The ICO has fined three companies for nuisance marketing

The ICO has fined three companies for a total of £415,000 due to nuisance marketing practices after receiving several complaints.

 

The ICO has fined three companies a total of £415,000 for nuisance marketing. Colour Car Sales Limited, Solarwave, and LTH Holdings were fined for various offenses including unsolicited calls and spam text messages. Many of the individuals receiving phone calls complained that they had been on the telephone preference service and should not have been receiving them. In all cases, the companies lacked the valid consent required in order to send direct marketing to customers. This is a violation of the Privacy and Electronic Communications Regulations (PECR). Under the PECR, the ICO has the power to impose a fine of up to £500,000 on a data controller for various violations of privacy rights in relation to electronic communications.

 

Colour Car Sales Ltd was found to have been sending spam text messages directing people to various car finance websites.

 

A credit intermediary for used car finance, Colour Car Sales Limited of Stroke-on-Trent was found to have sent several spam text messages between October 2018 and January 2020. These messages were sent to numerous people directing them to various car finance websites. Several complaints were made by the recipients of those text messages, to the ICO. This was a violation of regulation 22 of the PECR. Regulation 22 applies to the transmission of unsolicited communications via electronic mail to individual subscribers. This regulation prohibits the sending or initiating of unsolicited communications for the purposes of direct marketing by email. This form of communication is only allowed in instances where the contact information was received from the individual during the course of negotiations or a sale, and the recipient has been given a free and simple means of refusing the use of their contact details for those purposes.

 

Solarwave Ltd was fined for making unsolicited marketing calls about solar panel maintenance to people registered with the TPS.

 

Solarwave Limited, a Solar energy company in Grays, Essex was found to have made over 73,000 unsolicited marketing phone calls. These calls were made between January and October 2020. These calls were made to people who should not have been receiving phone calls at all, as they were all registered with the Telephone Preference Service (TPS) list. This list clearly outlines those individuals who have rightfully opted out of receiving unsolicited marketing calls and it is imperative to ensure that this list is adhered to, so as to avoid violating that right. Various complaints were made against the company, claiming that the company consistently called customers and even ignored stop requests. The company was found to have violated regulation 21 of the GDPR. This regulation applies to the making of unsolicited calls which can only be made if an individual has given their consent to that company to receive such calls, if the number is registered with the Telephone Preference Service.

 

Over the course of a year, LTH Holdings was found to have been making unsolicited calls selling funeral plans to people who are registered with the TPS.

 

1.4 million calls were made between May 2019 and May 2020 by LTH Holdings, a telephone marketing company from Cardiff. The ICO also received 41 complaints against this company and has reported that the company’s marketing techniques had become persuasive, aggressive and coercive which raised much concern. What was found to be of particular concern is the fact that the target market possibly included people who tend to have been more vulnerable. LTH holdings was also found to be in violation of regulation 21 of the PECR. The ICO commissioner maintains a list of registered numbers belonging to subscribers who have notified them that they do not wish to receive unsolicited calls at the moment, under regulation 26 of the PECR. The TPS is a limited company who operates on the commissioners behalf maintaining this register. Businesses a.m. to make direct marketing phone calls can subscribe to the TPS for a fee, and stay up-to-date on this list to ensure that they do so within regulation.

 

The companies were fined a total of £415,000 for the various offenses.

 

After receiving several complaints of misconduct against the three companies the ICO issued enforcement notices ordering them to stop marketing until consent has been obtained. A fine of 170,000 pounds was imposed on Colour Car Sales Limited for the spam text messages, while Solarwave and LTH Holdings were fined £100,000 and £145,000 respectively, for making unsolicited phone calls. This is a total of £415,000 which the ICO has fined and will be working to recover from the three companies. Under the PECR, the ICO has the power to impose a fine on a data controller of up to £500,000 on individual companies.

 

Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

New German law

New German law regulating eprivacy and data protection

New German law recently adopted, regulates eprivacy and data protection in telecommunications and telemedia.

 

Last month, German parliament adopted a new law regulating eprivacy and data protection in telecommunications and telemedia. Previously, the laws regulating German data protection contained partially contradictory provisions, which led to legal uncertainty on various matters. In the past, data protection and privacy inquiries were typically split between two laws, the Telemedia Act and Telecommunications Act, until May 20th when the Data Protection Act was passed. This act aims to unify the country’s rules and bring them in line with the EU’s GDPR. This new law, commonly known as TTDSG, could however be superseded by European law soon, as discussions on the new ePrivacy Regulation intensify. 

 

The new German law implements the ePrivacy directive with regard to the use of cookies.

 

The ePrivacy directive, which became EU law in 2009, states that websites are obligated to collect visitors’ informed consent to the use of cookies. The new German legislation implements the cookie consent rules of the 2009 ePrivacy Directive with a view to GDPR and the 2019 EU Court judgment in Planet49, Case C-673/17. Failure to obtain explicit consent to the use of cookies from internet users is incompatible with EU law, as rulings from both the EU court of justice and the German High Court demonstrate. The recently amended telecommunications act had been challenged by the opposition, who claimed that it did not contain sufficient data protection provisions. 

