ICO (UK) - The Money Hive Limited

From GDPRhub
ICO (UK) - The Money Hive Limited
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 4(11) GDPR
Data Protection Act 1998
Privacy and Electronic Communications (EC Directive) Regulations 2003
Type: Investigation
Outcome: Violation Found
Started: 09.09.2020
Decided: 14.02.2022
Published: 17.02.2022
Fine: 50,000 GBP
Parties: The Money Hive Limited
National Case Number/Name: The Money Hive Limited
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: gauravpathak

The UK DPA issued a €60,000 (GBP 50,000) fine against a loan broker for making unsolicited direct marketing text messages in violation of provision 22 of the UK Privacy and Electronic Communications (EC Directive) Regulations 2003.

English Summary

Facts

The Money Hive Limited (TMHL) is a company that calls itself "a short term loan lender and broker for other lenders and financial service providers". Mobile UK is an entity representing the interests of mobile subscribers in the UK. Mobile UK has a Spam Reporting Service, and subscribers can report a spam message by forwarding the spam message to Mobile UK.

In September 2020, numerous unsolicited text messages by Money Hive were reported. The Investigating Officer ascertained nine separate message scripts promoting high-interest payday loans. The messages contained links to websites operated by TMHL and were sent to people who had “previously applied online for a loan with a TMHL-operated website” but had left the process midway to due to any reason.

In response to the ICO’s letter seeking information and documentation about consent provided by the subscribers, TMHL stated the following:

• It had used the services of two platform providers to send the messages.

• Between 1 January 2020 to 8 September 2020, a total of 752,425 text messages were received by subscribers.

• TMHL divided consent into two categories: “a) Individuals consent to being notified of their loan application results via SMS; and b) individuals consent to future marketing from it and "select 3rd parties" via separate tick boxes.” It added that "a very small number of customers might not realise that the messages are direct responses to their loan application and consider them to be marketing texts".

The ICO considered the 'customer journey' documents provided by TMHL and noticed two opt-in statements. Opt-in 1 was accessible after a customer had clicked 'apply now' on the respective website and had entered their contact details. It had the following text, followed by three separate optional tick boxes for email/SMS/phone:

"LoanPig and our 3rd party partners would like to stay in touch with you via email and sms to send you reminders and occasional relevant offers, please tick below if you wish to receive this[. .. ]"

Opt-in 2 had three checkboxes in which the first two checkboxes relating to subscribers being “contacted by SMS, email or telephone by Loanpig (TMHL) and its "third party partners"” and their agreement to Terms & Conditions and Privacy Policy were mandatory.

TMHL’s Privacy Policy stated that if a customer’s application “"does not meet [TMHL's] underwriting criteria, we may pass your details to a broker who may be able to offer you a loan or financial service from their panel of lenders and financial service providers"”. It also provided a list of brokers and further stated, “"[a]s part of the application process some lenders and financial service partners may take up to 24 hrs to respond by sms, email, or phone, so you may receive product offers from them within that period [... ]. To provide the best service possible during your application, we may send you, by sms or email, relevant alternative or complimentary products within the 24h application period".”

The ICO noticed that many of the brokers listed in TMHL’s Privacy Policy were in the business of lead generation services/affiliate network services.

Before the ICO, TMHL gave evidence of subscribers having opted out of its messaging texts. It also explained the working of its messaging system and the number of messages being sent. On the aspect of messages containing links to third parties, TMHL stated that “they use alternative brokers to obtain a loan for their customers stating: "[t]his isn't promoting 3rd party websites and we are only paid a commission when the customer gets a loan, not for each lead sent for example so we consider this the same as sending a customer to an alternative lender's website where they may obtain a loan. To confirm, we do not receive any commission if the consumer does not apply online or find a product, so this is not marketing".” In addition, TMHL submitted to the ICO a “'Legitimate Interest Assessment' document in relation to these messages, which explained that their purpose was to provide an alternative short-term loan [through an alternative broker] when the individual's application to TMHL directly was unsuccessful.”

TMHL informed the ICO that they had started sending these messages from 12 March 2020. TMHL stated that it conducted regular due diligence, but it was on a face to face basis and there was no documentary record of the same.

Holding

The ICO concluded as following:

1. TMHL contravened Regulation 22 PECR by sending 752,425 unsolicited direct marketing text messages that were received by subscribers.

2. TMHL’s marketing was not solicited as “in order to proceed with the online application, individuals had no choice but to agree to receive an undefined number of contacts via text, email and telephone from TMHL and its third-party partners.” The same is also evident from the high number of complaints received regarding TMHL’s messages.

3. Messages sent by TMHL were direct messages and not service messages as the messages “advertised the availability of loan products from both TMHL and third-party providers [and] can be appropriately defined as falling within the definition of direct marketing as prescribed by Section 122(5) DPA18.”

4. A valid consent needs to be “freely given” and the organisation will have to demonstrate how “the consent can be said to have been given freely.” This was not the case with TMHL as it “did provide a separate set of optional opt-in boxes for individuals who might wish to agree to marketing in the future.”

5. No specific consent was present in this case as individuals “were not able to select the method by which they may wish to receive direct marketing, with agreement to being potentially contacted by text message, email and/or telephone, being a requirement.”

6. “Consent will not be "informed" if individuals do not understand what they are consenting to.” Consent will not be valid if “if individuals are asked to agree to receive marketing from "similar organisations", "partners", "selected third parties" or other similar generic description.” Moreover, “subscribers were denied the chance to select which, if any, of the potential third-parties it might wish to receive marketing messages about.”

7. TMHL could not rely on soft opt-in exemption under the PECR as “individuals were unable to opt out of receiving these particular direct marketing messages at the point at which their details were taken, since agreement to receipt of these messages was a condition of service.”

