25Mar

Debt management lead generator fined by ICO over unsolicited texts

The Information Commissioner’s Office has fined a Manchester-based debt management lead generation company £80,000 after it sent more than 95,000 text messages. These messages were all unsolicited, in that the recipients had not given explicit prior consent to receiving them. Furthermore, all 95,000 messages were sent in the space of just two months, from June to July 2020.

29Dec

ICO fines pension cold caller who harvested data via LinkedIn

The Information Commissioner’s Office has imposed a £45,000 fine on a London-based firm that made 39,722 unsolicited marketing calls between January and October 2019. The data protection watchdog says that it believes the firm “deliberately set out to contravene” the law and “employed deliberate and opaque tactics to obtain the data of individuals to whom they could engage in direct marketing regarding pension schemes, following the implementation of legislation specifically aimed at protecting individuals from these practices.”

The firm’s principal business is the tracing of lost pension plans, and it would call individuals with the aim of introducing them to an independent financial adviser.

The ICO says that staff working for the firm firstly sent invitations to connect with people via LinkedIn. Once these connections had been established, they illegally called the individuals in an attempt to promote the firm’s services.

Pension cold calling is essentially banned in the UK. Firms can only call to talk to people about their occupational or personal pensions if both of the following apply:

  • the caller is authorised by the Financial Conduct Authority (FCA), or is the trustee or manager of an occupational or personal pension scheme, and
  • the recipient of the call consents to receiving these calls, or has an existing relationship with the caller

The firm in question is not authorised by the FCA, indeed the issue first came to light when a third party, which was a regulated entity, alleged that this firm had been contacting individuals while passing itself off as the third party.

The ICO also says that the firm was unable to provide any evidence that the individuals whose data was harvested via LinkedIn consented in any way to receiving marketing calls relating to pensions.

The firm had no records to confirm it had carried out any staff training relating to the Privacy and Electronic Communications Regulations and the restrictions these impose on direct marketing activities.

The 39,722 figure is only the number of calls that were connected and where a conversation took place, and the ICO says the firm attempted to make some 289,679 illegal calls during the nine-month period.

The fine will be reduced to £36,000 if the firm pays by January 13 2021 and does not exercise its right of appeal.

Andy Curry, ICO Head of Investigations, said:

“Unwanted pensions calls can cause real distress and can result in people experiencing significant financial harm. The public have every right to expect companies to follow the law and should not feel harassed or pressured into making life-changing decisions on the basis of cold calls or messages received out of the blue.

“Companies shouldn’t call you to discuss your pension, unless you have given your consent, or you’ve previously dealt with the company. If you do receive an unwanted pensions call, it’s important to report it to the ICO. Every report helps us to take action and stop these nuisance calls.”

Scott Robert are compliance consultants delivering solutions to regulated businesses.

27Dec

ICO fines mortgage broker over nuisance texts

The Information Commissioner’s Office has fined a Lincolnshire mortgage brokerage firm £50,000 for breaching the law relating to marketing texts.

The firm sent 174,342 nuisance marketing texts about mortgages between June 2019 and June 2020, most of which highlighted a fall in buy-to-let interest rates and invited the recipient to call to discuss a BTL mortgage.

The firm was apparently operating under the misapprehension that all recipients had consented to receiving the marketing texts when they contacted the firm via their website to obtain a quote. However, the ICO says that the firm was not entitled to use the customer data for marketing purposes as, at that stage, people were not offered the option to opt in or out of receiving marketing material.

The regulator therefore concluded that the firm had breached section 22 of the Privacy and Electronic Communications Regulations.

The General Data Protection Regulation states that consent must be freely given, specific and informed and there must be an indication signifying agreement given ‘by a statement or by a clear affirmative action’. Again, that would appear not to have been the case here, given that the recipients simply enquired about the firm’s services and never explicitly opted in to receiving marketing communications.

An example of one of the firm’s messages was:

“Hi XXX I hope you are well, Its XXX from [trading name of firm], you previously made a Buy to Let Purchase enquiry with us. Since the Pandemic Buy to Let rates have dropped to 1.19% if you are looking to purchase a Buy to Let property then please reply with a time that is convenient for you or alternatively please call us on [phone number of firm] opt 1 and we will be free to speak with you. Kind Regards XXX [trading name of firm]”

The investigation only covered the 12-month period between June 2019 and June 2020, but the firm has admitted using the same marketing approach since 2015, so the actual number of breaches could be significantly higher.

The fine will be reduced to £40,000 if the firm pays by January 4 2021 and does not exercise its right of appeal.

Natasha Longson, ICO Investigations Group Manager said:

“The rules about electronic marketing are simple and clear. Consent must be freely given, and it must not be a condition of receiving a service.

