But we hired a consultant, cries UK pensions biz as it swallows £40k fine for 2 million spam emails
A legal boffin also gave us some useless advice, moans Grove Pensions
A pension-pushing biz has been fined £40,000 for sending 2 million spam emails in twelve months.
Kent-based Grove Pensions Solutions hired a marketeer to use third party email providers to distribute 2,108,924 emails - of which 1,942,010 were delivered - promoting its services. The ill-conceived plan continued for a year from October 2016, however, the company had not gained the correct consent.
After being alerted to Grove's activities by the Financial Conduct Authority, Brit data protection watchdog the Information Commissioner's Office (ICO) investigated and found the company had broken the Privacy and Electronic Communications Regulations (PECR).
The ICO did acknowledge that Grove had at least attempted to do the right thing, by hiring a "specialist" data protection consultancy to advise on the use of hosted marketing, and then checking this with an independent "data protection" solicitor.
However, it turned out the advice Grove received was shonky – and the ICO said that a "simple review of the customer journey would have exposed the issues apparent with the consents" it was using. As the instigator of the spam, the buck stopped with Grove.
"Ultimately, they are responsible for ensuring they comply with the law and they were in breach of it," said the ICO's director of investigations and intelligence Andy White.
In its penalty notice (PDF), the ICO pointed out that its own guidance states indirect consent – where a subscriber tells one organisation they consent to receiving marketing bumf from other organisations – won't be enough for texts, emails or automated calls.
It can only be valid if the user is given sufficient information at the point of consent – being told they will receive marketing from "similar organisations", from "partners" or from "selected third parties" won't make the grade.
In this case, the ICO said Grove was "not specifically named, or identified in such a way that would suggest they could lawfully instigate direct marketing to subscribers".
White added: "The ICO is here to provide businesses with guidance about electronic marketing and data protection, free of charge. The company could have contacted us and avoided this fine." ®
Sponsored: Becoming a Pragmatic Security Leader