First-tier Tribunal (General Regulatory Chamber)
Quick Tax Claims Ltd v Information Commissioner [2025] UKFTT 444 (GRC) (25 April 2025)
URL: https://www.bailii.org/uk/cases/UKFTT/GRC/2025/444.html
Cite as: [2025] UKFTT 444 (GRC)
Neutral citation number: [2025] UKFTT 444 (GRC)
Case Reference: FT/EA/2024/0421
First-tier Tribunal
(General Regulatory Chamber)
Information Rights
Heard by Cloud Video Platform
Heard on: 24 March 2024
Decision given on: 25 April 2025
Before
JUDGE TAFT
MEMBER PALMER-DUNK
MEMBER SCOTT
Between
QUICK TAX CLAIMS LTD
Appellant
and
INFORMATION COMMISSIONER
Respondent
Representation:
For the Appellant: Mr Omar, Director
For the Respondent: Miss Iyengar, Counsel
Decision: The appeal is Dismissed
Definitions:
"ICO": the Information Commissioner's Office
"PECR": the Privacy and Electronic Communications Regulations 2003
Mode of hearing: The Tribunal was satisfied that it was fair and just to conduct the hearing using Cloud Video Platform (CVP); all parties were able to join remotely. Prior notice of the hearing had been published on the gov.uk website, with information about how representatives of the media or members of the public could apply to join the hearing remotely in order to observe the proceedings. As such, the hearing was held in public.
REASONS
Introduction
1. The Appellant is a claims management company dealing with PPI tax refunds.
2. In a Notice of Appeal dated 22 October 2024, the Appellant sought to challenge an Enforcement Notice dated 26 September 2024 finding that the Appellant contravened Regulations 22 and 23 of PECR by sending unsolicited SMS (text messages) for direct marketing purposes over the period 12 February to 12 May 2023 without the consent of the recipients and without an opt out.
3. At the outset of the hearing, the Appellant was permitted to amend its Notice of Appeal to also challenge the Monetary Penalty Notice dated 26 September 2024 arising out of the same alleged breaches of PECR. This judgment does not deal with that challenge, which will be heard on 1 July 2025 following a Case Management Order dated 24 March 2025. The findings below in relation to breaches of PECR will however be relevant to the challenge to the Monetary Penalty Notice.
The Law
4. Regulation 22 PECR provides that
(1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers.
(2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.
(3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where—
(a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;
(b) the direct marketing is in respect of that person's similar products and services only; and
(c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.
(4) A subscriber shall not permit his line to be used in contravention of paragraph (2).
5. Regulation 23 provides that
A person shall neither transmit, nor instigate the transmission of, a communication for the purposes of direct marketing by means of electronic mail
(a) where the identity of the person on whose behalf the communication has been sent has been disguised or concealed;
(b) where a valid address to which the recipient of the communication may send a request that such communications cease has not been provided;
(c) where that electronic mail would contravene regulation 7 of the Electronic Commerce (EC Directive) Regulations 2002; or
(d) where that electronic mail encourages recipients to visit websites which contravene that regulation.
6. "Electronic mail" is defined by Regulation 2 PECR as "any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient and includes messages sent using a short message service".
7. "Direct marketing" is defined by Section 122(5) of the Data Protection Act 2018 as "the communication (by whatever means) of advertising or marketing material which is directed to particular individuals".
8. Regulation 2 PECR was amended by the Data Protection, Privacy and Electronic Communications (Amendment) (EU Exit) Regulations 2019 to confirm that "consent" corresponds to the UK GDPR definition of "consent". Article 4(11) UK GDPR defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".
9. UK GDPR has a number of recitals. As the High Court confirmed in RTM v Bonne Terre Ltd [2025] EWHC 111 (KB), "recitals do not have distinct operative effect, but are aids to construction".
10. Recital 32 confirms that:
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
11. Recital 42 confirms that:
Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
12. Recital 43 confirms that:
In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
13. In Leave.EU Group Ltd and Eldon Insurance Services Ltd -v- Information Commissioner [2021] UKUT 26 (AAC), the Upper Tribunal confirmed that the CJEU decisions of Case C-673/17 Verbraucherzentrale Bundesverband eV v Planet49 GmbH (EU:C:2019:801) [2020] 1 WLR 2248 ('Planet49') and Case C-61/19 Orange Romania SA v ANSPDCP (EU:C:2020:901) ('Orange Romania') are "high authority as to the proper approach to the meaning of consent in this context" [at para 51], that context being Regs 22 and 23 PECR.
