ICO fines contact-tracing service for using personal data for marketing

Tested.Me Ltd sent 84,000 ‘nuisance' emails to people who had scanned QR codes to check into venues during the COVID pandemic

The UK’s data protection regulator has hit contact-tracing service provider Tested.Me Ltd with an £8,000 fine for using people’s contact details obtained through QR code-scanning to send unwarranted marketing messages.

The contact-tracing company provided venues, such as pubs and restaurants, with the technology to allow customers to check-in on arrival through a QR code scanning system during the height of the COVID-19 pandemic

The Information Commissioner’s Office (ICO) found, however, that the company had marketed its own Digital Health Passport App to tens of thousands of people who’d registered at venues using their technology, at a later date.

As a result, the regulator deemed that Tested.Me Ltd contravened the Privacy and Electronic Communications Regulations 2003 by sending 83,904 emails to people between 11 September and 5 November last year. Specifically, the firm was supposed to ensure valid consent to send those messages had been acquired, but it hadn’t done so.

While the ICO feels the company didn’t deliberately set out to violate PECR, the contravention was deemed negligent, and, as a result, the firm has been fined £8,000. This will be reduced to £6,400 if Tested.Me Ltd pays the fine by 7 June. 

The fine has been administered under Section 55 of the Data Protection Act 1998. IT Pro asked the ICO why the newer and more robust Data Protection Act 2018 wasn’t used as the basis for the penalty.

Related Resource

Are you failing to deliver a single view of the customer?

Ensure 'connectedness' across four business areas to achieve personalisation

Are you failing to deliver a single view of the customer? - person surrounded by icons - whitepaper from CrederaDownload now

This illicit practice is something privacy activists had been warning for months last year as society began to emerge from the first lockdown last summer. A combination of poor guidance and lax enforcement led to a surge in third-party companies promising to offer contact tracing services to businesses desperate to comply with the rules. 

According to legal and policy officer with Big Brother Watch, Madeleine Stone, the problem wasn’t just that it was likely that contact tracing data was used for marketing purposes, but that this entire regime was normalising mass data collection.

“I think there absolutely is a risk [of organisations misusing the data for marketing purposes] and I think it's probably quite likely that it is happening,” Stone warned at the time. “I'm sure that some companies are completely doing this by the book but there are probably a lot that aren't.

“It only takes one, one of these third-party apps to have a data breach, or to mishandle data, or to use it for marketing purposes, or to sell it on to someone else, and we have a serious issue for all those potentially hundreds of thousands of people who've put their data through this system.”

Featured Resources

How to choose an AI vendor

Five key things to look for in an AI vendor

Download now

The UK 2020 Databerg report

Cloud adoption trends in the UK and recommendations for cloud migration

Download now

2021 state of email security report: Ransomware on the rise

Securing the enterprise in the COVID world

Download now

The impact of AWS in the UK

How AWS is powering Britain's fastest-growing companies

Download now

Recommended

Researchers send “unhackable” quantum data over 370-mile optical fiber
data protection

Researchers send “unhackable” quantum data over 370-mile optical fiber

11 Jun 2021
New study shows global privacy investments increasing
data protection

New study shows global privacy investments increasing

2 Jun 2021
Misconfigured cloud services exposed 100 million Android users' data
data breaches

Misconfigured cloud services exposed 100 million Android users' data

21 May 2021
Senators introduce a new bill to protect consumer data privacy
data protection

Senators introduce a new bill to protect consumer data privacy

20 May 2021

Most Popular

Ten-year-old iOS 4 recreated as an iPhone app
iOS

Ten-year-old iOS 4 recreated as an iPhone app

10 Jun 2021
Fastly blames software bug for major outage
public cloud

Fastly blames software bug for major outage

9 Jun 2021
GitHub to prohibit code that’s used in active attacks
cyber security

GitHub to prohibit code that’s used in active attacks

7 Jun 2021