Online Recruitment Firm Receives £130,000 PECR Fine

On 10th April 2023, the Information Commissioner’s Office (ICO) fined Join The Triboo Limited £130,000 for sending 107 million spam emails targeting jobseekers. The online recruitment firm was found to have breached the Privacy and Electronic Communications Regulations (PECR) by sending unsolicited emails to individuals without their consent.

The PECR is a set of regulations which, amongst other things, govern the use of electronic communications (e.g. email, text message, and automated calling systems) for direct marketing purposes. In some cases, the regulations require that individuals must give their consent before receiving marketing messages, including job vacancies. When it comes to emails, businesses cannot send unsolicited emails to individuals unless they have obtained their explicit consent to do so.

The UK General Data Protection Regulation (GDPR), which also applies to electronic communications involving personal data, defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

This means that businesses must provide individuals with clear and concise information about what data they are collecting, how they will use it, and who they will share it with. Individuals must then be given the option to give their consent, and this consent must be freely given and specific to the intended processing activity. Businesses must also provide individuals with the option to withdraw their consent at any time.

Join The Triboo Limited was found to have breached PECR by sending unsolicited emails to individuals without their consent. The emails were sent in bulk to individuals who had not signed up to receive job alerts from the firm, and the content of the emails did not provide individuals with clear and concise information about the firm’s processing activities.

Andy Curry, ICO Head of Investigations, said:

“It’s an issue many of us face – opening up our email inboxes and it being filled with emails we did not ask for or consent to. This shouldn’t just be considered a fact of life – it is against the law.

We provide advice and support to legitimate companies that want to comply with the law. Last year, we released updated direct marketing guidance to help those very businesses.

That is, however, not what was happening in this case. This company did not properly seek permission from the people it chose to bombard with spam emails. The company used job seeking websites as a key component in its unlawful campaign.

In taking this action, we say to the public that we will continue to be on your side and protect you, and we say to any other organisation operating outside of the law that we will pursue every case like this brought to us to the fullest extent.”

The ICO’s decision to fine this online recruitment firm serves as a reminder of the importance of complying with data protection laws. Compliance enables businesses to build trust with their customers and create a safer, more secure online environment for everyone.

Our forthcoming PECR and Marketing workshop will consider this and other developments in detail. 


Please call re ICO conference.

Working around the UK, we Act Now speakers sometimes get messages or emails from the office staff. If we can, we pick these up and follow them up at lunchtime, coffee breaks etc.

Last week I received one such message and it looked promising. (See title of post). The ICO want to talk to me about this conference… Is it the invitation I’ve been waiting for to address 500 colleagues on the Data Protection joke book from A to B? Is it an opportunity to run a workshop, or maybe they want us to advise them on something?

My flying fingers could scarcely contain a feverish frisson of excitement as I dialed the digits.

It wasn’t the ICO. It was a company who, to be truthful, did identify themselves but did it so quickly that I missed it (but I have their number). Some gentle introductory questions about why we attended, blah blah blah, then they got to the main course. Who do we speak to in your company about encryption solutions? Head of Procurement? IT director?

I asked the obvious question and was told that they obtained my name and corporate details from the documentation given out at the recent DPO conference in Manchester. And to the obvious follow-up question – yes, they were ringing delegates to offer them encryption solutions.

I ended the call using a well-known technique and started wondering. I wasn’t happy but had they breached any laws or regulations? DPA? Was it personal data? If it’s not personal then all the principle 6 rights disappear. Was it marketing? A section 11 issue? That again specifies personal data.

Aha. They used the telephone. Isn’t that covered by PECR? And PECR is about subscribers not individuals. If we were registered with corporate TPS they’d be committing an offence wouldn’t they? Wouldn’t they?

What about the ICO? Should they have issued a list of delegates to all delegates? Was it not personal data but became personal data once it was worked on by another data controller? What schedule 2 condition applies to data collected at a conference and manipulated by the user to be used for marketing and selling?

I remember the days when I spoke at conferences and the organisers would invite me to speak and they would also invite me to email their flyer to all my colleagues in the sector. In those days it was routine to list email addresses of delegates in the conference documentation. Things have changed but dodgy practice still exists.

Did anyone else get this call? Were any offences committed?