ICO (UK) - We Buy Any Car Limited

From GDPRhub
Revision as of 15:35, 19 September 2021 by Mariam-hwth (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO (UK) |DPA_With_Country=ICO (UK) |Case_Number_N...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ICO (UK) - We Buy Any Car Limited
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 4(11) GDPR
Regulation 22(3) of the Privacy and Electronic Communications (EC Directive) Regulations 2003
Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003
Type: Complaint
Outcome: Upheld
Started:
Decided: 13.09.2021
Published: 15.09.2021
Fine: 200000 GBP
Parties: We Buy Any Car Limited
National Case Number/Name: We Buy Any Car Limited
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: MH

The Information Comissioner's Office imposed a fine of around €234,000 on a car valuation and purchasing company, We Buy Any Car Ltd. WBAC infringed Regulation 22 PECR by sending unsolicited marketing emails and SMS.

English Summary

Facts

We Buy Any Car Limited (WBAC) is a car purchasing company. Individuals can input details about their vehicle to get a fixed-price valuation.

Individuals complained that they received unsolicited marketing texts from WBAC. The UK DPA, the Information Commissioner's Office (ICO), started an investigation on the basis of complaints between October 2019 and January 2020. WBAC stated that they only contact individuals that request vehicle valuation. They claimed that these messages were either sent on the request of indivduals or on the basis of the "soft opt-in".

WBAC informed the ICO that 207.7 million email messages were sent (205.5m delivered) between Apil 2019 and April 2020. These messages were: - 92.3 million “journey” emails requested by the individuals asking for a valuation; - 107.6 million “batch” emails sent to customers between 30 days and 4 years since their last valuation; and - 7.8 million “good news” emails where the valuation offer has increased.

WBAC also sent 16.3 million SMS between April 2019 and April 2020. 4.2 million ("batch" and "good news" messages) were marketing, 3.6 million of which were delivered.

Dispute

Holding

The Information Commisioner's Office considered that the "journey" messages were unsolicited marketing because the individuals had not specifically requested them, even if WBAC had informed individuals about them. The ICO concluded that the emails were marketing emails rather than services messages, as defined in the ICO's Direct Marketing Code of Practice, because they contained marketing elements even if it wasn't the main purpose. Of all the messages delivered, the ICO considered that only 14.1 million were solicited versus 191.4 million unsolicited marketing emails. WBAC was therefore found in contravention of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (hereafter: PECR) as WBAC did not satisfy the requirement of getting valid consent

The ICO also considered the “batch” and “good news” SMS to be direct marketing. Although WBAC claimed this was under the soft opt-in rule (Regulation 22(3) PECR), the ICO disagreed. The DPA held that the possibility of opt-in out was not presented to customers during process of collecting their details. Instead, it was only presented to them after they had received a vehicle valuation. There was no meaningful possibility to opt-out, which therefore lead the ICO to conclude that WBAC did not coply with the requirements of regulation 22(3) PECR. The ICO also concluded that WBAC had misunderstood the definition of service messages in relation to the SMS they sent, which the DPA deemed to be marketing ones.

The ICO also found that complainants were unsuccessful when attempting to unsubscribe from emails and SMS.

The ICO took into account the large number of emails and text sent over the 1 year period investigated and deemed it a serious contravention of the regulation. The ICO also concluded that WBAC "knew or ought reasonably to have known that there was a risk that this contravention would occur" and therefore considered this contravention to be negligent. The ICO therefore imposed a fine of around €234,000

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

                      DATA PROTECTION ACT 1998



   SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER



                      MONETARY PENALTY NOTICE


To:   We Buy Any Car Limited



Of:   Headway House, Crosby Way, Farnham, Surrey, GU9 7XG




1.    The Information Commissioner (“Commissioner”) has decidedto issue

      We Buy Any Car Limited (”WBAC”) with a monetary penalty under
      section 55A of the Data Protection Act 1998 (“DPA”). The penalty is in

      relation to a serious contravention of regulation 22 of the Privacy and

      Electronic Communications (EC Directive) Regulations 2003 (“PECR”).



