ICO fines spam text firm for data protection breach

A tax advisory company has been fined £200,000 after sending out millions of unsolicited marketing text messages.

Tax Returned Limited, based in London, sent 14.8 million marketing text messages without valid consent through a third party service between July 2016 and October 2017, an investigation found.

The Information Commissioner’s Office (ICO) said the spam texts caused over 2,100 people to complain about the firm.

It said Tax Returned should have taken reasonable steps to make sure the data they obtained complied with the Privacy and Electronic Communications Regulation (PECR). This means getting specific, prior consent from recipients of the text messages.

Although some of the consents were received through generic third party consent forms, ICO found that the wording of the policies was “not clear enough” and that Tax Returned “was not listed on most of those privacy policies”.

Tax Returned was fined some £200,000 and served with an enforcement notice, ordering the firm to stop its illegal marketing activity.

Commenting on the investigation, Steve Eckersley, ICO’s Director of Investigations, said: “Firms using third party marketing services need to double-check whether they have valid consent from people to send promotional text messages to them. Generic third party consent is also not enough and companies will be fined if they break the law.”

As the dates of the breach fell before 25 May 2018, Tax Returned was not subject to stricter penalties under the General Data Protection Regulation (GDPR).

Under GDPR, all organisations must document both a lawful basis for processing personal data and also a condition for processing special categories of data.