The ICO fined Grove £40,000, which was reduced to £32,000 for prompt payment. The fine was because they said we had sent marketing emails without the correct consent from the consumer.
We had received professional advice that our consent was acceptable.
We felt the ICO’s judgement was harsh and did not agree with it. However, the ICO gave us the impression that a successful appeal was unlikely. Couple this with the discount for prompt payment and the potential substantial legal costs of making an appeal, and we felt a quick settlement was the most pragmatic approach.
Here is part of a statement Grove released at the time:
We’ve always managed to keep abreast of the regulations and requirements of the FCA, and this approach has been mirrored with other regulations relating to our business, which is why it’s such a shame and a surprise that we’ve fallen foul of the ICO. Upon checking the ICO website and looking at their Enforcement Action over the last year, though, it’s clear to see that there are a high number of reputable companies which are receiving enforcement action and fines at the moment, including:
Crown Prosecution Service, Royal Mail, Royal Bank of Scotland, Metropolitan Police, British Telecom, Vote Leave, Uber, Heathrow Airport, Bupa, London Borough of Lewisham, Independent Enquiry into Child Sexual Abuse, Yahoo, and many, many more.
So, whilst this has nothing to do with the advice we give or our compliance with the FCA, here are some details as to what and why this has happened.
The action taken by the ICO has arisen as a result of advice we received in relation to an email marketing campaign we conducted between October 2016 and October 2017. Grove employed the services of a marketing company to send out emails promoting our service, to individuals aged 55-64, who had opted in to receive third party marketing via email. The companies we used were all registered with the ICO.
Before we conducted this activity, we paid for specific professional advice to check it was compliant, as we usually do prior to any process we undertake across all regulated elements of our business.
The advice was provided by a recognised data protection firm with close links to the Direct Marketing Association – this advice was provided to us in writing, confirming the email campaign was compliant, and what due diligence we should undertake to check specific suppliers.
We subsequently had this advice checked by a separate lawyer, who instructed us regarding the additional contractual obligations we should put in place for email marketing.
The specific advice we received was that the campaigns were compliant, on the basis that the email providers had gained a positive opt-in (by ticking a box) from the data subjects (consumers) and that they consented to receive marketing from third parties. An additional condition was that we did not receive the data, instead ensuring that the emails were sent directly from the list owner to whom they had opted in.
We provided the ICO with this information as part of our due diligence submission, along with a copy of the written advice we had received from the compliance firm. It was not disputed by the ICO that we had followed the process outlined in the advice, or that the recipients had opted in to receive marketing via emails from third parties.
The ICO’s findings and decision to fine were on the basis that the advice we received was wrong, on a technical point relating to opt-in. Specifically, that we should have gained a specific opt-in to Grove, rather than to third party marketing. Whilst we are extremely disappointed, we have made the decision to accept their findings and have paid the fine.
In the judgement, the ICO have confirmed that certain mitigating factors have allowed the commission to impose a lower fine than usual:
- The commission have accepted that Grove engaged in extensive consultation, with a recognised data protection consultancy, demonstrating a generally positive and pro-active approach to data protection.
- There is no evidence to suggest that Grove has engaged in unlawful direct marketing beyond the period set out in this notice.
- Only 2 complaints were received.
- Grove have co-operated fully with the investigation throughout.
The theme of the ICO judgement is that we have received misleading advice (they have acknowledged this in the statement on their website), but that ultimately it is our responsibility.
Where we do disagree with their statement is that they have said that if we had called them up, we could have checked the user journey with them, and we would have avoided the fine. Our experience has not been as they suggest, and we have sought help from them in the past, with limited success. Trade bodies are not proactive with specific advice, so it is unlikely we would have received anything that we could have later relied on. We also had legal advice saying that the ICO’s guidelines did not make this sufficiently clear.
What have we done to prevent this happening in the future?
We have conducted extensive research to ensure we get the right legal advice moving forward, and this has resulted in us engaging the services of a leading data protection barrister. He has acted both for and against the ICO in high profile cases, and has extensive knowledge and experience in data protection issues arising in the context of criminal and investigative proceedings.
He has carried out an exhaustive audit of our marketing channels, and has confirmed, in writing, that what he has seen is compliant – advice that he will stand by. As a result of this audit, we are now confident that this issue will not arise again.