The government's website provides guidance for landlords on changes contained in the Renters'...
The Information Commissioner’s Office (ICO) has fined a self-employed lead generator £200,000 for sending hundreds of thousands of unsolicited marketing text messages, in breach of UK privacy and electronic communications law.
The enforcement action serves as a strong warning to marketers, data brokers and businesses that use third-party data for direct marketing without ensuring valid consent.
Background to the ICO Investigation
The lead generator had previously been investigated by the ICO in 2014 and 2018 in relation to unsolicited text messages promoting accident claims. Despite this history, the ICO found that between December 2023 and July 2024 he had:
- transmitted or instigated the transmission of 966,449 unsolicited text messages;
- promoted debt reduction schemes and energy-saving grants; and
- generated 19,138 complaints from recipients.
The ICO concluded that the messages constituted unlawful direct marketing, contrary to Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
Lack of Consent and Use of Third-Party Data
The investigation revealed that the lead generator had sourced personal data from third parties and made no meaningful effort to ensure that:
- the data was accurate or up to date; or
- individuals had given valid consent to receive marketing text messages.
There was no evidence that the recipients had consented to the marketing. The ICO found that the lead generator had knowingly and deliberately used data without valid consent.
Concealment of Sender Identity
In addition to breaching Regulation 22, the ICO found that the lead generator had contravened Regulation 23 of PECR by taking steps to conceal his identity as the sender of the messages.
This was treated as a serious aggravating factor.
Serious and Deliberate Breach
The ICO described the contraventions as both serious and deliberate, noting that:
- the confirmed 966,449 messages were likely to represent only a fraction of the total volume sent;
- the lead generator had worked in direct marketing since 2010;
- he had been aware of the ICO and PECR requirements for over a decade; and
- he had shown a blatant disregard for regulatory compliance.
The ICO also highlighted the potential harm to vulnerable individuals, particularly those targeted with debt-related marketing.
Taking all factors into account, the ICO concluded that a £200,000 monetary penalty was reasonable, proportionate and justified.
Q&A: Unsolicited Marketing and PECR Explained
What is PECR?
The Privacy and Electronic Communications Regulations govern electronic marketing, including calls, emails and text messages. They sit alongside UK GDPR and impose specific consent requirements.
When can businesses send marketing text messages?
Generally, marketing texts can only be sent where the recipient has given clear, prior consent, unless a very limited “soft opt-in” applies.
Is using third-party data lawful?
Only if valid consent has been obtained for the specific type of marketing. Businesses remain responsible for compliance even when data is sourced from others.
What are the risks of non-compliance?
Penalties can include substantial ICO fines, reputational damage, enforcement notices and potential civil claims.
Does concealment of sender identity increase penalties?
Yes. Deliberately hiding the sender’s identity is a separate breach and is treated as an aggravating factor by the ICO.