ICO - Leads Work Limited (Monetary Penalty): Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO |DPA_With_Country=ICO (UK) |Case_Number_Name=L...")
 
No edit summary
 
(2 intermediate revisions by one other user not shown)
Line 50: Line 50:
}}
}}


The UK DPA fined Leads Work Limited approximately €288,000 for sending unsolicitated direct marketing communication to individual subscribers. This breached Regulation 22 of the PECR.
The UK DPA (ICO) fined Leads Work Limited approximately €288,000 for sending unsolicitated direct marketing communication to individual subscribers, in breach of Regulation 22 of the PECR. The ICO considered the GDPR's definition of consent.


== English Summary ==
==English Summary==


=== Facts ===
===Facts===
Leads Work Limited (LWL) operates  within the "multi-level marketing" sector. It enlists downstream recruits under the Avon band name.  
Leads Work Limited (LWL) operates  within the "multi-level marketing" sector. It enlists downstream recruits under the Avon band name.  


Line 67: Line 67:
LWL estimated that between May 2019 and May 2020, around 25 million texts were sent to individuals whose personal data was collected from the above websites.  
LWL estimated that between May 2019 and May 2020, around 25 million texts were sent to individuals whose personal data was collected from the above websites.  


=== Dispute ===
===Dispute===
Is sending direct marketing texts to individuals without their consent in breach of Regulation 22 PECR?
Is sending direct marketing texts to individuals without their consent in breach of Regulation 22 PECR?


=== Holding ===
===Holding===
The UK DPA recalled the wording of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as well as the definition of consent under Article 4(11) GDPR.  
The UK DPA recalled the wording of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as well as the definition of consent under Article 4(11) GDPR.  


Line 81: Line 81:
As a result of this infringement, the ICO imposed a fine of £250,000 (approx. €288,000) on Leads Work Limited.
As a result of this infringement, the ICO imposed a fine of £250,000 (approx. €288,000) on Leads Work Limited.


== Comment ==
==Comment==
''Share your comments here!''
''Share your comments here!''


== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the English original. Please refer to the English original for more details.
See the original source link for to access the decision in English.
 
<pre>
                                                          •
 
                                                        ICO.
                                                        Information Commissioner's Office
 
 
                    DATA PROTECTION    ACT 1998
 
 
  SUPERVISORY    POWERS OF THE INFORMATION      COMMISSIONER
 
 
                    MONETARY  PENALTY NOTICE
 
 
 
To:  Leads Work Limited
 
 
Of:  Suite C Underwood House, 235 Three Bridges Road, Crawley,
    West Sussex RH10 1LU
 
 
 
 
1.  The InformationCommissioner ("Commissioner")has decided to issue
 
    Leads Work Limited ("LWL") with a monetary penalty under section
    SSA of the Data Protection Act 1998 ("DPA"). The penalty is in relation
 
    to a serious contravention of regulation 22 of the Privacy and Electronic
 
    Communications (EC Directive) Regulations 2003 ("PECR").
 
 
2.  This notice explains the Commissioner's decision.
 
 
    Legal framework
 
 
3.  LWL, whose registered office is given above (companies house
 
    registration number: 10853169), is the organisation (person) stated in
    this notice to have transmitunsolicited communicatioby means
 
    of electronic mail to individual subscribers for the purposes of direct
    marketing contrary to regulation 22 of PECR.
 
 
 
4.  Regulation 22 of PECRprovides that:
 
 
                                  1                                                                •
 
                                                                ICO.
                                                                Information Commissioner's Office
 
      "(l)This regulation applies to the transmission of unsolicited
      communications  by means of electronic mail to individual subscribers.
 
 
      (2) Except in the circumstances referred to in paragraph (3), a person
      shall neither transmitnor instigate the transmission of, unsolicited
 
      communications  for the purposes of direct marketing by means of
      electronic mail unless the recipient of the electronic mail has previously
 
      notified the sender that he consents for the time being to such
 
      communications  being sent by, or at the instigation of, the sender.
 
 
      (3) A person may send or instigate the sending of electronic mail for
      the purposes of direct marketing where -
 
 
 
      (a)  That person has obtained the contact details of the recipient of
            that electronic mail in the course of the sale or negotiations for
 
            the sale of a product or device to that recipient;
      (b)  The direct marketing is in respect of that person's similar
 
            products and services only; and
      (c)  The recipient has been given a simple means  of refusing (free of
 
            charge except for the costs of transmission of the refusal) the
 
            use of his contact details for the purposes of such direct
            marketing, at the time that the details were initially collected,
 
            and, where he did not initially refuse the use of the details, at the
            time of each subsequent communication.
 
 
      (4) A subscriber shall not permit his line to be used in contraventofn
 
      paragraph (2)."
 
 
5.  Section 122(5) of the DPA 2018 defines "direct marketing" as "the
 
    communication  (by whatever means) of any advertising material which
 
 
 
                                    2                                                              •
 
                                                              ICO.
                                                              Information Commissioner's Office
 
    is directed to particular individualThis definition also applies for the
    purposes of PECR.
 
