ICO - Leads Work Limited (Monetary Penalty)

From GDPRhub
Revision as of 18:44, 14 April 2021 by Mariam-hwth (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO |DPA_With_Country=ICO (UK) |Case_Number_Name=L...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ICO - Leads Work Limited (Monetary Penalty)
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 4(11) GDPR
Regulation 22 Privacy and Electronic Communications (EC Directive) Regulations 2003
Type: Complaint
Outcome: Upheld
Started:
Decided: 01.03.2021
Published: 05.03.2021
Fine: 250000 GBP
Parties: Leads Work Limited
National Case Number/Name: Leads Work Limited (Monetary Penalty)
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: n/a

The UK DPA fined Leads Work Limited approximately €288,000 for sending unsolicitated direct marketing communication to individual subscribers. This breached Regulation 22 of the PECR.

English Summary

Facts

Leads Work Limited (LWL) operates within the "multi-level marketing" sector. It enlists downstream recruits under the Avon band name.

The UK DPA (Information Commissioner's Office or ICO) received various complaints from individuals concerning text messages/SMS sent under the Avon name. During the Covid-19 pandemic, individuals complained again about Avon sending them unsolicited text messages. Between April 2020 and May 2020, 835 complaints of this nature were recorded by the ICO.

Upon investigating further, the ICO identified LWL as the sender of these messages. The ICO notified LWL of the growing complaints concerning these texts. LWL responded to the investigation with information on how they acquired the individuals' data: by purchasing this from third parties and through a website (avon.leadsword.co.uk).

The ICO identified that the core data supplier was from an organisation who's website had an opti-in , a privacy notice and an option to unsubscribe. LWL was included as one of the third parties with who data was shared. However, LWL was not included within the list of organisations from whom individuals could expect marketing from. Additionally, it was not possible for individuals to submit details without selecting a marketing channel. The website was also vague, confusing and lengthy.

The ICO also identified other websites that contributed to collecting personal data used by LWL to send direct marketing SMS. LWL stated that lawyers had create the website's legal framework and believed it to be compliant with the legal requirements.

LWL estimated that between May 2019 and May 2020, around 25 million texts were sent to individuals whose personal data was collected from the above websites.

Dispute

Is sending direct marketing texts to individuals without their consent in breach of Regulation 22 PECR?

Holding

The UK DPA recalled the wording of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as well as the definition of consent under Article 4(11) GDPR.

It then went on to clarify that consent to direct marketing was not freely given, specific or informed because the website indicating LWL as a recipient of personal data was vague, confusing and lengthy.

Similar conclusions were reached regarding other websites used to collect personal data used for direct marketing purposes by LWL. These websites had vague consent statements and did not refer to LWL in their policies (listing Avon instead in certain cases). Even where Avon was listed, the ICO highlighted that individuals could not be reasonably expected to know that Avon was linked to LWL. Therefore, consent was not informed and specific.

The ICO therefore concluded that LWL relied on invalid consent to send direct marketing texts to individuals. It found that LWL was in breach of Regulation 22 of the PECR. The UK DPA highlighted the gravity of the contravention due to the amount of messaged sent without the recipients' consent. It also noted LWL's deliberate or foreseeable infringement of the law without taking reasonable steps to prevent them.

As a result of this infringement, the ICO imposed a fine of £250,000 (approx. €288,000) on Leads Work Limited.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

                                                          •

                                                         ICO.
                                                         Information Commissioner's Office


                    DATA PROTECTION    ACT 1998


   SUPERVISORY    POWERS OF THE INFORMATION      COMMISSIONER


                    MONETARY   PENALTY NOTICE



To:  Leads Work Limited


Of:  Suite C Underwood House, 235 Three Bridges Road, Crawley,
     West Sussex RH10 1LU




1.   The InformationCommissioner ("Commissioner")has decided to issue

     Leads Work Limited ("LWL") with a monetary penalty under section
     SSA of the Data Protection Act 1998 ("DPA"). The penalty is in relation

     to a serious contravention of regulation 22 of the Privacy and Electronic

     Communications (EC Directive) Regulations 2003 ("PECR").


2.   This notice explains the Commissioner's decision.


     Legal framework


3.   LWL, whose registered office is given above (companies house

     registration number: 10853169), is the organisation (person) stated in
     this notice to have transmitunsolicited communicatioby means

     of electronic mail to individual subscribers for the purposes of direct
     marketing contrary to regulation 22 of PECR.



