The ICO (Information Commissioner’s Office) has fined Grove Pension Solutions £40,000 for sending nearly 2 million unsolicited marketing emails.
The pensions firm’s campaign, which took place between October 2016 and October 2017, violated the PECR (Privacy and Electronic Communications Regulations).
Tried to do the right thing
Grove’s PECR failure wasn’t for lack of effort. The organisation hired a data protection consultant for advice and ran its plan past an independent data protection solicitor.
Unfortunately, either the counsel was wrong or Grove didn’t take it on board. Either way, the ICO pointed out that the organisation was responsible for its own actions.
The ICO’s director of investigations and intelligence, Andy White, said: “Spam email uses people’s personal data unlawfully, filling up their inboxes and promoting products and services which they don’t necessarily want.
“We acknowledge that Grove Pension Solutions Ltd took steps to check that their marketing activity was within the law, but received misleading advice. However, ultimately, they are responsible for ensuring they comply with the law and they were in breach of it.
“The ICO is here to provide businesses with guidance about electronic marketing and data protection, free of charge. The company could have contacted us and avoided this fine.”
What are the PECR’s consent requirements?
The PECR states that organisations must obtain explicit consent whenever they send unsolicited electronic communications for marketing purposes. Unlike the GDPR (General Data Protection Regulation), the requirements apply even when personal data isn’t being processed.
In this instance, Grove relied on indirect consent. That is to say, it used email addresses provided by people who, in the process of consenting to another organisation’s service, agreed to be contacted by third parties.
However, the ICO’s PECR guidance states that it’s not enough to say that an individual might be contacted by “similar organisations”, “partners” or “selected third parties”.
The request for consent must come from the organisation in question, or from a third party that specifically names the organisations that will be given access to individuals’ contact information.
Don’t make the same mistake
As Grove learned to its cost, the PECR can be a minefield to navigate, particularly when you also need to meet the GDPR’s requirements. Any organisation that’s unsure about its compliance status should consider our PECR Audit Service.
With this service, an independent assessor reviews your processes and delivers a detailed report, showing you how to resolve any areas of non-compliance.