 
6.  "Electronic mail" is defined in regulation 2(1) PECRas" any text, voice,
 
    sound or image sent over a public electronic communications network
 
    which can be stored in the network or in the recipient's terminal
    equipment until it is collected by the recipient and includes messages
 
    sent using a short message service".
 
 
7.  Consent is defined in Article 4(11) the General Data Protection
 
    Regulation 2016/679 as "any freely given, specific, informed and
    unambiguous indication of the data subject's wishes by which he or
 
    she, by a statement or by a clear affirmativaction, signifies
 
    agreement to the processing of personal data relating to him or her".
 
8.  Section SSA of the DPA (as amended by the Privacy and Electronic
 
    Communications  (EC Directive)(Amendment)  Regulations 2011 and the
 
    Privacy and Electronic Communications (EC Directive) (Amendment)
    Regulations 2015) states:
 
 
    "(l) The Commissioner may serve a person with a monetary penalty if
 
          the Commissioner is satisfied that -
 
            (a) there has been a serious contraventionof the requirements
 
                of the Privacy and Electronic Communications (EC
                Directive) Regulations 2003 by the person, and
 
            (b) subsection (2) or (3) applies.
 
      (2) This subsection applies if the contraventiwas deliberate.
 
      (3) This subsection applies if the person -
 
            (a) knew or ought to have known that there was a risk that
 
            the contravention would occur, but
 
                                    3                                                              •
 
                                                            ICO.
                                                            Information Commissioner's Office
 
            (b) failed to take reasonable steps to prevent the
                contravention."
 
 
9.  The Commissioner has issued statutory guidance under section SSC (1)
 
    of the DPA about the issuing of monetary penalties that has been
    published on the ICO's website. The Data Protection (Monetary
 
    Penalties)(Maximum  Penalty and Notices) Regulations 2010 prescribe
 
    that the amount of any penalty determined by the Commissioner must
    not exceed £500,000.
 
 
10.  PECRimplements European legislation (Directive 2002/58/EC) aimed at
 
    the protection of the individual's fundamentright to privacy in the
 
    electronic communications sector. PECRwas amended for the purpose
    of giving effect to Directive 2009/136/which amended and
 
    strengthened the 2002 provisions. The Commissioner approaches PECR
    so as to give effect to the Directives.
 
 
 
11.  The provisionsof the DPA remain in force for the purposes of PECR
    notwithstanding the introductioof the Data Protection Act 2018 (see
 
    paragraph 58(1) of part 9, Schedule 20 of that Act).
 
 
 
Background to the case
 
 
 
12.  LWL is a lead generation company which operates primarily in the
 
    'multi-levemarketing' sector. It generates leads under the Avon brand
    for the purpose of enlisting downstream recruits, and which are passed
 
    directly to independent Avon sales representatives.
 
 
 
 
 
                                    4                                                            •
 
                                                            ICO.
                                                            Information Commissioner's Office
13.  LWL first came to the attention of the Commissioner in connection with
 
    complaints about text messages seemingly sent by Avon Cosmetics
 
    Limited ("Avon"). The investigatifound that Avon did not send or
    instigate the texts. LWL were contacted, but not investigated at that
 
    time.
 
 
14.  LWL came to the attention of the Commissioner again during the Covid-
    19 pandemic, when a significant number of complaints were received
 
    about the following text message:
 
 
    In lockdown and want to earn extra cash? Avon is now FULLY ONLINE,
 
    FREE to do and paid weekly. Reply with your name for info. 18+ only.
    Text STOP to opt out.
 
 
15.  Between 14 April 2020 and 14 May 2020, 835 complaints were received
 
    by the 7726 SPAM reporting tool. Significant daily totals of complaints
    were also seen, including 329 on 13 May 2020, 345 on 14 May 2020
 
    and 370 on 15 May 2020.
 
 
16.  Given the rapid rise in complaint volumes, and as LWL were known to
 
    send messages of this type, the Commissioner contacted LWL by
    telephone on 13 May 2020, who confirmed that the messages had been
 
    sent by LWL. This was subsequently supported by evidence from LWL's
    mobile network provider.
 
 
17.  On 15 May 2020, the ICO sent an investigatioletter to LWL detailing
 
    the Commissioner's concerns regarding LWL's compliance with PECR,
    and containing a number of enquiries. The letter attached an index of
 
    complaints received both by the 7726 SPAM reporting service, and by
 
    the ICO.
 
 
                                  5                                                                  •
 
 
                                                                  ICO.
                                                                  Information Commissioner's Office
18.  On 4 June 2020, the ICO received a response from LWL. This provided
      a list of CLI's used by LWL and text volumes, identified the bodies of 19
 
      different texts sent, and confirmation that texts were sent internally
 
      through a platform operated by LWL. LWL explained that data was both
      purchased from  third parties and driven to websites such as
 
    'Avon.leadswork.co.uk'.  The third parties from whom data was
 
      purchased were said to be'                        , -        -
    -      and _,_      Advertising was also operated extensively on
 
    '-,--and--'·
 
 
19.  In response to enquiries about contractual agreements, LWL stated that
 
      before working with a partner they 'review their terms and conditions
      and see the URL where the opt-in will occur', later adding that they also
 
      go through the registration process on a test basis to ensure necessary
 
      opt-ins were present. No contractual agreements were said to be in
      place or provided. LWL said that they had generated leads for Avon
 
      representatives for a 'very long time'.
 