4.   Regulation 22 of PECRprovides that:


                                  1                                                                •

                                                                ICO.
                                                                Information Commissioner's Office

      "(l)This regulation applies to the transmission of unsolicited
      communications  by means of electronic mail to individual subscribers.


      (2) Except in the circumstances referred to in paragraph (3), a person
      shall neither transmitnor instigate the transmission of, unsolicited

      communications  for the purposes of direct marketing by means of
      electronic mail unless the recipient of the electronic mail has previously

      notified the sender that he consents for the time being to such

      communications  being sent by, or at the instigation of, the sender.


      (3) A person may send or instigate the sending of electronic mail for
      the purposes of direct marketing where -



      (a)  That person has obtained the contact details of the recipient of
            that electronic mail in the course of the sale or negotiations for

            the sale of a product or device to that recipient;
      (b)  The direct marketing is in respect of that person's similar

            products and services only; and
      (c)  The recipient has been given a simple means  of refusing (free of

            charge except for the costs of transmission of the refusal) the

            use of his contact details for the purposes of such direct
            marketing, at the time that the details were initially collected,

            and, where he did not initially refuse the use of the details, at the
            time of each subsequent communication.


      (4) A subscriber shall not permit his line to be used in contraventofn

      paragraph (2)."


5.   Section 122(5) of the DPA 2018 defines "direct marketing" as "the

     communication   (by whatever means) of any advertising material which



                                     2                                                               •

                                                               ICO.
                                                               Information Commissioner's Office

     is directed to particular individualThis definition also applies for the
     purposes of PECR.


6.   "Electronic mail" is defined in regulation 2(1) PECRas" any text, voice,

     sound or image sent over a public electronic communications network

     which can be stored in the network or in the recipient's terminal
     equipment until it is collected by the recipient and includes messages

     sent using a short message service".


7.   Consent is defined in Article 4(11) the General Data Protection

     Regulation 2016/679 as "any freely given, specific, informed and
     unambiguous indication of the data subject's wishes by which he or

     she, by a statement or by a clear affirmativaction, signifies

     agreement to the processing of personal data relating to him or her".

8.   Section SSA of the DPA (as amended by the Privacy and Electronic

     Communications   (EC Directive)(Amendment)  Regulations 2011 and the

     Privacy and Electronic Communications (EC Directive) (Amendment)
     Regulations 2015) states:


     "(l) The Commissioner may serve a person with a monetary penalty if

          the Commissioner is satisfied that -

             (a) there has been a serious contraventionof the requirements

                 of the Privacy and Electronic Communications (EC
                 Directive) Regulations 2003 by the person, and

             (b) subsection (2) or (3) applies.

      (2) This subsection applies if the contraventiwas deliberate.

      (3) This subsection applies if the person -

             (a) knew or ought to have known that there was a risk that

             the contravention would occur, but

                                     3                                                              •

                                                             ICO.
                                                             Information Commissioner's Office

             (b) failed to take reasonable steps to prevent the
                contravention."


9.   The Commissioner has issued statutory guidance under section SSC (1)

     of the DPA about the issuing of monetary penalties that has been
     published on the ICO's website. The Data Protection (Monetary

     Penalties)(Maximum  Penalty and Notices) Regulations 2010 prescribe

     that the amount of any penalty determined by the Commissioner must
     not exceed £500,000.


10.  PECRimplements European legislation (Directive 2002/58/EC) aimed at

     the protection of the individual's fundamentright to privacy in the

     electronic communications sector. PECRwas amended for the purpose
     of giving effect to Directive 2009/136/which amended and

     strengthened the 2002 provisions. The Commissioner approaches PECR
     so as to give effect to the Directives.



11.  The provisionsof the DPA remain in force for the purposes of PECR
     notwithstanding the introductioof the Data Protection Act 2018 (see

     paragraph 58(1) of part 9, Schedule 20 of that Act).



 Background to the case



12.  LWL is a lead generation company which operates primarily in the

     'multi-levemarketing' sector. It generates leads under the Avon brand
     for the purpose of enlisting downstream recruits, and which are passed

     directly to independent Avon sales representatives.





                                    4                                                            •

                                                            ICO.
                                                            Information Commissioner's Office
13.  LWL first came to the attention of the Commissioner in connection with

     complaints about text messages seemingly sent by Avon Cosmetics

     Limited ("Avon"). The investigatifound that Avon did not send or
     instigate the texts. LWL were contacted, but not investigated at that

     time.


