Excerpt
The ICO issued a penalty against Unite the Union for unsolicited direct marketing calls despite having explicitly opted out and by those who had not given informed valid consent to receive such calls.
Our analysis
In this case, the Information Commissioner was investigating whether Unite the Union had violated Regulation 21 of the Privacy and Electronic (EC Directive) Regulations 2003 (PECR) by contacting individuals to promote life insurance without their consent. The Commissioner received 27 complaints from individuals who claimed to have received unsolicited calls despite not giving consent, and two complainants explicitly opted out of such marketing but still received further calls. The Commissioner discovered that 57,665 calls were made to individuals registered with the Telephone Preference Service Ltd (TPS) for 28 days or longer, which is prohibited under Regulation 21 unless consent is given. The Commissioner found that Unite did not provide sufficient information to individuals about the use of their personal information, and that the individuals were only "broadly informed," which is not enough to establish valid consent. The Commissioner determined that this violation of Regulation 21 was serious and warranted a monetary penalty. However, the Commissioner found that Unite did not deliberately set out to contravene the PECR, but was negligent in not making use of the resources provided by the Information Commissioner's Office. The Commissioner found that Unite failed to take reasonable steps to prevent the risk of contravention materializing and considered the complaints of 27 individuals to be sufficient to warrant a monetary penalty.
Outcome
The Commissioner issued a monetary penalty in the sum of £45 000 (to be discounted with 20% to £36 000 in the event that the fine is paid timeously and no appeal pursued).
Parties
ICO and Unite the Union
Case number
Enforcement action - 25 October 2021
Decision
Related deceptive patterns
Nagging is a form of adversarial resource depletion. Every time an app or a website interrupts the user with a request to do something, this depletes the user's time and attention. This is like a tax that the provider imposes on users who do not want to comply with the provider's wishes. Although the cost is non-financial, it adds up and eventually becomes non-trivial. At this point the user may decide that it’s more cost effective to just give in and agree to whatever the provider is asking for, even if it is against their best interests.
Hard to cancel (aka "Roach Motel") is a deceptive pattern where it is easy to sign up for a service or subscription, but very difficult to cancel it. This typically involves hiding the cancellation option, requiring users to call customer services to cancel, and making the cancellation process overly complex and time-consuming. This can cause users to give up trying to cancel, and continue paying for the service for a longer period.
Related laws
Requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Outlines the certification mechanisms available for demonstrating compliance with the regulation.
Mentions certification bodies as a potential entity to provide accreditation and certification for data protection compliance.
Prohibits unsolicited electronic marketing communication without prior consent, except in certain circumstances.