£120,000 ICO fine allegedly based on inaccurate information
The fined company was accused of working with a third-party to distribute more than four million unsolicited text messages
A Payment Protection Insurance (PPI) compensation company based in Manchester has been fined 120,000 by the ICO for sending more than four million unsolicited direct marketing text messages, but the company claimes the watchdog's report was based on inaccuracies.
The ICO's enforcement notice claims Hall and Hanley used a third-party company to send 4,883,167 text messages between 1 January 2018 and 26 June 2018.
The total amount of messages actually received was 3,560,211 and these were enough to spark well-over a thousand complaints issued to the data protection watchdog.
One complaint read: "I have not given this company any of my personal information. I have never had any contact with this company. Receiving text messages like this is very concerning as I don't know what other information they have on me, or where they got this information".
The text message recipients' data that was used by the third-party direct marketing distributor was taken from four websites: getyaoffers.co.uk, petesdeals.co.uk, prizereactor.co.uk, and myloanoffers.co.uk.
The ICO then reviewed the privacy policies of these websites to determine whether Hall and Hanley was listed as a third-party recipient of the sites' user details - this is where the disagreement lies.
The ICO claims that out of the four companies, Hall and Hanley was named as a third party in just two of the privacy policies and in those, subscribers had no option to select which third-party received their details.
"It does not appear that potential subscribers were provided with an option to select which of the many listed third parties they may wish to receive marketing about, or the method by which they would wish to receive any marketing," read the ICO enforcement notice. "It also appears to be the case that consent to third-party marketing was a necessary condition of subscribing to the services offered by these sites."
Since issuing the report, Hall and Hanley has told IT Pro that the aforementioned information in the enforcement notice is incorrect and that the company was in fact, listed in all four policies but later removed because of changes made to the websites' policies following GDPR's implementation.
"We have provided the ICO evidence of this, and also a letter personally written from the owners of the other 2 websites proving this," said Peter Carpenter, compliance at Hall and Hanley. "They have completely ignored our representations and facts on these matters."
Carpenter added: "We are appealing this and are confident this will be overturned."
After contacting the ICO about the claims made by Hall and Hanley, questioning the alleged inaccuracies in the enforcement notice, IT Pro was issued with a response that glossed over the question and re-iterated the sections of the enforcement notice that have been questioned by the PPI compensation company.
We have since pressed the ICO for a more succinct response in relation to the claims made by Hall and Hanley, but declined to comment further.
Four cyber security essentials that your board of directors wants to know
The insights to help you deliver what they needDownload now
Data: A resource much too valuable to leave unprotected
Protect your data to protect your companyDownload now
Improving cyber security for remote working
13 recommendations for security from any locationDownload now
Why CEOS should care about the move to SAP S/4HANA
And how they can accelerate business valueDownload now