£200,000 fine for data breach

The ICO’s investigation found that, between July 2016 and October 2017, the company broke the law by sending 14.8 million marketing text messages without valid consent through a third party service provider.

As the instigator of the campaign, Tax Returned should have taken reasonable steps to make sure the data they obtained complied with the Privacy and Electronic Communications Regulation (PECR), which includes getting specific, prior consent from people receiving the messages.

The firm also claimed that some of the consents were received through generic third party consent found on privacy policies of certain websites.

However, the ICO found that the wording of the policies was not clear enough and that neither Tax Returned nor the third party service provider were listed on most of those privacy policies.

The ICO has also served an enforcement notice on Tax Returned, ordering the firm to stop its illegal marketing activity.

ICO director of investigations Steve Eckersley said: “Spam texts are a real nuisance to people across the country and this firm’s failure to follow the rules drove over 2,100 people to complain.

“Firms using third party marketing services need to double-check whether they have valid consent from people to send promotional text messages to them. Generic third party consent is also not enough and companies will be fined if they break the law.”