14. Planet49 confirms that to be specific, consent "must relate specifically to the processing of the data in question and cannot be inferred from an indication of the data subject's wishes for other purposes" [at para 58]. For there to be informed consent, "a user must be in a position to be able to determine easily the consequences of any consent he or she might give" [at para 74].
15. In Orange Romania, the CJEU held that before there can be informed consent "the controller is to provide the data subject with information relating to all the circumstances surrounding the data processing, in an intelligible and easily accessible form, using clear and plain language, allowing the data subject to be aware of, inter alia, the type of data to be processed, the identity of the controller, the period and procedures for that processing and the purposes of the processing. Such information must enable the data subject to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed" [at para 40].
16. Section 40 Data Protection Act 1998 provides that:
(1) If the Commissioner is satisfied that a data controller has contravened or is contravening any of the data protection principles, the Commissioner may serve him with a notice (in this Act referred to as "an enforcement notice") requiring him, for complying with the principle or principles in question, to do either or both of the following-
(a) to take within such time as may be specified in the notice, or to refrain from taking after such time as may be specified, such steps as are so specified, or
(b) to refrain from processing any personal data, or any personal data of a description specified in the notice, or to refrain from processing them for a purpose so specified or in a manner so specified, after such time as may be so specified.
(2) In deciding whether to serve an enforcement notice, the Commissioner shall consider whether the contravention has caused or is likely to cause any person damage or distress.
17. Section 48 provides a right of appeal to this Tribunal. Section 49 provides that:
(1) If on an appeal under section 48(1) the Tribunal considers-
(a) that the notice against which the appeal is brought is not in accordance with the law, or
(b) to the extent that the notice involved an exercise of discretion by the Commissioner, that he ought to have exercised his discretion differently,
the Tribunal shall allow the appeal or substitute such other notice or decision as could have been served or made by the Commissioner; and in any other case the Tribunal shall dismiss the appeal.
(2) On such an appeal, the Tribunal may review any determination of fact on which the notice in question was based.
18. In Leave.EU, the Upper Tribunal confirmed that the right of appeal is a full merits review [at para 23].
19. Also in Leave.EU, the Upper Tribunal confirmed that the number of messages involved is a proper factor to take into account when considering the seriousness of any breach of PECR [at para 81].
Factual Background
20. The ICO conducted an investigation after 66,793 reports were made to the 7726 spam reporting service about SMS messages sent by the Appellant. In response, the Appellant confirmed that it had sent 7,863,547 SMS messages during the period 12 February to 12 May 2023, of which 4,983,449 were successfully delivered. The Appellant confirmed that it had acquired data from third parties - WRM Media Limited (WRM), Ortex Marketing Limited (OML) and Hudson and Clarke Group Limited (HCG) - and provided the ICO with links to consent statements and privacy policies from those organisations.
21. The ICO asked the Appellant to explain why some of the complainants reported that there was no opt out option. The Appellant advised that some messages were sent with no opt out but that recipients of those messages were only contacted once.
ICO's findings
22. The ICO found that the Appellant had contravened Regs 22 and 23 PECR by sending 4,983,499 unsolicited direct marketing SMS messages without valid consent. It held that consent was not valid because it was not freely given, specific or informed.
23. The ICO found that 93% of the messages did not contain a valid opt out. It also found that, contrary to the Appellant's representations, there were 50 instances of subscribers receiving more than one message without an opt out.
24. The ICO considered that this was a serious contravention because it said 4,983,499 messages were sent at a time of a cost of living crisis when recipients might be more susceptible to the Appellant's marketing.
25. The ICO did not consider that it was a deliberate contravention but did consider that the Appellant ought to have known that there was a risk the contraventions would occur: the ICO said that because the Appellant relied entirely on direct marketing for its business, it should have sought to familiarise itself with the relevant legislation. The ICO referred to its own detailed guidance and telephone helpline. It further found that the Appellant failed to take reasonable steps to prevent the contraventions, again referring to its own guidance that organisations acquiring and using marketing lists should undertake rigorous checks to satisfy themselves that the data was obtained lawfully and with the necessary consent. The ICO specifically found that the Appellant failed to carry out adequate due diligence.
