A fine imposed by the ICO on a company accused of sending millions of unsolicited emails was overturned last month by the Appeal Tribunal[1].
The ICO had initially issued the fine against Xerpla Ltd, for a breach of regulation 22 of the Privacy and Electronic Communications Regulations (PECR) against unsolicited communications. In brief, this regulation states that a person may not transmit unsolicited emails unless the recipient has previously given their consent to such communications. The central issue to this case was whether Xerpla had obtained the consent of its subscribers to the standard required by PECR.
The facts were as follows:
The ICO found that email recipients had not given sufficiently informed consent. The ICO deemed the contravention of PECR negligent, on the basis it should have known there was a risk the contravention would occur. An ICO investigation found that four individuals had unsuccessfully attempted to opt out of future direct marketing emails.
The appeal tribunal disagreed, deciding that there was no suggestion that Xerpla’s subscribers did not freely give their consent to receiving direct marketing, and that it was obvious what Xerpla’s subscribers were consenting to. It was obvious because of the service Xerpla was offering; the nature of Xerpla’s deals website was that subscribers could be sent third party offers about any products and services. This satisfied the fact that consent must be freely given, specific (in that individuals had signed up for specific email offers) and informed under PECR.
The tribunal therefore found that consent had been given under regulation 22 of PECR, and therefore there had been no breach.
This case is interesting for a number of reasons:
[1] Xerpla Ltd v. Information Commissioner [2018] UKFTT 2017 0262 (GRC)