The government as well as the appropriate regulators have recognised that nuisance calls can result in widespread harm and inconvenience. The ICO has committed to continuing its ongoing enforcement action against the businesses responsible for unsolicited nuisance marketing, and a long-running joint action plan has been formulated with Ofcom, the communications regulator, to tackle the damage caused by these calls and messages.
In this week’s issue of In Perspective, Natasha King examines a recent spate of penalties levied by the ICO against several businesses for violating electronic marketing rules. She also looks at the ICO’s updated guidelines for live phone call direct marketing. Are marketing communications within your organisation GDPR and PECR compliant?
ICO fines four firms targeting people with home improvement predatory marketing calls
What happened
- Four UK-based companies have been fined a total of £370,000 by the Information Commissioner’s Office (ICO) for making predatory marketing calls.
- Over 820,000 home improvement-promoting phone calls were made to people registered with the Telephone Preference Service – a statutory register of people who have said they do not want to receive marketing calls.
- According to the ICO, a large majority of the complainants were vulnerable or elderly, with some having ongoing health conditions.
- The ICO started its investigation into predatory marketing calls generated by the sector in 2020, after vouchers of up to £5,000 were offered to home owners to improve energy efficiency.
- As the ICO had previously seen with “green scheme” and other initiatives, complaints soon came in from people who had been called regarding loft, window and wall insulation.
- According to the ICO, all of the complainants were registered with the Telephone Preference Service (TPS), a statutory register of people who have said they do not want to receive marketing calls.
- The investigation found the companies were deliberately or negligently flouting electronic marketing laws to make a profit. Some of the companies also used different trading names, which is illegal.
- The firm names included Posh Windows UK Limited, Green Logic UK Ltd, Euroseal Windows Limited and Eco Spray Insulations Limited.
Why it matters
- The news comes just a month after bike retailer Halfords was fined £30,000 after an investigation found it had sent nearly 500,000 unwanted marketing emails, as previously reported by Xcina Consulting.
- “The complaints we received showed that people were distressed, upset, worried and inconvenienced by the calls,” ICO head of investigations, Andy Curry, said.
- “We will continue to take strong action to protect the public by investigating and taking enforcement measures against companies where we find that they have flouted the law.”
- The ICO has the power under PECR to impose a monetary penalty on a data controller of up to £500,000.
- It can also apply for court orders for winding-up companies and, by working closely with partners, get directors disqualified. More details of this work are available here.
- The ICO has previously confirmed that some of their investigations have begun with just a single complaint from a member of the public.
Catalogue retailer Easylife fined £1.5 million for breaking data protection and electronic marketing laws
What happened
- This month, the ICO has fined Easylife Ltd £1.35 million for using personal information of 145,400 customers to predict their medical condition and target them with health-related products without their consent.
- The company was also fined a further £130,000 for making 1,345,732 predatory direct marketing calls.
- Easylife is a catalogue retailer that sells household items, as well as services and products under their Health, Motor, Supercard, and Gardening Clubs.
- The ICO investigation found that when a customer purchased a product from Easylife’s Health Club catalogue, the company would make assumptions about their medical condition and then market health-related products to them without their consent.
- For example, if a person bought a jar opener or a dinner tray, Easylife would use that purchase data to assume that person has arthritis and then call the individual to market glucosamine joint patches.
- Out of 122 products in Easylife’s Health Club catalogue, 80 items were considered to be ‘trigger products’. Once these products were purchased, Easylife would profile the customer to target them with a health-related item.
- The ICO found that significant profiling of customers and ‘invisible’ processing of health data took place. It is ‘invisible’ because people were unaware the company was collecting and using their personal data for that purpose, which breached data protection law.
- In a separate investigation the ICO found that, between 1 August 2019 and 19 August 2020, Easylife made 1,345,732 unwanted marketing calls to people registered with the Telephone Preference Service (TPS).
- Under the Privacy and Electronic Communications Regulations (PECR), live marketing calls should not be made to anyone who has registered with the TPS, unless they have told the caller that they wish to receive calls from them.