The contravention by TMHL was considered to be serious due to the high number of messages resulting in a total of 1,360 complaints. However, the contravention was not considered to be deliberate. Nevertheless, the ICO found TMHL to be negligent as it did not take “thorough steps to understand and implement marketing procedures that are compliant with the legislation.”

Thus, the ICO fined TMHL €60,000 (£50,000) for making unsolicited direct marketing text messages in violation of Regulation 22 PECR.


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

                                                           •

                                                           ICO.
                                                           Information Commissioner's Office


                    DATA PROTECTION     ACT 1998


   SUPERVISORY    POWERS OF THE INFORMATION       COMMISSIONER



                    MONETARY    PENALTY NOTICE




To:  The Money Hive Limited

Of:  Britannic House
     657 Liverpool Road
     Irlam
     Lancashire
     M44  SXD


1.   The InformationCommissioner ("the Commissioner") has decided to
     issue The Money Hive Limited ("TMHL") with a monetary penalty under

     section SSA of the Data Protection Act 1998 ("DPA"). The penalty is in
     relation to a serious contraventof Regulation 22 of the Privacy and

     Electronic Communications(EC Directive) Regulations 2003 ("PECR").


2.   This notice explains the Commissioner's decision.



     Legal framework


3.   TMHL, whose registered office address is given above (Companies
     House Registration Number: 09932988) is the organisation stated in

     this notice to have transmitunsolicited communicationsby means

     of electronic mail to individual subscribers for the purposes of direct
     marketing contrary to regulation 22 of PECR.


4.   Regulation 22 of PECRstates:


                                   1,                                                                  •


                                                                  ICO.
                                                                  Information Commissioner's Office


      "(1) This  regulation  applies   to  the  transmission   of  unsolicited
          communications     by  means    of  electronic  mail  to   individual

          subscribers.

      (2) Except in the circumstances referred to in paragraph (3), a person
          shall neither transmit, nor instigate the transmission of, unsolicited

          communications    for the purposes of direct marketing by means of

          electronic  mail unless the recipient   of the electronic  mail has
          previously notified the sender that he consents for the time being

           to such communications   being sent by, or at the instigation of, the

          sender.
      (3) A person may send or instigate the sending of electronic mail for

           the purposes of direct marketing where-

              (a) that person has obtained the contact details of the recipient
                  of that electronic mail in the course of the sale or

                  negotiations for the sale of a product or service to that
                  recipient;

              (b) the direct marketing is in respect of that person's similar

                  products and services only; and
              (c) the recipient has been given a simple means of refusing

                  (free of charge except for the costs of the transmission of

                  the refusal) the use of his contact details for the purposes
                  of such direct marketing, at the time that the details were

                  initially collected, and, where he did not initially refuse the

                  use of the details, at the time of each subsequent
                  communication.

      (4) A subscriber shall not permit his line to be used in contraventionof

          paragraph (2)."


5.    Section 122(5) of the Data Protection Act 2018 ("DPA18") defines

      direct marketing as "the communication   (by whatever means) of

                                      2,                                                               •

                                                              ICO.
                                                               Information Commissioner's Office

      advertising or marketing material which is directed to particular
      individuals". This definition also applies for the purposes of PECR(see

      regulation 2(2) PECRand paragraphs 430 & 432(6) to Schedule 19 of
      the DPA18).



6.    At the time of the alleged contraventioPECRwas defined by
      reference to the concept of consent in Regulation 2016/679 ("the

      GDPR"): regulation 8(2) of the Data Protection, Privacy and Electronic

      Communications  (Amendments   etc) (EU Exit) Regulations 2019. Article
      4(11) of the GDPR set out the following definiti"'consent' of the

      data subject means any freely given, specific, informed and
      unambiguous indication of the data subject's wishes by which he or

      she, by a statement or by a clear affirmative action, signifies

      agreement to the processing of personal data relating to him or her".


7.    Recital 32 of the GDPR materiallstates that "When the processing has
      multiple purposes, consent should be given for all of them". Recital 42

      materiallyprovides that "For consent to be informed, the data subject

      should be aware at least of the identity of the controller"Recital 43
      materiallystates that "Consent is presumed not to be freely given if it

      does not allow separate consent to be given to different personal data
     processing operations despite it being appropriate in the individual case".



8.   "Individual"is defined in regulation 2(1) of PECRas "a living individual
      and includes an unincorporatedbody of such individuals".


9.    A "subscriber"is defined in regulation 2(1) of PECRas "a person who is

      a party to a contract with a provider of public electronic

      communications services for the supply of such services".




                                     3,                                                               •

                                                              ICO.
                                                              Information Commissioner's Office

10.  "Electronic mail" is defined in regulation 2(1) of PECRas "any text,
      voice, sound or image message sent over a public electronic

     communications   network which can be stored in the network or in the
     recipient's terminal equipment until it is collected by the recipient and

     includes messages sent using a short message service".


11.  The  term "soft opt-in" is used to describe the rule set out in in

      Regulation 22(3) of PECR.In essence, an organisation may be able to
     e-mail its existing customers even if they haven't specifically consented

     to electronic mail. The soft opt-in rule can only be relied upon by the

      organisation that collected the contact details.


12.  Section SSA of the DPA (as applied to PECRcases by Schedule 1 to
      PECR,as variously amended) states:



      "(1)The Commissioner may serve a person with a monetary penalty if
          the Commissioner is satisfied that -

             (a) there has been a serious contraventionof the requirements

                 of the Privacy and Electronic Communications (EC
                 Directive) Regulations 2003 by the person,

             (b) subsection (2) or (3) applies.
     (2)  This subsection applies if the contraventiwas deliberate.

     (3)  This subsection applies if the person -

             (a) knew or ought to have known that there was a risk that the
             contravention would occur, but

             (b) failed to take reasonable steps to prevent the
                 contravention."



