ICO (UK) - The Money Hive Limited
From GDPRhub
| ICO (UK) - The Money Hive Limited | |
|---|---|
 | |
| Authority: | ICO (UK) |
| Jurisdiction: | United Kingdom |
| Relevant Law: | Article 4(11) GDPR Data Protection Act 1998 Privacy and Electronic Communications (EC Directive) Regulations 2003 |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 09.09.2020 |
| Decided: | 14.02.2022 |
| Published: | 17.02.2022 |
| Fine: | 50,000 GBP |
| Parties: | The Money Hive Limited |
| National Case Number/Name: | The Money Hive Limited |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | ICO (in EN) |
| Initial Contributor: | gauravpathak |
The UK DPA issued a €60,000 (GBP 50,000) fine against a loan broker for making unsolicited direct marketing text messages in violation of provision 22 of the UK Privacy and Electronic Communications (EC Directive) Regulations 2003.
English Summary
Facts
The Money Hive Limited (TMHL) is a company that calls itself "a short term loan lender and broker for other lenders and financial service providers". Mobile UK is an entity representing the interests of mobile subscribers in the UK. Mobile UK has a Spam Reporting Service, and subscribers can report a spam message by forwarding the spam message to Mobile UK.
In September 2020, numerous unsolicited text messages by Money Hive were reported. The Investigating Officer ascertained nine separate message scripts promoting high-interest payday loans. The messages contained links to websites operated by TMHL and were sent to people who had “previously applied online for a loan with a TMHL-operated website” but had left the process midway to due to any reason.
In response to the ICO’s letter seeking information and documentation about consent provided by the subscribers, TMHL stated the following:
• It had used the services of two platform providers to send the messages.
• Between 1 January 2020 to 8 September 2020, a total of 752,425 text messages were received by subscribers.
• TMHL divided consent into two categories: “a) Individuals consent to being notified of their loan application results via SMS; and b) individuals consent to future marketing from it and "select 3rd parties" via separate tick boxes.” It added that "a very small number of customers might not realise that the messages are direct responses to their loan application and consider them to be marketing texts".
The ICO considered the 'customer journey' documents provided by TMHL and noticed two opt-in statements. Opt-in 1 was accessible after a customer had clicked 'apply now' on the respective website and had entered their contact details. It had the following text, followed by three separate optional tick boxes for email/SMS/phone:
"LoanPig and our 3rd party partners would like to stay in touch with you via email and sms to send you reminders and occasional relevant offers, please tick below if you wish to receive this[. .. ]"
Opt-in 2 had three checkboxes in which the first two checkboxes relating to subscribers being “contacted by SMS, email or telephone by Loanpig (TMHL) and its "third party partners"” and their agreement to Terms & Conditions and Privacy Policy were mandatory.
TMHL’s Privacy Policy stated that if a customer’s application “"does not meet [TMHL's] underwriting criteria, we may pass your details to a broker who may be able to offer you a loan or financial service from their panel of lenders and financial service providers"”. It also provided a list of brokers and further stated, “"[a]s part of the application process some lenders and financial service partners may take up to 24 hrs to respond by sms, email, or phone, so you may receive product offers from them within that period [... ]. To provide the best service possible during your application, we may send you, by sms or email, relevant alternative or complimentary products within the 24h application period".”
The ICO noticed that many of the brokers listed in TMHL’s Privacy Policy were in the business of lead generation services/affiliate network services.
Before the ICO, TMHL gave evidence of subscribers having opted out of its messaging texts. It also explained the working of its messaging system and the number of messages being sent. On the aspect of messages containing links to third parties, TMHL stated that “they use alternative brokers to obtain a loan for their customers stating: "[t]his isn't promoting 3rd party websites and we are only paid a commission when the customer gets a loan, not for each lead sent for example so we consider this the same as sending a customer to an alternative lender's website where they may obtain a loan. To confirm, we do not receive any commission if the consumer does not apply online or find a product, so this is not marketing".” In addition, TMHL submitted to the ICO a “'Legitimate Interest Assessment' document in relation to these messages, which explained that their purpose was to provide an alternative short-term loan [through an alternative broker] when the individual's application to TMHL directly was unsuccessful.”
TMHL informed the ICO that they had started sending these messages from 12 March 2020. TMHL stated that it conducted regular due diligence, but it was on a face to face basis and there was no documentary record of the same.
Holding
The ICO concluded as following:
1. TMHL contravened Regulation 22 PECR by sending 752,425 unsolicited direct marketing text messages that were received by subscribers.
2. TMHL’s marketing was not solicited as “in order to proceed with the online application, individuals had no choice but to agree to receive an undefined number of contacts via text, email and telephone from TMHL and its third-party partners.” The same is also evident from the high number of complaints received regarding TMHL’s messages.
3. Messages sent by TMHL were direct messages and not service messages as the messages “advertised the availability of loan products from both TMHL and third-party providers [and] can be appropriately defined as falling within the definition of direct marketing as prescribed by Section 122(5) DPA18.”
4. A valid consent needs to be “freely given” and the organisation will have to demonstrate how “the consent can be said to have been given freely.” This was not the case with TMHL as it “did provide a separate set of optional opt-in boxes for individuals who might wish to agree to marketing in the future.”
5. No specific consent was present in this case as individuals “were not able to select the method by which they may wish to receive direct marketing, with agreement to being potentially contacted by text message, email and/or telephone, being a requirement.”
