Online Recruitment Firm Receives £130,000 PECR Fine

On 10th April 2023, the Information Commissioner’s Office (ICO) fined Join The Triboo Limited £130,000 for sending 107 million spam emails targeting jobseekers. The an online recruitment firm was found to have breached the Privacy and Electronic Communications Regulations (PECR) by sending unsolicited emails to individuals without their consent.

The PECR is a set of regulations, which amongst other things, govern the use of electronic communications (e.g. email, text message, and automated calling systems) for direct marketing purposes. In some cases, the regulations require that individuals must give their consent before receiving marketing messages, including job vacancies. When it comes to e mails, businesses cannot send unsolicited emails to individuals unless they have obtained their explicit consent to do so.

The UK General Data Protection Regulation (GDPR), which also applies to electronic communications involving personal data, defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

This means that businesses must provide individuals with clear and concise information about what data they are collecting, how they will use it, and who they will share it with. Individuals must then be given the option to give their consent, and this consent must be freely given and specific to the intended processing activity. Businesses must also provide individuals with the option to withdraw their consent at any time.

Join the Triboo Limited was found to have breached PECR by sending unsolicited emails to individuals without their consent. The emails were sent in bulk to individuals who had not signed up to receive job alerts from the firm, and the content of the emails did not provide individuals with clear and concise information about the firm’s processing activities.

Andy Curry, ICO Head of Investigations, said:

“It’s an issue many of us face – opening up our email inboxes and it being filled with emails we did not ask for or consent to. This shouldn’t just be considered a fact of life – it is against the law.

We provide advice and support to legitimate companies that want to comply with the law. Last year, we released updated direct marketing guidance to help those very businesses.

That is, however, not what was happening in this case. This company did not properly seek permission from the people it chose to bombard with spam emails. The company used job seeking websites as a key component in its unlawful campaign.

In taking this action, we say to the public that we will continue to be on your side and protect you, and we say to any other organisation operating outside of the law that we will pursue every case like this brought to us to the fullest extent.”

The ICO’s decision to fine this online recruitment firm serves as a reminder of the importance of complying with data protection laws. This will enable businesses to build trust with their customers and create a safer, more secure online environment for everyone.

Our forthcoming PECR and Marketing workshop will consider this and other developments in detail. 

Spring Offer: Get 10% off on all day courses and special discounts on GDPR certificates. Limited time. Terms and Conditions apply. Book Now!

Consent, marketing and those pesky GDPR emails

canstockphoto17854803

In recent weeks many companies have been bombarding their customers with emails asking for consent to keep them on a mailing list or even to contact them ever again. We even received one from our regular printer!

Such emails, saying things like “Let’s not say goodbye” or “Don’t leave me this way”, are a misguided attempt at complying with the General Data Protection Regulation (GDPR), which becomes enforceable next Friday (25thMay). The irony is that by trying to comply with one law companies could be falling foul of another.

It’s a myth, which has been busted by the Information Commissioner, that the introduction of GDPR means that the only legal basis for personal data processing (including for marketing) is consent. There are an additional five legal bases set out in Article 6:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

GDPR does not fundamentally change the position set out in the current Data Protection Act 1998 (DPA). A similar list to the one above can be found in schedule 2 of the DPA.

Consequently there is no need to send consent e-mails to regular contacts and existing customers whether or not they are on a mailing list. Often companies will be able to rely on the legitimate interest condition (explained above) to continue to make use of such data even for marketing purposes, subject to compliance with PECR (see later).

Where personal data for marketing purposes has been gathered through consent there is no need to automatically refresh permission in preparation for the GDPR. But it is important to check that existing permissions meet the higher GDPR consent standard.

The GDPR states that consent must be freely given, specific, informed, and there must be an indication signifying agreement. Opt out boxes and pre-ticked opt-in boxes will no longer do. It also requires distinct (‘granular’) consent options for distinct processing operations. Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.

Only where existing permissions do not meet GDPR’s higher standards or are poorly documented, will companies need to seek fresh consent, or identify a different lawful basis for processing. (See also the A29WP29 Guidelines on consent and our blog post here.)

But another equally important law has to be carefully considered. Where organisations are processing personal data to send out direct marketing, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) may also apply. PECR is 15 years old yet many organisations still fall foul of it. Failure to comply could lead to a fine of up to £500,000. When the E Privacy Regulation eventually replaces PECR, the fines will be in line with the GDPR i.e. up to 4% of gross annual turnover or EUR 20,000,000 which ever is higher.

PECR sets out the rules for sending direct unsolicited marketing to individuals and organisations using telephone, text, fax and email. Where such marketing is sent to individual subscribers, companies must get their consent (unless they rely on the so called “soft opt in”, namely that they collect an email address in the course of a sale of goods or services, and give the person the right to opt out of marketing emails at the time and in future communications). There is no such restriction when marketing to corporate subscribers i.e. a company e-mail address, even if it belongs to an individual.

The definition of marketing is very wide under PECR. Even sending an email asking someone to opt-in to receive emails or checking their marketing preferences is in itself a marketing email.

In 2017 Honda was fined £13,000 after the ICO found that it had sent 289,790 emails aiming to clarify customers’ choices for receiving marketing. The firm believed the emails were not classed as marketing but instead were customer service emails to help the company comply with data protection law. Honda couldn’t provide evidence that the customers’ had ever given consent to receive this type of email, which is a breach of PECR. Flybe was fined £70,000 after it sent an email to 3 million individuals titled “Are your details correct? ” advising them to amend any out of date information and update any marketing preferences.

Personal information on marketing databases and mailing lists is of two types. That which has been gathered through regular contact or consent with the individual and that which as been gathered by other means (including information scraped from the internet or bought). In each case the lawful basis for processing such data under GDPR has to be considered and, where it is being used for direct marketing, the PECR rules have to be complied with. Just firing off emails using standard wording may cause more problems than they will solve.

The final word to Steve, the deputy Information Commissioner:

“We’ve heard stories of email in-boxes bursting with long emails from organisations asking people if they’re still happy to hear from them. Think about whether you actually need to refresh consent before you send that email and don’t forget to put in place mechanisms for people to withdraw their consent easily.”

Need to train frontline staff quickly? Our GDPR e learning course is ideal for frontline staff. Our next GDPR Practitioner Certificate course in London is fully booked. We have 3 places left in Bristol.

We have just launched our GDPR helpline.

%d bloggers like this: