What sanctions can the ICO impose for unsolicited marketing communications?

The Information Commissioners Office (ICO) continues to issue fines in relation to unsolicited marketing communications. In recent months, fines have ranged from £2,000 to £200,000 depending on the severity of the breach of UK data protection laws.

Under sections 21 and 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), persons or organisations are required to obtain consent before contacting customers by phone or email for the purposes of direct marketing. Where there is a contravention of PECR, the ICO has the power to impose a fine of up to £500,000.

In December 2021 the ICO issued a £50,000 fine to Virgin Media in relation to 451,515 price freeze emails sent to customers that had opted-out of marketing communications, 451,217 of which were actually received. In fact, the emails were specifically sent to customers that had previously opted-out of marketing communications and suggested that if the customer opted-in they would not miss out on Virgin Media’s “great offers”. The ICO determined that Virgin Media’s actions amounted to a serious breach of PECR and that a significant financial penalty was appropriate in the circumstances. It is worth noting that only one customer complained to the ICO in respect of the email communications, which triggered the ICO’s initial investigation but nevertheless resulted in Virgin Media receiving a hefty fine.

Similarly, in February 2022 the ICO fined a Welsh home improvement company, Home2Sense Limited for making unsolicited calls to customers for the purposes of direct marketing. In total it was found that the company made 675,478 nuisance calls between June 2020 and March 2021, offering insulation services to people registered with the Telephone Preference Service (TPS). The TPS is the UK’s “do not call” register for landline and mobile numbers. Customers that have registered with the TPS for more than 28 days cannot be contacted by law unless the recipient has notified the company that they do not object to receiving marketing calls. As it transpired, following more than 60 complaints, Home2Sense failed to engage with the ICO’s investigation, attempting to place the blame on its staff, and as a result, the ICO determined that a fine of £200,000 was appropriate.

One final recent noteworthy fine was issued back in January 2022 to Energy Suite Limited, a company that markets boiler, heating, insulation, glazing and other energy-saving grants to homes under Government funded schemes. The ICO found that between 1 March and 13 November 2020, Energy Suite made at least 1,246 cold marketing calls to individuals whose numbers were listed on the TPS register. As a result, the ICO issued Energy Suite with a fine of £2,000, showing that the ICO are prepared to act even where the number of communications is relatively small in number.

What does this mean for your business?

These recent examples are a timely reminder for organisations of all sizes that the ICO will not hesitate to use its enforcement powers where there have been instances of unsolicited communications. Organisations should respect the preferences of their customers. Furthermore, businesses should be aware that ICO involvement may not be the only consequence of such conduct. It is possible that your organisation could face both reputational harm and data breach claims, incurring legal costs and management time.

Accordingly, to avoid the risk of receiving a fine, it is important to ensure that any marketing communications are only made to customers that have consented to receive such communications. Your organisation ought to have technical measures in place to ensure this happens in practice.