6. “Consent will not be "informed" if individuals do not understand what they are consenting to.” Consent will not be valid if “if individuals are asked to agree to receive marketing from "similar organisations", "partners", "selected third parties" or other similar generic description.” Moreover, “subscribers were denied the chance to select which, if any, of the potential third-parties it might wish to receive marketing messages about.”
7. TMHL could not rely on soft opt-in exemption under the PECR as “individuals were unable to opt out of receiving these particular direct marketing messages at the point at which their details were taken, since agreement to receipt of these messages was a condition of service.”
The contravention by TMHL was considered to be serious due to the high number of messages resulting in a total of 1,360 complaints. However, the contravention was not considered to be deliberate. Nevertheless, the ICO found TMHL to be negligent as it did not take “thorough steps to understand and implement marketing procedures that are compliant with the legislation.”
Thus, the ICO fined TMHL €60,000 (£50,000) for making unsolicited direct marketing text messages in violation of Regulation 22 PECR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
•
ICO.
Information Commissioner's Office
DATA PROTECTION ACT 1998
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER
MONETARY PENALTY NOTICE
To: The Money Hive Limited
Of: Britannic House
657 Liverpool Road
Irlam
Lancashire
M44 SXD
1. The InformationCommissioner ("the Commissioner") has decided to
issue The Money Hive Limited ("TMHL") with a monetary penalty under
section SSA of the Data Protection Act 1998 ("DPA"). The penalty is in
relation to a serious contraventof Regulation 22 of the Privacy and
Electronic Communications(EC Directive) Regulations 2003 ("PECR").
2. This notice explains the Commissioner's decision.
Legal framework
3. TMHL, whose registered office address is given above (Companies
House Registration Number: 09932988) is the organisation stated in
this notice to have transmitunsolicited communicationsby means
of electronic mail to individual subscribers for the purposes of direct
marketing contrary to regulation 22 of PECR.
4. Regulation 22 of PECRstates:
1, •
ICO.
Information Commissioner's Office
"(1) This regulation applies to the transmission of unsolicited
communications by means of electronic mail to individual
subscribers.
(2) Except in the circumstances referred to in paragraph (3), a person
shall neither transmit, nor instigate the transmission of, unsolicited
communications for the purposes of direct marketing by means of
electronic mail unless the recipient of the electronic mail has
previously notified the sender that he consents for the time being
to such communications being sent by, or at the instigation of, the
sender.
(3) A person may send or instigate the sending of electronic mail for
the purposes of direct marketing where-
(a) that person has obtained the contact details of the recipient
of that electronic mail in the course of the sale or
negotiations for the sale of a product or service to that
recipient;
(b) the direct marketing is in respect of that person's similar
products and services only; and
(c) the recipient has been given a simple means of refusing
(free of charge except for the costs of the transmission of
the refusal) the use of his contact details for the purposes
of such direct marketing, at the time that the details were
initially collected, and, where he did not initially refuse the
use of the details, at the time of each subsequent
communication.
(4) A subscriber shall not permit his line to be used in contraventionof
paragraph (2)."
5. Section 122(5) of the Data Protection Act 2018 ("DPA18") defines
direct marketing as "the communication (by whatever means) of
2, •
ICO.
Information Commissioner's Office
advertising or marketing material which is directed to particular
individuals". This definition also applies for the purposes of PECR(see
regulation 2(2) PECRand paragraphs 430 & 432(6) to Schedule 19 of
the DPA18).
6. At the time of the alleged contraventioPECRwas defined by
reference to the concept of consent in Regulation 2016/679 ("the
GDPR"): regulation 8(2) of the Data Protection, Privacy and Electronic
Communications (Amendments etc) (EU Exit) Regulations 2019. Article
4(11) of the GDPR set out the following definiti"'consent' of the
data subject means any freely given, specific, informed and
unambiguous indication of the data subject's wishes by which he or
she, by a statement or by a clear affirmative action, signifies
agreement to the processing of personal data relating to him or her".
7. Recital 32 of the GDPR materiallstates that "When the processing has
multiple purposes, consent should be given for all of them". Recital 42
materiallyprovides that "For consent to be informed, the data subject
should be aware at least of the identity of the controller"Recital 43
materiallystates that "Consent is presumed not to be freely given if it
does not allow separate consent to be given to different personal data
processing operations despite it being appropriate in the individual case".
8. "Individual"is defined in regulation 2(1) of PECRas "a living individual
and includes an unincorporatedbody of such individuals".
9. A "subscriber"is defined in regulation 2(1) of PECRas "a person who is
a party to a contract with a provider of public electronic
communications services for the supply of such services".
3, •
ICO.
Information Commissioner's Office
10. "Electronic mail" is defined in regulation 2(1) of PECRas "any text,
voice, sound or image message sent over a public electronic
communications network which can be stored in the network or in the
recipient's terminal equipment until it is collected by the recipient and
includes messages sent using a short message service".
11. The term "soft opt-in" is used to describe the rule set out in in
Regulation 22(3) of PECR.In essence, an organisation may be able to
e-mail its existing customers even if they haven't specifically consented
to electronic mail. The soft opt-in rule can only be relied upon by the
organisation that collected the contact details.