26. The ICO then issued a Monetary Penalty Notice and Enforcement Notice on 26 September 2024.
Grounds of Appeal
27. The Appellant complains that the ICO did not adequately consider the consents obtained from the third-party organisations from which the Appellant purchased the personal data. It asserts that consents were clear, specific, freely given and informed in compliance with PECR. It further asserted that a clear opt out mechanism was provided and that complainants were not contacted more than once.
Response
28. The Respondent asserts that the Appellant has not provided evidence that valid consents were in place in respect of the direct marketing messages it sent. It relies upon its findings that the consents from the three third party websites could not be relied upon due to deficits in the consent mechanisms.
Appellant's Reply
29. The Appellant's reply asserts that recipients of SMS messages it sent without an opt out link were "automatically" opted out of further communications, and it did not send follow-up messages. It says that recipients of messages with an opt out link might receive up to three follow-up messages.
30. The Appellant suggests that this Tribunal should determine whether the consents provided to the third-party organisations were valid for the purposes of PECR.
31. The Appellant further suggests that it has implemented a new legal compliance programme, mandatory data protection training and robust supplier vetting and that this should be taken into account in mitigation.
Issues
32. The Appellant accepts that it sent the messages as set out in the Enforcement Notice, that the messages were electronic mail, that they were unsolicited and that they were direct marketing. The issues for the Tribunal to determine are therefore:
(a) Whether message recipients had provided consent for direct marketing by the Appellant by way of SMS; and
(b) Whether the messages provided the recipient with a means to opt out of further messages.
33. The Appellant accepts that if the Tribunal finds that there was a contravention of PECR, that contravention was likely to cause recipients of the SMS damage or distress.
34. If the Tribunal finds that there was a breach of PECR, we must determine whether the ICO exercised their discretion appropriately.
Evidence
35. The Tribunal considered a bundle of 417 pages as well as an electronic file containing 3 spreadsheets and 28 videos. This included:
(a) A spreadsheet showing the source of the personal data obtained by the Appellant and the date on which the message recipients purportedly opted in to receive direct marketing from the Appellant.
(b) Screenshots of the third-party organisations' websites, including the consent wording and privacy policies.
(c) Videos of the user journey through those websites. The Appellant accepted that these were an accurate reflection of the user journey save that it asserted that the videos of the OML user journey failed to show a page in which consent could be "refined". The page to which the Appellant referred is contained within the Bundle.
(d) A spreadsheet showing the text of the SMS messages sent, the time and date they were sent and the number to which they were sent.
(e) A further spreadsheet showing only the SMS messages containing no opt out, again with the text, the time and date they were sent and the number to which they were sent.
(f) A further sheet filtering those messages further to show only those messages sent to the same number more than once, again with the text of the message, the time and date they were sent and the number to which they were sent.
Submissions - Appellant
36. The Appellant maintained that the ICO had failed to provide evidence that it had sent messages without an opt out to the same recipient on more than one occasion. It asserted that these communications complied with PECR because recipients were automatically opted out.
37. The Appellant further asserted that there was valid informed consent and asked the Tribunal to make a finding on that.
38. The Appellant further asserted that the ICO had unfairly ignored its efforts at compliance with mandatory training, stronger supplier vetting and automatic opt outs.
Submissions - Respondent
39. The Respondent asserted that the burden of proof lies with the Appellant by analogy with Doorstep Dispensaree Limited v Information Commissioner [2024] EWCA Civ 1515.
40. The Respondent suggested that this was more of a legal than factual dispute, both in terms of the nature of consent and on the basis that it said that it did not matter if recipients received only one message - it is the Respondent's case that there was still a breach of Regulation 23 PECR if messages did not contain an opt out. It said that a message without an opt out is intrusive even if there is no further message.
41. Nevertheless, its fall-back position was that there was evidence of at least 50 recipients who received more than one message not containing an opt out. It suggested that the spreadsheet provided evidence of that.
