On 26 March 2019, the Information Commissioner's Office ("ICO") issued a fine of £40,000 to Grove Pension Solutions Limited ("Grove") for sending around 2 million direct marketing emails to individual subscribers between 31 October 2016 and 31 October 2017 without their consent. This was despite Grove having engaged a "specialist data protection consultancy" to advise it on the use of hosted marketing.
Grove worked with a marketing agent to use third party email providers to distribute the 2 million emails promoting Grove's services. These individual subscribers had not, however, consented to receive communications from Grove and had no previous relationship with it. The terms and conditions and privacy policies of the email providers did not specifically name Grove as an organisation from which individual subscribers would receive direct marketing. As Grove instigated the sending of the direct marketing emails, it was Grove's own responsibility to ensure that it complied with Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"). The ICO acknowledged that Grove had taken a "generally positive and pro-active approach to data protection", but found that it still failed to comply with PECR, because it had relied on indirect consent that had not been properly obtained and had failed to conduct appropriate due diligence.
This is a very interesting case as it shows that enforcement action is not determined by the number of complaints the ICO receives from individuals (there were relatively few complaints) but rather by the number of offending emails sent out. It also shows that even if professional advice is obtained and relied on, it remains the responsibility of the organisation concerned to ensure compliance (and it will have to face the consequences of non-compliance). Importantly, this case pre-dated the General Data Protection Regulation 2016/679 ("GDPR") regime and demonstrates the consequences of breaching PECR alone under the old law. If an organisation now fails to comply with PECR and its offending emails include Personal Data (which is highly likely, as individuals' email addresses often include their name), then that organisation would also be subject to the much higher penalties contained in the GDPR. Breach of PECR can result in a monetary penalty of up to £500,000, whereas breach of the GDPR can result in a monetary fine of up to approximately £17,000,000.
If you are trying to rely on indirect consent for PECR purposes, you must be aware that the threshold for compliance is high – it will not be sufficient to rely on a subscriber telling one organisation that they consent to receiving marketing emails from another organisation.