14.  LWL came to the attention of the Commissioner again during the Covid-
     19 pandemic, when a significant number of complaints were received

     about the following text message:


     In lockdown and want to earn extra cash? Avon is now FULLY ONLINE,

     FREE to do and paid weekly. Reply with your name for info. 18+ only.
     Text STOP to opt out.


15.  Between 14 April 2020 and 14 May 2020, 835 complaints were received

     by the 7726 SPAM reporting tool. Significant daily totals of complaints
     were also seen, including 329 on 13 May 2020, 345 on 14 May 2020

     and 370 on 15 May 2020.


16.  Given the rapid rise in complaint volumes, and as LWL were known to

     send messages of this type, the Commissioner contacted LWL by
     telephone on 13 May 2020, who confirmed that the messages had been

     sent by LWL. This was subsequently supported by evidence from LWL's
     mobile network provider.


17.  On 15 May 2020, the ICO sent an investigatioletter to LWL detailing

     the Commissioner's concerns regarding LWL's compliance with PECR,
     and containing a number of enquiries. The letter attached an index of

     complaints received both by the 7726 SPAM reporting service, and by

     the ICO.


                                   5                                                                  •


                                                                  ICO.
                                                                  Information Commissioner's Office
18.   On 4 June 2020, the ICO received a response from LWL. This provided
      a list of CLI's used by LWL and text volumes, identified the bodies of 19

      different texts sent, and confirmation that texts were sent internally

      through a platform operated by LWL. LWL explained that data was both
      purchased from  third parties and driven to websites such as

     'Avon.leadswork.co.uk'.  The third parties from whom data was

      purchased were said to be'                         , -         -
     -      and _,_      Advertising was also operated extensively on

     '-,--and--'·


19.   In response to enquiries about contractual agreements, LWL stated that

      before working with a partner they 'review their terms and conditions
      and see the URL where the opt-in will occur', later adding that they also

      go through the registration process on a test basis to ensure necessary

      opt-ins were present. No contractual agreements were said to be in
      place or provided. LWL said that they had generated leads for Avon

      representatives for a 'very long time'.


20.   A review by the Commissioner of the information provided by LWL

      revealed that its dominant data supplier was -     -       whose data

      capture website was'                    '. This website consists of a
      landing page to opt-in, a privacy notice, and an option to unsubscribe.

      The website states that it is 'part of the - •    -         _',

      which is a company quite distinct from -     -·      LWL is named in
      the consent statement;  by clicking the 'partners' link in the consent

      statement, individuals are directed to the privacy policy in which LWL
      are named in the 'marketing  service providers' section.A further link

      to 'direct clients' presents individuals with a further list of 457 distinct

      organisations from whom individuals  may expect to receive marketing,
      in which LWL is not included. The website does not allow individuals to

      submit their details without checking 'at least one' marketing channel.

                                       6                                                            •

                                                            ICO.
                                                            Information Commissioner's Office
     Furthermore, the website is vague and confusing given the discursive

     and lengthy nature of the consent statement and the extensive list of

     sectors and companies contained within both it and the privacy policy.
     For these reasons the Commissioner concluded that consent was not

     freely given, specific and informed.


21.  In response to a request by the Commissioner for evidence of consent,
     LWL explained that a suppression list was in place should anyone reply

     'Stop' to a message. In respect of the customer journey LWL explained
     that should a customer consent to be contacted by LWL then they are

     sent an initial message asking whether they want to be contacted by a
     local Avon representativeIf they respond positively then their data is

     shared with the local representative.


22.  LWL provided the Commissioner with a 'GDPR pack' containing a Data

     Protection Impact Assessment ("DPIA") and a 'company compliance
     document'. The latter discusses LWL's data protection obligations as a

     company, and whilst robust for the purpose it sets out to achieve, at no
     point is PECRreferenced. The DPIA, dated 20 October 2019, explicitly

     refersto PECRand consent, acknowledges that there is a 'degree of
     public concern over personal data sales', and refers to regulatory action

     by the ICO.


23.  LWL proclaimed their membership of 'S.H.I.E.L.D.' as an indicator of

     their compliance. This is a scheme operated by a law firm who appear
     to audit companies' GDPR compliance, and if deemed compliant, they

     are entered into the scheme. No evidence of due diligence conducted
     by this law firm on behalf of the company has been provided by LWL.



24.  Having reviewed LWL's response, the Commissioner sent a further set
     of detailed enquiries to LWL on 9 June 2020, attaching evidence of an

                                   7                                                                •

                                                               ICO.
                                                               Information Commissioner's Office

     additional 8,089 complaints identified through the 7726 SPAM reporting
     system since the initial enquiries were sent.


