If there was any doubt as to whether breaches of Privacy and Electronic Communications Regulations (“PECR”) are on the UK data protection regulator’s (“ICO”) radar, the latest monetary penalty issued on 14 April 2023 really hammers home that this is a hot topic for the regulator. The monetary notice itself states ‘the issue of unsolicited marketing has also been widely publicised by the media as being a problem.’

Background:

Join the Triboo (“JTT”) describes itself primarily as an operative of job search websites but a large part of its business model, as discovered during the ICO investigation, is lead generation and hosted direct marketing. This means that JTT was ‘managing’ the sending of direct marketing emails from its ‘business partners’ to individuals who had signed up on JTT job recruitment websites. JTT took this part of their job seriously – to the extent that between 1 August 2019 and 19 August 2020 (a period of just over a year) JTT sent a confirmed total of 107 million direct marketing messages to 437,324 individuals. This means that each individual received on average during that period 244 direct marketing emails.

As JTT’s partners didn’t have direct relationships with the individuals, JTT was responsible for collecting the appropriate consents and ensuring transparency. JTT was found by the ICO to have breached PECR and was fined £130,000. Whilst this decision is relatively significant from a PECR compliance perspective, whether these fines would outweigh the commercial gain of sending such communications remains to be seen. 

The decision makes for interesting reading on how easy it is to get consent collection for direct marketing wrong and how carefully the customer journey should be considered. For background, JTT did ask for consent from individuals when their data was collected, and on some of the job applications sites they asked for consent for marketing from JTT and marketing from JTT’s partners, with a link to a privacy notice.

ICO’s decision:

The ICO found that:

  • the consent was not specific;
  • it did not inform the individual:
    • as to what marketing activity would take place;
    • neither what means the marketing activity would come via;
    • nor who the marketing activity would be by or on behalf of (the privacy policy in some instances stated that marketing may be carried out for 'third parties' who may operate in 'any business sector' and are referred to as 'business partners' and 'clients'. There was then a list of broad generalised categories and subcategories of organisations on behalf of which marketing may be sent).

In short, whilst JTT had made an attempt at compliance, the information just wasn’t good enough. In particular, the ICO commented that in order to ensure consents were compliant JTT should have consulted ICO guidance or obtained further advice if it was unclear.

The ICO acknowledged that JTT has taken steps to carry out a legal review of its processes and procedures, and has since updated its consent statements, but brutally concluded the changes made are still insufficient to equate to compliant consent statements, particularly as:

  • all marketing channels remain bundled together; and
  • the statements do not reference any of the third parties on behalf of whom JTT host marketing.

Interestingly, the ICO did also acknowledge that JTT had not deliberately set out to contravene PECR.  

Takeaways:

This decision really acts as a timely reminder of the requirements of a GDPR marketing permission. 

In particular the ICO made it very clear that the consent statements and privacy policies should have been specific as to what and how marketing was to occur, and informed individuals as to the identity of third parties on whose behalf JTT hosted marketing. The ICO noted in relation to these two consent requirements that:

  • Specific: just agreeing to ‘marketing activity’ is not sufficient to meet the specific requirements. Further, bundling channels into one consent will also not be considered valid as it is not specific; and
  • Informed: the details of the consent should not be hidden in a privacy policy as it will not meet the informed requirements. Further, consent will not be valid if individuals are asked to agree to receive marketing from or on behalf of "similar organisations", "partners", "selected third parties" or some other similar generic description as, again, this will fail on the requirement to be informed.

Aside from Lead Works whose investigation led to this investigation, ‘business partners’ themselves weren’t named in the decision and weren’t fined. This is an interesting move by the ICO who has previously focussed its attention on the brands (just ask Saga), which shows the ICO are now turning their attention to the service provider.

While this decision highlights the importance of hosted marketeers/lead generation marketeers obtaining appropriate consent for direct marketing and being transparent with individuals when consents are collected, any organisations relying on this type of hosted marketing/lead generation service, should really test their service providers processes and ensure appropriate due diligence is carried out before relying on a third party to carry out marketing campaigns on their behalf.