Iain Garfield, Partner at BPE Solicitors, looks at the recent spate of fines issued by the ICO to organisations who have not adhered to the UK GDPR when making marketing calls and communications.
The Information Commissioner’s Office has been busy in recent weeks issuing fines to companies for making unsolicited marketing telephone calls and sending out unsolicited marketing emails.
The UK GDPR is quite clear when it comes to direct marketing. Article 21 states that:
“Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing.
Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.”
There are, typically, two main ways in which individuals can object to direct marketing – either by contacting the company directly, or by registering their address with the Mailing Preference Service and/or their telephone number with the Telephone Preference Service. It then becomes unlawful for the company to make or send unsolicited marketing communications to the individual.
At the end of October, the £45,000 fine issued to Unite hit the press after the trade union made over 57,000 unsolicited direct marketing calls to individuals who had registered their details with the Telephone Preference Service. They’d made just under 1.4 million calls in total, so 96% of them were perfectly legal. However, the ICO received 27 complaints, and that was enough to trigger the investigation and fine.
A few weeks earlier, Your Home Improvements had been found guilty of making 1,700 unsolicited marketing calls over a two-month period, suggesting to home-owners that their (non-existent) boiler insurance cover was due to expire, and requesting credit card details in order to renew the insurance. It was a scam, plain and simple. They were fined £20,000 as a result, and the company is now in the process of being struck off the Companies Register.
A somewhat bigger fine was recently imposed on a better-known business, as We Buy Any Car was ordered to pay £200,000 as a result of sending out 191 million marketing emails and over 3.5 million text messages to individuals without ensuring it had lawful grounds under the UK GDPR to do so. The sheer scale of the marketing campaign probably went a long way to justifying the size of the fine. But it wasn’t the only big name to find itself on the receiving end of the ICO’s ire.
Saga and Sports Direct were fined a combined total of £145,000 for sending over 30 million direct marketing messages without having first ensured they had a lawful basis to do so.
The UK GDPR lays down two lawful grounds which allow marketing communications to be sent to an individual:
- Either with the individual’s consent.
- Or where the company has a ‘legitimate interest’ in sending the communication, and the individual’s data protection and privacy rights do not override that interest.
Many companies do not obtain (or want to obtain) consent to send marketing communications, and therefore rely heavily on the term “legitimate interest”. And whilst it’s not an absolute black-and-white rule, the ICO has previously given guidance which suggests that the following types of marketing communication could be a justifiable “legitimate interest”:
- Marketing communications sent by post where the recipient is not registered with the Mailing Preference Service
- ‘Live’ telephone calls (ie. made by a human, not a computer) where the recipient is not registered with the Telephone Preference Service
- Emails or texts to business recipients
- Emails or texts to individuals (ie. non-business recipients) where that individual is an existing customer of the company, and the email/text relates to goods or services similar to those previously bought by that individual from the company
The ICO’s guidance also goes on to provide an indication of what would not be classed as a “legitimate interest”, meaning that in the following scenarios, obtaining the individual’s consent would be the only way to go:
- Marketing communications sent by post where the recipient is registered with the Mailing Preference Service
- ‘Live’ telephone calls where the recipient is registered with the Telephone Preference Service
- Automated telephone calls
- Emails or texts to individuals (ie. non-business recipients) where the individual is not an existing customer of the company
- Emails or texts to individuals (ie. non-business recipients) where the individual is an existing customer of the company, but the email/text relates to goods or services that are not similar to those previously bought by that individual from the company
Sending marketing communications is not straightforward, as the legislation under the UK GDPR can be quite complex. Any communications not carried out correctly could lead to action from the ICO, including significant financial penalties.
For advice and support about the steps you should take to ensure that you are marketing your organisation appropriately, contact Iain Garfield, Partner in the Commercial team at firstname.lastname@example.org or call 01242 248246.