“Nuisance texts, calls and emails are an unwanted and annoying intrusion into people’s lives, and we will continue to take action against those that do not comply with the law.”

23Dec

Brexit and Data Protection – is your firm prepared?

At 11pm on the 31st December, the United Kingdom will see a substantial shift in the law of data protection.

With Brexit officially coming happening on the 31st December 2020 many firm’s have demonstrated the perplexity of what is in store for the UK at the end of the transition period. For us at Scott Robert, our clients have focused mainly on what happens with financial services who passport their activities to other countries within the European Economic Area, however, many firm’s haven’t been focusing on their data protection arrangements post Brexit.

At Scott Robert we recognise that many firm’s are forgetful to their data protection obligations, we have therefore decided to put together a quick brief below to ensure you are adequately prepared for data protection and Brexit.

What Happens?

On the 31st December, the UK officially leaves the European Union at the end of the transition period. Currently the data protection law is located within the General Data Protection Regulation 2016 (“GDPR”), which is EU law directly applicable to U.K entities, what confuses many firms is that the UK already has in place the Data Protection Act 2018, however, this doesn’t implement the data protection law, it just supplements the areas which it is admitted to do so under the GDPR.

What happens on the 31st December is that through the withdrawal statutory instruments, the GDPR will be directly copied over to UK law and be termed the UK GDPR, of course changes are going to occur with the powers (such as the Commission no longer has the power to make adequacy decisions, this will lay with a secretary of state).

So first things first, all firm’s should be affirmative to the following tick box exercise:

Tick Box Firm Question
  Our firm understands the term “personal data”.
  Our firm understands what type of “personal data” we hold on individuals, including our employees.
  Our firm understands the data protection “Principles”
  Our firm understands the lawful bases for processing.

  • Consent.
  • To perform a contract.
  • To perform a legal obligation.
  • To protect the vital interests.
  • For the performance of a public task.
  • For the purposes of pursuing a legitimate interest.
  Our firm understands the meaning of consent and what is genuine consent.
  Our firm understands that if we rely on legitimate interests as a lawful basis to process personal data we have to have legitimate impact assessments.
  Our firm understands what is “special category” data
  Our firm understands the different requirements which must be fulfilled in order to process special category
  Our firm understands how to correctly identify a data subject access request
  Our firm has processes in place to correctly investigate a data subject access request and respond accordingly
  Our firm has a privacy policy on its website.
  Our firm understands our overall responsibilities as controller.
  Our firm has records of our processing activity.
  Our firm has the correct data protection impact assessments in place.
  Our firm has adequate security for personal data.
  Our firm has documented due diligence on third-party processors.
  Our firm conducts regular audits of our data protection framework.

The above covers the most basic obligations on firm’s right now under the GDPR which will become directly enforceable by the UK GDPR.

The most important thing which firms must be reminded of is the need for documentation of all of the above, without the required documentation how can you demonstrate compliance with the above?

Scott Robert has assisted numerous firms with their data protection compliance, ensuring they have all required documentation to maximise protection of personal data but also ensuring the viability of the firm’s service. Remember, any breaches of the GDPR can amount to substantial fines, so act before you become one of the thousands of firms fined for being neglectful of their data protection obligations.

So what changes?

The biggest change on the 31st December for U.K firms is that we will no longer be a part of the European Economic Area, which means we can no longer freely transfer data to other European Economic Area countries.

The ICO have confirmed that after Brexit the UK will still be free to share data with countries in the EEA, however, what will be changed is EEA countries sending data to the UK, this is because the UK will be regarded as a “third country” as part of the EU GDPR regime. In simple terms, this means:

The EU Commission must make an adequacy decision on the UK data protection framework to determine whether the UK will be adequate, if the Commission makes this decision affirmatively then EEA firm’s can transfer personal data to the UK without the need for any other pre-requisite for transfer. However, if no adequacy decision is made then firms will be required to comply with:

  • Standard Contractual Clauses.
  • Binding Corporate Rules; or
  • Exemptions

Put simply, right now in the UK we do not know whether an adequacy decision will be made by the Commission on the UK, although it is likely this is not guaranteed. Therefore, firm’s must act now to pre-emptively ensure that they are prepared on the 31st December to make sure all data their receive from the EEA will be compliant with the UK GDPR. Firm’s should likely be using standard contractual clauses to ensure data is held safely and a risk assessment undertaken on the contract to ensure the firm is meeting the requirements of a level similar to the GDPR.

Without the above, the firm will likely be acting unlawfully when receiving data from the EEA after the transition period ends.

