On 3 November, the ICO imposed a monetary penalty of £70,000 on Nouveau Finance Limited for marketing activities carried out on Nouveau’s behalf by a third party in contravention of the Privacy and Electronic Communications Regulations.
Nouveau used a third party to send out 2.2 million unsolicited marketing texts to generate leads. This resulted in 92 complaints. The text messages were sent to mobile numbers obtained from third party suppliers.
The Regulations require that the recipient of the text messages must have notified the sender that he consents to receiving messages from or on behalf of the sender (in this case Nouveau), unless the ‘soft opt-in’ exemption applies (which would not have been available here).
Whilst the third party suppliers had used some consent wording at the time of collecting the data, the ICO deemed the wording, which referred to sharing data with ‘trusted partners’ and ‘carefully selected third parties’ for marketing, to be too vague to constitute valid consent. The ICO held that Nouveau did not have the necessary consent to send the text messages and was in breach of the Regulations.
Nouveau could also not demonstrate to the ICO that it had undertaken adequate due diligence as to the third party’s collection of consent. The ICO has made it clear that it is not acceptable to merely rely on a third party’s assurances that consent has been obtained; proper due diligence must be undertaken.
This is a timely reminder to financial services firms of the need to ensure that marketing consents are robust (ie clear and in accordance with the ICO’s guidance) and, where a third party is involved in obtaining that consent or sending communications on the firm’s behalf, detailed due diligence is undertaken and a suitable contract is put in place.