 

Fibre optics use and development stand to benefit from this new German law.

 

Germany currently lags behind most EU countries in the arena of fibre optics use and development with only 4.7% of broadband being fibre optic connections. Many European countries like Sweden, Lithuania and Spain have their fibre optic connections falling somewhere between 69% and 75% of broadband. Fiber optics provide a dedicated synchronous Internet bandwidth, which is not shared with any other Internet client. Fiber is generally faster and more reliable, allowing faster downloads. The Telecommunications Act sets clear standards for the entitlements to Internet access based on “80% of the Internet speed used by consumers in upload and download,” according to MP Falko Mohrs. The amendment not only solidifies the legal right to internet access, but also contains a list of other services. These include interference-free accommodation of video conferencing, which is imperative to citizens’ abilities to participate in the digital world. By introducing this benchmark, Mohrs believes that the fibre-isation of the  country is being driven forward. The benchmark is set and  reviewed annually in collaboration with the country’s network agency. 

  

Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

Telephone marketing rules post-Brexit

Many UK businesses are planning to shift to telephone marketing. In this blog we go through the requirements that should be met in order to do it in compliance with the ePrivacy rules.

UK businesses are no longer clearly protected by ePrivacy country of origin rule when marketing directly in EU countries, so many of them are now looking for alternatives. Are the rules on telephone marketing less strict than the ones on electronic mail marketing?

What does the ePrivacy Directive say about unsolicited communications?

Pursuant to the ePrivacy Directive “Member States shall take appropriate measures to ensure that, free of charge, unsolicited communications for purposes of direct marketing […] are not allowed either without the consent of the subscribers concerned or in respect of subscribers who do not wish to receive these communications, the choice between these options to be determined by national legislation”.

Accordingly, national implementation of the ePrivacy Directive in each Member State regulates the rules that apply in each country.

ePrivacy country of origin rule principle allows the sender to rely on the benefit of the own country less strict rules as long as there is single market. However, this does not apply to UK businesses anymore after Brexit, therefore the rules of the destination country should be considered before marketing directly in EU countries.

Automated calls

Automated calls are subject to stricter requirements. Pursuant to the ePrivacy Directive, the use of automated calling systems without human intervention (automatic calling machines) and facsimile machines (fax) for the purposes of direct marketing is only allowed in respect of subscribers who have given their prior consent.

General consent for marketing, or even consent for live calls, is not enough and it needs to cover automated calls specifically.

Telephone marketing from the UK through live calls

In EU countries

UK businesses that wish to market other businesses or individuals in EU countries should check national laws in order to confirm the following elements: 

  1. Whether consent is required;
  2. Where consent is not required, whether the number is listed in the national opt-out register or whether the data subject has explicitly objected to receiving calls from that particular business.

Most EU countries have implemented opt-out registers rather than the consent requirement, but this must be assessed on a case by case basis in order to ensure full compliance.

In the UK

UK businesses that wish to market other businesses or individuals in the UK should take the following steps:

  1. Check whether the number is registered with the TPS or CTPS.
  2. Check whether the data subject has objected to receiving calls from them.

In a nutshell, marketing calls can be freely made unless the person has opted-out from them or is registered with the TPS or CTPS. No marketing calls should be made to any number listed on TPS or CTPS unless that person has specifically consented to calls from the particular business. Telephone marketing is also prohibited when it is for the purpose of claims management services, unless the person has specifically consented to them.

Calls in relation to pension schemes are subject to special rules.

Additional requirements

Once determined that the call can be made in compliance with the relevant rules, a set of additional requirements should be applied, namely: 

  • Say who is calling;
  • Allow the number (or an alternative contact number) to be displayed to the person receiving the call;
  • Explain where the controller’s privacy policy can be found and 
  • Provide a contact address or freephone number if asked.

EU ePrivacy rules update

As reported in one of our latest blogs, earlier this month EU Member States agreed upon a negotiating mandate for revised ePrivacy rules, which would repeal the current ePrivacy Directive, starting to apply two years after its publication in the EU Official Journal. The ePrivacy Regulation may introduce new rules on telephone marketing, such as the obligation to present the calling line identification assigned to them or use a specific code or prefix identifying the fact that the call is a direct marketing call. 

 

Do you make telephone marketing? Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy rules, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

Regulatory case law, September 2015: atmospheric pollution and reimbursement of government licences

In September the European Court of Justice ruled on refusal to grant reimbursement of the charges paid for government licences under subscription contracts for mobile telephony service, and the limitation of emissions of volatile organic compounds due to the use of organic solvents in certain activities and installations.
Read more “Regulatory case law, September 2015: atmospheric pollution and reimbursement of government licences”