13.  The Commissioner has issued statutory guidance under section SSC(1)
      of the DPA about the issuing of monetary penalties that has been

      published onthe ICO's website. The Data Protection (Monetary

                                     4,                                                             •

                                                            ICO.
                                                            Information Commissioner's Office

     Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe
     that the amount of any penalty determined by the Commissioner must

     not exceed £500,000.


14.  PECRwere enacted to protect the individual's fundamentaright to
     privacy in the electronic communicationsector. PECRwere

     subsequently amended and strengthened.  The Commissioner will

     interpret PECRin a way which is consistent with the Regulations'
     overall aimof ensuring high levels of protection for individuals' privacy

     rights.


15.  The provisions of the DPA remain in force for the purposes of PECR

     notwithstanding the introductioof the DPA18: see paragraph 58(1) of
     Schedule 20 to the DPA18.


     Background to the case


16.  Mobile users can report the receipt of unsolicited marketing text

     messages to the Mobile UK's Spam Reporting Service by forwarding the

     message to 7726 (spelling out "SPAM"). Mobile UK is an organisation
     that represents the interests of mobile operators in the UK. The

     Commissioner is provided with access to the data on complaints made
     to the 7726 service and this data is incorporated into a Monthly Threat

     Assessment (MTA) used to ascertain organisations in breach of PECR.


17.  The organisation first came to the attention of the ICO in September

     2020, when large volumes of unsolicited text messages were reported
     via the 7726 tool. The InvestigatiOfficer analysed the complaints

     submitted and established that nine separate message scripts were
     sent promoting high interest payday loans.



                                   5,                                                                •


                                                               ICO.
                                                               Information Commissioner's Office
18.   The messages contained unique hyperlinks to one of the following
      websites: www.loanpig.co.uk, www.bingoloans.co.uk  and

      www.pmloans.co.uk,  which are trading styles of TMHL. When clicked

      on, the respective webpage would open and would generate a 'loading'
      bar which would ask the individual to wait while it gathered results,

      and the individual would then be presented with a loan offeItis

      understood that these messages were sent to individuals who had
      previously applied onlineor a loan with a TMHL-operated website. The

      purpose of these messages was to redirect the applicant to the relevant
      website when they had, for whatever reason, failed to proceed with the

      loan offer presented whilst on the website.


19.   One of TMHL's websites, www.loanpig.co.uk, states they offer "a

      straight-forward,transparent 100% online solution for you to get a

      responsibleshort term loan." The two other named sites, in addition to
      TMHL's lending portal site (www.themoneyhive.co.uk), contained

      materially similar text, with the consistent suggestion that the

      application would be online-only.


20.   On 9 September 2020, an initial investigation letter, along with a

      spreadsheet of complaints, was sent to TMHL. The letter outlined the
      Commissioner's concerns with TMHL's PECRcompliance, and asked a

      number of questions in relation to its direct marketing practices
      between 1 January 2020 and 8 September 2020, in addition to

      requesting evidence of consent for the complaints received.


21.   TMHL responded on 24 September 2020 and provided details of the

      customer journey undertaken when data is obtained, using a separate

      document to demonstrate a walkthrough of an application via one of its
      sitesIt also provided copies of its privacy policies, data processing

      agreements, communications   policy and a spreadsheet detailing the

                                     6,                                                                •


                                                                ICO.
                                                                Information Commissioner's Office
      consent evidence to show when an individual had applied for a loan via

      one of its sites. It was confirmed that no data is purchased from third
      parties. At this point, TMHL described itself as "a short term loan lender

      and broker for other lenders and financial service providers".


22.   TMHL explained that its text messages were transmitted using two

      platform providers:                  and                     who

      facilitated the sending of messages between 1 January 2020 to 8
      September 2020  1.During this period, 661,012 messages were sent via

                        Of those,616,824 were received by individuals.

      Whilst 146,370 messages were sent via                      with
      135,601 of those messages being received by individuals. This

      suggests that a total of 752,425 text messages were received by

      subscribers.


23.   The message scripts used by TMHL were provided, with some examples
      being as follows:



      -  <Name> your <loan amount>     fast track loan application results are
         ready. Click: www.tmhl.uk/XX  Optout: STOP to 07491163044



      -  <Name> your <loan amount>     fast track application is ready. Click:
         www.tmhl.uk/XX   Rep 1261% APR Optout: STOP to 07491163044



      -  <Name> we've found lenders for your <loan amount>     loan app.
        Just 1 Click to review results: www.tmhl.uk/XX Optout: STOP to

         07491163044






1TMHL confirmed in later correspondence that text messages were sent from mid-March 2020.

                                     7,                                                                •


                                                                ICO.
                                                                Information Commissioner's Office
24.   In response to the Commissioner's enquiry as to how TMHL ensures
      consent for marketing had been obtained from individuals, TMHL stated

      that "consent is split into two categoriea) Individuals consent to

      being notified of their loan application results via SMS; and b)
      individuals consentto future marketing from it and "select 3parties"

      via separate tick boxes.


25.   When asked  for an explanation for the number of complaints received,

      TMHL suggested that "a very small number of customers might not
      realise that the messages are direct responses to their loan application

      and consider them to be marketing texts".


26.   The Commissioner considered the 'customer journey' documents

      provided for one of TMHL's sites, www.loanpig.co.uk,which he was

      advised was identicalfor www.bingoloans.co.uk  and
      www.pmloans.co.uk.   As TMHL had said, there were two opt-in

      statements apparent from the webpage.


27.   The first ("Opt-Il") was accessible alter a customer had clicked

      'apply now' on the respective website and had entered their contact

      details.t had the following text, followed by three separate optional
      tick boxes for email/SMS / phone:


      "LoanPig and our 3rd party partners would like to stay in touch with

      you via email and sms to send you reminders and occasional relevant

      offers, please tick below if you wish to receive this[. ..]"


