WIREDGOV

We have fined two companies a total of £225,000 for sending millions of unsolicited marketing messages in breach of the law.

Allay Claims Ltd, based in Newcastle-upon-Tyne, has been fined £120,000 for sending more than 4 million unlawful marketing text messages between February 2023 and February 2024. The messages promoted PPI tax refund services and were sent without valid consent or compliance with the rules on the ‘soft opt-in’ exemption. 

ZMLUK Limited (formerly Zuru Media Ltd), based in Bristol, has been fined £105,000 for sending over 67 million marketing emails between January and July 2023 without valid consent. The emails promoted a range of products and services using data sourced from third parties, where people were not given clear and informed choices about receiving marketing. 

Andy Curry, Head of Investigations at the ICO, said: 

“Unwanted marketing messages are more than just an irritation – they're an intrusion that can cause real distress. 

“The law here is clear: businesses must only send marketing messages to people who have freely and knowingly consented to receiving them. Relying on vague or third-party consent, or sending marketing messages under the guise of service updates, isn’t enough. 

“We want to thank every member of the public who reported these messages. Public reporting plays a crucial role in our work, and where we see organisations causing harm through unlawful marketing, we will not hesitate to step in.” 

Details of the contraventions 

Allay Claims Ltd sent 4,046,947 SMS messages promoting PPI tax refund services. We found that the texts were clearly promotional in tone, encouraging people to make further claims and directing them to external landing pages. These messages were not service updates, as Allay later claimed, but direct marketing communications designed to prompt action.  

During the investigation period, more than 46,000 complaints about these messages were submitted through the mobile reporting service 7726, and a further rise in complaints continued even after Allay was aware of our concerns. The investigation showed that Allay had failed to offer a simple way for customers to refuse marketing when collecting their details. As a result, we concluded that the company could not rely on the soft opt‑in exemption as it claimed, and had breached Regulation 22 of PECR. 

ZMLUK Limited sent 67,772,285 emails between January and July 2023 using data sourced primarily from a third‑party website. Individuals signing up to this website were presented with a long list of 361 “partner” companies, without any mechanism to choose which organisations could contact them. We found that this meant individuals could not give informed, specific consent, rendering the consent invalid.  

Examples of the messages complained about included promotional emails urging recipients to “earn and save up to £50,000” on solar and storage products and to take action on energy‑saving opportunities. Although ZMLUK was sending the emails on behalf of Zuru Jersey Ltd, the company was responsible for ensuring compliance with PECR as the sender. The investigation also revealed that ZMLUK relied heavily on third‑party data without carrying out sufficient due diligence checks to understand how consent was obtained. We have concluded that ZMLUK did not have valid consent for the emails it sent, and that the company had failed to take reasonable steps to prevent unlawful marketing activity. 

What the law says

Under Regulation 22 of the Privacy and Electronic Communications Regulations (PECR), organisations cannot send marketing messages by email or text without consent, unless they meet the strict conditions of the ‘soft opt-in’ exemption. Consent must be freely given, specific, informed and unambiguous. 

The ‘soft opt-in’ exemption only applies if: 

• The recipient’s details were collected during the sale or negotiations for a sale. 
• The marketing relates to similar products or services. 
• The recipient was given a clear and simple way to refuse marketing at the time their details were collected and in every subsequent message. 

Generic or bundled third‑party consent (e.g., “selected partners” or long lists without true choice) does not meet these standards. Pre‑ticked boxes and buried privacy‑policy notices do not constitute valid consent or a simple opt‑out. 

Advice for the public 

If you get nuisance text messages: 

• Do not reply to suspicious texts or click on any links. 
• Report spam texts for free by forwarding the message to 7726. 
• Consider blocking the sender on your phone and report persistent offenders to the ICO.

If you get nuisance emails: 

• Use your email service’s ‘Report spam’/‘Report phishing’ tools and consider blocking the sender. 
• If it’s from a legitimate organisation, you can use the ‘unsubscribe’ link. 
• Never download attachments or enter personal/financial details from unsolicited emails. 
• You can report nuisance emails to the ICO and forward phishing to the NCSC at report@phishing.gov.uk. 

Businesses should consult the our direct marketing guidance to ensure compliance with the law.

Notes to editors

1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
3. The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
4. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.