• by Ray Schultz , October 11, 2017

Two UK firms were fined thousands of pounds by the Information Commissioner’s Office (ICO) for allegedly spamming consumers.  

Vanquis Bank Limited, a Bradford-based bank, was fined £75,000, and given a legal notice ordering it to comply with the law. The bank sent 870,849 spam text messages and 620,000 spam emails to promote its credit cards without the consent of the customers, the ICO charges.

In a separate case, the London-based ad and web development agency Xerpla was fined £50,000. The firm sent nearly 1.26 million spam emails on behalf of other firms, for products such as dog food, wine, competitions and boilers, according to the ICO.

The fines seem modest compared to the liabilities specified for violations of the General Data Protection Regulation (GDPR), which takes effect next May and will apply in the UK despite  the UK’s decision to leave the EU. But there are other consequences.

Shares in Vanquis Bank’s parent, Provident Financial, fell by 8% following the announcement, according to City A.M.

Provident Personal Credit Limited, a related firm, was fined for spam texts earlier this year, the ICO continues.

Both of the new spam cases were generated by reports from consumers. 

“People were so exasperated by these messages that they complained to us,” states Steve Eckersley, head of enforcement for the ICO. “That sparked two ICO investigations and enabled us to take action and hold the firms behind this nuisance to account.”

For these campaigns, Vanquis Bank obtained marketing lists from other organizations, and relied on “indirect consent,” instead of verifying permission itself, the ICO contends. 

The bank used non-specific wording such as “trusted parties,” and “carefully selected third parties,” the ICO continues.

Vanquis Bank is no longer working with the third parties, according to Provident Financial. 

Xerpla sent spam emails to people who had subscribed to two websites run by the firm -- www.yousave.co.uk and www.headsyouwin.co.uk. The firm used a generic statement in its privacy policy to say that data would be shared with other firms.

In general, European privacy regulations are tougher than those in the U.S. However, American companies may draw insights from these cases on how to describe permission-based lists and sharing of data with third parties.

“People need to be properly informed about what they are consenting to,” Eckersley says. “Telling them their details could be passed to ‘similar organisations’ or ‘selected third parties’ cannot be relied upon as specific consent.”

Eckersley continues that the rules protect people “from the irritation, and in some cases anxiety and distress spam texts and emails cause.” 

According to City A.M., Provident Financial issued this statement:

“The contravention involved sending SMS text messages and emails to customers advertising the company’s product between April 2015 and September 2016 without the necessary permission to do so. Vanquis Bank is sorry for any irritation this has caused to the individuals concerned.”

The statement continues: “Although ICO found that Vanquis Bank did not deliberately contravene the regulation, Vanquis Bank takes this contravention extremely seriously. The Bank has reviewed its marketing processes and put in place steps to ensure that contraventions of this nature do not occur again, including no longer working with the third parties concerned.”