25.  A substantive response was provided by LWL on 19 June 2020. This

     included the body of 64 distinct texts sent during the investigation

     period (over three times the amount identified in LWL's initial
     response). As was seen from those messages, LWL did not identify

     itself as the sender. LWL also provided volumes of data purchased since

      1 May 2019. Further capture domains were identified. In particular,
                       was identified as also capturing the data that -

     -      supplied. LWL prefaced this by stating that they were previously
     unaware of this website being a capture domain, and so had

     immediately  enquired as to the compliance and opt-in of this website.

     It was explained that this website directs individuals to a registration
     page where  their details are inputted, and agreement to the privacy

     policy obtained.LWL stated that lawyers had been involved in creation
     of the website's legal framework on behalf of another client, and so

     were confident it would be compliant.


26.  The Commissioner reviewed the privacy policy on '

     which has  granular opt-ins for each channel and a third party opt-in.
     The policy states that the website is owned and operated by a

     differentlynamed company than -       .,     who sold the data to

     LWL. The third party opt-in on the registratiopage contains a link to
     'partners' where 16 companies are listed, in which LWL does not

     appear. LWL does appear in the privacy policy, in a list of 7 'marketing

     service providers'. A further 442 companies are then listed under 'direct
     clients' followed by the following statement"at registration you have

     the option to opt-in to sponsors of our website". The Commissioner
     found the consent statements to be vague and confusing. Further, LWL

     are not named at the point of consent and in view of the extensive list

                                     8                                                              •

                                                              ICO.
                                                              Information Commissioner's Office
     of companies in the privacy policy, the Commissioner considered that

     consent was not specific or informed.


27.  Data was also stated to be purchased by LWL from ,.  ? -
     _,      ('-"),     the second largest of LWL's data suppliers, through

     websites'                    'and'                  '. These sites
     share the same vague consent statement, which contains a link to

     identical privacy policies. The privacy policies contain no distinguishable

     'third party policy' and lists approximat40 companies with whom
     data may be shared. LWL are not listed in the privacy policy, instead

     'UK - Avon' are listed; this listing is hyperlinked to LWL's privacy policy.
     In representationsmade to the Commissioner in response to the Notice

     of Intent, LWL provided a letter from -   which stated that LWL
     should be considered to fall within the category of 'health and beauty

     tips'.Given that LWL are not directly named in any list, and the
     policies are convoluted, individuals could not reasonably be expected to

     know that LWL were linked to Avon. For the reasons above the
     Commissioner found that the consent statements did not constitute

     informed and specific consent.


28.  In relation to the volume of texts sent to each data source, LWL stated
     it was not possible to produce an entirely accurate figure, however

     provided an approximation of volumes in a further email to the

     Commissioner dated 24 June 2020. Between 1 May 2019 and 15 May
     2020 LWL approximated that it sent in excess of 25 million texts to

     data sourced from __         , ---           and•••·        The vast
     majority of the texts, as well as the complaints evidenced in the

     Commissioner's second investigation letter, were related to data

     supplied by --·



                                    9                                                                  •

                                                                 ICO.
                                                                 Information Commissioner's Office
29.   A further request for information was sent by the Commissioner to LWL

      on 26 June 2020 seeking evidence of consent in relation to another
      4,703 complaints received through the 7726 SPAM reporting service,

      information regarding data supplier'•••     ? ,and an accurate
      number of texts sent though each source between 16 May 2020 and 26

      June 2020.


30.   LWL's director responded on 3 July 2020, providing further opt-ins. In
      relation to          he said the use of this data preceded his time as

      director, and so would need to contact           directly or his
      predecessors for information.


31.   LWL went onto verify that between 16 May 2020 and 26 June 2020, a

      total of 3,486,716 messages were sent, of which 3,327,573 were
      received. Of these,3,013,096 texts were sent, and 2,670,140

      connected, to data sourced by --           and ---
      (comprising 1,911,493 to --           data and 758,647 to'-     ?

     -'data).


32.   On 10 July 2020 LWL supplied the Commissioner with information
      regarding the '         ' data source. LWL identified the domains used

      by                                 '(also used by --           and
      previously reviewed by the Commissioner - see para. 20 above) and

                        '. Thelatter is operated by -    -     and its
      consent statement lists 240 companies who may contact individuals.

      LWL are not included in the list. The privacy policy does name LWL, but
      within a list of hundreds of other sponsors. The Commissioner found

      that consent in those circumstances was not specific and informed.