2.    This notice explains the Commissioner’s decision.


      Legal framework



3.    WBAC, whose registered office is given above (companies house

      registration number: 05727953), is the organisation (person) stated in

      this notice to have transmitted unsolicited communications by means
      of electronic mail to individual subscribers for the purposes of direct

      marketing contrary to regulation 22 of PECR.



4.    Regulation 22 of PECR provides that:






                                     1      “(1) This regulation applies to the transmission of unsolicited
      communications by means of electronic mail to individual subscribers.


      (2) Except in the circumstances referred to in paragraph (3), a person

      shall neither transmit, nor instigate the transmission of, unsolicited

      communications for the purposes of direct marketing by means of

      electronic mail unless the recipient of the electronic mail has previously

      notified the sender that he consents for the time being to such
      communications being sent by, or at the instigation of, the sender.



      (3) A person may send or instigate the sending of electronic mail for

      the purposes of direct marketing where–



      (a)    That person has obtained the contact details of the recipient of
             that electronic mail in the course of the sale or negotiations for

             the sale of a product or device to that recipient;

      (b)    The direct marketing is in respect of that person’s similar

             products and services only; and

      (c)    The recipient has been given a simple means of refusing (free of
             charge except for the costs of transmission of the refusal) the

             use of his contact details for the purposes of such direct

             marketing, at the time that the details were initially collected,

             and, where he did not initially refuse the use of the details, at the

             time of each subsequent communication.


      (4) A subscriber shall not permit his line to be used in contravention of

      paragraph (2).”



5.    Section 122(5) of the DPA 2018 defines “direct marketing” as “the

      communication (by whatever means) of any advertising material which




                                         2      is directed to particular individuals”. This definition also applies for the
      purposes of PECR.



6.    “Electronic mail” is defined in regulation 2(1) PECR as “ any text, voice,

      sound or image sent over a public electronic communications network

      which can be stored in the network or in the recipient’s terminal

      equipment until it is collected by the recipient and includes messages
      sent using a short message service”.



7.    Consent in PECR is now defined, from 29 March 2019, by reference to

      the concept of consent in Regulation 2016/679 (“the GDPR”):

      Regulation 8(2) of the Data Protection, P rivacy and Electronic
      Communications (Amendments etc) (EU Exit) Regulations 2019. Ar ticle

      4(11) of the GDPR sets out the following definition: “‘consent’ of the

      data subject means any freely given, specific, informed and

      unambiguous indication of the data subject’s wishes by which he or

      she, by a statement or by a clear affirmative action, signifies

      agreement to the processing of personal data relating to him or her”.


8.    Section 55A of the DPA (as amended by the Privacy and Electronic
      Communications (EC Directive)(Amendment) Regulations 2011 and the

      Privacy and Electronic Communications (EC Directive) (Amendment)

      Regulations 2015) states:



      “(1) The Commissioner may serve a person with a monetary penalty if
           the Commissioner is satisfied that –


              (a) there has been a serious contravention of the requirements

                  of the Privacy and Electronic Communications (EC
                  Directive) Regulations 2003 by the person, and


              (b) subsection (2) or (3) applies.



                                       3      (2) This subsection applies if the contravention was deliberate.

      (3) This subsection applies if the person –

              (a) knew or ought to have known that there was a risk that

              the contravention would occur, but

              (b) failed to take reasonable steps to prevent the

                  contravention.”



9.    The Commissioner has issued statutory guidance under section 55C (1)

      of the DPA about the issuing of monetary penalties that has been
      published on the ICO’s website. The Data Protection (Monetary

      Penalties)(Maximum Penalty and Notices) Regulations 2010 prescribe

      that the amount of any penalty determined by the Commissioner must

      not exceed £500,000.



10.   PECR were enacted to protect the individual’s fundamental right to
      privacy in the electronic communications sector. PECR were

      subsequently amended and strengthened. The Commissioner will

      interpret PECR in a way which is consistent with the Regulations’

      overall aim of ensuring high levels of protection for individuals’ privacy

      rights.


