ICO Issues Fine for Failure to Comply with Privacy Rules

The ICO has this week announced it is fining Tempcover Limited £85,000 for sending a total of 29,970,419 unsolicited direct marketing messages to subscribers without valid consent.

Background

Tempcover Ltd is a company that provides short-term motor insurance and is a controller under data protection law. Mobile UK is an entity representing the interests of mobile subscribers in the UK. Mobile UK has a Spam Reporting Service, and subscribers can report a spam message by forwarding the spam message to Mobile UK. Mobile UK compiles the spam reports on a monthly basis and provides a report to the ICO.

Findings

In May 2020, upon analysing the monthly reports provided by Mobile UK, the ICO ascertained that between 1 November 2019 and 18 May 2020 there were a total of 13 complaints received from which Tempcover could be identified, 12 of these were made via the 7726 service and 1 was made directly to the Commissioner. Accordingly, the ICO initiated an investigation against Tempcover.

Enforcement Action

The ICO concluded that between 26th May 2019 and 26th May 2020 subscribers had received 29,970,419 unsolicited direct marketing messages that were sent by Tempcover. These messages were a breach of the Privacy and Electronic Communications Regulations 2003 (PECR).

In order for Tempcover to comply with its obligations under PECR, Tempcover should have either held valid opt-in consent, or relied on the soft opt-in mechanism under PECR which permits the marketing of similar goods and services, provided customers are given the ability to opt-out of that marketing. By failing to provide an opportunity of opting out from direct marketing and making the agreement to marketing a condition of service, it cannot be said that the consent obtained by Tempcover from the subscribers was "freely given" nor could Tempcover rely on the soft-opt in mechanism.

This breach of PECR was considered to be serious due to the high number of messages which were sent. However, the ICO concluded that Tempcover did not deliberately set out to contravene the PECR. Nevertheless, Tempcover was considered to be negligent as "Tempcover knew or ought reasonably to have known that there were risks inherent in its direct marketing activities, given that during the investigation the Commissioner was provided with copies of Tempcover's own training materials which made specific reference to PECR, and the need for compliance with this legislation". The ICO concluded that Tempcover "failed to take reasonable steps to prevent the contraventions".

The ICO considered that an aggravating factor in the decision to fine Tempcover was it having financially benefit from the messages, but also ta mitigating factor was that it had incorporated new mechanisms which allow subscribers to opt out of direct marketing at the point which consent is obtained.

Comment

This enforcement action demonstrates the ICO'S willingness of imposing fines on organisations who may or may not know that they are engaging in unsolicited marketing. This case is an example of a fine that could have been avoided. The ICO acknowledged that it was open to Tempcover to rely on the soft opt-in mechanism under PECR as it was marketing similar goods and services. However, unfortunately in this case, the ability to opt-out was not provided and therefore the soft opt-in could not apply.

A copy of the ICO's enforcement notice is available to view at - https://ico.org.uk/action-weve-taken/enforcement/tempcover-ltd/