33.   In conclusion the Commissioner considers that LWL relied upon invalid
      consents to send direct marketing texts to individuals whose data was

                                      10                                                              •

                                                              ICO.
                                                              Information Commissioner's Office
     sourced by __          , ___          , and
                                                           LWL's business
     model is inextricably linked to direct marketing, and whilst it did make

     some  attempt to comply with data protection legislation, it had no
     discernible policiesr procedures relevant to PECRcompliance, and any

     due diligence was insufficient.


34.  During the period 16 May 2020 to 26 June 2020, a total of 12,281

     complaints from 11,733 individuals about unsolicited texts from LWL

     were received via the 7726 reporting service. 4 complaints were
     received though the Commissioner's online reporting tool. The vast

     majority of complaints (10,570) relate to data sourced by -  -·
     It is also noteworthy that LWL began receiving a significant number of

     complaints from May 2020 onwards, shortly after the UK entered

     lockdown in response to the pandemic.


35.  The Commissioner has made the above findings of fact on the balance
     of probabilities.


36.  The Commissioner has considered  whether those facts constitute a

     contravention of regulation 22 of PECRby LWL and, if so, whether the
     conditions of section SSA DPA are satisfied.


     The contravention



37.  The Commissioner finds that LWL has contravened Regulation 22 of
     PECR.The Commissioner finds that the contravention  was as follows:


38.  Between 16 May 2020 and 26 June 2020 LWL transmitted    2,670,140
     texts over a public electronic communicationnetwork by means of

     electronic mail to individual subscribers for the purposes of direct

     marketing contrary to regulation 22 of PECR.


                                    11                                                               •

                                                              ICO.
                                                               Information Commissioner's Office

39.  Organisations cannot generally send marketing texts unless the
     recipient has notified the sender that they consent to such texts being

     sent by, or at the instigation of, that sender.

40.  The Commissioner is satisfied that the consent relied on by

      LWL did not amount to valid consent for the purposes of regulation 22

      PECR.

41.  The Commissioner is satisfied that LWL was responsible for this

     contravention.

42.  The Commissioner has gone on to consider whether the conditions

     under section SSA DPA were met.


      Seriousness of the contravention



43.  The Commissioner is satisfied that the contraventioidentified above
     was serious.


44.  This is because LWL sent 2,670,140 marketing text messages to

     individuals without their consent, resulting in excess of 10,000

     complaints, over a period of 41 days. The volume of texts and
     complaints over such a short period is substantial. Indeed, the

     Commissioner would go so far as to say that the ratio of complaints to
     the volume of data subjects in receipt of unlawful texts far exceeds any

     contravention she has witnessed to date.


45.  It is reasonable to suppose that the volume of contraventionis

     actually significantly higher, and spanned a broader period of time. LWL

     approximated  that during the period 1 May 2019 and 15 May 2020, it
     sent 17.23 million texts to--data,          6.43 million texts to.

     --         data and 1.37 million texts to        data. All these data

                                    12                                                               •

                                                              ICO.
                                                               Information Commissioner's Office

     sources have been deemed non-compliant,   however as LWL's system
     overwrites data after a period of time, LWL have been unable to verify

     these figures.


46.  The Commissioner's Direct Marketing Guidance available on the ICO's

     website states that: "Organisations can generally only send marketing
     texts or emails to individuals (including sole traders and some

     partnerships) if that person has specifically consented to receiving

     them". Point 60 of the Guidance refers to the fact that freely given
     consent should be demonstrated where it is the "condition of

     subscribing to a service", however it is apparent that consent is not
     freely given in the case of data sourced by -   -     (LWL's largest

     provider of data) through '                 ', because individuals are

     not able to register without subscribing to at least one marketing
     channel.


47.  Furthermore,  the Commissioner's guidance in relation to PECRstates

     that "making a large number of marketing calls based on recorded

     messages or sending large numbers of marketing text messages to
     individuals who have not consented to receive them [...] is likely to

     constitute a serious contraventioof the Regulations".


48.  The Commissioner is  therefore satisfied that condition (a) from section

     SSA (1) DPA is met.


      Deliberate or foreseeable  contravention


49.  The Commissioner has considered whether the contravention   identified

     above was deliberate. In the Commissioner's view, this means that
     LWL's actions which constituted that contraventionwere deliberate



                                    13                                                              •

                                                              ICO.
                                                              Information Commissioner's Office

     actions (even if LWL did not actually intethereby to contravene
     PECR).


