The Information Commissioner’s Office (ICO) has fined Easylife Ltd £1,350,000 for using personal information of 145,400 customers to predict their medical condition and target them with health-related products without their consent.
The company was also fined £130,000 for making 1,345,732 predatory direct marketing calls.
Easylife is a catalogue retailer that sells household items, as well as services and products under their Health, Motor, Supercard, and Gardening Clubs.
The ICO investigation found that when a customer purchased a product from Easylife’s Health Club catalogue, the company would make assumptions about their medical condition and then market health-related products to them without their consent.
For example, if a person bought a jar opener or a dinner tray, Easylife would use that purchase data to assume that person has arthritis and then call the individual to market glucosamine joint patches.
Out of 122 products in Easylife’s Health Club catalogue, 80 items were considered to be ‘trigger products’. Once these products were purchased, Easylife would profile the customer to target them with a health-related item.
The ICO found that significant profiling of customers and ‘invisible’ processing of health data took place. It is ‘invisible’ because people were unaware the company was collecting and using their personal data for that purpose. This is against data protection law.
In a separate investigation the ICO found that, between 1 August 2019 and 19 August 2020, Easylife made 1,345,732 unwanted marketing calls to people registered with the Telephone Preference Service (TPS).
Under the Privacy and Electronic Communications Regulations (PECR), live marketing calls should not be made to anyone who has registered with the TPS, unless they have told the caller that they wish to receive calls from them.
The ICO received 25 complaints about Easylife, with people saying they felt angry, anxious, threatened, and distressed in response to their calls. One of the complainants was an elderly hearing-impaired person registered with the TPS who had been unable to hear most of the call, while another individual was mis-sold two subscriptions and required a family member’s help to arrange a refund.
John Edwards, UK Information Commissioner, said:
“Easylife was making assumptions about people’s medical condition based on their purchase history without their knowledge, and then peddled them a health product – that is not allowed.
“The invisible use of people’s data meant that people could not understand how their data was being used and, ultimately, were not able to exercise their privacy and data protection rights. The lack of transparency, combined with the intrusive nature of the profiling, has resulted in a serious breach of people’s information rights.
“Easylife was not only found guilty of breaching data protection law, but our investigation also discovered that they made thousands of predatory marketing calls to people who clearly did not want to receive them. It is clear from the complaints we received that people felt threatened and distressed by the company’s aggressive tactics. This is unacceptable. Companies making similar nuisance calls and causing harm to people can expect a strong response from my office.”
Members of the public who believe their personal data has been misused or they have been the victim of nuisance texts, calls or emails, should report them to the ICO, get in touch via live chat or call our helpline on 0303 123 1113.
Notes to Editors
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals. It has its head office in Wilmslow, Cheshire, and regional offices in Edinburgh, Cardiff and Belfast.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five Acts / Regulations.
- The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- The ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17.5 million, or 4% of total global annual turnover, whichever is higher.
- This penalty was issued under the DPA2018 for infringements of the GDPR.
- The Privacy and Electronic Communications Regulations (PECR) give people specific privacy rights in relation to electronic communications. There are specific rules on: marketing calls, emails, texts and faxes; cookies (and similar technologies); keeping communications services secure; and customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
- The ICO has the power under PECR to impose a monetary penalty on a data controller of up to £500,000. It can also apply for court orders for winding-up companies and, by working closely with partners, get directors disqualified. More details of this work are available here.
- Any monetary penalty is paid into the Consolidated Fund, which is the Government’s general bank account at the Bank of England, and is not kept by the ICO.
- To report a concern to the ICO, telephone our helpline on 0303 123 1113 or go to ico.org.uk/concerns.