 
20.  A review by the Commissioner of the information provided by LWL
 
      revealed that its dominant data supplier was -    -      whose data
 
      capture website was'                    '. This website consists of a
      landing page to opt-in, a privacy notice, and an option to unsubscribe.
 
      The website states that it is 'part of the - •    -        _',
 
      which is a company quite distinct from -    -·      LWL is named in
      the consent statement;  by clicking the 'partners' link in the consent
 
      statement, individuals are directed to the privacy policy in which LWL
      are named in the 'marketing  service providers' section.A further link
 
      to 'direct clients' presents individuals with a further list of 457 distinct
 
      organisations from whom individuals  may expect to receive marketing,
      in which LWL is not included. The website does not allow individuals to
 
      submit their details without checking 'at least one' marketing channel.
 
                                      6                                                            •
 
                                                            ICO.
                                                            Information Commissioner's Office
    Furthermore, the website is vague and confusing given the discursive
 
    and lengthy nature of the consent statement and the extensive list of
 
    sectors and companies contained within both it and the privacy policy.
    For these reasons the Commissioner concluded that consent was not
 
    freely given, specific and informed.
 
 
21.  In response to a request by the Commissioner for evidence of consent,
    LWL explained that a suppression list was in place should anyone reply
 
    'Stop' to a message. In respect of the customer journey LWL explained
    that should a customer consent to be contacted by LWL then they are
 
    sent an initial message asking whether they want to be contacted by a
    local Avon representativeIf they respond positively then their data is
 
    shared with the local representative.
 
 
22.  LWL provided the Commissioner with a 'GDPR pack' containing a Data
 
    Protection Impact Assessment ("DPIA") and a 'company compliance
    document'. The latter discusses LWL's data protection obligations as a
 
    company, and whilst robust for the purpose it sets out to achieve, at no
    point is PECRreferenced. The DPIA, dated 20 October 2019, explicitly
 
    refersto PECRand consent, acknowledges that there is a 'degree of
    public concern over personal data sales', and refers to regulatory action
 
    by the ICO.
 
 
23.  LWL proclaimed their membership of 'S.H.I.E.L.D.' as an indicator of
 
    their compliance. This is a scheme operated by a law firm who appear
    to audit companies' GDPR compliance, and if deemed compliant, they
 
    are entered into the scheme. No evidence of due diligence conducted
    by this law firm on behalf of the company has been provided by LWL.
 
 
 
24.  Having reviewed LWL's response, the Commissioner sent a further set
    of detailed enquiries to LWL on 9 June 2020, attaching evidence of an
 
                                  7                                                                •
 
                                                              ICO.
                                                              Information Commissioner's Office
 
    additional 8,089 complaints identified through the 7726 SPAM reporting
    system since the initial enquiries were sent.
 
 
25.  A substantive response was provided by LWL on 19 June 2020. This
 
    included the body of 64 distinct texts sent during the investigation
 
    period (over three times the amount identified in LWL's initial
    response). As was seen from those messages, LWL did not identify
 
    itself as the sender. LWL also provided volumes of data purchased since
 
      1 May 2019. Further capture domains were identified. In particular,
                      was identified as also capturing the data that -
 
    -      supplied. LWL prefaced this by stating that they were previously
    unaware of this website being a capture domain, and so had
 
    immediately  enquired as to the compliance and opt-in of this website.
 
    It was explained that this website directs individuals to a registration
    page where  their details are inputted, and agreement to the privacy
 
    policy obtained.LWL stated that lawyers had been involved in creation
    of the website's legal framework on behalf of another client, and so
 
    were confident it would be compliant.
 
 
26.  The Commissioner reviewed the privacy policy on '
 
    which has  granular opt-ins for each channel and a third party opt-in.
    The policy states that the website is owned and operated by a
 
    differentlynamed company than -      .,    who sold the data to
 
    LWL. The third party opt-in on the registratiopage contains a link to
    'partners' where 16 companies are listed, in which LWL does not
 
    appear. LWL does appear in the privacy policy, in a list of 7 'marketing
 
    service providers'. A further 442 companies are then listed under 'direct
    clients' followed by the following statement"at registration you have
 
    the option to opt-in to sponsors of our website". The Commissioner
    found the consent statements to be vague and confusing. Further, LWL
 
    are not named at the point of consent and in view of the extensive list
 
                                    8                                                              •
 
                                                              ICO.
                                                              Information Commissioner's Office
    of companies in the privacy policy, the Commissioner considered that
 
    consent was not specific or informed.
 