12. Section SSA of the DPA (as applied to PECRcases by Schedule 1 to
PECR,as variously amended) states:
"(1)The Commissioner may serve a person with a monetary penalty if
the Commissioner is satisfied that -
(a) there has been a serious contraventionof the requirements
of the Privacy and Electronic Communications (EC
Directive) Regulations 2003 by the person,
(b) subsection (2) or (3) applies.
(2) This subsection applies if the contraventiwas deliberate.
(3) This subsection applies if the person -
(a) knew or ought to have known that there was a risk that the
contravention would occur, but
(b) failed to take reasonable steps to prevent the
contravention."
13. The Commissioner has issued statutory guidance under section SSC(1)
of the DPA about the issuing of monetary penalties that has been
published onthe ICO's website. The Data Protection (Monetary
4, •
ICO.
Information Commissioner's Office
Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe
that the amount of any penalty determined by the Commissioner must
not exceed £500,000.
14. PECRwere enacted to protect the individual's fundamentaright to
privacy in the electronic communicationsector. PECRwere
subsequently amended and strengthened. The Commissioner will
interpret PECRin a way which is consistent with the Regulations'
overall aimof ensuring high levels of protection for individuals' privacy
rights.
15. The provisions of the DPA remain in force for the purposes of PECR
notwithstanding the introductioof the DPA18: see paragraph 58(1) of
Schedule 20 to the DPA18.
Background to the case
16. Mobile users can report the receipt of unsolicited marketing text
messages to the Mobile UK's Spam Reporting Service by forwarding the
message to 7726 (spelling out "SPAM"). Mobile UK is an organisation
that represents the interests of mobile operators in the UK. The
Commissioner is provided with access to the data on complaints made
to the 7726 service and this data is incorporated into a Monthly Threat
Assessment (MTA) used to ascertain organisations in breach of PECR.
17. The organisation first came to the attention of the ICO in September
2020, when large volumes of unsolicited text messages were reported
via the 7726 tool. The InvestigatiOfficer analysed the complaints
submitted and established that nine separate message scripts were
sent promoting high interest payday loans.
5, •
ICO.
Information Commissioner's Office
18. The messages contained unique hyperlinks to one of the following
websites: www.loanpig.co.uk, www.bingoloans.co.uk and
www.pmloans.co.uk, which are trading styles of TMHL. When clicked
on, the respective webpage would open and would generate a 'loading'
bar which would ask the individual to wait while it gathered results,
and the individual would then be presented with a loan offeItis
understood that these messages were sent to individuals who had
previously applied onlineor a loan with a TMHL-operated website. The
purpose of these messages was to redirect the applicant to the relevant
website when they had, for whatever reason, failed to proceed with the
loan offer presented whilst on the website.
19. One of TMHL's websites, www.loanpig.co.uk, states they offer "a
straight-forward,transparent 100% online solution for you to get a
responsibleshort term loan." The two other named sites, in addition to
TMHL's lending portal site (www.themoneyhive.co.uk), contained
materially similar text, with the consistent suggestion that the
application would be online-only.
20. On 9 September 2020, an initial investigation letter, along with a
spreadsheet of complaints, was sent to TMHL. The letter outlined the
Commissioner's concerns with TMHL's PECRcompliance, and asked a
number of questions in relation to its direct marketing practices
between 1 January 2020 and 8 September 2020, in addition to
requesting evidence of consent for the complaints received.
21. TMHL responded on 24 September 2020 and provided details of the
customer journey undertaken when data is obtained, using a separate
document to demonstrate a walkthrough of an application via one of its
sitesIt also provided copies of its privacy policies, data processing
agreements, communications policy and a spreadsheet detailing the
6, •
ICO.
Information Commissioner's Office
consent evidence to show when an individual had applied for a loan via
one of its sites. It was confirmed that no data is purchased from third
parties. At this point, TMHL described itself as "a short term loan lender
and broker for other lenders and financial service providers".
22. TMHL explained that its text messages were transmitted using two
platform providers: and who
facilitated the sending of messages between 1 January 2020 to 8
September 2020 1.During this period, 661,012 messages were sent via
Of those,616,824 were received by individuals.
Whilst 146,370 messages were sent via with
135,601 of those messages being received by individuals. This
suggests that a total of 752,425 text messages were received by
subscribers.
23. The message scripts used by TMHL were provided, with some examples
being as follows:
- <Name> your <loan amount> fast track loan application results are
ready. Click: www.tmhl.uk/XX Optout: STOP to 07491163044
- <Name> your <loan amount> fast track application is ready. Click:
www.tmhl.uk/XX Rep 1261% APR Optout: STOP to 07491163044
- <Name> we've found lenders for your <loan amount> loan app.
Just 1 Click to review results: www.tmhl.uk/XX Optout: STOP to
07491163044
1TMHL confirmed in later correspondence that text messages were sent from mid-March 2020.
7, •
ICO.
Information Commissioner's Office
24. In response to the Commissioner's enquiry as to how TMHL ensures
consent for marketing had been obtained from individuals, TMHL stated
that "consent is split into two categoriea) Individuals consent to
being notified of their loan application results via SMS; and b)
individuals consentto future marketing from it and "select 3parties"
via separate tick boxes.
25. When asked for an explanation for the number of complaints received,
TMHL suggested that "a very small number of customers might not
realise that the messages are direct responses to their loan application
and consider them to be marketing texts".
