UK data watchdog fines 'pandemic partner' biz £8k: It sent 84,000 marketing emails to people who'd given info for track and trace

The UK's data watchdog has fined a company £8,000 for sending 84,000 direct marketing emails without consent to people who had provided their personal data for contact tracing purposes.

The Reg readership will have no problem in calculating this in their heads but for anyone feeling a bit slow today, that's just over 9.5 pence charged by the Information Commissioner's Office (ICO) for each email that reached its target.

The ICO hit Tested.me Ltd (TML) of St Albans with the penalty under section 55A of the Data Protection Act 1998, for a serious contravention of the Privacy and Electronic Communications Regulations (PECR) 2003. The maximum fine under the legislation is £500,000.

Incorporated in June 2020 according to Companies House (reg: 12699464), TML provides digital "track-and-trace" services to other businesses, issuing individuals with a QR code that they then scan on arrival at a business premises, thereby providing their contact-tracing details. It markets itself as a "your digital partner in the pandemic"

The business came to the attention of the ICO in November last year when a member of the public complained of an email sent by TML concerning a digital health passport. The mail thanked the individual for scanning into a business using TML's QR code and promoted a related app. The person who received the email said they had not provided consent to be sent it.

"The commissioner asked this complainant to provide further details of any complaint that they had made to TML directly. This correspondence revealed that the individual would have signed up to marketing communications on the online 'Visitor Registration Form' into which they entered their track-and-trace details."

The consent wording was: "Tick here if you agree for this venue, its alliance and tested.me to send you marketing materials in future. To comply with Government Guidance during the COVID-19 pandemic, we are collecting your name and contact details. We will store these for 21 days only before deleting them in line with GDPR regulations. Your details will not be shared with any other company or organisation."

There was no link to a privacy notice and no further information was provided, the ICO said. "The only indication an individual had as to who operated the page was a small 'tested.me' logo at the bottom of it."

Consent obtained on this basis was inadequate, said the ICO and it sent a bunch of questions to the company in November last year.

TML had sent four different emails to customers, and having scanned the contents of those the ICO decided two did not contravene PECR.

Consent was not freely given: ICO

The company claimed it had faced technical difficulties because some that opted out of receiving marketing comms had then filled out the Visitor Registration Form for a second time and ticked the marketing consent box. And TML added that it had misunderstood requests from people to no longer receive marketing comms as requests to delete personal data.

Consent provided by individuals who had filled in the Visitor Registration Form was invalid because "inadequate information was provided about the identity of TML and the venue in question's 'alliance'. Beyond a small texted.m logo at the bottom of the Visitor Registration Form, no information was provided about who TML is and what activities it engages in. It is also unclear which specific entities are part of a venue's alliance," the ICO ruled.

The watchdog said consent was not informed as the Visitor Registration Form contained no link to TML's privacy notice; consent was not freely given or specific as it was insufficiently granular; and the Visitor Registration Form made only references to marketing materials rather than permitting individuals to consent to marketing comms.

The ICO said it did not believe TML deliberately intended to break PECR rules but should have been aware of its responsibilities and should have taken reasonable steps to avoid the contravention.

"Taking into account all of the above, the Commissioner has decided that a penalty in the sum of £8,000 is reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty," the ICO concluded. ®