Analysing the ICO PECR Fines for Unsolicited Marketing

Since March 2022, the ICO (Information Commissioner’s Office) has issued 42 monetary penalty notices for PECR (Privacy and Electronic Communications (EC Directive) Regulations 2003) breaches relating to unsolicited direct marketing.

In total, these have cost UK organisations £4,080,000 so far.

Note: We first published a version of this blog on 1 December 2023. We’ll continue to update this page as the ICO releases new data.


What’s the difference between a monetary penalty notice and an enforcement notice?

Louise Brooks, our head of consultancy, explains:

“The ICO has several enforcement powers for infringements of the PECR and the UK GDPR [General Data Protection Regulation] that can be used in combination depending on the circumstances.

“A monetary penalty notice is just a fine, whereas an enforcement notice requires an organisation to do other things – implement policies, for example.

“An organisation can be fined without an enforcement notice and vice versa.

“So, it’s perfectly possible for an organisation to have all the right accountability documents and procedures in place but still be fined.”

With that in mind, this page only accounts for monetary penalty notices under the PECR, and not enforcement notices. This includes the HelloFresh case, for which the ICO issued a fine but not an enforcement notice.


When were the fines issued?

On average, the ICO issues 1.6 PECR fines a month.

However, as you can see in the graph below, the ICO tends to issue multiple fines within a short period, then lets a month or more pass without issuing fines at all.

That said, the ICO has consistently issued at least one PECR fine a quarter over the past two years:

Note: Q2 2022 is the first full quarter’s worth of data available on the ICO’s website. And Q2 2024 is, of course, still ongoing.


How high are the fines?

The average PECR fine is £97,143. However, this varies a lot over time:

To smooth out this graph, here is the average fine per quarter:

So, the average fine climbed towards the end of 2022 and into early 2023, then dropped off, and is now climbing again.


Can the ICO do more?

We asked Louise Brooks whether she felt that the ICO had been doing a good job on enforcement in this area:

“The ICO has shown itself to be fairly consistent with PECR enforcement, certainly in the marketing arena.

“It’d be good to see the same commitment to enforcement for breaches of the GDPR, too. The reality is that the ICO has effectively replaced monetary penalty notices for GDPR breaches with reprimands, which are nothing more than a slap on the wrist.”

Louise goes into more detail on ICO enforcement in this interview.


3 biggest fines in the past 6 months

The following table shows the three biggest fines of the past six months:

Note: ‘TPS’ stands for ‘Telephone Preference Service’. There’s also a ‘CTPS’: ‘Corporate Telephone Preference Service’.

You can find out more about the Outsource Strategies Ltd, Poxell Ltd and HelloFresh cases on the ICO website.


Which sectors has the ICO fined?

Since March 2022, the ICO has fined six sectors (based on the ICO’s own categorisation):

Note that this only reflects the ICO’s enforcement priorities – not PECR non-compliance as a whole. Mapping the sectors against the time of the fine makes this clearer:

As the above graph shows, the ICO tends to concentrate on one or two sectors at a time.

The average fine per sector varies between £52,500 and £125,000. However, those figures are for the two sectors with the fewest PECR fines, so they are more prone to skew.


Which types of unsolicited marketing receive the most and biggest fines?

Broadly speaking, the ICO distinguishes between four types of unsolicited marketing:

  1. Texts
  2. Emails
  3. Calls to individuals
  4. Calls to businesses

‘Nuisance’ calls typically lead to more and higher fines:

Note that some fines were for both emails and texts. When we account for this, it becomes even clearer that nuisance calls lead to worse penalties than written nuisance messages:

It’s also worth noting that, for the nuisance calls made to people registered with the (C)TPS, all but one of the fines were for using a public telecoms service to make those calls.

The exception, Green Logic UK Ltd, received the second-lowest fine out of all fined nuisance callers since March 2022: £40,000.


How does the ICO decide to take action?

When we put the question to Louise Brooks, she explained:

“The ICO doesn’t proactively investigate organisations for PECR infringements, but relies on being notified of breaches through complaints. This can be directly, via the online reporting tool, or through other mechanisms, like the 7726 spam reporting service.

“PECR violations are largely a numbers game, and enforcement is reliant on us as individuals reporting bad practices.”

With that in mind, and considering the data we just analysed, is it worth becoming compliant? Louise explains:

“I usually present things to clients as follows: ‘This is what the law says. This is the gap between what you’re doing and that law. And these are the changes I think you need to make to be compliant.’

“‘However, given your operational circumstances of X, Y and Z, you may consider taking a risk-based approach, but you should be mindful of A, B and C.’

“That A, B and C might be, for example, a recent fine or what the guidance says.

“And then I just leave it with the client! I just need to tell them what they should be doing to comply, but I understand that the organisation then has to weigh up the risk of making that change against the risks of non-compliance materialising.”


How can DQM GRC help?

We understand the reality of compliance – we’ve analysed the ICO data.

If you want advice from an expert who can help you meet your privacy obligations while you continue to meet your business objectives, get in touch with us.

We’ll assign you an experienced consultant who’ll:

  • Tell you what your risks are; and
  • Give you practical advice and guidance on how to make changes.

That advice is completely tailored to your organisation. We recognise that every organisation is different, and that our offerings must reflect that.

Author

  • Kyna Kosling

    Kyna (pronounced “KEE-na”) has worked at GRC International Group since January 2018, and posted on the blog since October 2023. She spends a lot of her time interviewing subject-matter experts and crunching numbers.