11.   The provisions of the DPA remain in force for the purposes of PECR

      notwithstanding the introduction of the Data Protection Act 2018 (see

      paragraph 58(1) of part 9, Schedule 20 of that Act).













                                       4 Background to the case



12.   WBAC is a vehicle purchasing and wholesale company with branches

      across the UK. Individuals use the WBAC website to input details about

      their vehicle and obtain a fixed-price valuation.


13.   Phone users can report the receipt of unsolicited marketing text

      messages to the GSMA’s Spam Reporting Service by forwarding the

      message to 7726 (spelling out “SPAM”). The GSMA is an organisation

      that represents the interests of mobile operators worldwide. The

      Commissioner is provided with access to the data on complaints made
      to the 7726 service and this data is incorporated into a Monthly Threat

      Assessment (MTA) used to ascertain organisations in breach of PECR.



14.   WBAC came to the attention of the Commissioner following monitoring

      of spam email complaints received directly via the ICO spam email
      reporting tool. Between 29 October 2019 and 17 January 2020, 10

      complaints from individuals, and a further two from the same

      individual, had been recorded.



15.   On 7 April 2020, the ICO sent an investigation letter to WBAC via email

      requesting the volume of marketing messages sent and delivered
      between 7 April 2019 and 7 April 2020, the source of the data, and

      evidence of consent relied upon to send marketing messages. The

      letter also provided an index of the twelve complaints and asked for an

      explanation in relation to each one.


16.   On 3 July 2020, the ICO received a response from WBAC in which it

      explained the service provided. WBAC advised that it does not initiate

      contact with individuals and only responds to individuals who request a



                                       5      vehicle valuation. The vehicle valuation is guaranteed for a set period
      of time, within which the individual can sell their vehicle to WBAC. If

      the guarantee period expires then WBAC contacts individuals to give

      them the opportunity to update their valuation. WBAC explained that

      emails are sent either at the request of individuals, or in accordance

      with the ‘soft opt-in’.


17.   The Commissioner’s investigation accordingly focussed on the

      marketing emails and SMS WBAC say were sent after the initial

      valuation email, and whether those communications satisfied the ‘soft

      opt-in’ criteria.


18.   WBAC went on to inform the Commissioner that during the period 7

      April 2019 to 7 April 2020 it sent 207.7 million email messages, of

      which 205.5 were delivered. These messages were split into three

      categories:



          (a)  92.3 million “journey” emails. Up to 12 emails over a 30 day
               period were sent to customers of its website in response to

               14.1 million valuation requests. WBAC explained that

               customers specifically requested “journey” emails when

               completing the valuation process and so believed that this

               category of emails were not “unsolicited” emails regulated by
               PECR.



          (b)  107.6 million “batch” emails. These are occasional emails sent

               to customers after the 30 day “journey” and up to 4 years

               since their last valuation was provided.







                                        6          (c)  7.8 million “good news” emails. These were emails whereby
               customers are informed that the offer for their vehicle has

               been increased.



19.   With regard to the “journey” emails the Commissioner’s view is that for

      a marketing message to be solicited it must be actively requested. The
      Commissioner therefore accepts that the initial valuation emails (of

      which 14.1 million were sent during the period under investigation)

      constitute solicited marketing and so are not subject to the

      requirements of PECR.



20.   WBAC asserted in representations to the Notice of Intent that the
      remaining “journey” emails are also solicited, as in their view recipients

      took an ‘active step’ in requesting a vehicle valuation, at which point

      they were informed about the receipt of vehicle valuation and

      guarantee reminders. The Commissioner however does not agree, and

      finds that the subsequent “journey” messages are unsolicited, because
      they are not specifically requested by individuals, even if informed

      about them by WBAC.