 
27.  Data was also stated to be purchased by LWL from ,.   -
    _,      ('-"),    the second largest of LWL's data suppliers, through
 
    websites'                    'and'                  '. These sites
    share the same vague consent statement, which contains a link to
 
    identical privacy policies. The privacy policies contain no distinguishable
 
    'third party policy' and lists approximat40 companies with whom
    data may be shared. LWL are not listed in the privacy policy, instead
 
    'UK - Avon' are listed; this listing is hyperlinked to LWL's privacy policy.
    In representationsmade to the Commissioner in response to the Notice
 
    of Intent, LWL provided a letter from -  which stated that LWL
    should be considered to fall within the category of 'health and beauty
 
    tips'.Given that LWL are not directly named in any list, and the
    policies are convoluted, individuals could not reasonably be expected to
 
    know that LWL were linked to Avon. For the reasons above the
    Commissioner found that the consent statements did not constitute
 
    informed and specific consent.
 
 
28.  In relation to the volume of texts sent to each data source, LWL stated
    it was not possible to produce an entirely accurate figure, however
 
    provided an approximation of volumes in a further email to the
 
    Commissioner dated 24 June 2020. Between 1 May 2019 and 15 May
    2020 LWL approximated that it sent in excess of 25 million texts to
 
    data sourced from __        , ---          and•••·        The vast
    majority of the texts, as well as the complaints evidenced in the
 
    Commissioner's second investigation letter, were related to data
 
    supplied by --·
 
 
 
                                    9                                                                  •
 
                                                                ICO.
                                                                Information Commissioner's Office
29.  A further request for information was sent by the Commissioner to LWL
 
      on 26 June 2020 seeking evidence of consent in relation to another
      4,703 complaints received through the 7726 SPAM reporting service,
 
      information regarding data supplier'•••     ,and an accurate
      number of texts sent though each source between 16 May 2020 and 26
 
      June 2020.
 
 
30.  LWL's director responded on 3 July 2020, providing further opt-ins. In
      relation to          he said the use of this data preceded his time as
 
      director, and so would need to contact          directly or his
      predecessors for information.
 
 
31.  LWL went onto verify that between 16 May 2020 and 26 June 2020, a
 
      total of 3,486,716 messages were sent, of which 3,327,573 were
      received. Of these,3,013,096 texts were sent, and 2,670,140
 
      connected, to data sourced by --          and ---
      (comprising 1,911,493 to --          data and 758,647 to'-    
 
    -'data).
 
 
32.  On 10 July 2020 LWL supplied the Commissioner with information
      regarding the '        ' data source. LWL identified the domains used
 
      by                                '(also used by --          and
      previously reviewed by the Commissioner - see para. 20 above) and
 
                        '. Thelatter is operated by -    -    and its
      consent statement lists 240 companies who may contact individuals.
 
      LWL are not included in the list. The privacy policy does name LWL, but
      within a list of hundreds of other sponsors. The Commissioner found
 
      that consent in those circumstances was not specific and informed.
 
 
33.  In conclusion the Commissioner considers that LWL relied upon invalid
      consents to send direct marketing texts to individuals whose data was
 
                                      10                                                              •
 
                                                              ICO.
                                                              Information Commissioner's Office
    sourced by __          , ___          , and
                                                          LWL's business
    model is inextricably linked to direct marketing, and whilst it did make
 
    some  attempt to comply with data protection legislation, it had no
    discernible policiesr procedures relevant to PECRcompliance, and any
 
    due diligence was insufficient.
 
 
34.  During the period 16 May 2020 to 26 June 2020, a total of 12,281
 
    complaints from 11,733 individuals about unsolicited texts from LWL
 
    were received via the 7726 reporting service. 4 complaints were
    received though the Commissioner's online reporting tool. The vast
 
    majority of complaints (10,570) relate to data sourced by -  -·
    It is also noteworthy that LWL began receiving a significant number of
 
    complaints from May 2020 onwards, shortly after the UK entered
 
    lockdown in response to the pandemic.
 
 
35.  The Commissioner has made the above findings of fact on the balance
    of probabilities.
 
 
36.  The Commissioner has considered  whether those facts constitute a
 
    contravention of regulation 22 of PECRby LWL and, if so, whether the
    conditions of section SSA DPA are satisfied.
 
 
    The contravention
 
 
 
37.  The Commissioner finds that LWL has contravened Regulation 22 of
    PECR.The Commissioner finds that the contravention  was as follows:
 
 
38.  Between 16 May 2020 and 26 June 2020 LWL transmitted    2,670,140
    texts over a public electronic communicationnetwork by means of
 
    electronic mail to individual subscribers for the purposes of direct
 
    marketing contrary to regulation 22 of PECR.
 
 
                                    11                                                              •
 
                                                              ICO.
                                                              Information Commissioner's Office
 
39.  Organisations cannot generally send marketing texts unless the
    recipient has notified the sender that they consent to such texts being
 
    sent by, or at the instigation of, that sender.
 
40.  The Commissioner is satisfied that the consent relied on by
 
      LWL did not amount to valid consent for the purposes of regulation 22
 
      PECR.
 
41.  The Commissioner is satisfied that LWL was responsible for this
 
    contravention.
 
42.  The Commissioner has gone on to consider whether the conditions
 
    under section SSA DPA were met.
 
