AFK Letters, a company that writes letters on behalf of customers seeking compensation or refunds for products and services, has been fined £90,000 by the ICO following an investigation which found they had made over 95,000 marketing calls without being able to demonstrate consent from the individuals contacted.
Over a 9-month period, AFK Letters used data which it had collected through its website and a third-party telephone survey company to make 92,277 marketing calls to individuals, even though they were unable to demonstrate either valid or specific consent. This came after multiple complaints from individuals who claimed that even though they had not consented to this marketing activity, they had still been contacted.
When challenged by the ICO on this, AFK Letters claimed that they were unable to provide evidence that consent had been given as they had deleted all customer data after three months. When challenged further, they were also unable to provide evidence of consent for several calls made in the previous 3 months.
In addition to this, it was found that AFK Letters’ third-party data supplier was utilising consent statements that didn’t explicitly name AFK Letters when asking for consent to be contacted over the phone. To make matters worse, AFK Letters’ own privacy policy had no mention of contact over the phone, only by email.
This is a clear breach of Regulation 21 of the Privacy and Electronic Communications Regulations (PECR), which states that organisations must have clear and explicit consent from the data subject before making unsolicited marketing calls.
Following the investigation, ICO Interim Director of Enforcement and Investigations Andy Curry said that this enforcement action “should serve as a clear warning to and learning for other organisations: if you cannot demonstrate valid consent for people on the Telephone Preference Service, you should not be contacting people. If people are being asked for consent to be contacted, it should be absolutely clear what this is for.”
What can be learnt from this:
Incidents like this are very commonplace, with many organisations failing to take the necessary steps to ensure that their marketing activities are lawful. Below are a few things you can do to make sure that the marketing activities your business conducts are lawful:
- Make sure that you have obtained valid, explicit consent: Consent must be freely given by the data subject and there should be no ambiguity about the purpose of the activity. One of AFK Letters’ most significant failings was that it was not clearly named when its third-party supplier requested consent. It’s also important to have measures and procedures in place for when consent is withdrawn.
- Maintain accurate and up-to-date consent records: Keeping detailed records of when, how and from whom consent was obtained is good practice that will help ensure that no unlawful activities take place. These records should contain the date the consent was obtained, how the consent was obtained and the consent wording shown to the individual. You should keep this data for as long as it is relevant for the marketing purpose.
- Check the Telephone Preference Service (TPS): The TPS is a “Do not call” register for phone numbers that allows businesses to opt out of unsolicited live sales and marketing calls. Before making any calls, screen all numbers against the TPS register and do not call these numbers unless valid consent has been given.
- Conduct a risk assessment before going ahead with marketing activity: Before launching a marketing campaign, it’s very likely that you need to conduct a Data Protection Impact Assessment and/or a Legitimate Interest Assessment to ensure that your marketing activity is lawful and any risks have been identified, assessed and mitigated.
- Implement internal awareness schemes and staff training: Training relevant staff on PECR requirements and keeping them up to date on marketing activities and processes will help keep activities lawful. It’s important for staff to understand the processes for keeping consent records and for suppressing contact details when consent is withdrawn.