October 6, 2022
It’s a tough day for EasyLife, the UK-based catalogue retailer which received two whopping fines today from the Information Commissioner’s Office, or ICO. The fines, £130K and £1.35 million respectively, were incurred for non-compliance with a series of data protection obligations. In this article, we explain what happened, how to avoid it, and what this means for EasyLife.
Founded in 1992, EasyLife is a catalogue retailer with a range of offerings, from garden solutions to technology products. Unfortunately for EasyLife, its methods of marketing those products directly conflicted with its data protection obligations and constituted unlawful activity. In response, the ICO issued two fines: one for unsolicited direct marketing telephone calls, and another for unlawfully profiling customers. Let’s explore both fines, and outline why the ICO had to come down hard.
First up, unsolicited direct marketing. In the data protection world, PECR (the Privacy and Electronic Communications Regulations) covers a number of things, in particular direct marketing by electronic means and the use of cookies.
Under PECR, if you are sending information to a particular individual (by email, telephone call, etc.) which includes advertising or marketing, it is considered “direct marketing”. Most PECR rules apply specifically to “unsolicited” marketing, where the customer has not consented to, or asked for, information about the product or service being advertised.
Unsolicited direct marketing messages are not banned outright (otherwise nobody would be allowed to send newsletters), but there are a number of rules that must be complied with.
The key step EasyLife failed to take was checking the Telephone Preference Service (TPS), the central register on which people can record that they do not want to receive any marketing calls. Screening a calling list against that register before dialling is a basic control for anyone making marketing calls.
In EasyLife’s case these rules were flouted, resulting in unsolicited direct marketing phone calls that directly contravened PECR. This triggered a £130K fine, which would be bad enough in itself if not for…
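As an added illustration (this is not code from the article, nor anything EasyLife ran), here is how a pre-dial screening step against a TPS-style suppression list might be implemented. The real TPS register is licensed from the TPS and is not reproduced here; the suppression entries, the call list and the `has_consent` hook are constructed assumptions. The point it makes beyond the text is that the match must be done on normalised numbers, since a call list that stores “020 7946 0123” will never match a register entry stored as “+442079460123”, and that anything which will not normalise should be rejected rather than dialled.

```python
"""Screen an outbound marketing call list against a suppression register.

Added example, not code from the original article or from EasyLife.
The suppression entries below are constructed for illustration and are
not an extract of the real TPS register.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

# Constructed sample register (E.164 form). Assumption: numbers are
# stored normalised; a real feed would be normalised on ingest too.
TPS_SUPPRESSION: Set[str] = {
    "+442079460123",
    "+447700900456",
}


def normalise_uk_number(raw: str) -> Optional[str]:
    """Return a UK number in E.164 form (+44...), or None if unparseable.

    Handles '020 7946 0123', '+44 7700 900456' and '0044 ...' variants.
    Non-UK numbers and malformed input return None so the caller can
    fail closed instead of dialling them.
    """
    digits = re.sub(r"[^\d+]", "", raw)
    if digits.startswith("+44"):
        digits = digits[3:]
    elif digits.startswith("0044"):
        digits = digits[4:]
    elif digits.startswith("0"):
        digits = digits[1:]
    elif digits.startswith("+"):
        return None  # other country code: out of scope for a UK TPS check
    # UK national significant numbers are 9 or 10 digits long.
    if not digits.isdigit() or len(digits) not in (9, 10):
        return None
    return "+44" + digits


@dataclass
class ScreeningResult:
    callable: List[str] = field(default_factory=list)    # may be dialled
    suppressed: List[str] = field(default_factory=list)  # on register, no opt-in
    rejected: List[str] = field(default_factory=list)    # unparseable: do not dial


def screen_call_list(
    call_list: List[str],
    suppression: Set[str],
    has_consent: Callable[[str], bool] = lambda number: False,
) -> ScreeningResult:
    """Split a call list into numbers that may and may not be dialled.

    A number found on the suppression register is only released if the
    has_consent hook (assumed: a lookup of a recorded opt-in from that
    subscriber) returns True. Unparseable numbers are rejected, never
    dialled, so bad data cannot bypass the check.
    """
    result = ScreeningResult()
    for raw in call_list:
        number = normalise_uk_number(raw)
        if number is None:
            result.rejected.append(raw)
        elif number in suppression and not has_consent(number):
            result.suppressed.append(number)
        else:
            result.callable.append(number)
    return result


if __name__ == "__main__":
    # Constructed call list with mixed formatting and one foreign number.
    campaign = ["020 7946 0123", "+44 7700 900456", "07700 900789",
                "12345", "+33 1 23 45 67 89"]
    outcome = screen_call_list(campaign, TPS_SUPPRESSION)
    print("dial:      ", outcome.callable)
    print("suppressed:", outcome.suppressed)
    print("rejected:  ", outcome.rejected)
```

The design choice worth copying is the three-way split: a number either clears the check, is positively suppressed, or is rejected because it could not be normalised. Treating the third bucket as "do not dial" is what keeps formatting errors in the source data from turning into unlawful calls.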
The UK GDPR is a principle-based law: general, overarching rules guide organisations to collect and use people’s information responsibly. One of these principles stipulates that organisations must use people’s information lawfully, fairly and transparently (e.g. be clear about what is being collected and what it is being used for).
This is especially important for sensitive information about people, known as special category data, because the risk to the person it relates to is higher if it is misused. The starting point for special category data is that organisations are not allowed to collect or use it at all; it is permitted only in very limited circumstances.
Special category data includes information about a person’s health, which is the category at issue in EasyLife’s case.
In EasyLife’s case, the business unlawfully profiled customers by inferring health conditions from their previous purchases. The company appears to have used a purchase to assume what medical condition the person had, then used this as an opportunity to try to sell a related product. Inferring a health condition in this way is itself collecting special category data, even though no customer ever stated the condition. The customers did not know their information was going to be used this way, and in any event the activity would have fallen short of the limited exceptions where it is allowed (e.g. explicit consent, which is a higher threshold than standard consent).
In other words, a big data protection no-no. This resulted in the ICO issuing a whopping £1.35 million fine.
Part of the investigation was prompted by complaints made to the TPS and the Commissioner, but interestingly some of the activities came to light during an investigation into a telemarketing company which potentially carried out direct marketing aimed at exploiting the COVID-19 pandemic. So while that investigation unearthed EasyLife’s activities, it’s likely we’ll see more monetary penalties relating to unsavoury business practices adopted during the pandemic.
EasyLife now has 28 days to appeal the fines or pay up, leaving the business in a particularly difficult situation that could have been avoided. The ICO notices flag that EasyLife should have been well aware of what constituted compliant practice, which is why the regulator considers EasyLife’s approach negligent.
Perhaps one unusual component of this case is that EasyLife did in fact have a data protection compliance officer on the payroll, but did not ask for their advice about the matters which have landed the company in hot water. If your business is paying someone to help keep your practices compliant, use that resource responsibly: involve them in decisions and listen to their advice (even if you decide not to follow it).
If you deal with a lot of personal information as part of your business and you don’t already have a Data Protection Officer (or someone else responsible for data protection compliance), then you should consider appointing someone, provided you are going to ask for their advice when needed.
For businesses that conduct any form of direct marketing, it’s crucial to abide by the rules set by PECR and the UK GDPR. Be clear about your compliance obligations, seek consent, understand who you’re marketing on behalf of, and crucially, remember that you are unlikely to be able to use special category data without the customer’s explicit consent. For those in the telemarketing arena, check the TPS (Telephone Preference Service) before dialling, and ensure you’re not straying into unsolicited activities.
Unsure of whether your marketing activities are up to scratch? Speak with our data protection experts to ensure you’re squeaky clean.