26. The Commissioner considered the 'customer journey' documents
provided for one of TMHL's sites, www.loanpig.co.uk,which he was
advised was identicalfor www.bingoloans.co.uk and
www.pmloans.co.uk. As TMHL had said, there were two opt-in
statements apparent from the webpage.
27. The first ("Opt-Il") was accessible alter a customer had clicked
'apply now' on the respective website and had entered their contact
details.t had the following text, followed by three separate optional
tick boxes for email/SMS / phone:
"LoanPig and our 3rd party partners would like to stay in touch with
you via email and sms to send you reminders and occasional relevant
offers, please tick below if you wish to receive this[. ..]"
28. Itis understood that Opt-In 1 related to marketing which would be
sent beyond the 24-hour period immediately following the individual's
application, and wasnot relevant for the purposes of the 752,425
messages which were received by subscribers within the initial 24
8, •
ICO.
Information Commissioner's Office
hours of the application and which form the basis of the
Commissioner's investigation.
29. The second ("Opt-In 2") materially consists of three parts and would be
located at the end of the application with separate tick boxes.
30. The first part of this is to advise customers of the need for a credit
check to be performed, and would advise them that they may be
contacted by SMS, email or telephone by Loanpig (TMHL) and its "third
party partners". This tick box would be mandatory for all applicants.
31. The second tick box requires agreement to signify that the customer
agrees to the Terms & Conditions and Privacy PolicyIt is understood
that this tick box was also mandatory.
32. The third appears to be optional and offers a "free 14 day trial with UK
Credit Rating".
33. TMHL's Privacy Policy (referred to within the second tick box of Opt-In
2) advises that if a customer's application "does not meet [TMHL's]
underwritingcriteria, we may pass your details to a broker who may be
able tooffer you a loan or financial service from their panel of lenders
and financial service providersItthen provides a list of brokers who
may be used, stating that "[a]s part of the application process some
lenders and financial service partners may take up to 24 hrs to respond
by sms, email, or phone,so you may receive product offers from them
within that period [...] To provide the best service possible during your
application, we may send you, by sms or email, relevant alternative or
complimentary products within the 24h application period".
9, •
ICO.
Information Commissioner's Office
34. From the list of brokers which were named on TMHL's websites, the
Commissioner has evidence that a number of them in fact provide lead
generation services/ affiliate network services•
35. Itis understood that the 752,425 unsolicited text messages sent by
TMHL were received by subscribers who had ticked the necessary parts
of Opt-In 2 (i.e. tick boxes 1 and 2) and clicked to submit their details
to obtain an online loan offerItis understood that there were two
circumstances under which text messages would be sent:
a) messages advertising TMHL products would be sent to individuals
who, having input their details and been directed to a loan offer
page, failed to proceed with the offer for whatever reason; and, in
the alternative,
b) messages advertising third-party brokers/products would be sent to
individuals who had been unsuccessful in their online loan
application with TMHL.
36. In any event, if an individual did not proceed with an online loan offer,
or was deemed ineligible for a loan offer from TMHL directly, TMHL
would proceed to send them a series of text messages over the
following 24 hours offering loan-related products.
37. In further correspondence on 16 October 2020, TMHL provided a
screenshot of statistics showing the number of opt-outs which it had
received via its 07491 163044 opt-out number (as included on all of its
direct marketing texts) between March 2020 and August 2020.
2During the course of the investigation, the number and identity of the 'brokers' on the various websites changed.
10, •
ICO.
Information Commissioner's Office
38. TMHL also explained that in relation to the opt-in statements on its
websites,Opt-In 1 concerned consent to future marketing SMS/emails
from TMHL and third parties, whereas Opt-In 2 constituted agreement
to a credit check and to an individual receiving the results of their loan
application byMS text message. In subsequent correspondence of 3
November 2020 it was confirmed that all of the complaints which the
Commissioner had brought to TMHL's attention related to messages
sent on the basis of Opt-In 2, i.e. that they were sent "in serving the
legitimate interests of the customer to find a loan or suitable financial
product". TMHL confirmed that all of the complainants "had applied one
or more times on our loan application form which is impossible to
submit without agreeing [to Opt-In 2]".
39. During the investigation the Commissioner was able to establish
complaints dating backto March 2020 which could be connected to
TMHL but which included links to third-partsites not previously
recognisedas being associated with TMHL. These websites included
(which are all
operated by who appear to have
been added to TMHL's list of brokers on its various Privacy Policies at
some point between August 2020 and November 2020),
(which is operated by who is
actingas an appointed rep to - these entities were not
named within TMHL's Privacy Policies), (which is
operated by
isunknown).
40. On 30 November 2020 the Commissioner sent some further enquires to
TMHL inter alia in relation to the frequency of the messages being sent,
and the inclusion of third-parweb links in its messages.
11, •
ICO.
Information Commissioner's Office
41. In its response of 9 December 2020,TMHL provided the requested
details. It explained that the average number of messages sent per
application is five, and that this is now capped to be sent within the
first 30 minutes of the application being received. In relation to the
inclusion of third-parweb links in its messagesTMHL explained that
"[t]he third party website(s) were used as an option for the consumer
to obtain a loan with an alternative panel as a last option for them.
They were also used in a separate capacity as a wayf providing
customers with an option if there was any error with our online
application process. Those combined usages led to too much confusion
for the customer and we have removed that service as one of our
results on sms [...] We do not send messages on behalf of anyone else,
we are trying to find the consumer a loan or comparable financial
product. On occasion the use of a broker with a different panel of
lenders can lead to a better result for the customer so we believe this
to still be in the legitimate interests of the customer. If they ultimately
obtain a loan through the use of the broker site, we do receive a
commission for the lead and is, therefore, no different to our
relationships with other financial service providers".
