The ICO has fined a credit broker £20,000 for sending unsolicited communications in breach of regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003. Munee Hut markets its services partly through affiliates that send marketing texts that direct recipients to Munee Hut’s website. Between mid-2015 and spring 2016, 885 complaints were made about receipt of unsolicited texts about the company. An affiliate based in Belize had sent around 64,000 texts using data from several websites, which had generic and unspecific privacy notices. The notices tended to say that data would be shared with trusted third parties, but none said they would be used for sending unsolicited texts by or on behalf of the company. The ICO held is was Munee Hut’s responsibility to ensure sufficient consent had been acquired, and that it had not done so. The Regulations require that the recipient of the mail should have notified the sender of consent to messages being sent by, or at the instigation of, the sender. The ICO said that informing individuals that their details will be shared with unspecified third parties meant that consent was neither freely given nor specific, both of which are conditions that must be met for the consent to be valid. In deciding the penalty, the ICO found that although the breach was not deliberate, it was negligent, as the company knew or ought reasonably to have known there was a risk the breach would occur. The risks are well known and the company did not undertake sufficient due diligence on what its affiliate had done to obtain the necessary consents.