ICO Takes Action Against “Robo Calls” 

The Information Commissioner’s Office (ICO) has warned the public to be on their guard against unlawful “robo calls” – automated marketing calls designed to sound as though the recipient is talking to a human.  

The warning comes after the ICO fined two energy companies a total of £550,000 for making such calls. Home Improvement Marketing Ltd (HIM), based in Pembrokeshire, was fined £300,000 and issued with an enforcement notice. Green Spark Energy Ltd (GSE), based in Durham, was fined £250,000 and also issued with an enforcement notice. Both firms used avatar software, which gave the call recipients the impression they were talking to ‘Jo, Helen or Ian’ from the UK, when in fact they were hearing scripted lines recorded by voice actors and played by call agents abroad.

The rules for making automated calls are set out in the Privacy and Electronic Communications Regulations 2003 (PECR) and are stricter than those for making live calls. Automated marketing calls can only be made to people who have previously informed the caller that they consent to such communications being sent by or at the instigation of the caller. Consent must be freely given, specific and informed. The caller should also identify to the recipient which organisation they are from. The ICO has published Direct Marketing Guidance for organisations as well as advice to individuals about how to protect themselves and their loved ones from such calls.

The maximum fine for a breach of PECR is currently £500,000. When the new Data (Use and Access) Act 2025 comes fully into force, this will increase to UK GDPR levels, i.e. 4% of gross annual turnover or £17.5 million (whichever is higher).

These and other developments will be covered in our forthcoming GDPR Update course.  

HelloFresh fined by the ICO

The Information Commissioner’s Office (ICO) has fined food delivery company HelloFresh £140,000 for a campaign of 79 million spam emails and 1 million spam texts over a seven-month period.

HelloFresh, under its official name Grocery Delivery E-Services UK Limited, was deemed to have contravened regulation 22 of the Privacy and Electronic Communications Regulations 2003.

Key points from this case include: 

  1. Inadequate Consent Mechanism: The opt-in statement used by HelloFresh did not specifically mention the use of text messages for marketing. While there was a mention of email marketing, it was ambiguously tied to an age confirmation statement, which could mislead customers into consenting.
  2. Lack of Transparency: Customers were not properly informed that their data would continue to be used for marketing purposes for up to 24 months after they cancelled their subscriptions with HelloFresh.
  3. Continued Contact Post Opt-Out: The ICO’s investigation revealed that HelloFresh continued to contact some individuals even after they had explicitly requested that the communications stop.
  4. Volume of Complaints: The investigation was triggered by numerous complaints, both to the ICO and through the 7726 spam message reporting service.
  5. Substantial Fine: As a result of these findings, HelloFresh was fined £140,000.

Andy Curry, Head of Investigations at the ICO, emphasised the severity of the breach, noting that HelloFresh failed to provide clear opt-in and opt-out information, leading to a bombardment of unwanted marketing communications. The ICO’s decision to impose a fine reflects its commitment to enforcing the law and protecting customer data rights.

This case serves as a reminder of the importance of complying with data protection and electronic communications regulations, especially in terms of obtaining clear and informed consent for marketing communications.


Online Recruitment Firm Receives £130,000 PECR Fine

On 10th April 2023, the Information Commissioner’s Office (ICO) fined Join The Triboo Limited £130,000 for sending 107 million spam emails targeting jobseekers. The online recruitment firm was found to have breached the Privacy and Electronic Communications Regulations (PECR) by sending unsolicited emails to individuals without their consent.

PECR is a set of regulations which, amongst other things, govern the use of electronic communications (e.g. email, text message, and automated calling systems) for direct marketing purposes. In some cases, the regulations require that individuals must give their consent before receiving marketing messages, including job vacancies. When it comes to emails, businesses cannot send unsolicited emails to individuals unless they have obtained their explicit consent to do so.

The UK General Data Protection Regulation (GDPR), which also applies to electronic communications involving personal data, defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

This means that businesses must provide individuals with clear and concise information about what data they are collecting, how they will use it, and who they will share it with. Individuals must then be given the option to give their consent, and this consent must be freely given and specific to the intended processing activity. Businesses must also provide individuals with the option to withdraw their consent at any time.

Join The Triboo Limited was found to have breached PECR by sending unsolicited emails to individuals without their consent. The emails were sent in bulk to individuals who had not signed up to receive job alerts from the firm, and the content of the emails did not provide individuals with clear and concise information about the firm’s processing activities.

Andy Curry, ICO Head of Investigations, said:

“It’s an issue many of us face – opening up our email inboxes and it being filled with emails we did not ask for or consent to. This shouldn’t just be considered a fact of life – it is against the law.

We provide advice and support to legitimate companies that want to comply with the law. Last year, we released updated direct marketing guidance to help those very businesses.

That is, however, not what was happening in this case. This company did not properly seek permission from the people it chose to bombard with spam emails. The company used job seeking websites as a key component in its unlawful campaign.

In taking this action, we say to the public that we will continue to be on your side and protect you, and we say to any other organisation operating outside of the law that we will pursue every case like this brought to us to the fullest extent.”

The ICO’s decision to fine this online recruitment firm serves as a reminder of the importance of complying with data protection laws. Doing so will enable businesses to build trust with their customers and create a safer, more secure online environment for everyone.

Our forthcoming PECR and Marketing workshop will consider this and other developments in detail. 
