A new law came into force on the 17th December 2018 which enables the Information Commissioner’s Office to hold company directors personally liable for nuisance calls made by their businesses, following a government consultation earlier this year.
The new Privacy and Electronic Communications (Amendment) Regulations give the ICO the power to fine company directors up to £500,000 for breaches of the Privacy and Electronic Communications Regulations. The ICO can fine the company, its directors, or both. The updated law also allows the ICO to hold individual directors to account in the event that a company fails to pay any fine imposed by the ICO under the Regulations or is placed into liquidation, and where the individual is no longer in a senior position, for example through resignation.
What are the Privacy and Electronic Communications Regulations?
There has been no getting away from the General Data Protection Regulation (GDPR) in the last few months, but it is important that businesses do not forget that they also need to comply with the Privacy and Electronic Communications Regulations (PECR), which sit alongside GDPR and the UK Data Protection Act.
Amongst other things, the Privacy and Electronic Communications (EC Directive) Regulations 2003 contain restrictions on the ability of businesses to make unsolicited marketing calls, emails, texts and faxes, even if this is to other businesses. Many businesses wrongly believe that if they are not contacting individuals and are only doing business-to-business (B2B) marketing then they don’t need to worry, but this is not the case. The rules also apply even if you cannot identify the person you are contacting. For example, did you know that it is against the law to make marketing calls to numbers that have been registered with the Telephone Preference Service (TPS) or the Corporate TPS (CTPS) without consent?
This is a complex area of law and this article cannot cover all the provisions under the Regulations in detail but it is important to flag that if you carry out these types of marketing activities then you need to familiarize yourself with the Regulations and your obligations under them.
What if I buy marketing lists?
If you buy marketing lists from third parties you still need to be very careful not to fall foul of the Regulations – the fact that you purchased the list from a third party will not exonerate you from your obligations under the Regulations, as the recent enforcement action from the ICO shows (see below “What if I get it wrong?”).
You should screen lists against the CTPS, TPS and your own ‘do-not-call’ list of people who have previously objected to or opted out of your calls. The ICO guidance also indicates that you can only use marketing lists if all the people on the list specifically consented to receive that type of message from you and that generic consent covering any third-party will not be enough.
But what about GDPR?
GDPR does not replace PECR and sits alongside it, although it has changed the underlying definition of consent. The existing PECR rules continue to apply, but the new higher GDPR standard of consent should be used.
This means that if you send electronic marketing or use cookies or similar technologies you must comply with both PECR and the GDPR.
What if I get it wrong?
In the last few months the ICO has taken enforcement action against several businesses under the PECR in relation to nuisance calls. Most recently, in October, a company called Secure Home Systems (SHS) was fined £80,000 for making calls to numbers registered with the TPS using call lists bought from third parties without screening them to check whether the names were on the TPS list. The ICO is ramping up its enforcement in this area and the ability to hold directors personally liable is an interesting development.
This is a complex area of law and we would advise those who may be affected to seek specialist legal advice to ensure they are fully aware of their obligations under the Regulations.