£120,000 ICO fine allegedly based on inaccurate information

ICO logo

A Payment Protection Insurance (PPI) compensation company based in Manchester has been fined 120,000 by the ICO for sending more than four million unsolicited direct marketing text messages, but the company claimes the watchdog's report was based on inaccuracies.

The ICO's enforcement notice claims Hall and Hanley used a third-party company to send 4,883,167 text messages between 1 January 2018 and 26 June 2018.

The total amount of messages actually received was 3,560,211 and these were enough to spark well-over a thousand complaints issued to the data protection watchdog.

One complaint read: "I have not given this company any of my personal information. I have never had any contact with this company. Receiving text messages like this is very concerning as I don't know what other information they have on me, or where they got this information".

The text message recipients' data that was used by the third-party direct marketing distributor was taken from four websites: getyaoffers.co.uk, petesdeals.co.uk, prizereactor.co.uk, and myloanoffers.co.uk.

The ICO then reviewed the privacy policies of these websites to determine whether Hall and Hanley was listed as a third-party recipient of the sites' user details - this is where the disagreement lies.

The ICO claims that out of the four companies, Hall and Hanley was named as a third party in just two of the privacy policies and in those, subscribers had no option to select which third-party received their details.

"It does not appear that potential subscribers were provided with an option to select which of the many listed third parties they may wish to receive marketing about, or the method by which they would wish to receive any marketing," read the ICO enforcement notice. "It also appears to be the case that consent to third-party marketing was a necessary condition of subscribing to the services offered by these sites."

Since issuing the report, Hall and Hanley has told IT Pro that the aforementioned information in the enforcement notice is incorrect and that the company was in fact, listed in all four policies but later removed because of changes made to the websites' policies following GDPR's implementation.

"We have provided the ICO evidence of this, and also a letter personally written from the owners of the other 2 websites proving this," said Peter Carpenter, compliance at Hall and Hanley. "They have completely ignored our representations and facts on these matters."

Carpenter added: "We are appealing this and are confident this will be overturned."

After contacting the ICO about the claims made by Hall and Hanley, questioning the alleged inaccuracies in the enforcement notice, IT Pro was issued with a response that glossed over the question and re-iterated the sections of the enforcement notice that have been questioned by the PPI compensation company.

We have since pressed the ICO for a more succinct response in relation to the claims made by Hall and Hanley, but declined to comment further.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.