ICO (UK) - Tempcover Ltd
|ICO (UK) - Tempcover Ltd|
|Relevant Law:||Article 4(11) GDPR|
Data Protection Act 1998
Privacy and Electronic Communications (EC Directive) Regulations 2003
|National Case Number/Name:||Tempcover Ltd|
|European Case Law Identifier:||n/a|
|Original Source:||ICO (in EN)|
The UK DPA (ICO) fined Tempcover Ltd £85,000 for sending almost 30,000,000 unsolicited direct marketing messages in violation of Regulation 22 PECR.
English Summary[edit | edit source]
Facts[edit | edit source]
Tempcover Ltd is a company that provides short term motor insurance and is the data controller. Mobile UK is an entity representing the interests of mobile subscribers in the UK. Mobile UK has a Spam Reporting Service, and subscribers can report a spam message by forwarding the spam message to Mobile UK. Mobile UK compiles the spam reports on a monthly basis and provides a report to the ICO.
In May 2020, upon analysing the monthly reports provided by Mobile UK, the ICO ascertained “that between 1 November 2019 and 18 May 2020 there were a total of 13 complaints received from which Tempcover could be identified; of these, 12 were made via the 7726 service, and 1 was made directly to the Commissioner.” Accordingly, the ICO initiated an investigation against Tempcover.
Before the ICO, Tempcover submitted the following:
1. It sent direct marketing text messages and subscribers could see that they were sent by Tempcover.
2. A total of 1905,776 direct marketing text messages were sent between 26 May 2019 and 26 May 2020. However, it had the data only from 26 November 2019 to 26 May 2020 as per its data retention policy.
5. It operates an internal suspension list, which is updated in real-time.
6. It provides Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) training to its staff. Before starting with the SMS campaign, it had conducted a Legitimate Interest Assessment, which had been reviewed by its Data Protection Officer (DPO) and the Marketing Department.
7. Between 26 May 2019 and 26 May 2020, it also sent “29,156,023 emails, and that, of those, 28,822,172 were successfully delivered to a recipient.”
Upon further enquiry, Tempcover submitted that subsequently it had undertaken a host of measures, “amongst which would be a separate button allowing individuals to select their marketing preferences at the point of consent being obtained.”
Holding[edit | edit source]
The ICO concluded as following:
1. Between 26 May 2019 and 26 May 2020, taking into account both text messages and emails, subscribers received 29,970,419 unsolicited direct marketing messages that were sent by Tempcover. These messages were in violation of Regulation 22 PECR.
2. In order to be compliant with PECR, Tempcover should have either held valid consent, or had a soft opt-in mechanism on its website. By failing to provide an opportunity of opting out from direct marketing and making the ‘agreement to marketing a condition of service’, it cannot be said that the consent obtained by Tempcover from the subscribers was “freely given”.
3. The subscribers were automatically enlisted for both email and SMS marketing, without being given an option to specify the medium of their choice. Accordingly, the consent that Tempcover sought to rely upon could was not sufficient and not be considered to be “specific”.
4. As Tempcover did not provide an option to subscribers to refuse to marketing, Tempcover was within the ambit of Regulation 22(3)(c) PECR.
5. "Legitimate Interest" is not a lawful basis under PECR, and there must be a valid consent, or a soft opt-in mechanism.
The above contravention was considered to be serious because of the high number of messages. However, the ICO concluded that Tempcover did not deliberately set out to contravene the PECR. Nevertheless, Tempcover was considered to be negligent as “Tempcover knew or ought reasonably to have known that there were risks inherent in its direct marketing activities given that during the investigation the Commissioner was provided with copies of Tempcover’s own training materials which made specific reference to PECR, and the need for compliance with the legislation.” In addition, the ICO concluded that Tempcover “failed to take reasonable steps to prevent the contraventions.”
The ICO considered the aggravating factor of Tempcover having financial benefit from the messages, and also the mitigating factor of incorporating new mechanisms which allow subscribers to opt out of unsolicited direct marketing at the point which consent is obtained.
Thus, the ICO issued a monetary penalty of £85,000 (eighty-five thousand pounds) against Tempcover.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the English original. Please refer to the English original for more details.