Direct Marketing Fines

The Information Commissioner’s Office has been busy in recent weeks issuing fines to companies for making unsolicited marketing telephone calls and sending out unsolicited marketing emails.

The UK GDPR is quite clear when it comes to direct marketing. Article 21 states that:

“Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing.

Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.”

There are, typically, two main ways in which individuals can object to direct marketing – either by contacting the company directly, or by registering their address with the Mailing Preference Service and/or their telephone number with the Telephone Preference Service. It then becomes unlawful for the company to make or send unsolicited marketing communications to the individual.

At the end of October, the £45,000 fine issued to Unite hit the press after the trade union made over 57,000 unsolicited direct marketing calls to individuals who had registered their details with the Telephone Preference Service. They’d made just under 1.4 million calls in total, so 96% of them were perfectly legal. However, the ICO received 27 complaints, and that was enough to trigger the investigation and fine.

A few weeks earlier, Your Home Improvements had been found guilty of making 1,700 unsolicited marketing calls over a two-month period, suggesting to home-owners that their (non-existent) boiler insurance cover was due to expire, and requesting credit card details in order to renew the insurance. It was a scam, plain and simple. They were fined £20,000 as a result, and the company is now in the process of being struck off the Companies Register.

A somewhat bigger fine was recently imposed on a more well-known business, as We Buy Any Car were ordered to pay £200,000 as a result of sending out 191 million marketing emails and over 3.5 million text messages to individuals without ensuring it had lawful grounds under the UK GDPR to do so. The sheer scale of the marketing campaign probably went a long way to justifying the size of the fine. But they weren’t the only big name to find themselves on the receiving end of the ICO’s ire.

Saga and Sports Direct were fined a combined total of £145,000 to sending over 30 million direct marketing messages without having first ensured they had a lawful basis to do so.

The UK GDPR lays down two lawful grounds which allows marketing communications to be sent to an individual:

• Either with the individual’s consent.
• Or where the company has a ‘legitimate interest’ in sending the communication, and the individual’s data protection and privacy rights do not override that interest.

Many companies do not obtain (or want to obtain) consent to send marketing communications, and therefore rely heavily on the term “legitimate interest”. And whilst it’s not an absolute black-and-white rule, the ICO has previously given guidance which suggests that the following types of marketing communication could be a justifiable “legitimate interest”:

• Marketing communications sent by post where the recipient is not registered with the Mailing Preference Service
• ‘Live’ telephone calls (ie. made by a human, not a computer) where the recipient is not registered with the Telephone Preference Service
• Emails or texts to business recipients
• Emails or texts to individuals (ie. non-business recipients) where that individual is an existing customer of the company, and the email/text relates to goods or services similar to those previously bought by that individual from the company

The ICO’s guidance also goes on to provide an indication of what would not be classed as a “legitimate interest”, meaning that in the following scenarios, obtaining the individual’s consent would be the only way to go:

• Marketing communications sent by post where the recipient is registered with the Mailing Preference Service
• ‘Live’ telephone calls where the recipient is registered with the Telephone Preference Service
• Automated telephone calls
• Emails or texts to individuals (ie. non-business recipients) where the individual is not an existing customer of the company
• Emails or texts to individuals (ie. non-business recipients) where the individual is an existing customer of the company, but the email/text relates to goods or services that are not similar to those previously bought by that individual from the company

And don’t forget, before relying on “legitimate interest” as a lawful ground for sending unsolicited marketing communications, the company must undertake (and keep a written record of) a legitimate interest assessment, and ensure its privacy policy is easily-accessible and provides members of the public with all the relevant information that a data controller is required to publish.

The complexity of lawfully sending marketing communications under the UK GDPR can be off-putting to many businesses. If you would like to better understand what is compliant or would like advice on your particular situation, please contact a member of BPE's Commercial team who will be able to assist you. 

These notes have been prepared for the purpose of articles only. They should not be regarded as a substitute for taking legal advice.