A £1.35m fine has been meted out by the ICO to a catalogue retailer, Easylife Limited. The mail order business profiled 145k of its customers for inferred heath conditions in order to market products to them over the phone but without telling those customers that it was going make such inferences.

The fine serves as a reminder to marketeers that they should not focus solely on an end communication’s compliance with e-privacy requirements (in Easylife's case, this was subject to a separate £130k fine and enforcement notice) – the associated processing of personal data which informs the targeting of that communication is just as important. The fine also stresses the importance of ensuring that such profiling is undertaken with individuals’ knowledge to avoid invisible processing; and that there is an appropriate lawful basis for doing so – including when it comes to inferring special category data.  

The health campaign

Easylife sells household products through catalogues. It ended up on the ICO’s radar after a telemarketing company which conducted outbound calling for Easylife was subject to a separate investigation by the ICO. (To set the tone, note that the supplier promoted funeral plans during the pandemic).

Easylife’s health telemarketing campaign, which was conducted by an unnamed third party, was in the crosshairs. There were 122 ‘trigger products’ in Easylife’s catalogue. A purchase of one of these products would trigger a marketing call to the customer using personal data of which Easylife was the data controller. Easylife had linked those trigger products to several health conditions which Easylife had inferred the customer was likely to have. It would then use those inferences to attempt to sell the customer health supplement products which would allegedly help with the inferred health issues.

Apparently most calls were targeted at customers who were inferred to have arthritis. (It turns out that Easylife’s target market was older people with long-term health conditions). A purchase of one of 80 of the 122 products would lead Easylife to infer that the customer had arthritis. That customer would then be called to sell them glucosamine patches – an alleged therapeutic for arthritis.

The ICO’s concerns 

The ICO was concerned that the use of transactional data to influence decisions about which customers to subject to telemarketing was profiling; and that special category data was being processed where those decisions were based on inferences about a health condition a customer was likely to have.

It noted that there was no reference to profiling in Easylife’s privacy notice. Easylife also relied on its own legitimate interests for the processing and provided the ICO with a deficient legitimate interests assessment which did not relate to the health campaign and which inaccurately answered the questions posed in that assessment. Easylife also argued that it only processed transactional data – not special category data.

The ICO cited the (somewhat controversial) CJEU decision earlier this summer in Case C-184/20 (on inferring sexual orientation from personal data published online), as well as his own guidance, in support of his view “that the transactional data from which Easylife made and relied on inferences was special category data, which Easylife unlawfully processed. Easylife used the transactional data to infer that the customer probably had a particular health condition, to alleviate which specific products were then marketed to the data subject, in direct marketing telephone calls.” [sic]

Since consent was the only basis on which Easylife could process special category data in the context of its health campaign, Easylife had contravened Articles 6 and 9 of the UKGDPR. Failing to inform individuals of profiling of their special category data also meant that they could not have reasonably expected it to happen – invisible processing being a breach of Article 5(1)(a) of the UKGDPR. The deficient privacy notice was also a breach of Article 13(1)(c) of the UKGDPR.  

Calculating the fine

In deciding to fine Easylife, the ICO applied its Regulatory Action Policy. The starting point for the fine was £750k given that it concerned the processing of special category data of some 145k individuals (many of whom were potentially vulnerable) who were profiled for inferred health conditions. The processing, which took place over a year, was invisible with assumptions being made about health conditions based on purchased goods.  

The ICO increased the starting point by £50k given Easylife’s failure to obtain explicit consent and its attendance at a previous compliance meeting. A decrease in that same amount was then applied as a result of mitigations – in particular, a £200k CRM system, improved SLAs and contracts with processors, improving consent statements and ceasing to profile individuals.

The sum was then increased by £100k to £850k for failing to conduct a DPIA.

In then considering whether a penalty of £850k would be “effective, proportionate, and dissuasive” the ICO looked at Easylife’s accounts. These showed a turnover of some £51.5m for the y/e 31 December 2020 – which Easylife described as an “exceptionally profitable year” (presumably buoyed by its sale of face masks). Its estimated turnover for the year to December 2022 was around half that; and it would likely incur a substantial loss. The retailer also apparently had concerns about the increased cost of doing business.

All that considered, the ICO increased the penalty by £500k to £1.35m.    

Some final thoughts

  • When it comes to direct marketing, don’t focus just on the end communication but consider the entire chain of processing of personal data leading up to that communication.
  • Be careful who you associate with – the suppliers you choose may result in your own activities being brought into focus.
  • Unsurprisingly, the decisions of Europe’s highest court are still of regulatory relevance in the UK.
  • The ICO is clear that personal data used to make inferences about health is special category data and should be treated accordingly. Treat other Article 9-protected characteristics with similar care.
  • Remember that invisible processing is one of the ICO’s triggers for a DPIA – fail to do one at your cost (in this case, an extra £100k).
  • Don’t expect a pat on the back if there are zero complaints about invisible processing – where individuals are in the dark about the processing at issue, the absence of complaints is, according to the ICO, "unsurprising".