Analysing the ICO PECR Fines for Unsolicited Marketing

In the past 12 months, the ICO (Information Commissioner’s Office) issued 24 PECR (Privacy and Electronic Communications Regulations) monetary penalty notices relating to breaches of the direct marketing rules.

The combined fines cost £2.25 million – an average of £93,750 (or 19% of the maximum fine under the PECR).

Digging deeper into the numbers

Looking at the monetary penalty notices more closely, we know the following:

By unsolicited marketing type

 Number of penalty noticesCombined finesAverage fine
Calls to businesses417%£355,00016%£88,750
Calls to individuals1250%£1,355,00060%£112,917
Emails14%£130,0006%£130,000
Emails and texts28%£155,0007%£77,500
Texts521%£255,00011%£51,000

Note: This doesn’t necessarily reflect PECR non-compliance as a whole; just the ICO’s enforcement priorities.

By sector

 Number of penalty noticesCombined finesAverage fine
Finance, insurance and credit313%£280,00012%£93,333
General business14%£65,0003%£65,000
Marketing1667%£1,570,00070%£98,125
Retail and manufacturing14%£135,0006%£135,000
Utilities313%£200,0009%£66,667

Note 1: This doesn’t necessarily reflect PECR non-compliance as a whole; just the ICO’s enforcement priorities.

Note 2: The percentages under ‘Number of penalty notices’ add up to 101% due to rounding.

Can the ICO do more?

We asked Louise Brooks, our head of consultancy, whether she felt that the ICO had been doing  good job on enforcement in this area:

“The ICO has shown itself to be fairly consistent with PECR enforcement, certainly in the marketing arena.

“To give you an idea of the numbers: the ICO issued just 1 GDPR fine in the past 12 months, but 35 reprimands. Whereas for the PECR, it issued 24 monetary penalty notices and 0 reprimands. So I feel that the ICO could do more to regulate GDPR breaches.

“It would be good to see the same commitment to active enforcement for breaches of the GDPR [General Data Protection Regulation], too. The reality is that the ICO has effectively replaced monetary penalty notices for GDPR breaches with reprimands, which are nothing more than a slap on the wrist.”

All ICO monetary penalty notices

The table below gives the details on all ICO monetary penalty notices in relation to unsolicited direct marketing activities (i.e. PECR breaches) from December 2022 until November 2023.

The entries have been sorted chronologically.

Note: (C)TPS stands for ‘(Corporate) Telephone Preference Service’, which individuals and businesses may register for if they don’t wish to receive unsolicited direct marketing (i.e. ‘nuisance’) calls.

Organisation nameSectorUnsolicited marketing typeFineDate
Utility Guard LimitedMarketing1,932 unsolicited marketing calls to TPS-registered numbers£20,000December 2022
Repair Plans UK LimitedMarketing21,347 unsolicited marketing calls to TPS-registered numbers£70,000December 2022
Boiler Cover Breakdown LimitedMarketing9,075 unsolicited marketing calls to TPS-registered numbers£120,000December 2022
Boiler Breakdown LimitedMarketing348,724 unsolicited marketing calls to TPS-registered numbers£140,000December 2022
Allapplianceservices UK LtdMarketing99,313 unsolicited marketing calls to TPS-registered numbers£85,000December 2022
Ryan Hill PartnersMarketing463,360 marketing texts sent without consent£70,000December 2022
Monetise Media LimitedMarketing3,506,157 marketing emails and texts sent without consent£125,000December 2022
It’s OK LimitedRetail and manufacturing1,752,149 unsolicited marketing calls to TPS-registered numbers£200,000February 2023
Join the Triboo LimitedMarketing107,000,000 marketing emails sent without consent£130,000April 2023
UK Direct Business Solutions LimitedMarketing410,369 unsolicited marketing calls to (C)TPS-registered numbers£100,000May 2023
Ice Telecommunications LtdMarketing72,682 unsolicited marketing calls to (C)TPS-registered numbers£80,000May 2023
Maxen Power Supply LimitedUtilitiesUsed overseas call centres to make unsolicited marketing calls to businesses£120,000June 2023
Crown Glazing LtdUtilities503,445 unsolicited marketing calls to TPS-registered numbers£130,000June 2023
Fortis Insolvency LimitedFinance, insurance and credit558,354 marketing texts sent without consent£30,000June 2023
This Is The Big Deal LimitedUtilities39,906,342 emails and 1,511,547 texts (both unsolicited marketing) sent without consent£30,000August 2023
Simply Connecting LtdMarketing441,830 marketing texts sent without consent£40,000September 2023
SGS Home Protect LtdMarketing24,214 unsolicited marketing calls to TPS-registered numbers£70,000September 2023
Cover Appliance LtdMarketing511,499 unsolicited marketing calls to TPS-registered numbers£200,000September 2023
F12 Management LtdMarketing1,346,019 unsolicited marketing calls to TPS-registered numbers£200,000September 2023
House Hold Appliances 247 LtdMarketing19,069 unsolicited marketing calls to TPS-registered numbers£55,000September 2023
RHAP LtdMarketing15,288 unsolicited marketing calls to TPS-registered numbers£65,000September 2023
MCP Online LtdFinance, insurance and credit20,939 unsolicited marketing calls to (C)TPS-registered numbers£55,000September 2023
Digivo Media LimitedFinance, insurance and credit415,041 marketing texts sent without consent£50,000October 2023
Argentum Data Solutions LtdGeneral business2,330,423 marketing texts sent without consent£65,000October 2023

How does the ICO decide to take action?

When we put the question to Louise, she explained:

“The ICO doesn’t proactively investigate organisations for PECR infringements, but relies on being notified of breaches through complaints. This can be directly, via the online reporting tool, or through other mechanisms, like the 7726 spam reporting service.

“PECR violations are largely a numbers game, and enforcement is reliant on us as individuals reporting bad practices.”


Free guide: GDPR and PECR – A guide for marketers

To learn more about the UK marketing rules under the PECR and the GDPR, download our free white paper today.

It explains what you need to do to ensure your marketing activities are lawful, including:

  • The key legal requirements for marketers to take into account;
  • When you need consent, and how to ensure it’s valid; and
  • Best practices for using cookies and other tracking technologies.

Expert Insight with Louise Brooks

On Monday (4 December), we’re sitting down to chat to Louise about the ICO’s recent statement giving the UK’s top websites just 30 days to make sure they comply with cookie laws. If they don’t, the Commissioner has threatened enforcement action.

She’ll be giving us her views on:

  • The ICO’s enforcement methods;
  • What we might expect once the 30 days are up; and
  • How organisations are weighing up the benefits of using tracking technologies against the need for regulatory compliance.

Read our interview with Louise.

Author

Add a Comment

Your email address will not be published. Required fields are marked *