21.   Furthermore, the Commissioner’s Direct Marketing Guidance states that

      the definition of direct marketing includes any message which includes

      some marketing element, even if that is not its main purpose. The
      Commissioner considers that these messages contain an element of

      marketing because they contain material promoting WBAC’s service and

      encouraging recipients to continue the valuation journey, and so are

      subject to the provisions of PECR.


22.   On the basis that 205.5 million emails from all categories were

      delivered in total, of which 14.1 million were solicited valuation emails,




                                       7      this equates to 191.4 million unsolicited marketing emails having been
      sent by WBAC.



23.   In addition to emails WBAC also informed the Commissioner that it sent

      16.3 million SMS over the same period, of which 4.2 million were

      marketing messages. 3.6 million of these were delivered. WBAC later

      confirmed that 2 million of the marketing messages were “batch”
      messages and 2.2 were “good news” messages, examples being as

      follows:



      Batch SMS: It takes less than 60 seconds to get an updated quote for

      your ~MANUFACTURER~! Click here > ~LINK~. Text STOP to 65800 to
      optout



      Good news SMS: Price alert: We can offer more for your

      ~MANUFACTURER~! Don’t miss out on your higher valuation, click

      ~LINK~. Text STOP to 65800 to optout.


24.   The Commissioner considers that the “batch” and “good news” SMS

      clearly encourage customers to continue with their valuation journey

      and therefore constitute directmarketing, as they promote WBAC’s

      service.


25.   With regard to consent to send marketing messages, WBAC informed

      the Commissioner that “where we do send emails that customers have

      not specifically requested, we do so relying on the ‘soft opt in’ under

      Regulation 22(3) PECR  ”.


26.   The Commissioner went onto consider whether WBAC either had valid

      consent to send the marketing emails and SMS, or in particular, based

      on assertions made by WBAC, whether it satisfied the criteria for


                                       8      reliance upon regulation 22(3) of PECR – the ‘soft opt-in’. In this regard
      WBAC stated: “Customer details are collected in the course of the

      customer choosing to use our service, with the opportunity to object

      presented to them once they have been presented with their valuation

      by email.”



27.   From a review of WBAC’s website, information presented to customers
      at the point of submitting their details to WBAC is as follows:



      “When you obtain a valuation, you agree to Webuyanycar’s Terms &

      Conditions, Privacy & Cookies Policy, and our Data & Communication

      Policy, which includes marketing communications regarding your
      vehicle. You can update our communication preferences at any time by

      visiting our Contact Preference Centre. We provide links to this in each

      of our emails.”



      “We will send you a copy of your valuation to your email address and

      mobile phone, along with reminders of how long your valuation is valid
      for. You will also receive updates that we believe will be of interest to

      you, such as significant marketing activity or limited offers in respect of

      your vehicle. You can choose not to receive any further communication

      from us at any time. All our emails have unsubscribe li nks, SMS

      messages accept STOP replies to 65800. Alternatively, you can visit our
      contact preference centre to opt-out of all or specific communications.”



28.   It is apparent from the above that whilst customers are informed of

      future ways to opt out at the point of collection of their details, the

      opportunity to actually object to marketing messages is presented only
      after provision of the vehicle valuation . Individuals have no opportunity

      to refuse marketing when initially inputting their details. WBAC accept

      that the opt-out provision does not occur until receipt of the first


                                        9      valuation email however believe that as there is a ‘minor temporal gap’
      between the two events it is ‘simultaneous’. The Commissioner does

      not accept WBAC’s position on this point and remains satisfied that

      WBAC do not comply with the requirements of Regulation 22(3)(c) in

      relation to the timing of the opt-out.



29.   WBAC also presented the Commissioner with a copy of its data
      protection impact assessment (“DPIA”) for the three categories of

      message as detailed in paragraph 18 above. Questions asked of WBAC

      in the DPIA are:



         1. Did WBAC obtain individuals’ contact details in the course of a
            sale or negotiations of a sale?

         2. Is the marketing message in respect of WBAC’s same or similar
            products and services?


         3. Were individuals given a simple means to refuse marketing when
            their details were collected?


         4. Have individuals been given a simple means of opting-out in each
            subsequent message?

      WBAC’s response for each of the three types of marketing message

      was:

            “Yes. All messages to the customer are in respect of our service.
            Customers have the option to update their communication

            preferences once they have received their 7 day guarantee
            (which is sent immediately), and all our communications contain
            an opt-out mechanism.”


