The Leave.EU campaign and Brexiteer Arron Banks' insurance biz Eldon have been fined a total of £120,000 for dodging direct marketing rules.
In addition to the fines, the ICO will audit the firms' data protection practices, including how they process personal data and what policies and training are in place. The body noted that it is a criminal offence to obstruct such an audit or destroy information covered by it.
Leave.EU and Eldon Insurance – trading as GoSkippy Insurance – have each been fined £60,000, with Leave.EU's being split between two separate incidents.
The smaller of the two Leave.EU fines, £15,000, was doled out after the biz sent 300,000 political marketing messages using Eldon's customer details. This was due to the firms having closely linked systems that didn't properly separate insurance customers from political subscribers.
The larger fine of £45,000 was for a separate incident, in which Eldon sent more than one million emails that offered discounted GoSkippy services to Leave.EU subscribers. That same incident earned Eldon Insurance a £60,000 fine.
Under direct marketing laws (Privacy and Electronic Communications Regulations), companies must have consent from users in order to send such emails.
However, this policy – which was from a different data controller but that the ICO accepted for the purposes of this investigation would have been understood to apply to Leave.EU – did not say who the third parties were, or what type of marketing they might receive.
The ICO said that neither Leave.EU nor GoSkippy had gained the proper consent, noting that it was up to GoSkippy to ensure it had that consent.
It added that GoSkippy had worked "to ensure its own marketing, from which it, not Leave.EU, would benefit, was to be included in the emails" and said the lack of a formal contract did not go in its favour.
Rather, it is "indicative of a more informal, blurred, arrangement, whereby GoSkippy was able to instigate the inclusion of its own marketing material as it wished".
Although the ICO announced the monetary penalties today, it publicly revealed its plans to fine the companies last November – at which point it said both would be penalised £60,000, meaning Leave.EU has had £15,000 knocked off its bill.
However, both firms' representations – which are allowed after the commissioner announces an intention to fine, but before the final penalty is decided – pointed to the fact they had received no complaints relating to the incident.
Neither does the ICO refer to receiving any complaints itself, something that is usually highlighted in enforcement notices.
It is possible that this could be used by the firms to appeal the decision; as data protection consultant Tim Turner pointed out on Twitter, Xerpla – which was fined £75,000 for a similar breach – won its appeal at tribunal.
"Xerpla - it's an ads in emails case and ICO lost it at the Tribunal. It's not identical, but doing this one knowing that they lost that one, especially with no complaints seems oddly political." — Tim Turner (@tim2040), February 1, 2019
Should the firms decide to simply pay up, they will get a 20 per cent discount for paying by 5 March.