WIREDGOV

A South Wales firm has been fined £60,000 by the Information Commissioner for allowing its lines to be used to send spam texts to more than 270,000 people, without their consent.

A total of 274,423 unsolicited text messages promoting pay day loans were sent between November 2016 and January 2017 via SIM cards registered to STS Commercial Limited of Bridgend, which was against the law. The company, which is registered as an IT service provider, had previously been linked to another investigation by the ICO into other similar practices.

The activity came to light when the ICO met with network providers, one of which had identified unsolicited marketing activity in the Bridgend area.

In responding to a notice from the ICO, the network later reported receiving 268 complaints through its spam reporting system during this period.

The Commissioner’s investigation revealed that STS relied on the consent of a third party but did not carry out sufficient due diligence checks to ensure that the data complied with the Privacy and Electronic Communications Regulations (PECR). Neither the third party nor STS could provide evidence to support this.

ICO Head of Enforcement, Steve Eckersley, said:

“Companies that send spam texts to people without their consent are flouting the law and I hope today’s fine acts as a stark warning. Having previously been given the opportunity to clean up its act, STS continued to engage in this activity and have now been penalised.”

During the Commissioner’s previous investigation, STS and its directors were reminded of their obligations under PECR, provided with a link to the Commissioner’s Direct Marketing Guidance, and informed of the Commissioner’s powers.

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 2018, the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations (PECR) 2003.
3. The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act. They give people specific privacy rights in relation to electronic communications. There are specific rules on:
   • marketing calls, emails, texts and faxes;
   • cookies (and similar technologies);
   • keeping communications services secure; and
   • customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.
     
     We aim to help organisations comply with PECR and promote good practice by offering advice and guidance.
4. The European Union’s General Data Protection Regulation (GDPR) is a new law which applied in the UK from 25 May 2018.
5. Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.
6. Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO).
7. To report a concern go to ico.org.uk/concerns.