UK's ICO slaps £120k fines on Arron Banks' insurance biz and Leave.EU campaign

Commish also promises audit for the firms' data protection practices

The Leave.EU campaign and Brexiteer Arron Banks' insurance biz Eldon have been fined a total of £120,000 for dodging direct marketing rules.

The companies came under the scrutiny of data protection watchdog the Information Commissioner's Office during its long-running investigation into the use of personal data in political campaigns.

In addition to the fines, the ICO will audit the firms' data protection practices, including how they process personal data and what policies and training are in place. The body noted that it is a criminal offence to obstruct such an audit or destroy information covered by it.

Both Leave.EU and Eldon Insurance – trading as GoSkippy Insurance – have been fined £60,000, with Leave.EU's being split between two separate incidents.

The smaller of the two Leave.EU fines, £15,000, was doled out after the biz sent 300,000 political marketing messages using Eldon's customer details. This was due to the firms having closely linked systems that didn't properly separate insurance customers from political subscribers.

The larger fine of £45,000 was for a separate incident, in which Eldon sent more than one million emails that offered discounted GoSkippy services to Leave.EU subscribers. That same incident earned Eldon Insurance a £60,000 fine.

Under direct marketing laws (Privacy and Electronic Communications Regulations), companies must have consent from users in order to send such emails.

When questioned about the consent, Leave.EU tried to argue they weren't unsolicited emails because subscribers had agreed to receive newsletters, and a privacy policy referred to information from third parties.

However, this policy – which came from a different data controller, but which the ICO accepted for the purposes of this investigation would have been understood to apply to Leave.EU – did not say who the third parties were, or what type of marketing subscribers might receive.

The ICO said that neither Leave.EU nor GoSkippy had gained the proper consent, noting that it was up to GoSkippy to ensure it had that consent.

It added that GoSkippy had worked "to ensure its own marketing, from which it, not Leave.EU, would benefit, was to be included in the emails" and said the lack of a formal contract did not go in its favour.

Rather, it is "indicative of a more informal, blurred, arrangement, whereby GoSkippy was able to instigate the inclusion of its own marketing material as it wished".

Although the ICO announced the monetary penalties today, it publicly revealed its plans to fine the companies last November – at which point it said both would be penalised £60,000, meaning Leave.EU has had £15,000 knocked off its bill.

However, both firms' representations – which are allowed after the commissioner announces an intention to fine, but before the final penalty is decided – pointed to the fact they had received no complaints relating to the incident.

Neither does the ICO refer to receiving any complaints itself, something that is usually highlighted in enforcement notices.

It is possible that this could be used by the firms to appeal the decision; as data protection consultant Tim Turner pointed out on Twitter, Xerpla – which was fined £75,000 for a similar breach – won its appeal at tribunal.

Should the firms decide to simply pay up, they will get a 20 per cent discount for paying by 5 March.