50.  The Commissioner considers that in this case that LWL's actions were

      deliberate, as despite having been notified that it was under

      investigatioby the Commissioner, and given her concerns about
      LWL's compliance with PECR, LWL has continued its marketing

      campaign without making any adjustments to its business model. LWL

      continues to send unlawful text messages even after the investigation
      was completed, and a Notice of Intent served upon LWL in which it's

      practices were deemed non-compliant.


51.   Further, and in the alternatithe Commissioner has gone on to

      consider whether the contraventionidentified above was negligent.


52.  First, she has considered whether LWL knew or ought reasonably to
     have known that there was a risk that this contraventiowould occur.

     She is satisfiedhat this condition is met, given that LWL's business

     model relied heavily on direct marketing.


53.  LWL is registered with the ICO as a data controller and as such should
     be aware  of the Regulations.As the sender of the texts it was the

     responsibility of LWL to ensure valid consent had been obtained prior to

     their transmission.


54.  The Commissioner has published detailed guidance for those carrying

     out direct marketing explaining their legal obligations under PECR.This
     guidance explains the circumstances under which organisations are

     able to carry out marketing over the phone, by text, by email, by post,
     or by fax.



                                    14                                                                •

                                                               ICO.
                                                               Information Commissioner's Office

55.  Furthermore, the issue of unsolicited marketing has been widely
     publicised by the media as being a problem.


56.  LWL had a DPIA in place dated 20 October 2019 which demonstrates

     awareness on  the part of LWL as to its statutory obligatioIt.contains

     the following statement:

     LW have considered the fact that there is a degree of public concern
     over the sales of personal data. The legislation is clear on the point of
     consent and the subsequent enforcement action brought by the

     Regulator (ICO) has reinforced the legislation and demonstrated a clear
     pathway to take for businesses engaged in the sale of personal data

     This unambiguously references public concern regarding data sales,

     and an awareness of enforcement action taken by the ICO.


57.  It is therefore reasonable to suppose that LWL knew or ought

     reasonably to have known that there was a risk that these
     contraventions would occur.



58.  The Commissioner has also considered whether LWL failed to take
     reasonable steps to prevent the contraventions.


59.  Reasonable steps could have included seeking appropriate guidance on
     the rules in relation to electronic direct marketing and ensuring the

     consent on which it sought to rely on was valid, putting in place

     contractual arrangements to ensure the veracity of the data, and
     conducting sufficient due diligence in relation to its data providers.


60.  In this case, LWL failed to put in place contractual arrangements with
     data suppliers despite sourcing significant volumes of data from these

     suppliers. Any due diligence appears to be minimal and there is a lack

     of evidence in relation to thisBy their own admission, LWL conducted
     most of their due diligence checks on '                 ', by looking

                                     15                                                              •

                                                              ICO.
                                                              Information Commissioner's Office

     at the website and testing the registration pages, however had these
     checks been sufficient LWL should have known that the website was

     non-compliant. In fact, LWL only became aware of a page that sourced

     a significantmount of--            data when the ICO investigation
     commenced. LWL purports to rely on their entry to the S.H.I.E.L.D.

     scheme as reassurance of compliance, however no evidence in relation
     to this has been provided.



61.  LWL appear to have placed great reliance upon due diligence
     conducted by third parties in relation to data capture websites, and the

     fact that there had been legal input from lawyers engaged by other
     organisations who also utilised those same websites. LWL have

     provided minimal evidence in relation to any due diligence provided by

     others and appear to have assumed that as others were reliant upon it,
     then their own business model must also have been compliant. It would

     have been reasonable for LWL to carry out its own checks as to
     how consent was being obtained via the websites, notwithstandingany

     assurances by its third-partdata providers - such checks would have

     alerted LWL to the inadequacy of the consents being obtained via the
     sites for the purposes of third-pardirect marketing. In short, simple

     reliance on assurances of indirect consent alone without undertaking
     proper due diligence is not acceptable.



62.  Furthermore,  LWL has continued to send significant numbers of
     marketing texts to individuals throughoutand since, the course of the

     Commissioner's investigation,incurring a substantial amount of

     complaints. This would suggest that no remedial measures have been
     taken to prevent further contraventionsand an apparent continuing

     disregard for its obligations under PECR. Indeed, since August 2020 to
     the date of this Notice, a further 28,350 complaints about marketing

     texts from LWL have been received by the 7726 reporting service.