42. Noting thatTMHL had not provided a list of the third parties whose web
links were provided in its text messages, or the related requested
information,the Commissioner wrote to TMHL on 10 December 2020
requesting the same.
43. TMHL responded the same day to advise that, in its view, messages
were not sent on behalf of third-parwebsites, but that they use
alternative brokers to obtain a loan for their customers stating: "[t]his
isn't promoting 3dparty websites and we are only paid a commission
when the customer gets a loan, not for each lead sent for example so
we consider this the same as sending a customer to an alternative
12, •
ICO.
Information Commissioner's Office
lender's website where they may obtain a loan. To confirm, we do not
receive any commission if the consumer does not apply online or find a
product, so this is not marketing".
44. TMHL explained they did not have a relationship with the credit brokers
who received the leads because, in relation to the messages sent which
advertise the loan products of a third-pathey use a redirection
service provided by ('-"), which is
effectively used to find customers an alternative loan. With its
response, TMHL provided an 'affiliate processing activity contract'
between itself and- dated 12 March 2020 which included a
screenshotof TMHL's data capture page. This page included a
screenshotof the Opt-In 1 statement, which TMHL had previously
advised the Commissioner was not used in relation to the messages
about which complaints had been received.
45. TMHL provided a 'Legitimate Interest Assessment' document in relation
to these messages, which explained that their purpose was to provide
an alternative short-terloan [through an alternative broker] when
the individual's application to TMHL directly was unsuccessful. Under
the section of the document headed "Would you be happy to explain
the processing to the individuals?", TMHL wrote:
"Yes - if any individual wanted to know why their details were
processed we would provide the reasons behind our decision. This
information is also provided within our Privacy Notice at all times.
'To provide the best service possible during your application, we may
send you, by sms or email, relevant* alternative or complimentary
products within the 24h application period. Where it is necessary for
13, •
ICO.
Information Commissioner's Office
our legitimate interests and your interests and fundamenrights do
not override those interests.
If you opt in to marketing during your application, our partnemay
send you marketing informationabout these services after this 24h
period.
*The product offers we consider relevant for both your initial
application and for if you opt-in to future offers are:
• High Cost Short Term Credit
• Credit Cards
• Loan Comparison Services
• Tax Refund
• Payday Loan/Short Term Credit
• Guarantor Loans
• Debt Management Services
• Credit Scoring
• Pre-paid Debit Cards
• Money Saving Offers
• Utility Switching Services"'
46. TMHL also provided figures to show that between March 2020 and
September 2020, 217,797 such messages were sent, with 203,100
being received. As it is understood that 752,425 messages were
received by subscribers in total over the prescribed period, the
Commissioner therefore understands that 203,100 of these provided
linkso third-partysites, and the remaining 549,325 messages which
were received by subscribers contained links which directed recipients
to TMHL's own sites.
14, •
ICO.
Information Commissioner's Office
47. On 15 December 2020 the Commissioner sent further correspondence
to TMHL raising concerns with TMHL's apparent reliance on legitimate
interest as the basis for the transmission of its direct marketing
messages. The Commissioner requested further details of TMHL's
relationship with- and details of the credit brokers whose
services were included in TMHL's 'alternativloan' messages.
48. TMHL responded on 8 January 2021 disagreeing with the
Commissioner's suggestion that its messages constituted direct
marketing. Italso provided a summary of the service provided to it by
- which essentially confirmed that-had no
involvement in the content of the 'alternativloan' text messages,
except for providing the redirect-URL, and arranging brokers which
would be advertised in the messages.
49. The Commissioner emailed TMHL on 13 January 2021 providing some
short guidance in relation to the soft opt-in, as it had been referred to
by TMHL in previous correspondence, and explained why it would not
apply in these circumstances. The Commissioner then sent TMHL a
further email on 11 February 2021 with some additional enquiries
concerning inter alia the precise start date for its messages, its due
diligence in respectf the third parties listed within the Privacy Policies
of its sites, and details of the point at which an individual who leaves a
TMHL-operated website after completing a loan application would
qualify to receive messages from TMHL.
50. The Commissioner received a response on 1 March 2021 to advise that
the- messages (i.e. those about which complaints had been
received) had begun in "mid-March 2020". Itadvised that its due
diligence was conducted routinely but largely face-to-facaccordingly
it could not produce any documentary proof. TMHL confirmed it did not
15, •
ICO.
Information Commissioner's Office
do any formal due diligence on - explaining that "we do not
send customer data to them, we redirect the customer's browser
session to them".
51. In terms of the point of the application process at which an individual
would be eligibleto begin receiving text messages from TMHL, it
explained that:
"[...] we sent the customer their loan result in a text message as a
courtesy following each application. The loan application process can be
slow due to the affordabilichecks we need to do and then if we can't
lend to the customer, it then takes longer to find the customer a
product within our panels. The end result is the customer can
frequently get disconnected from our website or get impatient and
leave thinking it's not working. That gave rise to the entire process of
texting them to ensure they obtained the product they were qualified
for. This was done as a courtesy to all customers as we would not
really find out data on abandoned applications until the following
month".
