How did a trade union fall foul of the marketing rules?
Unite the Union has been fined £45K over its telemarketing practices
The Information Commissioner’s Office (‘ICO’) has issued a fine to Unite the Union for what it describes as a ‘serious contravention’ of the Privacy and Electronic Communications Regulations 2003 (commonly known as ‘PECR’).
This action follows 27 complaints from individuals who had registered with the Telephone Preference Service (TPS) but received calls from Unite regarding life insurance – services provided to Unite members by a third-party insurer.
Unite believed these calls did not fall within the scope of the direct marketing rules.
What is the Telephone Preference Service?
The Telephone Preference Service (TPS) is the UK’s official ‘Do Not Call’ register for landlines and mobile telephone numbers. It allows individuals and businesses to opt out of receiving unsolicited live sales and marketing calls.
There is also a register for businesses telephone numbers, called the Corporate Telephone Preference Service (CTPS).
What does PECR require?
Regulation 21 of PECR requires a business to have gained prior consent before making unsolicited telemarketing calls promoting a product or service to phone numbers registered with the Telephone Preference Service Ltd (TPS).
Therefore any telemarketing calls to TPS registered numbers without valid consent will contravene PECR requirements.
The ICO’s findings
The ICO asked Unite to provide evidence of consent for these marketing calls. But Unite argued these were not marketing calls and were to let members know about services and benefits they were entitled too.
In their view the calls were made in accordance with their internal ‘Rule Book’. This required Unite to “notify members of the services and benefits that fall within their union membership and any changes to those terms.”
The ICO rejected this and found Unite had contravened PECR on the basis that Unite’s own rules cannot override the statutory protection provided under PECR.
In conclusion, the ICO found that in the 12 months to 11th March 2020, Unite had used a public telecommunications service to make 57,665 unsolicited telemarketing calls to people whose telephone number was registered on TPS.
Whilst individuals were told how to opt-out, they were not provided with the option to give opt-in consent to specific means of communication (such as telemarketing calls) relating to specific types of services or benefits. The ICO also noted the insurance services promoted in the calls were provided by a third-party insurer.
The ICO found that the consent Unite relied on was insufficient, as it provided broad information to data subjects, rather than the specific detail required under Regulation 21 of PECR. They highlighted multiple violations of under Regulation 21 over the 12-month period, which resulted in 27 complaints.
The ICO took the view Unite had not deliberately set out to contravene PECR. However the ICO’s enforcement notice states Unite was ‘negligent’ and failed to take reasonable steps to prevent the contravention.
The ICO also concluded Unite had access to sufficient financial resources to pay the fine without causing undue financial hardship and that it’s findings were not affected by the current COVID-19 pandemic.
What can we learn from this?
Controllers who conduct telemarketing either in-house or via a third party service provider (like Unite did) should remember that consent is required for any calls made to numbers registered on the TPS.
I would add that consent may not necessarily be required for telemarketing calls to individuals who have NOT registered for TPS or CTPS. Legitimate Interests may be used as an alternative lawful basis, provided the relevant conditions can be met. DPN would advise controllers who wish to consider this lawful basis to conduct a Legitimate Interest Assessment (LIA).
Membership organisations should recognise that they cannot override the requirements under PECR (or any other data protection law, for that matter) by adopting membership rules which are in conflict the protections the law provides to individuals.
Like any marketing activity involving personal data, care is required to make sure the relevant legal obligations and requirements are satisfied.
If you would like help to ensure your marketing is compliance, please Contact Us.