30.   It appears from WBAC’s response to the DPIA that it failed to comply

      with Question 3, and in relation to Question 4 it seems WBAC has

      misunderstood or misinterpreted PECR by providing customers an

      opportunity to opt out only in messages sent following the initial
      valuation email. The Commissioner found that because customers were



                                      10      not able to refuse marketing communications at the initial point of
      collection of their data, WBAC had in fact failed to meet the

      requirement at Regulation 22(3)(c) of PECR – the ‘soft opt in’.



31.   It is noteworthy that upon review of a copy of the unsubscribe journey

      also provided by WBAC, the available customer contact preference

      options refer to: all WBAC communications, “service” emails and SMS,
      and newsletters. It is clear from WBAC’s own interpretation of “service”

      as provided during the investigation, that it encompassed “the whole

      business and offering to consumers of WBAC to make offers to

      purchase used vehicles”. This is an unconventional definition of

      “service” and at odds with the Commissioner’s definition of “service
      messages” in her own Direct MarketingCode of Practice, which WBAC

      acknowledged it had consulted. In this instance the Commissioner

      considered that customers  may misinterpret the options in the

      communication preferences centre, which would lead to them

      remaining signed up to receive marketing messages under the

      misapprehension that they have only chosen to opt in to receive
      genuine service emails. As such the Commissioner considers that WBAC

      is unable to satisfy the requirement in Regulation 22(3)(c) relating to

      provision of a “simple means” of refusal.



32.   In conclusion the Commissioner considers that WBAC’s business model
      is fundamentally flawed in that it is unable to satisfy Regulation 22 in

      terms of valid consent, nor the requirements of the ‘soft opt-in’ under

      Regulation 22(3), in order to send unsolicited marketing messages to

      its customers.



33.   Further analysis of complaints data established that in addition to 12
      complaints received about emails, 26 SMS messages were reported as




                                       11      SPAM to the 7726 service, and the Commissioner received 4 complaints
      about SMS directly via her online reporting tool (“OLRT”).



34.   Examples of some of the complaints are as follows:



      “I’ve tried to unsubscribe twice and I’m still getting emails.”


      “Having repeatedly asked them to not send me any more messages, I

      continue to receive direct marketing”



      “I got a quote from we buy any car last summer and since then I have

      been bombarded with emails from them about the car I received the
      quote for. I have requested to unsubscribe from their service in full at

      least 3 to 4 times possibly more, I have lost count. But still I get emails

      from them - I tend to delete them now but today I decided to try again

      to remove myself from their service. You never get any confirmation

      that you've succeeded either.”


      “An email asking me if I wanted to sell my car. I have not consented to

      these emails and they have been sent daily despite me unsubscribing

      twice.”



      “I did use their website to see how much my car is worth, but I did not
      consent to being hassled via text messages to bring my car to their

      local site to sell it( in 3 texts so far, and numerous emails also). When I

      used website to value my car it did not have an opt-out for further

      marketing or if it did it was not in an obvious visible place. It seems

      that they are not upfront about hassling people who use their website,

      the purpose of which seems to be to collect data about people. If there
      was an opt-out it was not placed where it was easily visible, so I feel

      deceived.” (compilation of three complaints from the same individual).


                                       1235.   The Commissioner has made the above findings of fact on the balance

      of probabilities.


36.   The Commissioner has considered whether those facts constitute a
      contravention of regulation 22 of PECR by WBACand, if so, whether the

      conditions of section 55A DPA are satisfied.



