Skip to content

Join the Triboo: PECR fine sheds light on the consent requirement for marketing communications

Insight

blue abstract marble

The ICO has fined Join the Triboo Limited (Triboo) £130,000 for sending 107 million spam emails to 437,324 individuals between August 2019 and August 2020. Triboo’s actions violated the Privacy and Electronic Communications Regulations 2003 (PECR) as the marketing consent obtained was not specific or informed as to the type of marketing the recipient would receive or from whom it would be sent.

This monetary penalty is particularly noteworthy as no individual ever complained to the ICO about Triboo’s actions, indicating that the ICO is taking an increasingly hard line on PECR compliance.

Background

Triboo operates job search websites including “uk.job-search.online,” “uk.jobinaclick.net,” “uk.jobs4you.website,” and “findajob.website”. Triboo sourced contact details for their email campaigns through these websites.

Upon landing on the registration page, users were given the opportunity to opt-in via a checkbox to: (a) receive marketing communications, and (b) for their data to be shared with third parties, such as Triboo’s “partners”. In some cases a list of “partners” was made available in Triboo’s privacy notice which was linked on the registration form.

During the one year period, 459,562 people registered on the websites, with 253,774 opting in to receive marketing communications. Triboo sent 108,769,000 emails during this time, of which about 107 million were successfully delivered. Triboo also managed 40 email marketing campaigns for third-party partners. In total these emails reached 437,324 unique individuals, averaging 244 emails per person during the period.

The law

PECR Regulation 22 states that businesses must not send unsolicited electronic mail marketing to individual subscribers, unless:

  • they have consented to receiving such electronic mail; or
  • they are an existing customer who previously purchased or enquired about a similar product or service from the sender, and it has provided them with a straightforward opt-out option during initial data collection and in every subsequent message (also known as the “soft opt-in”).

The sender must not mask or conceal its identity, and it must provide a valid contact address so individuals can opt-out or unsubscribe.

Contravention

The Commissioner acknowledged that no complaints were identified in relation to the email marketing, but was unsurprised by this given that the activity was often conducted via a third party and Triboo’s involvement would not have been apparent. Triboo’s marketing activities came to the attention of the ICO during an investigation into a third party which had purchased data from Triboo.

The ICO found that the consent obtained by Triboo was not “specific” or “informed” to: (a) the type of marketing communication to be received, or (b) the organisation that would be sending it. For example, the consent wording on one site simply stated “I agree with Marketing Activity” while another statement mentioned receiving emails from “selected companies” or “partners” but did not identify who these third parties were. This information must be communicated clearly and not hidden away in a privacy notice or small print.

The Commissioner concluded that the breach was serious enough to warrant a monetary penalty. It noted that Triboo knew or ought to have known of the compliance risk because the Commissioner had published detailed guidance, the problem of unsolicited marketing had been widely publicised by the media, and Triboo was an experienced host marketer and data supplier which had been operating in excess of 10 years.

Conclusion and similar cases

Triboo’s fine echoes the ICO’s decision in January to fine HelloFresh £140,000 for sending 79 million emails and 1 million SMS texts over seven months. In this case the opt-in consent statement was judged not to be specific and informed as it did not mention marketing via SMS text and requested consent for email marketing in an age confirmation statement which was held to have unfairly incentivised customers to agree to receive marketing. Customers were also not informed their data would be used for marketing for up to 24 months after cancelling their subscription.

These cases demonstrate that the ICO is focusing on the requirements for consent to be specific and informed, and organisations are encouraged to review their consent wording to ensure it is compliant. Consent will not be valid if individuals are asked to agree to receive marketing from or on behalf of unspecified organisations. Individuals must also be given an informed choice as to what type of marketing they will receive.

With thanks to Matthew Konadu-Yiadom, current trainee in the team, for their help in preparing this briefing.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, July 2024

Want to know more?

Contact us

About the authors

David headshot

David Morgan

Senior Associate

David provides clear, practical advice on commercial matters in the areas of data protection, intellectual property and contracts. He works with private and public sector clients across a variety of industries including technology, media, sport, financial services, culture and not-for-profit.

David provides clear, practical advice on commercial matters in the areas of data protection, intellectual property and contracts. He works with private and public sector clients across a variety of industries including technology, media, sport, financial services, culture and not-for-profit.

Email David +44 (0)20 3375 7166
Back to top