London-based firm Tax Returned Limited has been fined £200,000 by the Information Commissioner’s Office (ICO) for sending out millions of unsolicited marketing text messages.
The ICO’s investigation found that, between July 2016 and October 2017, the company broke the law by sending 14.8 million marketing text messages without valid consent through a third party service provider.
As the instigator of the campaign, Tax Returned should have taken reasonable steps to make sure the data they obtained complied with the Privacy and Electronic Communications Regulation (PECR), which includes getting specific, prior consent from people receiving the messages.
The firm also claimed that some of the consents were received through generic third party consent found on privacy policies of certain websites.
However, the ICO found that the wording of the policies was not clear enough and that neither Tax Returned nor the third party service provider were listed on most of those privacy policies.
The ICO has also served an enforcement notice on Tax Returned, ordering the firm to stop its illegal marketing activity.
Steve Eckersley, ICO’s Director of Investigations, said:
“Spam texts are a real nuisance to people across the country and this firm’s failure to follow the rules drove over 2,100 people to complain.
“Firms using third party marketing services need to double-check whether they have valid consent from people to send promotional text messages to them. Generic third party consent is also not enough and companies will be fined if they break the law.”
People can report nuisance calls, texts and emails at ico.org.uk. Spam texts can also be reported by forwarding them to 7726.
If you need more information, please contact the ICO press office on 0303 123 9070, or visit the media section on our website.
Notes to Editors
- The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018, the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
- The Privacy and Electronic Communications Regulations (PECR) give people specific privacy rights in relation to electronic communications. There are specific rules on:
- marketing calls, emails, texts and faxes;
- cookies (and similar technologies);
- keeping communications services secure; and
- customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
The ICO aims to help organisations comply with PECR and promote good practice by offering advice and guidance. The ICO will take enforcement action against organisations that persistently ignore their obligations.
- The ICO has the power under PECR to impose a monetary penalty on a data controller of up to £500,000.
- Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.
- Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the ICO.
- To report a concern to the ICO, visit ico.org.uk/concerns.