ICO penalty for spam overturned

A fine imposed by the ICO on a company accused of sending millions of unsolicited emails was overturned last month by the Appeal Tribunal[1].

The ICO had initially issued the fine against Xerpla Ltd, for a breach of regulation 22 of the Privacy and Electronic Communications Regulations (PECR) against unsolicited communications. In brief, this regulation states that a person may not transmit unsolicited emails unless the recipient has previously given their consent to such communications. The central issue to this case was whether Xerpla had obtained the consent of its subscribers to the standard required by PECR.

The facts were as follows:

• Between 6 April 2015 and 20 January 2017, Xerpla transmitted 1,257,580 direct marketing emails, promoting the products and services of third parties.
• The emails consisted of marketing material from a variety of organisations.
• They were sent to individuals who had subscribed to two websites operated by Xerpla.
• Individuals were informed when they visited these websites that when they submitted their details they consented to receiving Xerpla’s email newsletters and offers from and on behalf of Xerpla’s partners.

The ICO found that email recipients had not given sufficiently informed consent. The ICO deemed the contravention of PECR negligent, on the basis it should have known there was a risk the contravention would occur. An ICO investigation found that four individuals had unsuccessfully attempted to opt out of future direct marketing emails.

The appeal tribunal disagreed, deciding that there was no suggestion that Xerpla’s subscribers did not freely give their consent to receiving direct marketing, and that it was obvious what Xerpla’s subscribers were consenting to. It was obvious because of the service Xerpla was offering; the nature of Xerpla’s deals website was that subscribers could be sent third party offers about any products and services. This satisfied the fact that consent must be freely given, specific (in that individuals had signed up for specific email offers) and informed under PECR.

The tribunal therefore found that consent had been given under regulation 22 of PECR, and therefore there had been no breach.

This case is interesting for a number of reasons:

1. The tribunal found that the very nature of the business could mean it was obvious to an individual why their data was being processed.
2. The tribunal found there had been no breach of third party marketing. Although the emails contained products from third parties all marketing emails were sent by Xerpla.
3. The tribunal stated that because they had received such a small number of complaints, this was deemed as evidence that individuals knew what they were signing up for.
4. The tribunal stated that the number of complaints the ICO received may be low generally due to the burdensome nature of making a complaint (and the fact most individuals will simply delete an unwanted message). However, if the number of complaints was abnormally low this could be evidence that individuals were well informed about what they were giving consent for.
5. It is important to note that this case was decided on pre-GDPR law, and the position regarding consent under GDPR is more restrictive than under PECR. The GDPR imposes a number of new regulations relating to informed consent, and the standard expected of Xerpla in this case would likely not have satisfied GDPR.

[1] Xerpla Ltd v. Information Commissioner [2018] UKFTT 2017 0262 (GRC)