account the following
      aggravating feature of this case:



   •  The Commissioner is concerned about SportsDirect’s failure to maintain

      satisfactory internal consent records.



58.   The Commissioner has taken into account the following mitigating
      feature of this case:



    •  The Commissioner is mindful that SportsDirect has taken a number of

       steps to improve its compliance with data protection legislation,

       specifically it has carried out an exercise to reduce the amount of data
       in its database; it has reconsidered the frequency of emails which will

       be sent to individuals; and will introduce a new cleansing system. It

       is noted that it has also updated its privacy policy in line with the

       Commissioner’s guidance.



59.   For the reasons explained above, the Commissioner is satisfied that the
      conditions from section 55A (1) DPA have been met in this case. She is

      also satisfied that the procedural rights under section 55B have been

      complied with.



60.   The latter has included the issuing of a Notice of Intent, in which the
      Commissioner set out her preliminary thinking. In reaching her final

      view, the Commissioner has taken into account the representations

      made by SportsDirect on this matter.



61.   The Commissioner is accordingly entitled to issue a monetary penalty

      in this case.





62.   The Commissioner has considered whether, in the circumstances, she
      should exercise her discretion so as to issue a monetary penalty.



63.   The Commissioner has considered the likely impact of a monetary

      penalty on SportsDirect. She has decided on the information that is

      available to her, that SportsDirect has access to sufficient financial
      resources to pay the proposed monetary penalty without causing

      undue financial hardship.



64.   The Commissioner’s underlying objective in imposing a monetary

      penalty notice is to promote compliance with PECR. The sending of

      unsolicited direct marketing messages is a matter of significant public
      concern. A monetary penalty in this case should act as a general

      encouragement towards compliance with the law, or at least as a

      deterrent against non-compliance, on the part of all persons running

      businesses currently engaging in these practices. The issuing of a

      monetary penalty will reinforce the need for businesses to ensure that
      they are only messaging those who specifically consent to receive

      direct marketing.


65.   For these reasons, the Commissioner has decided to issue a monetary

      penalty in this case.



      The amount of the penalty


66.   Taking into account all of the above, the Commissioner has decided

      that a penalty in the sum of £70,000 (seventy thousand pounds) is
      reasonable and proportionate given the particular facts of the case and

      the underlying objective in imposing the penalty.



      Conclusion



67.   The monetary penalty must be paid to the Commissioner’s office by
      BACS transfer or cheque by 14 October 2021 at the latest. The

      monetary penalty is not kept by the Commissioner but will be paid into

      the Consolidated Fund which is the Government’s general bank account

      at the Bank of England.



68.   If the Commissioner receives full payment of the monetary penalty by
      13 October 2021 the Commissioner will reduce the monetary penalty

      by 20% to £56,000 (fifty-six thousand pounds). However, you

      should be aware that the early payment discount is not available if you

      decide to exercise your right of appeal.


69.   There is a right of appeal to the First-tier Tribunal (Information Rights)

      against:



            (a) the imposition of the monetary penalty

                and/or;

            (b) the amount of the penalty specified in the monetary penalty
               notice.



70.   Any notice of appeal should be received by the Tribunal within 28 days

      of the date of this monetary penalty notice.


71.   Information about appeals is set out in Annex 1.



72.   The Commissioner will not take action to enforce a monetary penalty

      unless:



         • the period specified within the notice within which a monetary
            penalty must be paid has expired and all or any of the monetary

            penalty has not been paid;


         • all relevant appeals against the monetary penalty notice and any

            variation of it have either been decided or withdrawn; and

         • the period for appealing against the monetary penalty and any

            variation of it has expired.




73.   In England, Wales and Northern Ireland, the monetary penalty is
      recoverable by Order of the County Court or the High Court. In

      Scotland, the monetary penalty can be enforced in the same manner as

      an extract registered decree arbitral bearing a warrant for execution

      issued by the sheriff court of any sheriffdom in Scotland.


Dated the 13th day of September 2021

Andy Curry

Head of Investigations
Information Commissioner’s Office
Wycliffe House
Water Lane

Wilmslow
Cheshire
SK9 5AF
























ANNEX 1


         SECTION 55 A-E OF THE DATA PROTECTION ACT 1998



  RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER



      1.    Section 55B(5) of the Data Protection Act 1998 gives any person
      upon whom a monetary penalty notice has been served a right of

      appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’)

      against the notice.



      2.    If you decide to appeal and if the Tribunal considers:-


            a)    that the notice against which the appeal is brought is not in

            accordance with the law; or



            b)    to the extent that the notice involved an exercise of

            discretion by the Commissioner, that she ought to have exercised
            her discretion differently,



      the Tribunal will allow the appeal or substitute such other decision as

      could have been made by the Commissioner. In any other case the

      Tribunal will dismiss the appeal.


      3.    You may bring an appeal by serving a notice of appeal on the

      Tribunal at the following address:



                  General Regulatory Chamber
                  HM Courts & Tribunals Service
                  PO Box 9300
                  Leicester

                  LE1 8DJ


      Telephone: 0203 936 8963
      Email:      grc@justice.gov.uk


      a)    The notice of appeal should be sent so it is received by the

      Tribunal within 28 days of the date of the notice.


      b)    If your notice of appeal is late the Tribunal will not admit it

      unless the Tribunal has extended the time for complying with this

      rule.



4.    The notice of appeal should state:-


      a)    your name and address/name and address of your

      representative (if any);



      b)     an address where documents may be sent or delivered to

      you;


      c)    the name and address of the Information Commissioner;



      d)    details of the decision to which the proceedings relate;


      e)    the result that you are seeking;



      f)    the grounds on which you rely;



      g)    you must provide with the notice of appeal a copy of the

      monetary penalty notice or variation notice;


      h)    if you have exceeded the time limit mentioned above the

      notice of appeal must include a request for an extension of time



      and the reason why the notice of appeal was not provided in
      time.



5.    Before deciding whether or not to appeal you may wish to consult

your solicitor or another adviser. At the hearing of an appeal a party

may conduct his case himself or may be represented by any person

whom he may appoint for that purpose.


6.    The statutory provisions concerning appeals to the First-tier

Tribunal (Information Rights) are contained in section 55B(5) of, and

Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure

(First-tier Tribunal) (General Regulatory Chamber) Rules 2009
(Statutory Instrument 2009 No. 1976 (L.20)).


