28.   Itis understood that Opt-In 1 related to marketing which would be

      sent beyond the 24-hour period immediately following the individual's
      application, and wasnot relevant for the purposes of the 752,425

      messages which were received by subscribers within the initial 24

                                     8,                                                                •

                                                               ICO.
                                                               Information Commissioner's Office

      hours of the application and which form the basis of the
      Commissioner's investigation.


29.   The second ("Opt-In 2") materially consists of three parts and would be

      located at the end of the application with separate tick boxes.


30.   The first part of this is to advise customers of the need for a credit

      check to be performed, and would advise them that they may be

      contacted by SMS, email or telephone by Loanpig (TMHL) and its "third
      party partners". This tick box would be mandatory for all applicants.


31.   The second tick box requires agreement to signify that the customer

      agrees to the Terms & Conditions and Privacy PolicyIt is understood

      that this tick box was also mandatory.


32.   The third appears to be optional and offers a "free 14 day trial with UK
      Credit Rating".



33.   TMHL's Privacy Policy (referred to within the second tick box of Opt-In
      2) advises that if a customer's application "does not meet [TMHL's]

      underwritingcriteria, we may pass your details to a broker who may be
      able tooffer you a loan or financial service from their panel of lenders

      and financial service providersItthen provides a list of brokers who

      may be used, stating that "[a]s part of the application process some
      lenders and financial service partners may take up to 24 hrs to respond

      by sms, email, or phone,so you may receive product offers from them
      within that period [...] To provide the best service possible during your

      application, we may send you, by sms or email, relevant alternative or

      complimentary  products within the 24h application period".




                                     9,                                                                  •


                                                                 ICO.
                                                                 Information Commissioner's Office
34.   From the list of brokers which were named on TMHL's websites, the

      Commissioner has evidence that a number of them in fact provide lead
      generation services/ affiliate network services•



35.   Itis understood that the 752,425 unsolicited text messages sent by
      TMHL were received by subscribers who had ticked the necessary parts

      of Opt-In 2 (i.e. tick boxes 1 and 2) and clicked to submit their details

      to obtain an online loan offerItis understood that there were two
      circumstances under which text messages would be sent:



      a) messages advertising TMHL products would be sent    to individuals
         who, having input their details and been directed to a loan offer

         page, failed to proceed with the offer for whatever reason; and, in

         the alternative,


      b) messages advertising third-party brokers/products  would be sent to

         individuals who had been unsuccessful in their online loan
         application with TMHL.



36.   In any event, if an individual did not proceed with an online loan offer,
      or was deemed ineligible for a loan offer from TMHL directly, TMHL

      would proceed to send them a series of text messages over the

      following 24 hours offering loan-related products.


37.   In further correspondence on 16 October 2020, TMHL provided a

      screenshot of statistics showing the number of opt-outs which it had
      received via its 07491 163044 opt-out number (as included on all of its

      direct marketing texts) between March 2020 and August 2020.




2During the course of the investigation, the number and identity of the 'brokers' on the various websites changed.

                                      10,                                                              •


                                                              ICO.
                                                              Information Commissioner's Office
38.  TMHL also explained that in relation to the opt-in statements on its
      websites,Opt-In 1 concerned consent to future marketing SMS/emails

      from TMHL and third parties, whereas Opt-In 2 constituted agreement

      to a credit check and to an individual receiving the results of their loan
      application byMS text message. In subsequent correspondence of 3

      November 2020 it was confirmed that all of the complaints which the

      Commissioner had brought to TMHL's attention related to messages
      sent on the basis of Opt-In 2, i.e. that they were sent "in serving the

      legitimate interests of the customer to find a loan or suitable financial
     product". TMHL confirmed that all of the complainants "had applied one

      or more times on our loan application form which is impossible to

     submit without agreeing [to Opt-In 2]".


39.   During the investigation the Commissioner was able to establish

      complaints dating backto March 2020 which could be connected to
     TMHL but which included links to third-partsites not previously

      recognisedas being associated with TMHL. These websites included

                                                    (which are all
      operated by                                  who appear to have

      been added to TMHL's list of brokers on its various Privacy Policies at

      some point between August 2020 and November 2020),
                            (which is operated by                  who is

      actingas an appointed rep to              - these entities were not
      named within TMHL's Privacy Policies),                 (which is

      operated by

      isunknown).


40.   On 30 November 2020 the Commissioner sent some further enquires to

     TMHL inter alia in relation to the frequency of the messages being sent,
      and the inclusion of third-parweb links in its messages.



                                    11,                                                              •


                                                              ICO.
                                                              Information Commissioner's Office
41.   In its response of 9 December 2020,TMHL  provided the requested

      details. It explained that the average number of messages sent per
      application is five, and that this is now capped to be sent within the

      first 30 minutes of the application being received. In relation to the

      inclusion of third-parweb links in its messagesTMHL  explained that
     "[t]he third party website(s) were used as an option for the consumer

      to obtain a loan with an alternative panel as a last option for them.

      They were also used in a separate capacity as a wayf providing
      customers with an option if there was any error with our online

     application process. Those combined usages led to too much confusion

      for the customer and we have removed that service as one of our
      results on sms [...] We do not send messages on behalf of anyone else,

      we are trying to find the consumer a loan or comparable financial

     product. On occasion the use of a broker with a different panel of
      lenders can lead to a better result for the customer so we believe this

      to still be in the legitimate interests of the customer. If they ultimately
      obtain a loan through the use of the broker site, we do receive a

      commission for the lead and is, therefore, no different to our

      relationships with other financial service providers".


