The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The ICO has today announced fines totalling £495,000 to well-known companies that between them sent more than 354 million nuisance messages.

We Buy Any Car was fined £200,000 for sending more than 191 million emails. The firm also sent 3.6 million nuisance texts. Saga Services Ltd and Saga Personal Finance were fined £150,000 and £75,000 respectively for instigating more than 157 million emails between them. Sports Direct has been fined £70,000 for sending 2.5 million emails.

None of the companies had permission from people to send them marketing emails or texts. This is against the law.

Andy Curry, ICO Head of Investigations, said:

”Getting a ping on your phone or constant unwanted messages on your laptop from a company you don’t want to hear from is frustrating and intrusive.

“These companies should have known better. Today’s fines show the ICO will tackle unsolicited marketing, irrespective of whether the messages have been orchestrated by a small business or organisation, or a leading household name. The law remains the same and we hope today’s action sends out a deterrent message that members of the public must have their choices and privacy respected

“Companies that want to send direct marketing messages must first have people’s consent. And people must understand what they are consenting to when they hand over their personal information. The same rules apply even when companies use third parties to send messages on their behalf.”

The ICO’s investigations into the companies were sparked by complaints from the public.

Details of each case are below:

We Buy any Car sent emails to people who had requested an online valuation of their vehicles. The Information Commissioner found that the initial emails sent after a valuation request were made within the law, but that subsequent emails which also promoted the We Buy Any Car service were unlawful because they contained marketing as well as being sent without consent. The company sent more than 191 million emails between April 2019 and April 2020, plus 3.6 million text messages. It has been has been fined £200,000.

Both Saga Services Ltd (SSL) and Saga Personal Finance (SPF) instigated emails using partner companies and their affiliates. These companies used data lists of people who had not given the companies permission to contact them. SSL instigated more than 128 million emails between November 2018 and May 2019 and SPF more than 28 million over the same period.

The companies say they relied on indirect consent, however the laws around electronic messages are stricter as they are more intrusive and this form of consent is not adequate. SSL has been fined £150,000 and SPF £75,000. Both companies have also been issued with Enforcement Notices ordering them to stop any illegal direct marketing within 30 days or face court action.

Sports Direct sent 2.5 million emails as part of a re-engagement campaign between December 2019 and February 2020 with people they had not contacted for some time. They were unable to show any evidence of consent to contact the recipients. The company has been fined £70,000.

The ICO has issued 17 fines totalling more than £1.7 million so far this year (2021/22) for breaches of direct marketing laws. You can read more about this enforcement action here and our work to recover fines here.

Notes to Editors

  1. The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018, the UK General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
  3. The Privacy and Electronic Communications Regulations (PECR) give people specific privacy rights in relation to electronic communications. There are specific rules on:
    • marketing calls, emails, texts and faxes;
    • cookies (and similar technologies);
    • keeping communications services secure; and
    • customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
  4. The ICO’s powers under the Privacy and Electronic Communications Regulations (PECR) which cover nuisance marketing include issuing fines of up to £500,000. It can also apply for court orders for winding-up companies and, by working closely with partners, get director’s disqualified. More details of this work are available here.
  5. Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.
  6. Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO).
  7. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.