ICO issues £200k fine for unsolicited text messages without valid consent

Share This Post

The Information Commissioner’s Office (ICO) has issued a £200,000 fine to Tax Return Limited (“TRL”) for sending out 14.8m unsolicited marketing text messages (which generated 2146 complaints).

The Privacy and Electronic Communications Regulation 2003 (PECR) only permit the sending of marketing emails or text messages if the recipient consents to receiving the messages or is a customer and hasn’t opted out of marketing (of similar products and services).

TRL indicated that it had sent the messages via a third-party and were relying on indirect consent (i.e. the third-party had got the consent to send the messages on TRL’s behalf) for the permission to send the messages. What the ICO’s investigation highlights is that despite the assurances from the third-party, TRL hadn’t carried out the necessary due diligence to ensure that the third-party’s data was indeed compliant and they had the pre-requisite consent. And whilst some examples of consents given were provided to the ICO, TRL were unable to provide evidence of consent from any of the complainants, mainly because the third-party where consent had been collected no longer operates. Furthermore, privacy statements and processing information that was supplied (taken from the third-parties who alleged that consent had been collected), was deemed by the ICO to also be inadequate as it did not provide enough information to indicate the “subscriber” would be receiving marketing messages from TRL.

So what does this tell us in a GDPR world?

  1. We must make sure that we are clear we have the right kind of consent when it is required. The GDPR is very clear about what appropriate consent should look like and the PECR rules are clear what is and isn’t lawful when it comes to marketing messages.
  2. There is nothing wrong with using third-party list providers, but provided we carry out appropriate due diligence to ensure that the right kind of consent is obtained: (a) evidence that consent has been given; (b) that the consent is GDPR compliance; (c) that the “subscribers” or the recipients of the marketing messages will expect to hear from our business (and therefore not be surprised).
  3. Document, document, document. We need to make sure we have the right documentary evidence highlighting that we did everything right and took this seriously. Simply taking the word of our providers is not enough – we need to document the due diligence and the outcomes.


More To Explore

Eat. Sleep. GDPR. Repeat.

We live and breathe GDPR and ePrivacy compliance, so you don’t have too. Our GDPR UNLIMITED helpline is all about offering you help and support, whenever you need it most. As well as the unlimited helpline, you get up to 4 hours “hands-on” help each month, which we can configure to help you in anyway you need such as a GDPR review, or acting as your DPO.

As well as the unlimited helpline and hands-on help you get GDPR and privacy updates, access to our GDPR knowledge centre and webinars.

Unlimited email & phone support

Unlimited email and phone support. Email or organise a voice call as often as you need each month.​

Up to 4 hours "hands-on" help per month

We use these "hands-on" hours to do the GDPR work for you, such as reviews, acting as your DPO, checking DPIA, dealing with breaches, training your staff, etc. (Additional hours: £100+VAT per hour)

Online resources

Our Knowledge Centre gives you access to information, guidance, topic related guides and other tools to support your GDPR and PECR compliance

Updates, alerts & briefings

We provide updates and alerts and a monthly compliance briefing. You can either sign into the Knowledge Centre or sign up via email to receive an email every time we add a new update or alert

DPO services

Whether mandated or not we can act as your Data Protection Officer (DPO) and manage your day to day compliance

Webinars, workshops & training

Whether updates on the latest issue, workshops or team training, it's all included in your monthly retainer.

LIKE WHAT YOU'RE READING? join our email list

Sign up for monthly briefings and the occasional emails about our webinars and services

Want to know more about how we use your data? Check out our privacy policy