ICO issues £200k fine for unsolicited text messages without valid consent

The Information Commissioner’s Office (ICO) has issued a £200,000 fine to Tax Return Limited (“TRL”) for sending out 14.8m unsolicited marketing text messages (which generated 2146 complaints).

The Privacy and Electronic Communications Regulations 2003 (PECR) only permit the sending of marketing emails or text messages if the recipient has consented to receiving the messages, or is a customer and hasn’t opted out of marketing (of similar products and services).

TRL indicated that it had sent the messages via a third party and was relying on indirect consent (i.e. the third party had obtained the consent to send the messages on TRL’s behalf) for the permission to send the messages. What the ICO’s investigation highlights is that, despite the assurances from the third party, TRL hadn’t carried out the necessary due diligence to ensure that the third party’s data was indeed compliant and that they had the prerequisite consent. And whilst some examples of consents given were provided to the ICO, TRL was unable to provide evidence of consent from any of the complainants, mainly because the third party where consent had been collected no longer operates. Furthermore, the privacy statements and processing information that were supplied (taken from the third parties who alleged that consent had been collected) were also deemed by the ICO to be inadequate, as they did not provide enough information to indicate that the “subscriber” would be receiving marketing messages from TRL.

So what does this tell us in a GDPR world?

  1. We must be clear that we have the right kind of consent when it is required. The GDPR is very clear about what appropriate consent should look like, and the PECR rules are clear about what is and isn’t lawful when it comes to marketing messages.
  2. There is nothing wrong with using third-party list providers, provided we carry out appropriate due diligence to ensure that the right kind of consent is obtained: (a) evidence that consent has been given; (b) that the consent is GDPR compliant; (c) that the “subscribers” or the recipients of the marketing messages will expect to hear from our business (and therefore not be surprised).
  3. Document, document, document. We need to make sure we have the right documentary evidence highlighting that we did everything right and took this seriously. Simply taking the word of our providers is not enough – we need to document the due diligence and the outcomes.