On 7 November 2016, the UK Information Commissioner's Office ("ICO") fined a loan matching service firm £70,000 for hiring a company to send spam SMS messages to over 2 million individuals on its behalf.

The messages were sent over a period of 6 months and, crucially, were sent without checking whether the recipients had consented to receiving them. They were thereby considered to be "unsolicited communications for the purposes of direct marketing by means of electronic mail" in contravention of The Privacy and Electronic Communications (EC Directive) Regulations 2003 ("The PECR") which regulates marketing by electronic means (including via SMS messaging, telephone, email, and fax).

The fine was imposed despite a finding by the ICO Commissioner that the company did not deliberately breach The PECR, but did so negligently on the basis that it ought reasonably to have known that such behaviour would amount to a contravention (given that, in particular, "the company is involved in a business heavily reliant on direct marketing, and the fact that the issue of unsolicited text messages has been widely publicised by the media as being a problem").

The Regulations provide clarification that electronic mail for the purposes of direct marketing should only be sent where either the recipient provides his express permission or where:

  1. "that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;
  2. the direct marketing is in respect of that person's similar products and services only; and
  3. the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication."

This penalty comes as a warning shot to businesses across the UK. Any company which is found to have engaged in illegal marketing under the PECR may face civil and/or criminal sanctions, including fines of up to £500,000.

The Commissioner has advised that "organisations buying marketing lists from third parties, or contracting with third parties to carry out marketing for them, must make rigorous checks to satisfy themselves that the third party has obtained the personal data it is using fairly and lawfully, and that they have the necessary consent."