Co-written by Jason Riley (Trainee Solicitor) and Laura Trapnell (LLP Partner and Head of Intellectual Property Team)
The Information Commissioner’s Office (ICO) has fined LAD Media Ltd and IT Protect Ltd £50,000 and £40,000 respectively for breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
Between 6 January 2016 and 10 March 2016, LAD Media Ltd was found to have sent nearly 400,000 unsolicited spam text messages to individual subscribers whose consent had not been obtained.
The PECR states that organisations must only send marketing text messages to individuals who have agreed to receive them (except where there is a clearly defined customer relationship). The penalty notice from that case reminds organisations that where marketing lists are obtained from third parties or where they liaise with third parties to carry out marketing on their behalf, the organisation must rigorously check that the data has been obtained lawfully and that the individuals, whose data has been obtained, have provided their explicit consent. This can be achieved by the organisations ensuring that they have the appropriate systems and processes in place which are fit for purpose.
Conversely, IT Protect Ltd was found to have breached the PECR after repeatedly calling individuals registered with the Telephone Preference Service (TPS).
Anyone who has registered with the TPS, or in the case of organisations those that have registered with the Corporate Telephone Preference Service (CTPS), should not be contacted with marketing calls unless they have either previously told the caller that they wish to receive such calls or provide consent to continue during the phone call itself.
Considering that the ICO succeeded Ofcom as oversight regulators of the TPS in December 2016 and the fact that the ICO can impose a monetary penalty of up to £500,000 on those found to have breached the PECR, the above examples serve as worthy reminders to organisations, such as charities, of their responsibilities to comply with data protection law. Both cases serve as warnings for organisations looking to outsource their marketing processes and remind those organisations of their responsibilities to remain vigilant as to how such information and data has been obtained and used.
Given the implementation of the General Data Protection Regulation next year, businesses will have to focus on compliance in light of the significant increase in penalties to be levied in respect of data breaches.
If you have any queries about data protection law, or are seeking advice as to processes recommended to comply with data protection law including the PECR, please contact me.