It is also important to note, that under the UK GDPR, existing rules still apply in relation to third-country transfers which means all transfers are restricted to third countries unless the UK secretary of state makes an adequacy decision on the country. Existing third-country decisions will remain applicable to the UK.

What to remember.

Firms should remember that existing data protection obligations apply (as above).

Firms should be prepared to audit their data protection framework to ensure that they are compliant.

Firms should be reminded that the above is only a summary of the UK GDPR changes and does not cover PECR.

If you are concerned about your data protection practices and whether you can tick all of the checkboxes above please get in touch with one of our team members today or contact your direct adviser.

Scott Robert.

15Dec

MOJ Issues Regulation Bulletin to CMCs

MOJ issues regulation bulletin to CMCs

Fines, fees, advertising standards and Legal Ombudsman procedures are just some of the issues covered in the Ministry of Justice (MoJ)’s December 2014 bulletin on claims management regulation.

Concerns have been raised in the past that claims management companies (CMCs) have been able to avoid enforcement action by cancelling their authorisation before the MoJ has completed its investigations into their alleged misconduct. However, for all alleged breaches of the rules that took place on or after December 9 2014, a CMC that is under investigation will be prevented from cancelling its authorisation unless it obtains the specific consent of the MoJ to do this.

The implementation date for the new fines regime has been confirmed as December 29 2014. From this date, the MoJ will have the power to impose fines of up to 20% of turnover on CMCs who are guilty of misconduct. Guidance on the fines system will be published shortly.

Further information will also be provided in the near future regarding CMCs coming under the jurisdiction of the Legal Ombudsman. This much delayed event is finally set to happen on January 28 2015. From this date, customers of CMCs who are dissatisfied with the company response to their complaints can refer the matter to the Ombudsman, who can order the company to pay up to £30,000 in compensation.

The MoJ has published a consultation paper regarding the fees to be paid by CMCs in the 12 months to March 2016. This consultation ended on December 18 2014. The MoJ is proposing an increase in the standard application fee from £1,400 to £2,000.

The proposed annual regulation fees are as follows:

  • (Annual) turnover of under £5,000 – £200
  • Turnover of £5,000 to £14,999 – £350
  • Turnover of £15,000 to £24,999 – £500
  • Turnover of £25,000 to £74,999 – £650
  • Turnover of £75,000 to £88,889 – £800
  • Turnover of more than £88,889 – either 0.9% of turnover, capped at £100,000; or 0.9% of turnover up to £1 million, 0.8% of turnover between £1million and £5 million and 0.75% of turnover above £5 million, all with no cap

The ‘uplift’ – the additional amount paid by CMCs who handle financial services claims – will remain unchanged at 0.145% of turnover from financial services activities.

Fees for funding the Legal Ombudsman service will be:

  • Turnover of under £5,000 – £75
  • Turnover of £5,000 to £14,999 – £150
  • Turnover of £15,000 to £24,999 – £250
  • Turnover of £25,000 to £74,999 – £340
  • Turnover of £75,000 to £163,636 – £540
  • Turnover of more than £163,636 – 0.33% of turnover up to £1 million, plus 0.22% of turnover between £1 million and £5 million, plus 0.18% of turnover above £5 million, all subject to a cap of £40,000.

All CMCs should expect to be asked in February 2015 for their annual turnover figures for the 12 months to November 30 2014.

Finally, CMCs are reminded of the Advertising Standards Authority (ASA) Codes of Practice. Companies can be held to account by the ASA for breaches of these codes, and the MoJ can also take enforcement action, which from December 29 will include the power to impose fines, as explained above.

The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article.

02Nov

Crackdown on Nuisance Calls and Texts

Crackdown on nuisance calls proposed

In late October 2014, the Government announced plans to make it easier for the Information Commissioner’s Office (ICO) to punish firms who make nuisance calls.

The data protection watchdog currently has the power to impose fines of up to £500,000 for sending unsolicited texts or making unwanted calls, but can only act if there is evidence that the communications have caused ‘substantial damage or substantial distress’. Under the new plans however, fines can be imposed simply because the communications cause ‘annoyance, inconvenience or anxiety’. Email communications and recorded calls are also included in the plans, which involve amending the Privacy and Electronic Communications (EC Directive) Regulations 2003.

This will bring the law on nuisance calls and texts in line with the current powers given to telecommunications watchdog Ofcom regarding silent phone calls. Ofcom currently has the power to act if these calls cause ‘annoyance, inconvenience or anxiety’.

Ofcom research shows that 84% of households receive at least one nuisance call during a four week period. According to a report in the Daily Mail, 58% of Britons how feel uneasy about answering the phone as a result of the problem. There have also been many reports of companies calling people who are registered with the Telephone Preference Service.