52. TMHL confirmed on 2 March 2021 that it first sent the relevant text
messages from 12 March 2020.
53. The Commissioner received 4 complaints in July 2020 from a single
complainant who received four separate messages within a 24-hour
period, of which 3 were between 9pm and 10pm, with the complainant
reporting that the messages disrupted her sleep.
54. There were 1,356 complaints made to the 7726-reportingservice
between 26 March 2020 and 8 September 2020 concerning messages
sent by TMH L.
16, •
ICO.
Information Commissioner's Office
55. It is understood that there have been a further 5,107 complaints to the
7726 service between 9 September 2020 and 23 May 2021, with a
number of further complaints being made from 24 May 2021 and
continuing into 2022.
56. The Commissioner has made the above findings of fact on the
balance of probabilities.
57. The Commissioner has considered whether those facts constitute
a contravention of regulation 22 of PECRby TMHL and, if so, whether
the conditions of section SSA DPA are satisfied.
The contravention
58. The Commissioner finds that TMHL contravened regulation 22 of PECR.
59. The Commissioner finds that the contraventiowas as follows:
60. The Commissioner finds that between 12 March 2020 and 8 September
2020 there were 752,425 unsolicited direct marketing text messages
received by subscribers. The Commissioner findshat TMHL
transmitted those direct marketing messages via two platform
providers, contrary to regulation 22 of PECR.
61. The Commissioner takes the view that these messages are unsolicited.
Subscribers used TMHL's websites, which advertised themselvesas a
"100%" and "purely online" service, as a means of obtaining a short
term loan offer. However, in order to proceed with the online
application, individuals had no choice but to agree to receive an
undefined number of contacts via text, email and telephone from TMHL
17, •
ICO.
Information Commissioner's Office
and its third-partpartners. TMHL used the individual's mandatory
agreement as a basis for engaging in its direct marketing campaign.
Individuals used TMHL's service to obtain an online loan offer and had
not requested this additional contact voluntarthe Commissioner
therefore takes the view that the marketing cannot be said to have
been solicited. The fact that individuals were denied this choice at the
outset of their application is evidenced by the high volume of
complaints which were received regarding these messages.
62. TMHL, as the sender of unsolicited direct marketing, is required to
ensure that it is acting in compliance with the requirements of
regulation 22 of PECR,and to ensure that valid consent to send those
messages had been acquired.
63. Whilst TMHL has suggested that its messages were 'service messages',
and not direct marketing messages, the Commissioner is satisfied that
the messages which were received by subscribers, which advertised
the availability of loan products from both TMHL and third-party
providers, can be appropriately defined as falling within the definition
of direct marketing as prescribed by Section 122(5) DPA18.
64. For consentto be valid it is required to be "freely given", by which it
follows that if consent to marketing is a condition of subscribing to a
service,the organisation will have to demonstrate how the consent can
be said to have been given freely. Whilst TMHL did provide a separate
set of optional opt-in boxes for individuals who might wish to agree to
marketing in the future, it is the case that if a subscriber wished to
proceed with their online loan application they would be required to
agree to receiving a variety of contacts (telephone, email and text
message) from TMHL and a range of third-partiesIn this instance,
over a 6-month period over 750,000 messages were sent. These
18, •
ICO.
Information Commissioner's Office
messages would be sent if an individual decided not to proceed with
the subsequent online offer, or if they were ineligible for a loan offer
from TMHL. This requirement to agree to TMHL's messages was also
bundled up with the requirement to agree to a credit check. Individuals
were unable to agree solely to the credit check and to proceed with
their loan application online only. Agreement to being potentially
contacted by text message, email and telephone was a requirement of
proceeding with TMHL's service.Whilst TMHL has characterised its text
messages as a "courtesy" for customers, in the Commissioner's view it
is misleading to do so, as subscribers had no choice but to agree to
receipt of these messages. Furthermore, and in any event, messages
sent as a "courtesy" are not exempt from the rules regarding PECR.
65. Consent is also required to be "specific" as to the type of marketing
communication to be received, and the organisation, or specific type of
organisation, that will be sending it. Individuals in this instance were
not able to select the method by which they may wish to receive direct
marketing, with agreement to being potentially contacted by text
message, email and/or telephone, being a requirement.
66. Consent willnot be "informed"if individuals do not understand what
they are consenting to. Organisations should therefore always ensure
that the language used is clear, easy to understand, and not hidden
away in a privacy policy or small print. Consent will not be valid if
individuals are asked to agree to receive marketing from "similar
organisations", "partners", "selected third parties" or other similar
generic description. In this instance, individuals did not have the option
to select which, if any, of TMHL's third parties it might wish to receive
direct marketing from following their online loan application. Whilst
some of the third parties about which the individuals might receive
direct marketing were named within the relevant Privacy Policy, there
19, •
ICO.
Information Commissioner's Office
was no indication of how many messages they might receive, nor was
there an option to select the method of contact. Indeed, as TMHL itself
recognised in the course of the investigatiit could be confusing for
an individual to receive a text with a link to a thirdwebsite
offering a loanith an alternative panel with which it will have had no
contact previously. It is also understood that in relation to the
messages which were sent which advertised the loan products of third
parties, whilst some third-partiwere named within TMHL's Privacy
Policies, the third-partincluded brokers (who might in turn advertise
their own affiliates) and entities who provided lead generation services
/ affiliate network services. Accordingly ,TMHL were not fully aware of
precisely which loan provider a subscriber may be directed to within its
text messages. Therefore, subscribers were denied the chance to select
which, if any, of the potential third-pait might wish to receive
marketing messages about.