42.   Noting thatTMHL  had not provided a list of the third parties whose web

      links were provided in its text messages, or the related requested
      information,the Commissioner wrote to TMHL  on 10 December 2020

      requesting the same.


43.  TMHL  responded the same day to advise that, in its view, messages

      were not sent on behalf of third-parwebsites, but that they use

      alternative brokers to obtain a loan for their customers stating: "[t]his
      isn't promoting 3dparty websites and we are only paid a commission

      when the customer gets a loan, not for each lead sent for example so

      we consider this the same as sending a customer to an alternative

                                    12,                                                              •

                                                             ICO.
                                                             Information Commissioner's Office

     lender's website where they may obtain a loan. To confirm, we do not
     receive any commission if the consumer does not apply online or find a

     product, so this is not marketing".


44.  TMHL explained they did not have a relationship with the credit brokers

     who received the leads because, in relation to the messages sent which
      advertise the loan products of a third-pathey use a redirection

      service provided by                      ('-"),       which is
      effectively used to find customers an alternative loan. With its

      response, TMHL provided an 'affiliate processing activity contract'

      between itself and-       dated 12 March 2020 which included a
      screenshotof TMHL's data capture page. This page included a

      screenshotof the Opt-In 1 statement, which TMHL had previously
      advised the Commissioner was not used in relation to the messages

      about which complaints had been received.


45.  TMHL provided a 'Legitimate Interest Assessment' document in relation

     to these messages, which explained that their purpose was to provide
      an alternative short-terloan [through an alternative broker] when

     the individual's application to TMHL directly was unsuccessful. Under
     the section of the document headed "Would you be happy to explain

      the processing to the individuals?", TMHL wrote:


      "Yes - if any individual wanted to know why their details were

     processed we would provide the reasons behind our decision. This
      information is also provided within our Privacy Notice at all times.



      'To provide the best service possible during your application, we may
      send you, by sms or email, relevant* alternative or complimentary

     products within the 24h application period. Where it is necessary for


                                    13,                                                              •

                                                             ICO.
                                                             Information Commissioner's Office

      our legitimate interests and your interests and fundamenrights do
      not override those interests.


     If you opt in to marketing during your application, our partnemay

      send you marketing informationabout these services after this 24h
     period.



      *The product offers we consider relevant for both your initial
      application and for if you opt-in to future offers are:


           • High Cost Short Term Credit

           • Credit Cards

           • Loan Comparison Services
           • Tax Refund

           • Payday Loan/Short Term Credit
           • Guarantor Loans

           • Debt Management Services
           • Credit Scoring

           • Pre-paid Debit Cards

           • Money Saving Offers
           • Utility Switching Services"'


46.  TMHL also provided figures to show that between March 2020 and

      September 2020, 217,797 such messages were sent, with 203,100
      being received. As it is understood that 752,425 messages were

      received by subscribers in total over the prescribed period, the

      Commissioner therefore understands that 203,100 of these provided
      linkso third-partysites, and the remaining 549,325 messages which

     were received by subscribers contained links which directed recipients
     to TMHL's own sites.



                                    14,                                                                •


                                                                ICO.
                                                                Information Commissioner's Office
47.   On 15 December 2020 the Commissioner sent further correspondence
      to TMHL raising concerns with TMHL's apparent reliance on legitimate

      interest as the basis for the transmission of its direct marketing

      messages. The Commissioner requested further details of TMHL's
      relationship with-         and details of the credit brokers whose

      services were included in TMHL's 'alternativloan' messages.


48.   TMHL responded   on 8 January 2021 disagreeing with the

      Commissioner's suggestion that its messages constituted direct
      marketing. Italso provided a summary of the service provided to it by

     -          which essentially confirmed that-had         no

      involvement in the content of the 'alternativloan' text messages,
      except for providing the redirect-URL, and arranging brokers which

      would be advertised in the messages.


49.   The Commissioner emailed TMHL on 13 January 2021 providing some

      short guidance in relation to the soft opt-in, as it had been referred to

      by TMHL in previous correspondence, and explained why it would not
      apply in these circumstances. The Commissioner then sent TMHL a

      further email on 11 February 2021 with some additional enquiries

      concerning inter alia the precise start date for its messages, its due
      diligence in respectf the third parties listed within the Privacy Policies

      of its sites, and details of the point at which an individual who leaves a
      TMHL-operated website  after completing a loan application would

      qualify to receive messages from TMHL.


50.   The Commissioner received a response   on 1 March 2021 to advise that

      the-         messages (i.e. those about which complaints had been

      received) had begun in "mid-March 2020".   Itadvised that its due
      diligence was conducted routinely but largely face-to-facaccordingly

      it could not produce any documentary  proof. TMHL confirmed it did not

                                     15,                                                              •

                                                             ICO.
                                                             Information Commissioner's Office

     do any formal due diligence on -        explaining that "we do not
     send customer data to them, we redirect the customer's browser

     session to them".


51.  In terms of the point of the application process at which an individual
     would be eligibleto begin receiving text messages from TMHL, it

     explained that:


     "[...] we sent the customer their loan result in a text message as a

     courtesy following each application. The loan application process can be

     slow due to the affordabilichecks we need to do and then if we can't
     lend to the customer, it then takes longer to find the customer a

     product within our panels. The end result is the customer can
     frequently get disconnected from our website or get impatient and

     leave thinking it's not working. That gave rise to the entire process of

     texting them to ensure they obtained the product they were qualified
     for. This was done as a courtesy to all customers as we would not

     really find out data on abandoned applications until the following
     month".


52.  TMHL confirmed on 2 March 2021 that it first sent the relevant text

     messages from 12 March 2020.


53.  The Commissioner received 4 complaints in July 2020 from a single

     complainant who received four separate messages within a 24-hour
     period, of which 3 were between 9pm and 10pm, with the complainant

     reporting that the messages disrupted her sleep.