42. In respect of consent, the Respondent asserted that consent is not specific if data subjects are not told the type of direct marketing they might receive or the organisation they might receive it from. It asserted that consent is not informed if this information is hidden away in small print or a privacy policy. Whilst it conceded that ticking a box might be affirmative, the Respondent asserted that when processing has multiple purposes, consent must be provided for each of them.
43. The Respondent suggested that the Tribunal needed to consider users' experience and particularly how disruptive it was to step out of the process they were intending in order to understand the consent they were providing. The Respondent further suggested that the Tribunal should ask itself whether the time this would take was proportionate to the prizes on offer in the third-party organisations' competitions.
44. The Respondent's submission was that the volume of information provided by each of the third-party organisations was overwhelming and that it was not realistic for users to spend hours reviewing it before providing their consent.
45. The Respondent further asserted that it was not necessary for users to provide their consent to third party direct marketing for the services provided by the third-party organisations. It was not necessary for the purpose of entering into competitions and it was not necessary for the purpose of providing insurance quotes. It was said that users might expect to consent to direct marketing from insurance providers but not from organisations of the nature of the Appellant. Competition winners might expect to consent to direct marketing related to the prizes on offer but again not from organisations of the nature of the Appellant.
46. In respect of the competition on WRM's website, which provided the option to email an entry rather than enter via the website, the Respondent suggested that this was a nuisance and inconvenience.
47. The Respondent referred to the OML video user journeys, which it said showed that it was not possible to enter the competitions without ticking the consent box. It was said that whilst it was possible to email to opt out, this was again a nuisance and inconvenience.
48. The Respondent referred to the 58 companies listed on the HCG privacy policy with links to their websites and own privacy policies. It said that it would be overwhelming for a data subject to review the policy and then click through. In reality, the Respondent says, no data subject would do this.
49. In respect of mitigation, the Respondent suggested that PECR is not straightforward, so it is important for organisations intending to use direct marketing to familiarise themselves with its provisions. The Respondent says that the Appellant would still be liable even with its apparent misunderstanding as to the law because the failure to familiarise itself was negligent. Here, it is said there was only minimal due diligence on the consents obtained by third party organisations, which again was negligent.
Tribunal's Findings of Fact
50. We make these findings on the balance of probabilities.
51. The Tribunal first dealt with the issue of consent in relation to the three third party organisations from which the Appellant purchased the personal data.
WRM
52. The Appellant confirmed that the personal data of 19,172 of the complainants were sourced from this site. The spreadsheet provided by the Respondent shows that 17,963 recipients provided their consent to marketing before the Appellant was incorporated. They cannot therefore have consented to receive direct marketing from the Appellant.
53. WRM asked users for data to enter prize draws for cash and shop vouchers. To enter a competition, site users were required to enter personal data including their telephone number and to consent to "partners" contacting them by email, phone, text or post.
54. Very small grey blurred text on a white background under a large blue "Register Now" button indicates that users can email to enter competitions without receiving marketing. It is not as easy to enter the competition by email as it is to click the "Register Now" button.
55. Above the "Register Now" button, text confirms that "by clicking 'Register Now' below, you consent to allowing WRM Media Ltd to process your registration and to use the data you supply to show you targeted offers and marketing communications from our partners. You also agree to our Privacy Policy, and consent to us sending offers to you via e-mail, and to be contacted by phone or e-mail if you win a prize. I understand that my data will be passed to Marketing Service Providers who use it to help organisations better understand their customers and find others like them. They will also share your data with their customers for marketing purposes. To understand more click here"
56. In blue text there is the option to "click here to fine-tune your consent options". This brings up a page in which users can opt in to receive marketing by post, phone, SMS or email from "all" or individual companies. It is not clear how a user can opt out.
57. The privacy policy takes up 30 pages of the bundle. The Appellant is listed as one of over 200 companies said to be a "selection of our partners" that begins on the 16th page of the privacy policy and runs for 7½ pages. The Appellant is one of the companies for which it is possible to click through to a website to find out more about that company. The Tribunal finds that even if a user had made their way to the Privacy Policy and then down to the list, it is unlikely that they would have the time or inclination to click through to this number of websites to find out what type of companies would be sending them direct marketing.
58. On the 24th page of the privacy policy, information is provided about how to opt out. The information is not however clear about what a user in fact needs to do to opt out of marketing communications.
