The UK’s Information Commissioner’s Office (ICO) recently fined Ocean Finance, a UK-based financial services provider, £130,000 and issued an enforcement notice banning them from sending spam texts in response to 1,896 complaints received from consumers. The complaints arose over a direct marketing campaign, where Ocean Finance sent over 7 million unsolicited texts marketing a new credit card on behalf of another company. Although only 4.5 million text messages out of the 7.7 million were successfully transmitted, the ICO found all of the messages to be in breach of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003, which prohibits unsolicited direct text messages being sent to a consumer’s mobile telephone if they have not given their consent to receive the messages.
Ocean Finance alleged that they had been told by the third party company (whose identity has been redacted from the ICO’s decision) that they had the consumer’s permission to send the marketing material. Ocean Finance had a contract with the third party company, under which the third party company provided Ocean Finance with a list of names and telephone numbers of consumers who had consented to receiving text messages. Ocean Finance also provided examples of websites and privacy policies in which it claimed the relevant consent had been confirmed. The ICO acknowledged Ocean Finance’s belief that they were not committing unlawful behaviour, and found their violation of Regulation 22 to be a negligent, rather than deliberate, violation. However, the ICO’s head of enforcement, Steve Eckersley, stated that it is the responsibility of the company sending out the marketing data “to make rigorous checks to ensure personal data has been obtained fairly and lawfully,” and that it is insufficient to “rely on the word of a third party.”
Given that Ocean Finance fully cooperated with the ICO’s investigation, the fine was set at £130,000, which can be reduced to £104,000 if paid by 27 October 2016.
TIP: These fines show that the UK’s ICO will enforce breaches of direct marketing violations whether the breach is deliberate or negligent. The ICO has also published guidance for firms using phone, text, e-mail, and fax to carry out direct marketing activities in the UK.