Provident Personal Credit Limited fined £80,000 for sending a million nuisance texts over six month period

The Information Commissioner’s Office (ICO) has concluded investigations into a Bradford-based credit loan company after 285 complaints were made over unwarranted ‘nuisance’ text messages.

Provident Personal Credit Ltd reportedly employed third party vendors to send 999,057 text messages to promote their services. The text messages were unwarranted as the recipients had not agreed to receive such correspondence for marketing purposes.

The rules

Unless an organisation obtains clear and direct consent from a recipient they are, by law, not permitted to “transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail”.

The text messages were sent with the intention of promoting the company’s brand, Satsuma Loans. However, in doing so, Provident breached Data Protection (DPA) and Privacy and Electronic Communications Regulations (PECR).

The ICO’s monetary penalty notice provides that consent must be “freely given, specific and informed indication signifying the individual’s agreement.” This was reportedly not obtained by Provident, and in the ICO’s investigations, the company could not prove they had any evidence of prior consent.

The complaints

The 285 complaints were made over a 6-month period. Individuals received texts like the below:

Provident did not send these texts themselves; they paid a third-party vendor to do it for them, who then instructed their own third party vendors to send some of the texts.

During the six-month period, Money Gap Group Ltd reportedly sent 868,393 of these texts, and Sandhurst Associates Ltd sent the remaining 130,664. The texts promoted Provident’s services and provided a web link to direct them to Provident’s credit loan agreement website.

Breach of the regulations

The ICO concluded their investigations and found that Provident had breached regulation 22 of PECR and were responsible for the 999,057 unsolicited communications. Although the company did not send these texts themselves, the ICO found that Provident paid third parties to send them, with the aim of promoting Provident, and to direct people to its website in order to obtain more customers.

The ICO therefore believes Provident is the sufficient instigator of the unsolicited messages.

As the instigator of these promotional text messages, it’s Provident’s responsibility to obtain consent. The ICO recognises that such consent was never obtained and the company knew, or ought to have reasonably known, that in instructing the third parties to send the mass messages they would be breaching PECR and DPA regulations.

Provident cannot shift responsibility to the third party and must undertake proper due diligence.

£80,000 fine

The £80,000 fine was issued to encourage both Provident and others to comply with PECR regulations in seeking consent before sending out mass electronic correspondence. Methods of direct marketing must not be abused as no-one wants to constantly receive an abundance of adverts and promotions by text or email.

Steve Eckersley, heard of ICO’s enforcement department, thinks the warning is clear:

“The law is clear. You can’t send marketing texts to people who have not signed up to receive them. Being bombarded with texts you didn’t ask for and don’t want is an intrusion into people’s privacy, an irritation and, in the worst cases can be upsetting.”

Eckersley has little tolerance of companies who abuse their position as a data controller by “sending nuisance texts, whether they do it themselves or employ someone else to do it for them.”

HBO files stolen in colossal cyberattack

Two recent infamous data breaches: Yahoo and WannaCry