   The contravention


37.   The Commissioner finds that WBAC has contravened Regulation 22 of

      PECR. The Commissioner finds that the contravention was as follows:


38.   Between 7 April 2019 and 7 April 2020 WBAC transmitted 191.4 million

      emails and 3.6 million SMS (totalling 195 million unsolicited

      communications) over a public electronic communications network by

      means of electronic mail to individual subscribers for the purposes of
      direct marketing contrary to regulation 22 of PECR.


39.   Organisations cannot generally send marketing emails or SMS unless

      the recipient has notified the sender that they consent to such emails

      being sent by, or at the instigation of, that sender. The Commissioner

      is satisfied that there was no such consent.


40.   An organisation which is reliant upon regulation 22(3)of PECR to send

      marketing emails and SMS to its customers, as appears to be the case
      here, must ensure the recipient has been given a simple means of

      refusing the use of their contact details for the purposes of such direct

      marketing at the time that the details were initially collected. WBAC

      failed to do so.


41.   The Commissioner is satisfied that WBAC is  unable to satisfy Regulation

      22 in terms of valid consent, nor the requirements of the ‘soft opt in’


                                       13      under Regulation 22(3), in order to send unsolicited mar keting
      messages to its customers.


42.   The Commissioner is satisfied that WBAC was responsible for this

      contravention.


43.   The Commissioner has gone on to consider whether the conditions

      under section 55A DPA were met.



    Seriousness of the contravention


44.   The Commissioner is satisfied that the contravention identified above

      was serious.



45.   This is because WBAC sent 191.4 million marketing emails and 3.6
      million marketing SMS messages to individuals without fully satisfying

      the requirements of the soft opt in, resulting in 42 complaints to the

      Commissioner, over a period of twelve months.



46.   The Commissioner’s guidance in relation to PECR states that “making a

      large number of marketing calls based on recorded messages or
      sending large numbers of marketing text messages to individuals who

      have not consented to receive them […] is likely to constitute a serious

      contravention of the Regulations”. The situation here is analogous in

      that substantial numbers of marketing emails and SMS were sent to

      individuals who had not consented to receive them and had not been
      provided an opportunity to opt out. WBAC conducted a sustained and

      long term approach to marketing based upon a flawed soft optin

      mechanism.



47.   Upon analysis of the 7726 complaints, 83.3% of complainants chose

      the option “It made me annoyed and/or anxious ” in response to the

                                      14      question “How did this message affect you?”. From this the
      Commissioner can infer that the unsolicited marketing messages have

      negatively impacted the recipients.



48.   The Commissioner is therefore satisfied that condition (a ) from section

      55A (1) DPA is met.


  Deliberate or foreseeable contravention



49.   The Commissioner has considered whether the contravention identified

      above was deliberate. In the Commissioner’s view, this means that
      WBAC’s actions which constituted that contravention were deliberate

      actions (even if WBAC did not actually intend thereby to contravene

      PECR).



50.   The Commissioner considers that WBAC’s actions in failing to include a
      consent statement at the point of collection of customer’s information

      was not a deliberate act.



51.   Accordingly the Commissionerhas gone on to consider whether the

      contravention identified above was negligent.


52.   First, she has considered whether WBAC knew or ought reasonably to

      have known that there was a risk that this contravention would occur.

      She is satisfied that this condition is met, given that WBAC is a well-

      established organisation and its business model relied heavily on direct

      marketing.


53.   WBAC is registered with the ICO as a data controller and as such

      should be aware of the Regulations. As the sender of the emails and

      SMS it was the responsibility of WBAC to ensure either valid consent


                                      15      had been obtained prior to their transmission, or all the criteria for the
      soft opt in had been satisfied.



54.   The Commissioner has published detailed guidance for those carrying

      out direct marketing explaining their legal obligation s under PECR. This

      guidance explains the circumstances under which organisations are

      able to carry out marketing over the phone, by text, by email, or by
      fax. The ICO also operates a helpline should organisations require

      further clarification or assistance with specific enquiries.


55.   Furthermore, the issue of unsolicited marketing has been widely

      publicised by the media as being a problem.



