The Information Commissioner’s Office (ICO) is targeting more than 400 companies believed to be using people’s personal details to promote online gambling websites.
The regulator is writing to companies demanding they set out how they use people’s personal details and send marketing texts. This includes where they got people’s personal information from and how many texts they sent.
The campaign is part of an investigation by the ICO into large numbers of spam texts linked to the gambling sector.
David Clancy, ICO anti-spam investigations manager, said:
“Companies must comply with the law when using people’s personal information. Not knowing the law or trying to pass the buck to another company in the chain is no excuse.
“The public expect firms to be accountable for how they obtain and use personal data when marketing by phone, email or text. Fail to be accountable and you could be breaking the law, risking ICO enforcement action and the future of your business.”
Failure to comply with the law can result in enforcement action from the ICO, including a fine of up to £500,000.
The ICO is writing to companies identified as being involved in affiliate marketing. This is when firms offer to pay organisations that bring them new customers, sometimes leading to a situation where neither party is taking any responsibility for complying with the rules. The gambling sector is an area where the ICO has become aware of particular problems around affiliate marketing.
Mr Clancy added:
“It’s thanks to consumers who’ve reported spam texts to us, as well as intelligence from other sources, that we’ve been able to progress our investigations to this stage.”
If businesses do not respond to the request for information, the ICO can use its powers to demand the information to be provided.
A new code of practice has been launched by the ICO this month which sets out how organisations should explain to people how they’re using their personal information.
Notes for Editors
- The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
- The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. The ICO has the power to impose a monetary penalty on a data controller of up to £500,000.
- The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act. They give people specific privacy rights in relation to electronic communications.
There are specific rules on:
marketing calls, emails, texts and faxes;
cookies (and similar technologies);
keeping communications services secure; and
customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
We aim to help organisations comply with PECR and promote good practice by offering advice and guidance. We will take enforcement action against organisations that persistently ignore their obligations.
- The rules on electronic mail marketing (which includes text messages) are in regulation 22 of PECR. In short, you must not send electronic mail marketing to individuals, unless:
they have specifically consented to electronic mail from you; or
they are an existing customer who bought (or negotiated to buy) a similar product or service from you in the past, and you gave them a simple way to opt out both when you first collected their details and in every message you have sent.
You must not disguise or conceal your identity, and you must provide a valid contact address so they can opt out or unsubscribe.
- Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.
- Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO).
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.