ICO Marketing Law Breaches

PECR Breaches

Throughout 2021/22, the Information Commissioner’s Office (ICO) issued over £1,700,000 in fines for breaches of the direct marketing laws. This included extensive PECR breach fines for ‘We Buy Any Car’. The ICO has powers under the Privacy and Electronic Communications Regulations 2003 (PECR) that enable it to take action to change the behaviour of anyone who breaches the regulations. The regulator’s enforcement powers include criminal prosecution, audits and imposing fines of up to £500,000.

Working alongside the UK General Data Protection Regulation (UK GDPR), the PECR defines rules and guidelines on individuals’ privacy rights with regard to electronic communications. These include:

  • Marketing calls, emails, texts and faxes
  • Cookies
  • Secure communications
  • Customer privacy in relation to:
    • traffic and location data
    • itemised billing
    • line identification
    • directory listings.

High Profile Fines

So far, 17 fines have been issued in relation to PECR breaches, including to some high-profile organisations. The ICO received numerous complaints from the public regarding unsolicited emails received from We Buy Any Car. The regulator’s investigation found that whilst initial emails sent to customers were within the law, subsequent marketing emails were sent without obtaining consent. Over a period of 12 months, We Buy Any Car sent in excess of 190,000,000 emails and 3,600,000 SMS messages without consent. The ICO levied a £200,000 fine against the organisation.

Further high profile fines over the past year have included the Saga Group (Saga Services Ltd (SSL) and Saga Personal Finance (SPF)), who were fined £150,000 and £75,000 respectively alongside enforcement notices ordering them to stop illegal direct marketing within 30 days or face court action. The Saga businesses used data lists to send over 150,000,000 emails between them without consent.

Sports Direct also received a fine of £70,000 relating to a 3-month period where they sent re-engagement emails to previous customers who had not been contacted for some time. The emails were sent without obtaining new consent and with no proof of existing consent.

Getting Consent Right

Obtaining consent and using this lawful basis compliantly is one of the fundamental requirements of the UK GDPR and PECR. Know Your Compliance Limited have provided thousands of organisations with GDPR templates for getting consent right, including consent checklists, policies, consent procedures and consent statements in privacy notices. Take a look at our market-leading GDPR Policy Templates and Data Protection Toolkits to see how we can help you.