Previously, the ICO has been prevented from taking action against companies because of the need to prove damage or distress. The ICO for example lost an appeal to the First-tier Information Rights Tribunal, brought by the owner of Tetrus Telecoms after his company had originally been fined £300,000 by the ICO. The Tribunal disagreed with the ICO’s claim that the cumulative effect of sending lots of nuisance texts had resulted in ‘damage and distress’.

According to the ICO, had this proposed change been in force between April 1 2012 and November 30 2012, then a further 50 companies could have been subject to enforcement action.

Explaining the rationale behind the proposed change, Culture Secretary Sajid Javid MP said:

“Being called day after day may not be ‘substantially distressing’, but that doesn’t make it acceptable. I want to make it easier for companies to face the consequences of ignoring the law and subjecting us to calls or texts we have said we don’t want.”

Information Commissioner Christopher Graham said: ‘The public clearly want to see a stop to nuisance calls and texts. We welcome this proposed change in the law which will enable the ICO to make more fines stick, sending a clear message to the spammers and scammers that the rules around cold calls and spam texts must be followed.

“The majority of rogue marketing firms make hundreds, rather than thousands, of calls and the nuisance is no less a nuisance for falling short of the ‘substantial’ threshold. This change means we could now target those many companies sending unwanted messages – and we think consumers would see a definite drop off in the total number of spam calls and texts.”

The consultation on the proposals closes on December 7 – replies should be sent to the Department of Culture, Media and Sport at the address in the consultation document, and the plans could become law as early as March 2015.

Financial firms who are regulated by the Financial Conduct Authority are already subject to tighter rules on sending unsolicited marketing communications, but the proposals could have an impact on claims management companies, or on any other company that currently sends unsolicited texts or makes unsolicited calls. The Claims Management Regulator at the Ministry of Justice said in September 2014 that it had warned seven companies over this practice, and was investigating another six companies.

The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article.

11Aug

FCA issues guidance on social media financial promotions

In August 2014, the Financial Conduct Authority (FCA) announced guidance on social media marketing for firms it regulates.

Many firms are understandably keen to use social media for promotional purposes, as so many potential customers now use Facebook, Twitter, LinkedIn, YouTube and the like. However, the message from the FCA’s guidance is clear, in that the limitations of any particular form of social media cannot be used as an excuse for failing to follow the FCA’s financial promotions rules. Throughout the guidance, its rules are described as being ‘media neutral’, so Principle 7 about communications being ‘clear, fair and not misleading’ still apply, as do the detailed promotions rules in the COBS, MCOBS, ICOBS and CONC sourcebooks.

One of the main limitations of social media is that the size and length of messages are often limited, for example Twitter posts are restricted to 140 characters. This means that social media may be inappropriate for conveying detailed or complex information. The FCA says that firms are permitted to add images into their social media posts in order to ensure that all required information is given, but adds that any required risk warnings must appear in the body of the message and not in the image.

Adding a web link to a social media message may also not solve the problem. The FCA says that the message must be compliant with the promotions rules in its own right, regardless of the level of information provided on the signposted webpage.

The requirement for financial promotions to be clearly identifiable as such applies as much to social media as to other communication methods.

Firms are advised that the fact that a customer has chosen to follow a firm on social media, or has indicated their approval of a communication – such as ‘liking’ a Facebook post or ‘favouriting’ a tweet – does not indicate explicit consent to receive unsolicited marketing communications.

Social media promotions are likely to meet the FCA’s definition of a non-real-time promotion rather than a real-time promotion, as the extent of the interaction between the firm and the recipients is limited.

Finally, the guidance mentions two important issues regarding forwarding of social media communications, such as via re-tweeting. Firstly, if a recipient forwards a communication, the firm remains responsible for the compliance of the original communication. Secondly, before forwarding any communication received from a customer, a firm must consider whether it would fall under the financial promotions rules and thus make them responsible for its content.

Firms are thus advised to think carefully before using social media promotions. Is the medium being considered appropriate for the message that needs to be conveyed?

However, firms are reminded that the FCA defines a promotion as: ‘an invitation or inducement to engage in investment activity that is communicated in the course of business’. This means that any communication via social media which does not provide an invitation or an inducement does not need to comply with the FCA’s rules, and firms’ non-business communications via social media are also likely to be excluded.

Clive Adamson, Director of Supervision at the FCA said of the issue:

“The FCA sees positive benefits from using social media but there has to be an element of compliance. Primarily, what firms do on social media must ensure customers are at the heart of their business. Our overall approach is that financial promotions, whether on social media or traditional media, should be fair, clear and not misleading.”