Four Advertising Standards Authority complaints had been upheld against Easylife in 2020, and the ICO and Telephone Preference Service (TPS) had also received a number of complaints about Easylife’s marketing calls, putting the company well and truly on the regulator’s radar.
Although Easylife offered undertakings to the ICO to stop the profiling, implement new systems, update its consent wording and start screening against the TPS at the conclusion of the investigation, the ICO went ahead with the fine and also issued an enforcement notice preventing Easylife from making unsolicited marketing calls to individuals registered with the TPS. The ICO was concerned about Easylife’s reactive approach to compliance, in which it was only prepared to make changes to its practices when changes were required by a regulator.
Breaches of UK GDPR
Easylife was found to have breached the requirement in Art 5(1)(a) UK GDPR to process personal data lawfully, fairly and in a transparent manner, by failing to comply with the transparency requirements in Art 13(1)(c) UK GDPR and with Art 9 GDPR, which prohibits the processing of special category data unless certain conditions are met. Easylife was fined £1,350,000 for these contraventions.
When an individual purchased one of 122 ‘trigger products’, Easylife would infer that the individual suffered from certain health conditions. Its third-party processor would then make marketing calls to try to sell them health supplements which were alleged to help with the inferred conditions. For example, if an individual bought a jar opener, Easylife would infer they had arthritis, and a call would be made to the individual to sell them glucosamine supplements. The ICO concluded that Easylife had profiled 145,400 individuals based on special category data. The processing was invisible to the individuals concerned, who were not informed in the privacy notice or elsewhere that profiling was taking place.
The ICO also discovered that Easylife had not met other requirements of the GDPR, namely completing an appropriate Legitimate Interest Assessment and a Data Impact Assessment.
The ICO’s monetary penalty notice on UK GDPR can be read in full here.
Easylife was fined £130,000 for making marketing calls to individuals registered with the TPS. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) prohibit marketing calls to a number registered with the TPS unless the individual has informed the organisation making the call that they do not object. The ICO concluded that Easylife had made over 1.3 million such calls in contravention of PECR. Easylife had not collected notifications from TPS-registered individuals that they were willing to receive marketing calls and did not screen its marketing lists against the TPS before making calls.
When reaching its decision, the ICO considered the adverse effect of Easylife’s calls on vulnerable individuals, who were often elderly. Some individuals were bombarded with aggressive marketing calls; others were pressured to subscribe to products that they had no use for and did not understand. They needed the help of family and friends to cancel their unwanted subscriptions.
The ICO’s monetary penalty notice on marketing calls can be read in full here.
The ICO’s enforcement notice can be read in full here.