Why it matters
- The ICO received 25 complaints about Easylife, with people claiming they felt angry, anxious, threatened, and distressed in response to their calls. One of the complainants was an elderly hearing-impaired person registered with the TPS who had been unable to hear most of the call, while another individual was mis-sold two subscriptions and required a family member’s help to arrange a refund.
- John Edwards, UK Information Commissioner, said: “Easylife was making assumptions about people’s medical condition based on their purchase history without their knowledge, and then peddled them a health product – that is not allowed.
- “The invisible use of people’s data meant that people could not understand how their data was being used and, ultimately, were not able to exercise their privacy and data protection rights. The lack of transparency, combined with the intrusive nature of the profiling, has resulted in a serious breach of people’s information rights.
- “Easylife was not only found guilty of breaching data protection law, but our investigation also discovered that they made thousands of predatory marketing calls to people who clearly did not want to receive them. It is clear from the complaints we received that people felt threatened and distressed by the company’s aggressive tactics. This is unacceptable. Companies making similar nuisance calls and causing harm to people can expect a strong response from my office.”
ICO issues new guidelines for live direct marketing calls
What happened
- The Information Commissioner’s Office (ICO) has published new guidance this month on direct marketing using live telephone calls.
- The guidelines encompass both essential and recommended best practices for marketers to follow in order to comply with the Privacy and Electronic Communications Regulations 2003 (PECR), which sets rules for sending marketing communications by electronic means.
- The ICO’s guide includes detailed explanations of the following:
  - What constitutes a ‘direct marketing’ call
  - The rules specific to live direct marketing calls
  - How to comply with the rules on direct marketing calls in practice
  - Other requirements to take into account, such as compliance with data protection law in addition to PECR where applicable.
- The ICO’s guidance can be read in full by clicking here; however, some of the key points are summarised below:
  - In general, consent is not required under PECR to make most types of live unsolicited marketing calls. They can be made to people and businesses if:
    - they have not objected to the live marketing calls (never call someone who previously indicated they did not want to receive such calls); or
    - the number is not listed on the Telephone Preference Service (TPS) in the case of B2C marketing, or in the case of B2B marketing, the Corporate Telephone Preference Service (CTPS) (always screen numbers against the TPS or CTPS before calling).
  - There are stricter rules for direct marketing calls about claims management services and pension schemes.
  - When making a live marketing call, the telephone number (or a valid alternative contact number) must be displayed to the call receiver. Withheld numbers are not permitted when making direct marketing calls.
  - PECR sits alongside the UK data protection regime. If personal data is being processed when making live marketing calls (e.g. knowing the name of the person being contacted), both PECR and data protection requirements must be considered and complied with.
  - Where data protection rules apply, it is necessary to consider whether the marketing activity is fair, lawful and transparent, and to comply with individuals’ data protection rights (such as the right to object to direct marketing).
Why it matters
- Whilst telephone marketing can bring about several advantages over other forms of advertising due to the ability to speak with customers directly and learn about their needs, complaints about its intrusive nature and reports of telephone scams and fraud have led to a growing backlash against telephone marketing.
- With the ICO issuing over £2.8 million in penalties against companies responsible for nuisance calls, texts and emails in 2021/22 alone, it is clear that the regulator is keen to take a strong stance against organisations violating direct marketing rules.
- Conducting compliant direct marketing is essential in safeguarding a company’s reputation and preventing inappropriate targeting and excessive use of customer information for marketing purposes.
- Any organisation considering conducting direct marketing by telephone should take heed of the ICO’s new guidance, and only begin direct marketing once the requirements outlined are being fulfilled and have been embedded into the organisation’s internal policies and processes.
- A fundamental part of maintaining compliance is ensuring that effective internal processes and controls are in place to maintain suppression lists, record contact preferences and manage unsubscribe requests, to ensure that an individual’s preferred means of contact or their clear wish to not receive any further material is respected, thus minimising the likelihood of a complaint.
- The Data & Marketing Association (DMA) have crafted a package of GDPR guidance for organisations, tailored to the specific needs of the UK’s marketing industry.
- The guidance provides further insight into the key steps organisations need to take to be compliant; real-world case studies to illustrate what compliance looks like; and commentary from thought-leaders from around the industry.
- The guidance series is available here and has been devised with the help of the ICO, and partners ISBA and the Data Protection Network.