OML
59. The Appellant confirmed that the personal data of 39,483 of the complainants were sourced from this site. OML asked users for data to enter prize draws for cash and shop vouchers. To enter a competition, site users were required to enter personal data including their telephone number and to accept the site's terms and conditions. There was an additional checkbox, which, by ticking, users consented to be contacted by OML's "partners" by "email, phone, SMS or post with more interesting offers and marketing communications or important information".
60. The video user journey shows that it is not in fact possible to click the "submit rewards" button to enter the competition without ticking the consent box. Underneath the "submit rewards" box, the text reads "by pressing SUBMIT you are confirming that you are happy to receive marketing E-mail/SMS/Calls from the following sponsored firms" of which the Appellant is one. There is an email provided by which users can opt out.
61. There is no "fine tune" option on the OML site. The Tribunal believes that the Appellant was mistaken when he referred to this, confusing it with the fine tune option on the WRM site.
62. OML's privacy policy confirms that they will share personal data with Marketing Service Providers, of which the Appellant is said to be one. It is said that they will "use it for a variety of direct marketing purposes". Users are required to click through to the companies' websites to opt out.
63. To find out how those companies will use the personal data, users are referred to Section 9 of the privacy policy. However, the privacy policy is not separated into numbered sections. The Tribunal could not easily locate which section of the privacy policy details how third parties will use the personal data and finds as a fact that it would be difficult for a user to do so. There is reference to consent being used as the legal basis for SMS and email marketing, but it is not made clear that users are in fact consenting to be contacted by SMS by the named companies.
HCG
64. The Appellant confirmed that the personal data of 9,565 of the complainants were sourced from this site. HCG invited users to enter personal data to receive a call to compare insurance quotes.
65. The background to the form is a picture of what appears to be a dark pink metallic object. It makes it difficult to read the grey and pink text that appears between the two "click here" buttons. If a user is able to read that text, they would see links to the site's terms and conditions and privacy policy to see how their personal data would be used.
66. That privacy policy is presented with grey text on a black background that is again difficult to read. If a user is able to read down to Section 6, they would see that HCG say that they may use personal data to send direct marketing about their products but suggest that "you will not be sent any unlawful marketing or spam". The privacy policy also promises that "We OR I will always obtain your express opt-in consent before sharing your personal data with third parties for marketing purposes and you will be able to opt-out at any time". Users had not provided express opt in consent to share personal data with third parties - they had provided consent for personal data to be used to receive a telephone call from HCG. As will be seen below, they were not provided with an opt out.
67. Section 9 of HCG's privacy policy is about sharing personal data. Various scenarios are presented but it is not suggested that data will be shared with third parties so that they can send direct marketing.
68. At the very bottom of the privacy policy, it reads "also you are giving your permission for us to share your information with third parties such as but not limited to" followed by a list of 58 companies of which the Appellant is one. The Appellant is described as being in the category "marketing" and sub category "marketing companies". No url is provided for the Appellant for users to click to find out more.
Opt-outs
69. Document CE35 is a spreadsheet showing 65,942 SMS messages sent by the Appellant, none of which contain an opt out. Sheet 2 of CE35 shows instances where the same number has received more than one message containing no opt out. There are 102 messages, each of which has been sent to the same number twice. There is therefore evidence that 51 recipients received messages with no opt out more than once.
Mitigation
70. There was no evidence to support the Appellant's assertion that it had implemented training, stronger supplier vetting or automatic opt outs.
Conclusions
71. We undertake a full merits review, although we accord due respect to the ICO as regulator. The burden of proof does lie with the Appellant for the same reasons as it lay with the Appellant in Doorstep Dispensaree Limited v Information Commissioner, but we have not had to resort to the burden of proof when making the findings set out above: the evidence is clear.
72. The Appellant breached Reg 22 PECR because it sent unsolicited direct marketing by electronic mail without obtaining the consent of the recipients.
73. 17,963 recipients could not have provided consent because they had pressed a "Register Now" box on WRM's website before the Appellant was incorporated.
74. Of the remaining 1,209 recipients whose data was purchased from WRM, that consent was not freely given, specific, informed and unambiguous.
