The ICO has fined Join the Triboo Limited (Triboo) £130,000 for sending 107 million spam emails to 437,324 people between August 2019 and August 2020. Triboo's conduct breached the Privacy and Electronic Communications Regulations 2003 (PECR) because the marketing consent obtained was not specific and recipients were not informed of the type of marketing they would receive or from whom it was sent.
This fine is particularly notable as no individuals have complained to the ICO about Triboo’s conduct, signalling the ICO’s increasingly tough stance on compliance with PECR.
background
Triboo operates job search websites such as “uk.job-search.online”, “uk.jobinaclick.net”, “uk.jobs4you.website” and “findajob.website”. It is through these websites that Triboo obtained contact information for the email campaigns.
When accessing the registration page, users were given the opportunity to opt-in via a checkbox to (a) receive marketing communications and (b) share their data with third parties, such as Triboo's “Partners.” In some cases, the list of “Partners” was published in Triboo's privacy notice linked to the registration form.
During the one-year period, 459,562 people registered on the website and 253,774 people opted in to receive marketing communications. Triboo sent 108,769,000 emails during this period, of which approximately 107 million were successfully delivered. Triboo also managed 40 email marketing campaigns for third-party partners. In total, these emails reached 437,324 individuals, with an average of 244 emails sent per person during the period.
law
Regulation 22 of the PECR states that businesses must not send unsolicited email marketing to individual subscribers unless:
- You have consented to receiving such emails; or
- They are existing customers who have previously purchased or enquired about a similar product or service from the sender, and they are given a simple opt-out option during the initial data collection and in all subsequent messages (also known as a “soft opt-in”).
Senders must not hide or conceal their identity and must provide a valid contact address to allow individuals to opt-out or unsubscribe.
Violations
The Commissioner acknowledged that no complaints had been identified in relation to email marketing, but said this was not surprising given that this activity was often carried out via third parties and Triboo's involvement was not apparent. Triboo's marketing activities came to the ICO's attention during an investigation into third parties that bought data from Triboo.
The ICO found that the consent obtained by Triboo was not “specific” or “informed” to (a) the type of marketing communications to receive, or (b) the organisations sending it. For example, the consent language on one site simply said “I consent to marketing activities”, while another mentioned receiving emails from “certain companies” or “partners”, but did not specify who these third parties were. This information should have been clearly communicated and not hidden behind privacy notices or small print.
The Commissioner concluded that the breaches were serious enough to merit financial penalties. The Commissioner noted that Triboo knew or should have known about the compliance risks because it has published detailed guidelines, the issue of unsolicited marketing has been widely reported in the media and Triboo is an experienced host marketing and data supplier that has been operating for over 10 years.
Conclusion and Similar Cases
Tribu's fine mirrors the ICO's decision in January to fine HelloFresh £140,000 for sending 79 million emails and 1 million SMS texts over a seven-month period. In that case, the opt-in consent statement was deemed not specific and sufficiently informed; it was found to have unfairly incentivized customers to consent to receiving marketing because it did not mention marketing by SMS text and asked for consent to email marketing in an age verification statement. Customers were also not informed that their data would be used for marketing for up to 24 months after they canceled their subscriptions.
These cases demonstrate the ICO's focus on the requirement that consent be specific and informed, and organizations are encouraged to ensure their consent wording complies. Consent is not valid if an individual is asked to consent to receiving marketing from or on behalf of unspecified organizations. Individuals must also be given an informed choice about the type of marketing they receive.
We would like to thank Matthew Konadu-Yiadom, a current trainee on the team, for helping prepare this briefing.
This publication is a general overview of the law and is not a substitute for legal advice tailored to your specific circumstances.
© Farrer & Co LLP, July 2024
About the Author
David Morgan