67. The Commissioner is therefore satisfied from the evidence he has seen
that TMHL did not have the necessary valid consent for the 752,425
direct marketing messages received by subscribers.
68. The Commissioner is also satisfied that TMHL cannot rely on the soft
opt-in exemption provided by regulation 22(3). This is because,
contrary to the requirement of regulation 22(3)( c) individuals were
unable to opt out of receiving these particular direct marketing
messages at the point at which their details were taken, since
agreement to receipt of these messages was a condition of service.
Furthermore, 203,100 of the 752,425 received messages did not relate
to TMHL's own products or services, contrary to the requirement of
regulation 22(3)(b).
20, •
ICO.
Information Commissioner's Office
69. The Commissioner has gone on to consider whether the conditions
under section SSA DPA are met.
Seriousness of the contravention
70. The Commissioner is satisfied that the contraventiidentified
above was serious. This is because between 12 March 2020 and 8
September 2020, a confirmed total of 807,382 direct marketing
messages were sent by TMHL, of which 7S2,42S were received by
subscribers. These messages contained direct marketing material for
which subscribers had not provided valid consent. Furthermore the
Commissioner is satisfied that TMHL cannot rely on the soft opt-in
exemption. From these messages, a total of 1,360 complaints were
made.
71. The Commissioner is therefore satisfied that condition (a) from
section SSA(l) DPA is met.
Deliberate or negligent contraventions
72. The Commissioner has considered whether the contravention identified
above was deliberate. The Commissioner does not consider that TMHL
deliberately set out to contravene PECRin this instance.
73. The Commissioner has gone on to consider whether the contravention
identified above was negligent. This consideration comprises
elements:
74. Firstly, he has consideredhether TMHL knew or ought reasonably to
have known that there was a risk that these contraventiowould
21, •
ICO.
Information Commissioner's Office
occur. This is not a high bar and he is satisfied that this condition is
met.
75. The Commissioner has published detailed guidance for those carrying
out direct marketing explaining their legal obligations under PECR.
This guidance gives clear advice regarding the requirementof consent
for direct marketing and explains the circumstances under which
organisations are able to carry out marketing over the phone, by text,
by email, by post, or by fax. In particular it states that organisations
cangenerally only send, or instigate, marketing messages to
individuals if that person has specifically consented to receiving them.
The guidance also provides a full explanation of the "solt opt-in"
exemption. The Commissioner has also published detailed guidance on
consent under the GDPR. In case organisations remain unclear on their
obligations, the ICO operates a telephone helpline. ICO
communications about previous enforcement action where businesses
have not complied with PECRare also readily available.
76. It is therefore reasonable to suppose that TMHL should have been
aware of its responsibilitin this area.
77. Secondly, the Commissioner has gone on to consider whether TMHL
failedto take reasonable steps to prevent the contraventionAgain, he
is satisfied that this condition is met.
78. The Commissioner considers that any organisation engaging in direct
marketing must take thorough steps to understand and implement
marketing procedures that are compliant with the legislation. If TMHL
had done this, it would have realised that it was unable to rely on
'legitimateinterest' to comply with PECRas it had suggested for the
sending of its direct marketing material.
22, •
ICO.
Information Commissioner's Office
79. The Commissioner considers that it would have been reasonable for
TMHL to separate the various elements of its opt-in page. i.e., by
making agreement to the credit check and use of its online loan
application process separate anddistinct from its request for
individuals to agree to follow-up direct marketing communicatioBy.
conflating theserequirements, TMHL removed the individual's ability to
proceed with an online-only loan application, without being required to
agree to potentially invasive direct marketing by a variety of methods.
That TMHL intended to send these further messages only over the 24-
hour period immediately following the individual's application is
irrelevant, and appears arbitrary. Indeed, TMHL has also accepted
during the investigation that some of the messages it sent, about
which complaints were received, fell outside of this time frame in any
event.
80. The Commissioner is also concerned by TMHL's lack of knowledge as to
the third-partieabout whom individuals may have received direct
marketing text messages. He considers that it would be reasonable to
expect TMHL to conduct sufficient due diligence to ensure that it is at
least aware of which third-partiit may be referring individuals to.
81. In the circumstances, the Commissioner is satisfied that TMHL failed to
take reasonable steps to prevent the contraventions.
82. The Commissioner is therefore satisfied that condition (b) from section
SSA (1) DPA is met.
The Commissioner's decision to impose a monetary penalty
83. The Commissioner has taken into account the following
23, •
ICO.
Information Commissioner's Office
aggravating feature of this case:
• The direct marketing being received in this case is likely to have been
sent to vulnerable individuals in financial difficulty.
84. The Commissioner does not consider there to be any significant
mitigating features in this case.
85. Forthe reasons explained above, the Commissioner is satisfied that the
conditions from section SSA (1) DPA have been met in this case. He is
also satisfied that the procedural rights under section 55B have been
complied with.
86. The latter has included the issuing of a Notice of Intent, in which the
Commissioner set out his preliminary thinking. In reaching his final
view, the Commissioner has taken into account the representations
made by TMHL, but remains satisfied that there are valid grounds for
proceeding to issue a monetary penalty notice.
