Earlier this month, the UK Information Commissioner’s Office (“ICO”) announced a fine in a case that involved inferring health data and using this for marketing. The ICO found that catalogue retailer Easylife Limited (“Easylife”) had profiled 145,400 individuals for inferred health conditions without their consent, based on certain “trigger products” that they had purchased from Easylife’s Health Catalogue. For example, if a customer bought a jar opener or a dinner tray, Easylife would infer that the customer might have arthritis, and then call them to market glucosamine joint patches. The ICO has fined Easylife £1.48 million: £1.35 million for using customers’ personal information to sell health-related products without their consent, and a further £130,000 for making unsolicited direct marketing calls.
1. £1.35 million fine for using purchase history to target customers
In its monetary penalty notice, the ICO held that because Easylife did not inform its customers that such profiling would occur this constituted “unlawful and invisible” processing of special category data in contravention of Article 5(1)(a) of the General Data Protection Regulation 2016 (“GDPR”). In reaching this conclusion, the ICO also cited a recent judgment from the Court of Justice of the European Union in OT v Vyriausioji tarnybines etikos komisija (Case C-184/20, 1 August 2022), which confirmed that the processing of any personal data “liable indirectly to reveal sensitive information concerning a natural person” constitutes the processing of special category data (see our blog post for more information).
In calculating the fine, the ICO noted that it was not possible to quantify the level of damage caused due to the “invisible” nature of the processing, but that the harassment and targeting of potentially vulnerable individuals – most of whom were older people with long-term health conditions – could be wide-ranging. The ICO also took into account the fact that Easylife had failed to implement measures – such as a data protection impact assessment – that could have prevented the contravention, and its poor track record of regulatory compliance.
2. £130,000 fine for unsolicited direct marketing calls
Following a separate investigation, the ICO fined Easylife £130,000 for making over 1.3 million direct marketing calls between August 2019 and August 2020 to customers who had registered with the Telephone Preference Service (“TPS”), in contravention of regulation 21 the Privacy and Electronic Communications Regulations (“PECR”). Regulation 21 of the PECR prohibits a person from making unsolicited direct marketing calls to anyone who has registered their numbers on the TPS, unless they have notified the person that they are willing to receive such calls.
While the ICO did not consider Easylife’s contravention of the PECR to be deliberate, it did consider it to be “negligence of the highest order” as Easylife knew or ought reasonably to have known of its obligations under PECR and failed to take reasonable steps to prevent the contravention.
In its monetary penalty notice, the ICO set out the aggravating and mitigating factors it considered when imposing the fine:
- As aggravating factors, it highlighted that Easylife’s marketing was “aggressive”, and that Easylife attended a compliance meeting with the ICO in June 2019, following which it would have been reasonable for Easylife to seek advice on compliance with the PECR.
- As mitigating factors, it took into account the significant penalty proposed in the concurrent investigation into GDPR violations described above, and the remedial measures Easylife had introduced, e.g., TPS screening, appointment of a new telemarketing partner, and introduction of a new data management system.
Easylife has indicated that it intends to appeal the ICO’s decisions, both with respect to liability and the penalty amounts. Any such appeal will need to be filed with the First-Tier Tribunal by 1 November 2022. The Covington team continues to monitor the ICO’s enforcement activity. Please reach out to a member of the team if you have any questions.
Update: Easylife filed its appeal with the First-Tier Tribunal on 31 October 2022.