54.  There were  1,356 complaints made to the 7726-reportingservice

     between 26 March 2020 and 8 September 2020 concerning messages
     sent by TMH L.

                                   16,                                                             •

                                                            ICO.
                                                             Information Commissioner's Office


55.  It is understood that there have been a further 5,107 complaints to the

     7726 service between 9 September 2020 and 23 May 2021, with a
     number of further complaints being made from 24 May 2021 and

     continuing into 2022.


56.  The Commissioner has made   the above findings of fact on the

     balance of probabilities.


57.  The Commissioner has considered whether those facts constitute
     a contravention of regulation 22 of PECRby TMHL and, if so, whether

     the conditions of section SSA DPA are satisfied.


     The contravention


58.  The Commissioner finds that TMHL contravened regulation 22 of PECR.


59.  The Commissioner finds that the contraventiowas as follows:



60.  The Commissioner finds that between 12 March 2020 and 8 September
     2020 there were 752,425 unsolicited direct marketing text messages

     received by subscribers. The Commissioner findshat TMHL
     transmitted those direct marketing messages via two platform

     providers, contrary to regulation 22 of PECR.


61.  The Commissioner takes the view that these messages are unsolicited.

     Subscribers used TMHL's websites, which advertised themselvesas a
     "100%" and "purely online" service, as a means of obtaining a short­

     term loan offer. However, in order to proceed with the online
     application, individuals had no choice but to agree to receive an

     undefined number of contacts via text, email and telephone from TMHL

                                   17,                                                              •

                                                             ICO.
                                                             Information Commissioner's Office

     and its third-partpartners. TMHL used the individual's mandatory
     agreement as a basis for engaging in its direct marketing campaign.

     Individuals used TMHL's service to obtain an online loan offer and had
      not requested this additional contact voluntarthe Commissioner

     therefore takes the view that the marketing cannot be said to have
      been solicited. The fact that individuals were denied this choice at the

     outset of their application is evidenced by the high volume of

     complaints which were received regarding these messages.


62.  TMHL,  as the sender of unsolicited direct marketing, is required to
     ensure that it is acting in compliance with the requirements of

      regulation 22 of PECR,and to ensure that valid consent to send those
      messages had been acquired.


63.   Whilst TMHL has suggested that its messages were 'service messages',

     and not direct marketing messages, the Commissioner is satisfied that

     the messages which were received by subscribers, which advertised
     the availability of loan products from both TMHL and third-party

      providers, can be appropriately defined as falling within the definition
     of direct marketing as prescribed by Section 122(5) DPA18.


64.   For consentto be valid it is required to be "freely given", by which it

     follows that if consent to marketing is a condition of subscribing to a

     service,the organisation will have to demonstrate how the consent can
      be said to have been given freely. Whilst TMHL did provide a separate

     set of optional opt-in boxes for individuals who might wish to agree to
      marketing in the future, it is the case that if a subscriber wished to

      proceed with their online loan application they would be required to

     agree to receiving a variety of contacts (telephone, email and text
      message) from TMHL and a range of third-partiesIn this instance,

     over a 6-month period over 750,000 messages were sent. These

                                    18,                                                             •

                                                            ICO.
                                                             Information Commissioner's Office
     messages would be sent if an individual decided not to proceed with

     the subsequent online offer, or if they were ineligible for a loan offer

     from TMHL. This requirement to agree to TMHL's messages was also
     bundled up with the requirement to agree to a credit check. Individuals

     were unable to agree solely to the credit check and to proceed with
     their loan application online only. Agreement to being potentially

     contacted by text message, email and telephone was a requirement of
     proceeding with TMHL's service.Whilst TMHL has characterised its text

     messages as a "courtesy" for customers, in the Commissioner's view it
     is misleading to do so, as subscribers had no choice but to agree to

     receipt of these messages. Furthermore, and in any event, messages

     sent as a "courtesy" are not exempt from the rules regarding PECR.


65.  Consent is also required to be "specific" as to the type of marketing
     communication to be received, and the organisation, or specific type of

     organisation, that will be sending it. Individuals in this instance were
     not able to select the method by which they may wish to receive direct

     marketing, with agreement to being potentially contacted by text
     message, email and/or telephone, being a requirement.


66.  Consent willnot be "informed"if individuals do not understand what

     they are consenting to. Organisations should therefore always ensure
     that the language used is clear, easy to understand, and not hidden

     away in a privacy policy or small print. Consent will not be valid if

     individuals are asked to agree to receive marketing from "similar
     organisations", "partners", "selected third parties" or other similar

     generic description. In this instance, individuals did not have the option
     to select which, if any, of TMHL's third parties it might wish to receive

     direct marketing from following their online loan application. Whilst
     some of the third parties about which the individuals might receive

     direct marketing were named within the relevant Privacy Policy, there

                                   19,                                                              •

                                                              ICO.
                                                              Information Commissioner's Office

      was no indication of how many messages they might receive, nor was
     there an option to select the method of contact. Indeed, as TMHL itself

      recognised in the course of the investigatiit could be confusing for
      an individual to receive a text with a link to a thirdwebsite

      offering a loanith an alternative panel with which it will have had no
      contact previously. It is also understood that in relation to the

      messages which were sent which advertised the loan products of third­

      parties, whilst some third-partiwere named within TMHL's Privacy
      Policies, the third-partincluded brokers (who might in turn advertise

     their own affiliates) and entities who provided lead generation services
     / affiliate network services. Accordingly ,TMHL were not fully aware of

      precisely which loan provider a subscriber may be directed to within its

     text messages. Therefore, subscribers were denied the chance to select
      which, if any, of the potential third-pait might wish to receive

      marketing messages about.


