The UK Information Commissioner’s Office (“ICO”) has issued a Monetary Penalty Notice to pensions release provider Grove Pensions Solutions Ltd (“Grove”), fining it £40,000 after the company used contact details collected by a third party for its direct marketing campaign. Grove used a specialist third-party marketing agency to send emails on its behalf to mailing lists, negligently failing to obtain valid consent from individuals who received the marketing emails. Despite seeking external advice (including legal advice), the ICO decided that Grove should have known of the risk that its conduct would breach rules on direct marketing, particularly given recent widespread publicity of this issue in the UK. The fine was imposed under the Data Protection Act 1998.

Through its marketing agent, Grove sent almost two million direct marketing emails between October 31, 2016, and October 31, 2017. The agent provided lead generation services, which included working with email providers who sent pre-approved emails to opted-in subscribers on Grove’s behalf. Although email recipients had given consent to the third parties that delivered marketing emails on Grove’s behalf, Grove was not specifically named as a sender of marketing communications when the relevant consents were obtained, and had no previous relationship with the individuals.

Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) requires that individuals provide consent to the sender before any unsolicited direct marketing communications are delivered. This consent can be provided through an affirmative opt-in, or via the ‘soft opt-in’ rule (which allows marketing to individuals whose details have been collected in the course of a sale, provided the marketing is in respect of similar products and services, and that the recipient has been given the means to opt out of such marketing).

In the Monetary Penalty Notice issued to Grove, the ICO reminds organizations that it is the responsibility of the instigator of direct marketing emails to ensure compliance with the PECR, including obtaining valid consent. Indirect consent (i.e., where consent is collected by a third party on behalf of the company conducting the marketing) is generally not sufficient in a direct marketing context “because the rules on electronic marketing are stricter, to reflect the more intrusive nature of electronic messages.” Specifically, general agreement to receive marketing from “similar organizations” or “selected third parties” is not valid.

Grove was advised by both a data protection consultancy and a data protection solicitor. The fact that Grove had sought external advice did not absolve it from responsibility. Under the circumstances, however, the ICO considered Grove’s conduct negligent, rather than deliberate. The ICO noted that “a simple review of the customer journey would have exposed the issues apparent with the consents being relied upon.”

In calculating the penalty of £40,000, the ICO took into account a number of mitigating factors. In particular, Grove generally was aware of its obligations under the PECR, the number of complaints was small, there was no evidence that it had engaged in unlawful direct marketing for a longer period, and Grove cooperated with the ICO throughout the investigation.

This enforcement action follows a fine of the same amount levied against Vote Leave last month for sending almost 200,000 unsolicited texts. These penalties demonstrate the ICO’s determination to promote compliance with the PECR. It regards the sending of unsolicited marketing email as a “matter of significant public concern.”