The Information Commissioner's Office (ICO) has issued a fine of £130,000 to recruitment firm Join The Triboo Limited.
In a press release issued on 14 April 2023, the ICO stated that the recruitment firm sent over 107 million spam emails to 437,324 people between August 2019 and August 2020 – meaning each individual would have received an average of 244 emails from the company during that year alone.
Join The Triboo Limited had not obtained the individuals’ consent before sending these emails.
It is illegal to send direct marketing to anyone without their consent, as stipulated in the Privacy and Electronic Communications Regulations 2003.
Senior data protection and privacy expert, Becky White, says:
This decision highlights the importance that the ICO places on ensuring that where an organisation is relying on ‘consent’ as a lawful basis to send direct marketing messages, consent statements must meet the requirements of GDPR and PECR i.e., they must be freely given, specific, informed and contain an unambiguous indication from the individual via an affirmative action.
The ICO also clarified that organisations should always use clear and intelligible language to explain to individuals what they are consenting to, and consent will also not be valid where individuals are asked to agree to receive marketing from broad, generalized categories of third parties. Organisations should therefore take this opportunity to review what mechanisms they are relying on to gather personal data from individuals for direct marketing purposes or risk the wrath of the ICO.
It is also interesting to note that in this case the organisation in question engaged the services of a law firm to carry out a privacy assessment after the investigation concluded, but in this instance the follow-up remediation was not far-reaching enough to be considered a ‘mitigating feature’ by the ICO. In theory, however, this suggests that the ICO is open to incentivizing organisations to take steps to remedy compliance failures at any time prior to the levying of the monetary penalty notice.
If you have been contacted by the Information Commissioner's Office, it could be worth considering carrying out your own legally privileged audit of your data protection practices with our Data Protection Health Check, a quick and easy way to address your GDPR compliance needs. You can also contact one of our Data Protection Solicitors, who are ready and waiting to support your business.