67.  The Commissioner   is therefore satisfied from the evidence he has seen
     that TMHL did not have the necessary valid consent for the 752,425

      direct marketing messages received by subscribers.


68.  The Commissioner is also satisfied that TMHL cannot rely on the soft

      opt-in exemption provided by regulation 22(3). This is because,
      contrary to the requirement of regulation 22(3)( c) individuals were

      unable to opt out of receiving these particular direct marketing
      messages at the point at which their details were taken, since

      agreement to receipt of these messages was a condition of service.

      Furthermore, 203,100 of the 752,425 received messages did not relate
     to TMHL's own products or services, contrary to the requirement of

      regulation 22(3)(b).




                                    20,                                                             •

                                                            ICO.
                                                             Information Commissioner's Office

69.  The Commissioner has gone on to consider whether the conditions
     under section SSA DPA are met.


     Seriousness of the contravention


70.  The Commissioner is satisfied that the contraventiidentified

     above was serious. This is because between 12 March 2020 and 8

     September 2020, a confirmed total of 807,382 direct marketing
     messages were sent by TMHL, of which 7S2,42S were received by

     subscribers. These messages contained direct marketing material for
     which subscribers had not provided valid consent. Furthermore the

     Commissioner is satisfied that TMHL cannot rely on the soft opt-in

     exemption.  From these messages, a total of 1,360 complaints were
     made.


71.  The Commissioner  is therefore satisfied that condition (a) from

     section SSA(l) DPA is met.


     Deliberate  or negligent contraventions


72.  The Commissioner has considered whether the contravention identified

     above was deliberate. The Commissioner does not consider that TMHL
     deliberately set out to contravene PECRin this instance.


73.  The Commissioner has gone  on to consider whether the contravention

     identified above was negligent. This consideration comprises

     elements:


74.  Firstly, he has consideredhether TMHL knew or ought reasonably to
     have known that there was a risk that these contraventiowould



                                   21,                                                              •

                                                              ICO.
                                                              Information Commissioner's Office

      occur. This is not a high bar and he is satisfied that this condition is
      met.


75.  The Commissioner has published detailed guidance for those carrying

      out direct marketing explaining their legal obligations under PECR.
     This guidance gives clear advice regarding the requirementof consent

     for direct marketing and explains the circumstances under which

      organisations are able to carry out marketing over the phone, by text,
      by email, by post, or by fax. In particular it states that organisations

      cangenerally only send, or instigate, marketing messages to
      individuals if that person has specifically consented to receiving them.

     The guidance also provides a full explanation of the "solt opt-in"

      exemption. The Commissioner has also published detailed guidance on
      consent under the GDPR. In case organisations remain unclear on their

      obligations, the ICO operates a telephone helpline. ICO
      communications about previous enforcement action where businesses

      have not complied with PECRare also readily available.


76.   It is therefore reasonable to suppose that TMHL should have been
      aware of its responsibilitin this area.



77.   Secondly, the Commissioner has gone on to consider whether TMHL
     failedto take reasonable steps to prevent the contraventionAgain, he

      is satisfied that this condition is met.


78.  The Commissioner considers that any organisation engaging in direct

      marketing must take thorough steps to understand and implement
      marketing procedures that are compliant with the legislation. If TMHL

      had done this, it would have realised that it was unable to rely on
     'legitimateinterest' to comply with PECRas it had suggested for the

      sending of its direct marketing material.

                                    22,                                                              •

                                                             ICO.
                                                             Information Commissioner's Office


79.  The Commissioner considers that it would have been reasonable for

     TMHL to separate the various elements of its opt-in page. i.e., by
      making agreement to the credit check and use of its online loan

     application process separate anddistinct from its request for

      individuals to agree to follow-up direct marketing communicatioBy.
     conflating theserequirements, TMHL removed the individual's ability to

      proceed with an online-only loan application, without being required to

     agree to potentially invasive direct marketing by a variety of methods.
     That TMHL intended to send these further messages only over the 24-

      hour period immediately following the individual's application is
      irrelevant, and appears arbitrary. Indeed, TMHL has also accepted

     during the investigation that some of the messages it sent, about

     which complaints were received, fell outside of this time frame in any
     event.


80.  The Commissioner  is also concerned by TMHL's lack of knowledge as to

     the third-partieabout whom individuals may have received direct

      marketing text messages. He considers that it would be reasonable to
     expect TMHL to conduct sufficient due diligence to ensure that it is at

      least aware of which third-partiit may be referring individuals to.


81.  In the circumstances, the Commissioner is satisfied that TMHL failed to

     take reasonable steps to prevent the contraventions.


82.  The Commissioner  is therefore satisfied that condition (b) from section
      SSA (1) DPA is met.



     The Commissioner's    decision to impose a monetary    penalty


83.  The Commissioner has taken into account the following

                                   23,                                                              •

                                                              ICO.
                                                              Information Commissioner's Office

      aggravating  feature of this case:


     •  The direct marketing being received in this case is likely to have been
        sent to vulnerable individuals in financial difficulty.


84.  The Commissioner does  not consider there to be any significant

     mitigating  features in this case.


85.   Forthe reasons explained above, the Commissioner is satisfied that the

      conditions from section SSA (1) DPA have been met in this case. He is
      also satisfied that the procedural rights under section 55B have been

      complied with.


86.  The latter has included the issuing of a Notice of Intent, in which the

      Commissioner set out his preliminary thinking. In reaching his final
      view, the Commissioner has taken into account the representations

      made by TMHL, but remains satisfied that there are valid grounds for
      proceeding to issue a monetary penalty notice.



87.  The Commissioner   is accordingly entitled to issue a monetary penalty
      in this case.


88.  The Commissioner has considered  whether, in the circumstances, he

     should exercise his discretion so as to issue a monetary penalty.