 
      Seriousness of the contravention
 
 
 
43.  The Commissioner is satisfied that the contraventioidentified above
    was serious.
 
 
44.  This is because LWL sent 2,670,140 marketing text messages to
 
    individuals without their consent, resulting in excess of 10,000
 
    complaints, over a period of 41 days. The volume of texts and
    complaints over such a short period is substantial. Indeed, the
 
    Commissioner would go so far as to say that the ratio of complaints to
    the volume of data subjects in receipt of unlawful texts far exceeds any
 
    contravention she has witnessed to date.
 
 
45.  It is reasonable to suppose that the volume of contraventionis
 
    actually significantly higher, and spanned a broader period of time. LWL
 
    approximated  that during the period 1 May 2019 and 15 May 2020, it
    sent 17.23 million texts to--data,          6.43 million texts to.
 
    --        data and 1.37 million texts to        data. All these data
 
                                    12                                                              •
 
                                                              ICO.
                                                              Information Commissioner's Office
 
    sources have been deemed non-compliant,  however as LWL's system
    overwrites data after a period of time, LWL have been unable to verify
 
    these figures.
 
 
46.  The Commissioner's Direct Marketing Guidance available on the ICO's
 
    website states that: "Organisations can generally only send marketing
    texts or emails to individuals (including sole traders and some
 
    partnerships) if that person has specifically consented to receiving
 
    them". Point 60 of the Guidance refers to the fact that freely given
    consent should be demonstrated where it is the "condition of
 
    subscribing to a service", however it is apparent that consent is not
    freely given in the case of data sourced by -  -    (LWL's largest
 
    provider of data) through '                ', because individuals are
 
    not able to register without subscribing to at least one marketing
    channel.
 
 
47.  Furthermore,  the Commissioner's guidance in relation to PECRstates
 
    that "making a large number of marketing calls based on recorded
 
    messages or sending large numbers of marketing text messages to
    individuals who have not consented to receive them [...] is likely to
 
    constitute a serious contraventioof the Regulations".
 
 
48.  The Commissioner is  therefore satisfied that condition (a) from section
 
    SSA (1) DPA is met.
 
 
      Deliberate or foreseeable  contravention
 
 
49.  The Commissioner has considered whether the contravention  identified
 
    above was deliberate. In the Commissioner's view, this means that
    LWL's actions which constituted that contraventionwere deliberate
 
 
 
                                    13                                                              •
 
                                                              ICO.
                                                              Information Commissioner's Office
 
    actions (even if LWL did not actually intethereby to contravene
    PECR).
 
 
50.  The Commissioner considers that in this case that LWL's actions were
 
      deliberate, as despite having been notified that it was under
 
      investigatioby the Commissioner, and given her concerns about
      LWL's compliance with PECR, LWL has continued its marketing
 
      campaign without making any adjustments to its business model. LWL
 
      continues to send unlawful text messages even after the investigation
      was completed, and a Notice of Intent served upon LWL in which it's
 
      practices were deemed non-compliant.
 
 
51.  Further, and in the alternatithe Commissioner has gone on to
 
      consider whether the contraventionidentified above was negligent.
 
 
52.  First, she has considered whether LWL knew or ought reasonably to
    have known that there was a risk that this contraventiowould occur.
 
    She is satisfiedhat this condition is met, given that LWL's business
 
    model relied heavily on direct marketing.
 
 
53.  LWL is registered with the ICO as a data controller and as such should
    be aware  of the Regulations.As the sender of the texts it was the
 
    responsibility of LWL to ensure valid consent had been obtained prior to
 
    their transmission.
 
 
54.  The Commissioner has published detailed guidance for those carrying
 
    out direct marketing explaining their legal obligations under PECR.This
    guidance explains the circumstances under which organisations are
 
    able to carry out marketing over the phone, by text, by email, by post,
    or by fax.
 
 
 
                                    14                                                                •
 
                                                              ICO.
                                                              Information Commissioner's Office
 
55.  Furthermore, the issue of unsolicited marketing has been widely
    publicised by the media as being a problem.
 
 
56.  LWL had a DPIA in place dated 20 October 2019 which demonstrates
 
    awareness on  the part of LWL as to its statutory obligatioIt.contains
 
    the following statement:
 
    LW have considered the fact that there is a degree of public concern
    over the sales of personal data. The legislation is clear on the point of
    consent and the subsequent enforcement action brought by the
 
    Regulator (ICO) has reinforced the legislation and demonstrated a clear
    pathway to take for businesses engaged in the sale of personal data
 
    This unambiguously references public concern regarding data sales,
 
    and an awareness of enforcement action taken by the ICO.
 
 
57.  It is therefore reasonable to suppose that LWL knew or ought
 
    reasonably to have known that there was a risk that these
    contraventions would occur.
 
 
 
58.  The Commissioner has also considered whether LWL failed to take
    reasonable steps to prevent the contraventions.
 
 
59.  Reasonable steps could have included seeking appropriate guidance on
    the rules in relation to electronic direct marketing and ensuring the
 
    consent on which it sought to rely on was valid, putting in place
 
    contractual arrangements to ensure the veracity of the data, and
    conducting sufficient due diligence in relation to its data providers.
 
