Fines for companies breaking anti-spam rules reach new highs
The Information Commissioners’ Office (ICO) has the power to issue fines of up to £400,000 to companies that fail to comply with data handling and antispam law and it’s a power that they’re increasingly willing to wield.
Download Premium Resource – GDPR briefing guide
Our round-up of the best guidance on the latest European Union data protection and privacy legislation and how it affects you and your business Are you ready for the GDPR? The GDPR (General Data Protection Regulation (Regulation (EU) 2016/679) comes into force in all 28 countries in Europe on 25th May 2018. It has been agreed by the EU in this directive and how it must be implemented to remain compliant differs according to interpretation in different countries.
Access the GDPR briefing
Since 2015, The ICO has issued fines of over £8.7 million to UK organizations that have broken the rules.
104 separate monetary penalty notices have been issued in the same period.
With GDPR taking effect from May 2018, it’s more important than ever that companies understand their responsibilities regarding the handling and protection of consumer data.
As the fines data reveals, the consequences for companies that break the rules can be very serious indeed.
Companies under closer scrutiny
The ICO are taking their duties more seriously. In 2017 there was an increase in the total value of fines issued of 58% over the previous year.
Clearly laying out their intentions, the Head of Enforcement at the ICO, Steve Eckersley commented:
“Companies who pester the public must understand they won’t get away with it. The ICO will take action.”
Improved complaints process
Consumers are increasingly aware of their rights regarding unwanted texts, calls and email and the process of complaining to the ICO has become much easier and transparent in recent years.
They have an excellent ‘report a concern’ section of their website that makes it quick and easy for consumers to complain or seek help.
We’re rightly becoming increasingly intolerant when companies intrude on our personal spaces and we’re now much more likely to take active steps against it.
Fines show upward trend
Since August 2015, a total of 104 monetary penalties have been issued to organizations that have broken anti-spam or data protection rules.
In 2017, there was a 58% increase in the total value of fines issued by the ICO, a rise from £2.9 million to £4.9 million.
The fines have been issued for 4 main categories of illegal activity;
Email spam, SMS spam, nuisance calls and data protection breaches.
Spam phone calls attract highest fines
Nuisance calls accounted for 46% (£4,017,000) of all monetary penalties issued since August 2015.
Automated calling technology has allowed unscrupulous companies to target million of individuals at their home address.
In May 2017, Keurboom Communications, a company behind a staggering 99.5 million nuisance calls was fined a record £400,000 by the ICO.
“These calls have now stopped but our work has not. We’ll continue to track down companies that blight people’s lives with nuisance calls, texts and emails.”
Steve Eckersley – ICO
Data breaches attract record number of fines
Data breaches, where organizations have failed to protect consumer data adequately, accounted for 34% (£2,996,501) of all fines issued since August 2015.
Data breaches also attracted the largest numbers of fines. A total of 41 companies and organizations were fined, 39% of all fines.
One of the most notable data breaches was by Talk Talk Telecom in October 2016.
They were issued with a £400,000 fine for security failings that allowed a cyber attacker to access the personal data of 155959 customers and the bank details of 15656.
Commenting on the case, Information Commissioner Elizabeth Denham said:
“TalkTalk’s failure to implement the most basic cybersecurity measures allowed hackers to penetrate TalkTalk’s systems with ease.”
Financial Services sector tops fines list
Financial services proved to be the worst industry sector for receiving ICO fines. The sector received 24 separate penalties since August 2015, accounting for 23% of all fines.Perhaps surprisingly, the charity sector came second in terms of the number of fines issued. 11 monetary penalties were handed out, 10.5% of all fines issued.
Charity fines were mainly for data breaches where charities were sharing customer data with other organizations without the customers’ consent.
In many cases, their attempts at bending the rules to their benefit have resulted in an investigation, an enforcement action and a fine.
Average fine for SMS spam exceeds £100,000
Fines for SMS breaches topped £100,000, with the average fine being £108,000. By comparison, fines for email spamming were, on average, just over £40,000.
Text spam is more intrusive that email spam and is therefore far more likely to generate more complaints.
Thankfully SMS spam has massively reduced in recent years. Not long ago, most of us received multiple texts a month offering payday loans, PPI or accident compensation.
Largely, due to the efforts of the ICO and some robust EU legislation, those days are long gone.
‘Grey areas’ can no longer be exploited
The fines serve as a powerful lesson to those companies using third party data for direct marketing, who feel they are immune from prosecution, being one step removed from the process of actually sending email or texts.
Companies who purchase email or SMS data from third-party suppliers are responsible for conducting their own due diligence on the data.
It is their responsibility to check that the data they are using has the correct ‘opt-in’. It is not acceptable to rely on third-party assurances that use of the data complies with the law.
Businesses have to be able to demonstrate that people on the list have given their permission.
In February 2016, credit broker Digitonomy was fined £120,000 for being responsible for millions of texts being sent without proper consent.
“We say it over again – any business that has instigated a marketing campaign is responsible for the information involved. Businesses need to get it right or we will take action.”
Depending on the word of another company is simply not acceptable and is not an excuse. Digitonomy is paying a hefty price for not meeting its responsibilities.” – Steve Eckersley – ICO
A grim future for spammers
What this data makes clear is that there is no place to hide for organizations that attempt to break the rules.
Quite rightly, the ICO is sending a strong message that any company found to have been involved in illegal activity will be investigated and fined.
The risks strongly outweigh any perceived reward. Ignorance of the rules will offer companies no defence. It is the responsibility of organizations of all sizes to make sure that all their activities remain on the correct side of the law.
This zero-tolerance approach to rule-breaking may mean that spam becomes a thing of the past. We may be heading for a bright new age where our mobiles and inboxes remain spam-free and our junk folder weirdly empty.
This is something we could all look forward to.
Thanks to Henry Cazalet for sharing their advice and opinion in this post. Henry is Director and co-founder of The SMS Works, which provides a low cost and reliable SMS API for developers. He’s been involved in the world of business SMS and mobile marketing since 1999. You can follow him on Twitter or connect on LinkedIn.