56.   WBAC took some steps to ensure compliance by consulting the
      Commissioner’s guidance and Direct Marketing Code of Practice, and

      completing a DPIA. This demonstrates some awareness on the part of

      WBAC as to its statutory obligations.



57.   It is therefore reasonable to suppose that WBACknew or ought
      reasonably to have known that there was a risk that these

      contraventions would occur.



58.   The Commissioner has also considered whether WBAC failed to take

      reasonable steps to prevent the contraventions.


59.   Reasonable steps could have included seeking and fully implementing
      appropriate guidance on the rules in relation to electronic direct

      marketing. Regulation 22 is clear that a data controller must not send

      direct marketing via electronic means unless it can evidence consent or

      satisfy all the requirements of the soft opt in.





                                       1660.   WBAC confirmed that it had consulted the guidance and outlined the
      requirements of the soft opt in in the DPIA, but have not satisfied its

      requirements. It has also sought legal advice. Whilst WBAC included

      information about marketing activity and how an individual can update

      their preferences in the information presented to customers at the point

      of inputting their details into the website, it did not allow individuals the

      opportunity to opt out of marketing at the time their details are
      collected. Proper review and understanding of Regulation 22 would

      have made it clear that this option should be presented to individuals at

      the point of requesting a valuation to ensure compliance.



61.   It is also noteworthy that in relation to its contact preference options
      (see paragraph 31 above) WBAC has acknowledged that its own

      definition of “service messages” is at odds with general understanding

      and ICO guidance but has given no indication that it intends to make

      any changes to its contact preference options. Individuals should be

      presented with options which clearly distinguish marketing

      communications from genuine “service” messages so as to avoid
      customers inadvertently signing up to unwanted direct marketing.



62.   The Commissioner is therefore satisfied that condition (b ) from section

      55A (1) DPA is met.


      The Commissioner’s decision to impose a monetary penalty


63.   The Commissioner considers there are no aggravating features of

      this case.



64.   The Commissioner has taken into account the following mitigating

      factors:




                                       17         •  WBAC made some effort towards ensuring compliance with PECR
            such as consulting the ICO Guidance, seeking legal advice and

            completing a DPIA, albeit these steps ultimately failed to achieve

            compliance.



65.   For the reasons explained above, the Commissioner is satisfied that the

      conditions from section 55A(1) DPA have been met in this case. She is
      also satisfied that the procedural rights under section 55B have been

      complied with.



66.   This has included issuing a Notice of Intent on 26 May 2021, in which

      the Commissioner set out her preliminary thinking, and invited WB AC
      to make representations in response.



67.   The Commissioner received and has considered Representations from

      WBAC dated 16 July 2021.



68.   The Commissioner is accordingly entitled to issue a monetary penalty
      in this case.



69.   The Commissioner has considered whether , in the circumstances, she

      should exercise her discretion so as to issue a monetary penalty. She

      has decided that a monetary penalty is an appropriate and
      proportionate response to the finding of a serious contravention of

      Regulation 22 of PECR by WBAC.



70.   The Commissioner’s underlying objective in imposing a monetary

      penalty notice is to promote compliance with PECR. The sending of

      unsolicited direct marketing emails and SMS is a matter of significant
      public concern. A monetary penalty in this case should act as a general

      encouragement towards compliance with the law, or at least as a


                                      18       deterrent against non-compliance, on the part of all persons running
       businesses currently engaging in these practices. This is an opportunity

       to reinforce the need for businesses to ensure that they are only

       contacting consumers who want to receive these emails and SMS.



 71.   The Commissioner has also considered the likely impact of a monetary

       penalty on WBAC.


       The amount of the penalty



 72.   Taking into account all of the above, the Commissioner has decided

       that the amount of the penalty is £200,000 (two hundred thousand
       pounds).



      Conclusion



73.   The monetary penalty must be paid to the Commissioner’s office by BACS
      transfer or cheque by 12 October     2021 at the latest. The monetary

      penalty is not kept by the Commissioner but will be paid into the

      Consolidated Fund which is the Government’s general bank account at the

      Bank of England.