75. Consent was not freely given because users needed to provide consent if they wanted to enter the competition via the website. Whilst it was possible to enter the competition by email, this could not easily be understood given the poor quality text that was difficult to read. Further, entering a competition by email requires more effort than clicking a "Register Now" button. Whilst the website suggested that users could "fine tune" their options, and the privacy policy suggested that users could "opt out" of marketing, in reality it was difficult to understand how users could opt out of marketing either from all or a selection of the "partners" referenced.
76. Consent was not specific or informed because information provided was neither intelligible nor easily accessible. Users were told that they were consenting to be contacted by "partners". Who those partners were was only apparent by reading a lengthy privacy policy and what they did was only apparent by clicking through to their websites. Users were not easily able to determine the consequences of giving their consent.
77. The consent was not provided by a clear affirmative act but only by clicking the button to enter the competition. Fonts and colours made it difficult to see that it was possible to enter the competition by email without providing consent.
78. The 39,483 recipients whose data was obtained from OML did not freely give consent because they could not enter the competitions without ticking the consent box.
79. Consent was not specific, informed and unambiguous - it is said that third parties will use data "for a variety of direct marketing purposes". Users cannot know what form that direct marketing will take. They were therefore not easily able to determine the consequences of giving their consent.
80. Consent was not informed because the privacy policy is impenetrable. The information provided was not intelligible or easily accessible.
81. The 9,565 recipients who entered their data on the HCG website did not freely give consent to receive marketing from the Appellant. They entered their personal data to discuss their insurance needs, not to have that data sold to a company that would seek to obtain a PPI tax refund.
82. Their consent was not specific, informed and unambiguous. Users were not easily able to determine the consequences of giving their consent. The information was not provided in an intelligible or easily accessible form.
83. Users would only discover that their data would be shared with the Appellant by reading to the bottom of the privacy policy, after that policy had previously suggested that they would not receive any spam and would have to provide express opt in consent before their data would be shared.
84. The grey text and pink/black background make the links to the privacy policy difficult to read. The use of grey text on black background makes the policy wording even more difficult to read.
85. Further, no information is provided about the Appellant, save that it is a "marketing" company. Users cannot know that it seeks to sell its services to obtain PPI tax refunds.
86. Whilst we only know about the 66,793 messages that were reported, the Tribunal considers that it is safe to extrapolate that data to find that all 7,863,547 messages were sent in breach of Reg 22 PECR because recipients had not provided freely given, specific, informed and unambiguous consent.
87. The Appellant breached Reg 23 PECR because it sent 65,942 messages without including a mechanism to opt out of further messages. It does not matter whether recipients did or did not receive a further message: Reg 23 requires the message to provide an address to request that there be no further such communications. In any event, at least 50 recipients did receive further communications. Again, the Tribunal is satisfied that it is safe to extrapolate this data to find that a very high proportion of the 7,863,547 messages were sent without a mechanism to opt out and that a significant number of recipients would have received more than one such message.
88. The breaches were not deliberate, but they were negligent. The Appellant did not do enough to educate Mr Omar about what was needed to ensure that it had valid consent to send the messages and to include a mechanism to opt out of further messages. The one-hour GDPR course Mr Omar took was clearly insufficient. The Appellant did not carry out sufficient due diligence on the consents obtained by its third party providers - WRM, OML and HCG - to ensure that they were freely given, specific, informed and unambiguous. If it had carried out this due diligence appropriately, it would have identified that no such consent had been obtained.
89. The Appellant did not provide any evidence to support its assertion that it had implemented further training. Indeed, the submissions made to the Tribunal suggest that it is still ignorant of the requirements of PECR to ensure that consent is freely given, specific, informed and unambiguous and to provide a mechanism for opt out in every message.
90. The Enforcement Notice requires nothing more than for the Appellant to comply with PECR by not transmitting messages in breach of Reg 22 or Reg 23. Given that the Appellant has previously sent 7,863,547 messages in breach of Reg 22 PECR of which a very high proportion were also in breach of Reg 23, and that the Appellant (correctly) accepts that these messages would have caused damage or distress, the Tribunal considers that the Respondent correctly exercised its discretion in issuing this Enforcement Notice. The very large number of messages sent in breach of PECR is a serious matter to which the Enforcement Notice was an appropriate response.
Signed: Judge Taft
Date: 22 April 2025