£200,000 fine for direct marketing campaign in breach of the DPA and PECR

Direct marketers who breach the Data Protection Act 1998 (“DPA“) and Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR“) will continue to be a regulatory hotspot as indicated  by a recent £200,000 Monetary Penalty Notice levied by the Information Commissioner’s Office (“ICO”) against Home Energy & Lifestyle Management Ltd (“HELM“).

Readers may recall that the threshold for issuing Monetary Penalty Notices for nuisance calls and spam texts was reduced by the Government from 6 April 2015 after lengthy lobbying by the ICO.

Lessons to learn from this Monetary Penalty Notice include:

1. Ignorance or confusion about the law is no excuse. HELM alleged they were not aware different regulations applied for live and automated marketing calls;
2. Data controllers should check any proposed marketing campaign complies with its obligations under the DPA and PECR before starting such campaign. This includes checking the consents received from the relevant data subjects meet the consent required for the proposed marketing campaign, TPS screening before any live or automated calls, providing data subjects with a means of stopping any automated calls, ensuring their statements are not misleading, not repeatedly calling data subjects;
3. Data subjects can report unsolicited calls, texts, emails and faxes via the ICO’s online reporting tool. In addition, mobile phone users can report spam texts to the Mobile Network Operators spam text reporting service by forwarding the messages to 7726 (spelling out SPAM).

The strength of the ICO’s feeling on this matter, which all data controllers who undertake direct marketing should note, is illustrated by the ICO stating:

1. HELM’s actions which constituted the contravention of the PECR were deliberate, even if HELM did not actually intend to contravene PECR;
2. The Commissioner considers that even if the distress likely to have been suffered by each affected individual was less than substantial, the cumulative impact would clearly pass the threshold of “substantial”. In addition, given the number of affected individuals, it was inherently likely that at least a small proportion of those individuals would have been likely to suffer substantial distress on account of their particular circumstances.

The ICO inferred the fine would have been greater had HELM not fully co-operated and advised it would not be running such a campaign in the future.

Michelmores would be delighted to help any data controllers who engage in direct marketing and have any queries in relation to their legal obligations under the PECR and DPA.