 
60.  In this case, LWL failed to put in place contractual arrangements with
    data suppliers despite sourcing significant volumes of data from these
 
    suppliers. Any due diligence appears to be minimal and there is a lack
 
    of evidence in relation to thisBy their own admission, LWL conducted
    most of their due diligence checks on '                ', by looking
 
                                    15                                                              •
 
                                                              ICO.
                                                              Information Commissioner's Office
 
    at the website and testing the registration pages, however had these
    checks been sufficient LWL should have known that the website was
 
    non-compliant. In fact, LWL only became aware of a page that sourced
 
    a significantmount of--            data when the ICO investigation
    commenced. LWL purports to rely on their entry to the S.H.I.E.L.D.
 
    scheme as reassurance of compliance, however no evidence in relation
    to this has been provided.
 
 
 
61.  LWL appear to have placed great reliance upon due diligence
    conducted by third parties in relation to data capture websites, and the
 
    fact that there had been legal input from lawyers engaged by other
    organisations who also utilised those same websites. LWL have
 
    provided minimal evidence in relation to any due diligence provided by
 
    others and appear to have assumed that as others were reliant upon it,
    then their own business model must also have been compliant. It would
 
    have been reasonable for LWL to carry out its own checks as to
    how consent was being obtained via the websites, notwithstandingany
 
    assurances by its third-partdata providers - such checks would have
 
    alerted LWL to the inadequacy of the consents being obtained via the
    sites for the purposes of third-pardirect marketing. In short, simple
 
    reliance on assurances of indirect consent alone without undertaking
    proper due diligence is not acceptable.
 
 
 
62.  Furthermore,  LWL has continued to send significant numbers of
    marketing texts to individuals throughoutand since, the course of the
 
    Commissioner's investigation,incurring a substantial amount of
 
    complaints. This would suggest that no remedial measures have been
    taken to prevent further contraventionsand an apparent continuing
 
    disregard for its obligations under PECR. Indeed, since August 2020 to
    the date of this Notice, a further 28,350 complaints about marketing
 
    texts from LWL have been received by the 7726 reporting service.
 
                                    16                                                              •
 
                                                              ICO.
                                                              Information Commissioner's Office
 
 
63.  In representations made to the Commissioner, LWL states that at no
 
    time was it made aware that its practices were non-compliant.The
    Commissioner views  the fact that an organisation is under investigation
 
    should be sufficient impetus for that organisation to review its own
 
    practices in lineith the Regulations. Irrespective of the timing of any
    awareness on LWL's part, it is apparent that LWL has not heeded the
 
    Commissioner's concerns and has continued its campaign in blatant
 
    disregard for the Regulations.
 
 
64.  The Commissioner is therefore satisfied that condition (b) from section
    SSA (1) DPA is met.
 
 
    The Commissioner's    decision to impose a monetary    penalty
 
 
65.  The Commissioner has taken into account the following aggravating
 
    features  of this case:
 
 
  •  The texts misleadingly appeared to be sent by Avon. LWL accepts that
 
      it deliberately did not identify itself in the body of the texts as the
      sender so as to not "confuse" recipients, and as such were in breach of
 
      regulation 23 of PECR.
 
 
  •  LWL has continued to run the marketing campaign both during, and
 
      since,the Commissioner's investigation and despite the ICO's
      concerns,without attempting to amend or review its practices. Indeed,
 
      all the contraventionwhich are the subject of this Notice occurred
 
      after LWL were notified it was under investigatioFurthermore, LWL
      has continued to send unlawful marketing texts after the Commissioner
 
      completed her investigationon 26 June 2020, and issued a Notice of
      Intent in which LWL's practices were deemed non-compliant.
 
 
                                    17                                                            •
 
                                                            ICO.
                                                            Information Commissioner's Office
 
 
•  Since August 2020 to the present time, an additional 28,350
  complaints have been received by the 7726 SPAM reporting tool about
 
  texts sent by LWL.
 
 
•  LWL sought to capitalise on the pandemic by sending a significant
 
  number of text messages relating to, and directly referencing, the
  ensuant lockdown when the population was at its most vulnerable and
 
  advertising the potential financial gains by becoming an Avon
 
  representative.1,698 complaints were received regarding this
  particular message.
 
 
•  LWL repeatedly indicated long standing compliance with PECRin its
 
  communications  with the Commissioner which was blatantly untrue.
 
  LWL also failed to be completely transparentduring the course of the
  investigation.For example, when asked to provide details of the body
 
  of texts sent by LWL, it initially provided only 19, when it later
 
  transpired 65 separate texts were utilised. In representatioto the
  Commissioner, LWL stated that those omitted were simply variants of
 
  the original texts however the Commissioner's view remains that LWL
  were not completely open and transparent  in relation to her enquiry.
 
 
•  Furthermore, LWL failed to inform the Commissioner in its response to
 
  enquiries about marketing methods that it also conducted email
 
  marketing. The Commissioner has since been made aware that·­
  -      conducted hosted marketing for LWL, and that over a 12 month
 
  period had sent 7.5 million emails on LWL's behalf, including activity
 
  during the contravention period. Between the contravention period 16
  May 2020 - 26 June 2020  the number of emails transmitted was
 
  1,006,000.
 
