Posted by: Mike Clarke
ICO Action Review: Q3 2023
The enforcement actions taken in the third quarter underscore the ICO’s focus on corrective processes while continuing to issue significant financial penalties to businesses that are flagrantly breaching the regulations.
Enforcement This Quarter
Financial Penalties
- This Is The Big Deal Limited £30,000
- Simply Connecting Ltd £40,000
- House Hold Appliance 247 Ltd £55,000
- RHAP £65,000
- SGS Home Project Ltd £70,000
- Cover Appliance Ltd £200,000
- F12 Management Ltd £200,000
Penalties for Sending Unsolicited Emails and SMS Messages
This Is The Big Deal Limited sent over 39 million emails and 1.5 million texts (100,000 of which without a suitable opt out) to people who had not opted in to receive such messaging. Despite the high volume of outbound messages, the fine itself was small in scale as it was compared to the company size and profit and considered to be suitably punitive.
Simply Connecting Ltd was also fined for sending over 440,000 text messages without suitable opt-in processes in place.
Penalties for Not Following TPS Requirements
The remainder of the monetary penalties were issued for outbound calls being made to people who were on the Telephone Preference Service register and had not opted in to receive these calls. Household Appliance 247 Ltd, RHAP and SGS Home Project Ltd had all made relatively low volumes of calls but had not taken action to clean their lists beforehand. Nevertheless, the fines issues were still substantial.
Cover Appliance Ltd were investigated following several reports that they had contacted vulnerable individuals who had not opted in to receive their calls. The complaints also alleged the use of pressure tactics, but these were refuted by Cover Appliance Ltd. They responded that all details were screened against the Telephone Preference register prior to acquisition and that all calls began by asking consent to continue the conversations. Throughout the investigation it was decided over 500,000 calls had taken place which had not been properly screened and that some of the numbers used did not properly disclose Cover Appliance Ltd as the caller which hindered the recipient’s ability to lodge a formal complaint. This action was interpreted by the ICO as a deliberate attempt on behalf of Cover Appliance Ltd to evade coming to the attention of the regulator which meant their actions were viewed as deliberate and not just negligent.
Further investigation into Cover Appliance Ltd showed repeated attempts to contact the same individuals, the use of spoof numbers designed to hide their identity and trying to process bank charges that had been previously declined. Due to the financial gains made by Cover Appliance Ltd it was decided a £200,000 fine would be issued to remove the financial incentives for conducting business in this manner.
F12 Management Ltd were investigated for conducting over 1.3 million calls which had not undertaken checks against the TPS registry and did not have suitable opt-ins. During the investigation it was decided by the ICO that F12 Management Ltd had intentionally contravened these regulations for monetary gain, they also felt that they were being resistant to engaging with the ICO investigation. While reviewing the call recording evidence, it was also determined that the call handlers were being aggressive on calls. This led to an ICO decision that the financial penalty issued had to be significant to remove any financial gain from the breach in regulations and encourage a change in practice moving forward.
How to Avoid Similar Fines
The penalties issued during this period in relation to the TPS highlight the importance of understanding the requirements placed on businesses in relation to the TPS and how “my supplier told me that my data was TPS cleansed when I bought it” doesn’t ever get anyone off the hook. Attempting to circumvent TPS rules by phoning customers and asking if it’s OK to phone them it seems is also a little optimistic.
The rules relating to the TPS are clear that all data that doesn’t have an explicit opt-in must be checked against the TPS register before it is called and rechecked against the updated TPS register at least every 28 days so that individuals adding their numbers to the TPS will stop receiving unsolicited calls within four weeks.
For data that has been opted-in, a record of when the customer opted in, what they agreed to and when they agreed to it, is required. Remember that opt-ins must be specific to the business that is using the data and there must be a policy in place to delete data after a reasonable period of non-contact.
Greenlight provide our customers with an optional TPS cleansing service that will ensure that all non-opt-in data is automatically checked against the most recent TPS at point of import, and against the most up to date TPS register every 24 hours ensuring that you never run the risk of being in breach of the TPS rules.
Final Thoughts
In the third quarter of 2023 the ICO has continued to follow enforcement trends it has established earlier in the year. Larger monetary penalties were issued where a clear intent to circumvent regulations was found, sending a strong signal that the ICO will be aggressive in stamping out this type of behaviour. Simultaneously issuing smaller penalties when the breach has occurred due to an oversight or misunderstanding. These smaller penalties are generally not significant enough to risk business operations but still push businesses to be more vigilant when it comes to compliance.
This rise in the volume of actions taken compared to last year seems to be aimed at creating a climate of awareness. It will be interesting to see the impact this rise in public enforcement will have moving forward.