A credit broker has been fined £120,000 by the Information Commissioner’s Office (“ICO”) under section 55A of the Data Protection Act 1998 for sending millions of marketing texts, all of which were sent without proper consent. The news was released on the ICO’s website on 15 February 2017 as an investigation had revealed that Digitonomy Ltd had used affiliated marketing companies to send out over five million messages all of which offered cash loans as part of a marketing campaign.

Digitonomy had contravened regulation 22 of the Privacy and Electronic Communications (e-Privacy) Regulations 2003 (“PECR“), which generally prohibits the sending or instigating of a transmission of unsolicited communications to a consumer for the purpose of direct marketing, unless that person has given their prior consent.

The law clearly states that data subjects must provide companies with specific consent to the receipt of marketing text messages. Evidencing such consent is particularly difficult where, like Digitonomy, you are relying on consumer details which have been obtained by a third party on your behalf. By way of example, Digitonomy Ltd stated their consent wording from affiliate companies was “you consent to us and our trusted partners contacting you by SMS, mail, email, telephone and automated message”. This wording was insufficient to protect Digitonomy as one of the “trusted partners”.

Consent must be freely given, specific and informed and involve a positive indication signifying the individual’s agreement. This enforcement action should provide fair warning to businesses who buy marketing lists from third parties, contract with third parties to carry out the marketing for them, or even share contact details within a corporate group for marketing purposes to make thorough checks and be satisfied that personal data has been obtained fairly and lawfully with the necessary consent.

The 2015 case of Optical Express (Westfield) Limited v Information Commissioner was a clear statement of the law in this area, in which the First-tier Tribunal found that consent has to be provided to the sender of the communications. Data subjects must understand that they are providing a marketing consent to a specific third party, or failing that, have some reasonable expectation as to the identity of the third party (for example, the industry it operates in and the type of goods and services it might attempt to sell). Further, consent must always be explicit and obtained on a clear opt-in basis.

This latest salvo in the ICO’s on-going war with the spammers is also a salutary lesson for companies operating across the full-range of B2C sectors about the dangers or relying on woolly indirect marketing consents, and the care that must be taken when obtaining marketing lists from commercial partners or group companies.