 
 
                                  18                                                              •
 
 
                                                              ICO.
                                                              Information Commissioner's Office
66.  The Commissioner considers there are no mitigating factors to be
 
    considered in this case.
 
 
67.  For the reasons explained above, the Commissioner is satisfied that the
 
    conditions from section SSA(l) DPA have been met in this case. She is
    also satisfiedthat the procedural rights under section 55B have been
 
    complied with.
 
 
68.  This has included  the issuing of a Notice of Intent,  in which the
 
    Commissioner set out her preliminary thinking, and invited LWL to make
    representations in response.
 
 
 
69.  The Commissioner    has received  and considered  Representations  in
    response  to the Notice of Intent dated 9th & 22nd December 2020, and
 
    5th, 13th & 20th January 2021.
 
 
70.  The Commissioner is accordingly entitled to issue a monetary penalty in
 
    this case.
 
 
71.  The Commissioner has considered  whether, in the circumstances, she
 
      should exercise her discretion so as to issue a monetary penalty. She
 
      has decided that a monetary penalty is an appropriate and proportionate
      response to the finding of a serious contraventionof regulation22 of
 
      PECRby LWL.
 
 
72.  The Commissioner's  underlying  objective in imposing  a monetary
 
      penalty notice is to promote  compliance  with PECR. The making of
 
      unsolicited direct marketing calls is a matter of significant public concern.
      A monetary penalty in this case should act as a general encouragement
 
      towards compliance with the law, or at least as a deterrent against non­
 
      compliance, on the part of all persons running  businesses currently
 
                                    19                                                            •
 
 
                                                            ICO.
                                                            Information Commissioner's Office
    engaging in these practices. This is an opportuto reinforce the need
    for businesses to ensure that they are only telephoning consumers who
 
    want to receive these calls.
 
 
73.  The Commissioner has also considered the likely impact of a monetary
 
    penalty on LWL and in doing so has reviewed financial evidence supplied
 
    by LWL.
 
 
    The amount of the penalty
 
 
74.  Taking into account all of the above, the Commissioner has decided that
 
    the amount  of the penalty is £250,000  (Two  hundred  and fifty
    thousand  pounds).
 
 
    Conclusion
 
 
 
75.  The  monetary penalty must be paid to the Commissioner's  office by
    BACS transfer or cheque by 1 April 2021 at the latest. The monetary
 
    penalty is not kept by the Commissioner  but will be paid into the
    Consolidated Fund which is the Government'sgeneral bank account at
 
    the Bank of England.
 
 
76.  If the Commissioner receives full payment of the monetary penalty by
 
    31 March 2021 the Commissioner will reduce the monetary penalty by
 
    20% to £200,000  (Two hundred thousand    pounds).  However, you
    should be aware that the early payment discount is not available if you
 
    decide to exercise your right of appeal.
 
 
77.  There is a right of appeal to the First-tier Tribunal (InfoRights)
 
      against:
 
 
 
                                  20                                                            •
 
                                                            ICO.
                                                            Information Commissioner's Office
      a)  the imposition of the monetary penalty
 
          and/or;
 
 
      b)  the amount of the penalty specified in the monetary penalty
          notice.
 
 
70. Any notice of appeal should be received by the Tribunal within 28 days
 
    of the date of this monetary penalty notice.
 
 
71. Informationabout appeals is set out in Annex 1.
 
72. The Commissioner will not take action to enforce a monetary penalty
 
    unless:
 
 
  • the period specified within the notice within which a monetary penalty
 
    must be paid has expired and all or any of the monetary penalty has
    not been paid;
 
 
  • all relevant appeals against the monetary penalty notice and any
 
    variation of it have either been decided or withdraand
 
  • period for appealing against the monetary penalty and any variation of
 
    it has expired.
 
73. In England, Wales and Northern Ireland, the monetary penalty is
 
  recoverable by Order of the County Court or the High Court. In
  Scotland, the monetary penalty can be enforced in the same manner
 
  as an extract registered decree arbitral bearing a warrant for execution
  issued by the sheriff court of any sheriffdom in Scotland.
 
 
 
 
 
 
                                  21                                                    •
 
                                                  Information Commissioner's Office
 
 
Dated the 1 day of March 2021
 
 
Andy Curry
Head of Investigations
InformatioCommissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 SAF
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
                              22                                                          •
 
                                                          ICO.
                                                          Information Commissioner's Office
 
 
 
ANNEX 1
 
SECTION  55 A-E OF THE DATA PROTECTION      ACT 1998
 
 
 
RIGHTS  OF APPEAL AGAINST    DECISIONS  OF THE COMMISSIONER
 
 
1.  Section 48 of the Data Protection Act 1998 gives any person upon
whom a monetary penalty notice or variation notice has been served a right
of appeal to the First-tier Tribunal (InformRights) (the 'Tribunal')
 
against the notice.
 
2.  If you decide to appeal and if the Tribunal considers:-
 
 
a)  that the notice against which the appeal is brought is not in accordance
with the law; or
 
b)  to the extent that the notice involved an exercise of discretion by the
 
Commissioner, that she ought to have exercised her discretion differently,
 
the Tribunal will allow the appeal or substitute such other decision as could
have been made by  the Commissioner. In any other case the Tribunal will
dismiss the appeal.
 