89.  The Commissioner has considered  the likely impact of a monetary

      penalty on TMHL. He has decided on the information that is available to
      him, that a penalty remains the appropriate course of action in the

      circumstances of this case.




                                    24,                                                             •

                                                            ICO.
                                                             Information Commissioner's Office

90.  The Commissioner's underlying objective in imposing a monetary
     penalty notice is to promote compliance with PECR.The sending of

     unsolicited direct marketing messages is a matter of significant public
     concern. A monetary penalty in this case should act as a general

     encouragement towards compliance with the law, or at least as a
     deterrent against non-compliance,on the part of all persons running

     businesses currently engaging in these practices. The issuing of a

     monetary penalty will reinforce the need for businesses to ensure that
     they are only messaging those who specifically consent to receive

     direct marketing.


91.  For these reasons, the Commissioner has decided to issue a monetary

     penalty in this case.


     The amount of the penalty


92.  Taking into account all of the above, the Commissioner has decided
     that a penalty in the sum of £50,000(fifty thousand pounds) is

     reasonable and proportionategiven the particular facts of the case and

     the underlying objective in imposing the penalty.


     Conclusion


93.  The monetary penalty must be paid to the Commissioner's office by

     BACS transfer or cheque by 16 March 2022 at the latest. The
     monetary penalty is not kept by the Commissioner but will be paid into

     the Consolidated Fund which is the Government's general bank account
     at the Bank of England.


94.  If the Commissioner receives full payment of the monetary penalty by

      15 March 2022 the Commissioner will reduce the monetary penalty

                                   25,                                                               •

                                                              ICO.
                                                               Information Commissioner's Office

      by 20% to £40,000   (forty thousand  pounds).  However, you should
      be aware that the early payment discount is not available if you decide

      to exercise your right of appeal.


95.   There is a right of appeal to the First-tier Tribunal (InformRights)
      against:



      (a) the imposition of the monetary penalty
         and/or;

      (b) the amount of the penalty specified in the monetary penalty
         notice.



96.   Any notice of appeal should be received by the Tribunal within 28 days
      of the date of this monetary penalty notice.


97.   Information about appeals is set out in Anne1.


98.   The Commissioner will not take action to enforce a monetary penalty

      unless:


         • the period specified within the notice within which a monetary

           penalty must be paid has expired and all or any of the monetary
           penalty has not been paid;

         • allrelevant appeals against the monetary penalty notice and any

           variation of it have either been decided or withdrawand
         • the period for appealing against the monetary penalty and any

           variation of it has expired.


99.   In England, Wales and Northern Ireland, the monetary penalty is
      recoverable by Order of the County Court or the High Court. In

      Scotland, the monetary penalty can be enforced in the same manner as

                                    26,                                                      •

                                                     ICO.
                                                     Information Commissioner's Office
     an extract registered decree arbitral bearing a warrant for execution
     issued by the sheriff court of any sheriffdom in Scotland.


Dated the 14day of February 2022


Andy Curry
Head of Investigations
InformatioCommissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 SAF






























                               27,                                                           •

                                                           ICO.
                                                           Information Commissioner's Office

ANNEX 1


        SECTION   55 A-E OF THE DATA PROTECTION     ACT 1998


  RIGHTS  OF APPEAL AGAINST     DECISIONS   OF THE COMMISSIONER


     1.    Section 55B(S) of the Data Protection Act 1998 gives any person

     upon whom a monetary penalty notice has been served a right of

     appeal to the First-tier Tribunal (InformRights) (the 'Tribunal')
     against the notice.


     2.    If you decide to appeal and if the Tribunal considers:-



           a)   that the notice against which the appeal is brought is not in
           accordance with the law; or


           b)   to the extent that the notice involved an exercise of

           discretion by the Commissioner, that he ought to have exercised

           his discretionfferently,


     the Tribunal will allow the appeal or substitute such other decision as
     could have been made by the Commissioner. In any other case the

     Tribunal will dismiss the appeal.


     3.    You may bring an appeal by serving a notice of appeal on the

     Tribunal at the following address:


                General Regulatory Chamber
                HM Courts &Tribunals Service
                PO Box 9300
                Leicester
                LEl 8DJ


                                  28,                                                          •

                                                         ICO.
                                                         Information Commissioner's Office
      Telephone: 0203 936 8963
      Email:     grc@justice.gov.uk


      a)   The notice of appeal should be sent so it is received by the

      Tribunal within 28 days of the date of the notice.


      b)    If your notice of appeal is late the Tribunal will not admit it
      unless the Tribunal has extended the time for complying with this

      rule.


4.    The notice of appeal should state:-


      a)   your name and address/name and address of your

      representative(if any);


      b)    an address where documents may be sent or delivered to
      you;


      c)    the name and address of the Information Commissioner;



      d)    details of the decision to which the proceedings relate;


      e)   the result that you are seeking;


      f)   the grounds on which you rely;


      g)   you must provide with the notice of appeal a copy of the
      monetary penalty notice or variation notice;



      h)    if you have exceeded the time limit mentioned above the
      notice of appeal must include a request for an extension of time


                               29,                                                   •

                                                   ICO.
                                                   Information Commissioner's Office
     and the reason why the notice of appeal was not provided in
     time.


5.   Before deciding whether or not to appeal you may wish to consult
your solicitor or another adviser. At the hearing of an appeal a party

may conduct his case himself or may be represented by any person
whom he may appoint for that purpose.


6.   The statutory provisions concerning appeals to the First-tier

Tribunal (InformatiRights) are contained in section 55B(S) of, and
Schedule 6to, the Data Protection Act 1998, and Tribunal Procedure
(First-tier Tribunal) (General Regulatory Chamber) Rules 2009

(StatutorInstrument 2009 No. 1976 (L.20)).



























                           30