                                    16                                                               •

                                                               ICO.
                                                               Information Commissioner's Office


63.  In representations made to the Commissioner, LWL states that at no

     time was it made aware that its practices were non-compliant.The
     Commissioner views  the fact that an organisation is under investigation

     should be sufficient impetus for that organisation to review its own

     practices in lineith the Regulations. Irrespective of the timing of any
     awareness on LWL's part, it is apparent that LWL has not heeded the

     Commissioner's concerns and has continued its campaign in blatant

     disregard for the Regulations.


64.  The Commissioner is therefore satisfied that condition (b) from section
     SSA (1) DPA is met.


     The Commissioner's    decision to impose a monetary     penalty


65.  The Commissioner has taken into account the following aggravating

     features  of this case:


   •  The texts misleadingly appeared to be sent by Avon. LWL accepts that

      it deliberately did not identify itself in the body of the texts as the
      sender so as to not "confuse" recipients, and as such were in breach of

      regulation 23 of PECR.


   •  LWL has continued to run the marketing campaign both during, and

      since,the Commissioner's investigation and despite the ICO's
      concerns,without attempting to amend or review its practices. Indeed,

      all the contraventionwhich are the subject of this Notice occurred

      after LWL were notified it was under investigatioFurthermore, LWL
      has continued to send unlawful marketing texts after the Commissioner

      completed her investigationon 26 June 2020, and issued a Notice of
      Intent in which LWL's practices were deemed non-compliant.


                                    17                                                             •

                                                            ICO.
                                                            Information Commissioner's Office


•  Since August 2020 to the present time, an additional 28,350
   complaints have been received by the 7726 SPAM reporting tool about

   texts sent by LWL.


•  LWL sought to capitalise on the pandemic by sending a significant

   number of text messages relating to, and directly referencing, the
   ensuant lockdown when the population was at its most vulnerable and

   advertising the potential financial gains by becoming an Avon

   representative.1,698 complaints were received regarding this
   particular message.


•  LWL repeatedly indicated long standing compliance with PECRin its

   communications  with the Commissioner which was blatantly untrue.

   LWL also failed to be completely transparentduring the course of the
   investigation.For example, when asked to provide details of the body

   of texts sent by LWL, it initially provided only 19, when it later

   transpired 65 separate texts were utilised. In representatioto the
   Commissioner, LWL stated that those omitted were simply variants of

   the original texts however the Commissioner's view remains that LWL
   were not completely open and transparent  in relation to her enquiry.


•  Furthermore, LWL failed to inform the Commissioner in its response to

   enquiries about marketing methods that it also conducted email

   marketing. The Commissioner has since been made aware that·­
   -      conducted hosted marketing for LWL, and that over a 12 month

   period had sent 7.5 million emails on LWL's behalf, including activity

   during the contravention period. Between the contravention period 16
   May 2020 - 26 June 2020   the number of emails transmitted was

   1,006,000.



                                  18                                                               •


                                                               ICO.
                                                               Information Commissioner's Office
66.  The Commissioner considers there are no mitigating factors to be

     considered in this case.


67.  For the reasons explained above, the Commissioner is satisfied that the

     conditions from section SSA(l) DPA have been met in this case. She is
     also satisfiedthat the procedural rights under section 55B have been

     complied with.


68.  This has included   the issuing of a Notice of Intent,  in which the

     Commissioner set out her preliminary thinking, and invited LWL to make
     representations in response.



69.  The Commissioner    has received  and considered   Representations  in
     response  to the Notice of Intent dated 9th & 22nd December 2020, and

     5th, 13th & 20th January 2021.


70.  The Commissioner is accordingly entitled to issue a monetary penalty in

     this case.


71.   The Commissioner has considered   whether, in the circumstances, she

      should exercise her discretion so as to issue a monetary penalty. She

      has decided that a monetary penalty is an appropriate and proportionate
      response to the finding of a serious contraventionof regulation22 of

      PECRby LWL.


72.   The Commissioner's   underlying  objective in imposing  a monetary

      penalty notice is to promote  compliance  with PECR. The making of

      unsolicited direct marketing calls is a matter of significant public concern.
      A monetary penalty in this case should act as a general encouragement

      towards compliance with the law, or at least as a deterrent against non­

      compliance, on the part of all persons running  businesses currently

                                    19                                                            •


                                                            ICO.
                                                            Information Commissioner's Office
     engaging in these practices. This is an opportuto reinforce the need
     for businesses to ensure that they are only telephoning consumers who

     want to receive these calls.


73.  The Commissioner has also considered the likely impact of a monetary

     penalty on LWL and in doing so has reviewed financial evidence supplied

     by LWL.