 
3.  You may bring an appeal by serving a notice of appeal on the Tribunal
at the following address:
 
 
 
          GRC & GRPTribunals
          PO Box 9300
          Arnhem House
 
          31 Waterloo Way
          Leicester
          LEl 8DJ
 
 
a)  The notice of appeal should be sent so it is received by the Tribunal
within 28 days of the date of the notice.
 
 
                                  23                                                                •
 
                                                              ICO.
                                                              Information Commissioner's Office
 
b)  If your notice of appeal is late the Tribunal will not admit it unless the
Tribunal has extended the time for complying with this rule.
 
4.  The notice of appeal should state:-
 
 
    a)    your name and address/name and address of your representative
    (if any);
 
 
    b)    an address where documents may be sent or delivered to you;
 
    c)    the name and address of the Information  Commissioner;
 
    d)    detailsof the decision to which the proceedings relate;
 
 
    e)    the result that you are seeking;
 
    f)    the grounds on which you rely;
 
 
    g)    you must provide with the notice of appeal a copy of the
    monetary penalty notice or variation notice;
 
 
    h)    if you have exceeded the time limit mentioned above the notice
    of appeal must include a request for an extension of time and the
    reason why the notice of appeal was not provided in time.
 
 
5.  Before deciding whether or not to appeal you may wish to consult your
solicitor or another adviser. At the hearing of an appeal a party may conduct
his case himself or may be represented by any person whom he may
appoint for that purpose.
 
 
6.  The statutory provisions concerning appeals to the First-tier Tribunal
(Information Rights) are contained in sections 48 and 49 of, and Schedule 6
to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal)
(General Regulatory Chamber) Rules 2009 (Statutory  Instrument  2009 No.
 
1976 (L.20)).
 
 
 
 
 
 
 
                                    24
</pre>

Latest revision as of 10:01, 21 April 2021

ICO - Leads Work Limited (Monetary Penalty)
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 4(11) GDPR
Regulation 22 Privacy and Electronic Communications (EC Directive) Regulations 2003
Type: Complaint
Outcome: Upheld
Started:
Decided: 01.03.2021
Published: 05.03.2021
Fine: 250000 GBP
Parties: Leads Work Limited
National Case Number/Name: Leads Work Limited (Monetary Penalty)
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: n/a

The UK DPA (ICO) fined Leads Work Limited approximately €288,000 for sending unsolicitated direct marketing communication to individual subscribers, in breach of Regulation 22 of the PECR. The ICO considered the GDPR's definition of consent.

English Summary

Facts

Leads Work Limited (LWL) operates within the "multi-level marketing" sector. It enlists downstream recruits under the Avon band name.

The UK DPA (Information Commissioner's Office or ICO) received various complaints from individuals concerning text messages/SMS sent under the Avon name. During the Covid-19 pandemic, individuals complained again about Avon sending them unsolicited text messages. Between April 2020 and May 2020, 835 complaints of this nature were recorded by the ICO.

Upon investigating further, the ICO identified LWL as the sender of these messages. The ICO notified LWL of the growing complaints concerning these texts. LWL responded to the investigation with information on how they acquired the individuals' data: by purchasing this from third parties and through a website (avon.leadsword.co.uk).

The ICO identified that the core data supplier was from an organisation who's website had an opti-in , a privacy notice and an option to unsubscribe. LWL was included as one of the third parties with who data was shared. However, LWL was not included within the list of organisations from whom individuals could expect marketing from. Additionally, it was not possible for individuals to submit details without selecting a marketing channel. The website was also vague, confusing and lengthy.

The ICO also identified other websites that contributed to collecting personal data used by LWL to send direct marketing SMS. LWL stated that lawyers had create the website's legal framework and believed it to be compliant with the legal requirements.

LWL estimated that between May 2019 and May 2020, around 25 million texts were sent to individuals whose personal data was collected from the above websites.

Dispute

Is sending direct marketing texts to individuals without their consent in breach of Regulation 22 PECR?

Holding

The UK DPA recalled the wording of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as well as the definition of consent under Article 4(11) GDPR.

It then went on to clarify that consent to direct marketing was not freely given, specific or informed because the website indicating LWL as a recipient of personal data was vague, confusing and lengthy.

Similar conclusions were reached regarding other websites used to collect personal data used for direct marketing purposes by LWL. These websites had vague consent statements and did not refer to LWL in their policies (listing Avon instead in certain cases). Even where Avon was listed, the ICO highlighted that individuals could not be reasonably expected to know that Avon was linked to LWL. Therefore, consent was not informed and specific.

The ICO therefore concluded that LWL relied on invalid consent to send direct marketing texts to individuals. It found that LWL was in breach of Regulation 22 of the PECR. The UK DPA highlighted the gravity of the contravention due to the amount of messaged sent without the recipients' consent. It also noted LWL's deliberate or foreseeable infringement of the law without taking reasonable steps to prevent them.

As a result of this infringement, the ICO imposed a fine of £250,000 (approx. €288,000) on Leads Work Limited.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

See the original source link for to access the decision in English.