The First-tier Tribunal (FTT) has found that a man who delayed payment of tax because he was...
Businesses that rely on data supplied by third parties for marketing purposes should undertake timely due diligence to ensure that the necessary consent for such use has been obtained. The consequences of failing to do so were demonstrated recently when the Information Commissioner's Office (ICO) issued a monetary penalty to a debt advice company under Section 55A of the Data Protection Act 1998.
After reviewing complaints received via Mobile UK's Spam Reporting Service, the ICO identified a total of 4,033 such complaints relating to text messages that appeared to have been sent by the company over a four-month period. The ICO sent an initial investigation letter to the company and, following further attempts to obtain the information requested, eventually issued an Information Notice.
In its response to the Information Notice, the company stated that, over the relevant period, 129,902 text messages had been successfully delivered, and that its lead supplier of marketing data, which had recently gone into liquidation, had not replied to its requests for evidence that the relevant mobile numbers had consented to receiving text messages from it.
The ICO found that, in sending the text messages, the company had contravened Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). It had failed to conduct appropriate checks that valid consent had been obtained for it to send the messages. The ICO was satisfied from the evidence it had seen that the company did not have the necessary consent.
The ICO found that the contravention was serious. While it did not consider that the company had deliberately set out to contravene the PECR, the contravention was negligent: the company knew or ought reasonably to have known that there was a risk that contraventions would occur, and had failed to take reasonable steps to prevent them. It was not acceptable to rely on assurances from third-party suppliers without undertaking proper due diligence. The company should have requested copies of opt-in statements and privacy policies from its lead supplier before sending the text messages, rather than waiting until it was under investigation by the ICO.
The ICO decided to issue a monetary penalty of £30,000.