87. The Commissioner is accordingly entitled to issue a monetary penalty
in this case.
88. The Commissioner has considered whether, in the circumstances, he
should exercise his discretion so as to issue a monetary penalty.
89. The Commissioner has considered the likely impact of a monetary
penalty on TMHL. He has decided on the information that is available to
him, that a penalty remains the appropriate course of action in the
circumstances of this case.
24, •
ICO.
Information Commissioner's Office
90. The Commissioner's underlying objective in imposing a monetary
penalty notice is to promote compliance with PECR.The sending of
unsolicited direct marketing messages is a matter of significant public
concern. A monetary penalty in this case should act as a general
encouragement towards compliance with the law, or at least as a
deterrent against non-compliance,on the part of all persons running
businesses currently engaging in these practices. The issuing of a
monetary penalty will reinforce the need for businesses to ensure that
they are only messaging those who specifically consent to receive
direct marketing.
91. For these reasons, the Commissioner has decided to issue a monetary
penalty in this case.
The amount of the penalty
92. Taking into account all of the above, the Commissioner has decided
that a penalty in the sum of £50,000(fifty thousand pounds) is
reasonable and proportionategiven the particular facts of the case and
the underlying objective in imposing the penalty.
Conclusion
93. The monetary penalty must be paid to the Commissioner's office by
BACS transfer or cheque by 16 March 2022 at the latest. The
monetary penalty is not kept by the Commissioner but will be paid into
the Consolidated Fund which is the Government's general bank account
at the Bank of England.
94. If the Commissioner receives full payment of the monetary penalty by
15 March 2022 the Commissioner will reduce the monetary penalty
25, •
ICO.
Information Commissioner's Office
by 20% to £40,000 (forty thousand pounds). However, you should
be aware that the early payment discount is not available if you decide
to exercise your right of appeal.
95. There is a right of appeal to the First-tier Tribunal (InformRights)
against:
(a) the imposition of the monetary penalty
and/or;
(b) the amount of the penalty specified in the monetary penalty
notice.
96. Any notice of appeal should be received by the Tribunal within 28 days
of the date of this monetary penalty notice.
97. Information about appeals is set out in Anne1.
98. The Commissioner will not take action to enforce a monetary penalty
unless:
• the period specified within the notice within which a monetary
penalty must be paid has expired and all or any of the monetary
penalty has not been paid;
• allrelevant appeals against the monetary penalty notice and any
variation of it have either been decided or withdrawand
• the period for appealing against the monetary penalty and any
variation of it has expired.
99. In England, Wales and Northern Ireland, the monetary penalty is
recoverable by Order of the County Court or the High Court. In
Scotland, the monetary penalty can be enforced in the same manner as
26, •
ICO.
Information Commissioner's Office
an extract registered decree arbitral bearing a warrant for execution
issued by the sheriff court of any sheriffdom in Scotland.
Dated the 14day of February 2022
Andy Curry
Head of Investigations
InformatioCommissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 SAF
27, •
ICO.
Information Commissioner's Office
ANNEX 1
SECTION 55 A-E OF THE DATA PROTECTION ACT 1998
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER
1. Section 55B(S) of the Data Protection Act 1998 gives any person
upon whom a monetary penalty notice has been served a right of
appeal to the First-tier Tribunal (InformRights) (the 'Tribunal')
against the notice.
2. If you decide to appeal and if the Tribunal considers:-
a) that the notice against which the appeal is brought is not in
accordance with the law; or
b) to the extent that the notice involved an exercise of
discretion by the Commissioner, that he ought to have exercised
his discretionfferently,
the Tribunal will allow the appeal or substitute such other decision as
could have been made by the Commissioner. In any other case the
Tribunal will dismiss the appeal.
3. You may bring an appeal by serving a notice of appeal on the
Tribunal at the following address:
General Regulatory Chamber
HM Courts &Tribunals Service
PO Box 9300
Leicester
LEl 8DJ
28, •
ICO.
Information Commissioner's Office
Telephone: 0203 936 8963
Email: grc@justice.gov.uk
a) The notice of appeal should be sent so it is received by the
Tribunal within 28 days of the date of the notice.
b) If your notice of appeal is late the Tribunal will not admit it
unless the Tribunal has extended the time for complying with this
rule.
4. The notice of appeal should state:-
a) your name and address/name and address of your
representative(if any);
b) an address where documents may be sent or delivered to
you;
c) the name and address of the Information Commissioner;
d) details of the decision to which the proceedings relate;
e) the result that you are seeking;
f) the grounds on which you rely;
g) you must provide with the notice of appeal a copy of the
monetary penalty notice or variation notice;
h) if you have exceeded the time limit mentioned above the
notice of appeal must include a request for an extension of time
29, •
ICO.
Information Commissioner's Office
and the reason why the notice of appeal was not provided in
time.
5. Before deciding whether or not to appeal you may wish to consult
your solicitor or another adviser. At the hearing of an appeal a party
may conduct his case himself or may be represented by any person
whom he may appoint for that purpose.
6. The statutory provisions concerning appeals to the First-tier
Tribunal (InformatiRights) are contained in section 55B(S) of, and
Schedule 6to, the Data Protection Act 1998, and Tribunal Procedure
(First-tier Tribunal) (General Regulatory Chamber) Rules 2009
(StatutorInstrument 2009 No. 1976 (L.20)).
30
