Grove Pension Solutions Ltd has been fined £40,000 for sending just over 2 million unsolicited emails.
What’s interesting about this case is that a third party was used to send the emails, making use of hosted marketing campaigns. Grove even checked with a data protection expert and a lawyer before instructing the marketing program to be carried out, but this was not enough, with the ICO commenting that this “proved to be inaccurate” advice:
“We acknowledge that Grove Pension Solutions Ltd took steps to check that their marketing activity was within the law, but received misleading advice. However, ultimately, they are responsible for ensuring they comply with the law and they were in breach of it.”
Even seeking advice and checking compliance was not enough to save them from receiving the fine – the ICO even adds, rather cheekily, that they would have given them advice for free!
The detail of the case is in the penalty notice.
Essentially the case came to light after the FCA (Financial Conduct Authority) alerted the ICO to Grove’s activities – the ICO had only received a couple of separate complaints.
Grove had instructed a marketing agent to deal with their marketing activities. The agent in turn made use of email providers who collected consent for email marketing via a number of websites, but on inspection of these websites and the information provided to the ICO, the ICO concluded that those people opting in via the websites would not have known to expect emails from Grove.
In a comprehensive response to the ICO, Grove set out how they received independent advice from a data protection consultancy and verified that advice with a data protection solicitor and both had concluded it was lawful for them to send the emails.
The ICO found Grove guilty of breach of Regulation 22 of PECR (Privacy and Electronic Communications Regulations 2003 – the law that sets out, amongst other things, the rules for direct marketing), meaning they did not have the appropriate consent from the data subjects for the purposes of sending the emails. The ICO also highlighted that their direct marketing guidance says ”
So, what can be learnt from this case?
- Even with evidence of due diligence, if that due diligence is wrong, it won’t stop you receiving a fine – this seems rather harsh, but we assume that Grove will now be suing the data protection consultancy and the law firm for damages, given that they acted on their advice.
- You have to be careful when you’re relying on third parties to do your email marketing for you – even if on the face of it, it looks as though they’re compliant, you need to be sure that the consent collected is compliant consent – the ICO highlights that their direct marketing guidance states “organisations need to be aware that indirect consent will not be enough for texts, emails or automated calls. This is because the rules on electronic marketing are stricter, to reflect the more intrusive nature of electronic messages”.
- Consent has to be specific enough for the subscribers to understand precisely what they’re consenting to and who they will receive marketing messages from; “general third parties” is not sufficient, nor are terms like “similar organisations” or “selected third parties”. But counter to that, an exhaustive list of potential organisations is also not suitable. What is clear is that Grove weren’t named as a potential sender of marketing emails and therefore consent was not valid.
Of course, where consent is concerned this will be even more relevant to GDPR compliant consent requirements (this case was actioned under old-Data Protection).
If you’re using third parties to send your email marketing to subscribers the third party has curated, you may need to do some checking and due diligence to ascertain that the subscribers are expecting to hear from you.