74.   If the Commissioner receives full payment of the monetary penalty by 11

      October 2021 the Commissioner will reduce the monetary penalty by

      20% to £ 160,000 ( one hundred and sixty          thousand pounds).

      However, you should be aware that the early payment discount is not

      available if you decide to exercise your right of appeal.


75.   There is a right of appeal to the Firstier Tribunal (Information Rights)

       against:




                                      19      (a)  the imposition of the monetary penalty and/or;


      (b)  the amount of the penalty specified in the monetary penalty

      notice.



73. Any notice of appeal should be received by the Tribunal within 28 days

     of the date of this monetary penalty notice.


74. Information about appeals is set out in Annex 1.


75. The Commissioner will not take action to enforce a monetary penalty

    unless:


     • the period specified within the notice within which a monetary penalty

       must be paid has expired and all or any of the monetary penalty has

       not been paid;



     • all relevant appeals against the monetary penalty notice and any

       variation of it have either been decided or withdrawn; and

    •  period for appealing against the monetary penalty and any variation

       of it has expired.


76. In England, Wales and Northern Ireland, the monetary penalty is

    recoverable by Order of the County Court or the High Court. In

    Scotland, the monetary penalty can be enforced in the same manner
    as an extract registered decree arbitral bearing a warrant for execution

    issued by the sheriff court of any sheriffdom in Scotland.










                                       20Dated the 13th day of September 2021



Andy Curry
Head of Investigations

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire

SK9 5AF









































                                    21ANNEX 1


         SECTION 55 A-E OF THE DATA PROTECTION ACT 1998



  RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER



      1.    Section 55B(5) of the Data Protection Act 1998 gives any person
      upon whom a monetary penalty notice has been served a right of

      appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’)

      against the notice.



      2.    If you decide to appeal and if the Tribunal considers:-


            a)    that the notice against which the appeal is brought is not in

            accordance with the law; or



            b)    to the extent that the notice involved an exercise of

            discretion by the Commissioner, that she ought to have exercised
            her discretion differently,



      the Tribunal will allow the appeal or substitute such other decision as

      could have been made by the Commissioner. In any other case the

      Tribunal will dismiss the appeal.


      3.    You may bring an appeal by serving a notice of appeal on the

      Tribunal at the following address:



                 General Regulatory Chamber
                  HM Courts & Tribunals Service
                 PO Box 9300
                 Leicester

                 LE1 8DJ
                  Telephone:   0203 936 8963

                                     22            Email:         grc@justice.gov.uk


      a)    The notice of appeal should be sent so it is received by the
      Tribunal within 28 days of the date of the notice.



      b)    If your notice of appeal is late the Tribunal will not admit it

      unless the Tribunal has extended the time for complying with this

      rule.


4.    The notice of appeal should state:-



      a)    your name and address/name and address of your

      representative (if any);


      b)     an address where documents may be sent or delivered to

      you;



      c)    the name and address of the Information Commissioner;



      d)    details of the decision to which the proceedings relate;


      e)    the result that you are seeking;



      f)    the grounds on which you rely;


      g)    you must provide with the notice of appeal a copy of the

      monetary penalty notice or variation notice;



      h)    if you have exceeded the time limit mentioned above the

      notice of appeal must include a request for a n extension of time




                                 23      and the reason why the notice of appeal was not provided in
      time.



5.    Before deciding whether or not to appeal you may wish to consult

your solicitor or another adviser. At the hearing of an appeal a party

may conduct his case himself or may be represented by any person

whom he may appoint for that purpose.


6.    The statutory provisions concerning appeals to the First- tier

Tribunal (Information Rights) are contained in section 55B(5) of, and

Schedule 6 to, the Data Protection Act 1998, an d Tribunal Procedure

(First-tier Tribunal) (General Regulatory Chamber) Rules 2009
(Statutory Instrument 2009 No. 1976 (L.20)).



































                                 24