     The amount of the penalty


74.  Taking into account all of the above, the Commissioner has decided that

     the amount  of the penalty is £250,000   (Two  hundred   and fifty
     thousand  pounds).


     Conclusion



75.  The  monetary penalty must be paid to the Commissioner's  office by
     BACS transfer or cheque by 1 April 2021 at the latest. The monetary

     penalty is not kept by the Commissioner   but will be paid into the
     Consolidated Fund which is the Government'sgeneral bank account at

     the Bank of England.


76.  If the Commissioner receives full payment of the monetary penalty by

     31 March 2021 the Commissioner will reduce the monetary penalty by

     20% to £200,000   (Two hundred thousand    pounds).  However, you
     should be aware that the early payment discount is not available if you

     decide to exercise your right of appeal.


77.  There is a right of appeal to the First-tier Tribunal (InfoRights)

      against:



                                  20                                                             •

                                                            ICO.
                                                             Information Commissioner's Office
      a)   the imposition of the monetary penalty

           and/or;


      b)   the amount of the penalty specified in the monetary penalty
           notice.


70. Any notice of appeal should be received by the Tribunal within 28 days

    of the date of this monetary penalty notice.


71. Informationabout appeals is set out in Annex 1.

72. The Commissioner will not take action to enforce a monetary penalty

    unless:


   • the period specified within the notice within which a monetary penalty

     must be paid has expired and all or any of the monetary penalty has
     not been paid;


   • all relevant appeals against the monetary penalty notice and any

     variation of it have either been decided or withdraand

   • period for appealing against the monetary penalty and any variation of

     it has expired.

73. In England, Wales and Northern Ireland, the monetary penalty is

   recoverable by Order of the County Court or the High Court. In
   Scotland, the monetary penalty can be enforced in the same manner

   as an extract registered decree arbitral bearing a warrant for execution
   issued by the sheriff court of any sheriffdom in Scotland.






                                   21                                                    •

                                                   Information Commissioner's Office


Dated the 1 day of March 2021


Andy Curry
Head of Investigations
InformatioCommissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 SAF






























                              22                                                           •

                                                           ICO.
                                                           Information Commissioner's Office



ANNEX 1

SECTION   55 A-E OF THE DATA PROTECTION      ACT 1998



RIGHTS   OF APPEAL AGAINST    DECISIONS   OF THE COMMISSIONER


1.   Section 48 of the Data Protection Act 1998 gives any person upon
whom a monetary penalty notice or variation notice has been served a right
of appeal to the First-tier Tribunal (InformRights) (the 'Tribunal')

against the notice.

2.   If you decide to appeal and if the Tribunal considers:-


a)   that the notice against which the appeal is brought is not in accordance
with the law; or

b)   to the extent that the notice involved an exercise of discretion by the

Commissioner, that she ought to have exercised her discretion differently,

the Tribunal will allow the appeal or substitute such other decision as could
have been made by  the Commissioner. In any other case the Tribunal will
dismiss the appeal.


3.   You may bring an appeal by serving a notice of appeal on the Tribunal
at the following address:



           GRC & GRPTribunals
           PO Box 9300
           Arnhem House

           31 Waterloo Way
           Leicester
           LEl 8DJ


a)   The notice of appeal should be sent so it is received by the Tribunal
within 28 days of the date of the notice.


                                  23                                                                •

                                                               ICO.
                                                               Information Commissioner's Office

b)   If your notice of appeal is late the Tribunal will not admit it unless the
Tribunal has extended the time for complying with this rule.

4.   The notice of appeal should state:-


     a)    your name and address/name and address of your representative
     (if any);


     b)    an address where documents may be sent or delivered to you;

     c)    the name and address of the Information  Commissioner;

     d)    detailsof the decision to which the proceedings relate;


     e)    the result that you are seeking;

     f)    the grounds on which you rely;


     g)    you must provide with the notice of appeal a copy of the
     monetary penalty notice or variation notice;


     h)    if you have exceeded the time limit mentioned above the notice
     of appeal must include a request for an extension of time and the
     reason why the notice of appeal was not provided in time.


5.   Before deciding whether or not to appeal you may wish to consult your
solicitor or another adviser. At the hearing of an appeal a party may conduct
his case himself or may be represented by any person whom he may
appoint for that purpose.


6.   The statutory provisions concerning appeals to the First-tier Tribunal
(Information Rights) are contained in sections 48 and 49 of, and Schedule 6
to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal)
(General Regulatory Chamber) Rules 2009 (Statutory   Instrument  2009 No.

1976 (L.20)).







                                    24