A finance brokerage firm responsible for sending thousands of spam text messages has been fined £40,000 by the Information Commissioner’s Office (ICO).
Monevo Limited, based in Macclesfield, Cheshire, sent 44,172 unsolicited marketing texts promoting loans in three months.
The law says that businesses must have obtained specific consent from people confirming they are willing to receive marketing texts from, or on behalf of, their firm. Monevo Limited did not have this consent.
ICO Head of Enforcement Steve Eckersley said:
“Nobody wants to be bombarded with text messages they didn’t agree to receive.
“That’s why the law is clear. Businesses must be able to confirm that people have given their permission to receive text messages or emails - and they must have the evidence to prove it.”
An ICO investigation, prompted by 130 complaints from the public between April and June 2016, revealed Monevo’s telemarketing affiliate had obtained the personal details used to send the messages from competition and money saving websites.
The privacy notices on those websites were generic and unspecific, for example noting that data collected would be shared with unspecified third parties ranging from home improvement companies to health and beauty services. None of these sites indicated the data would be used for sending marketing text messages from Monevo.
Mr Eckersley said:
“It is not acceptable to rely on assurances given by suppliers. Businesses need to make rigorous checks that personal data used on their behalf is used fairly and lawfully, and must be certain that they have the necessary consent.”
Mobile phone users can report the receipt of unsolicited marketing text messages to the GSMA’s Spam Reporting Service by forwarding the message to 7726 (spelling out “SPAM”). The GSMA represents the interests of mobile operators worldwide and the ICO is provided with access to the data on complaints made to the 7726 service.
Notes to Editors
- The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
- The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. The ICO has the power to impose a monetary penalty on a data controller of up to £500,000.
- The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act. They give people specific privacy rights in relation to electronic communications. There are specific rules on:
- marketing calls, emails, texts and faxes;
- cookies (and similar technologies);
- keeping communications services secure; and
- customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
We aim to help organisations comply with PECR and promote good practice by offering advice and guidance. We will take enforcement action against organisations that persistently ignore their obligations.
- Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.
- Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO).
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.