Data and Privacy Breaches in 2022: ICO Clamp Down on Direct Marketing

Monday 24th October 2022

The Information Commissioner’s Office who regulate data protection compliance in the UK (ICO) has ramped up its enforcement action in 2022 on businesses who haven’t complied with data protection and direct marketing rules.

Much of this enforcement concerns penalties for sending unsolicited marketing messages to individuals who haven’t given proper consent.

What are direct marketing rules?

Direct marketing rules are primarily governed by the Privacy and Electronic Communications Regulations 2003 (PECR). In summary, best practice is that businesses need to obtain positive consent from individuals before they can start marketing their products or services to them. The standard of consent under data protection laws is a high threshold to meet. However, businesses may also, under certain circumstances, be able to market to existing customers without their consent (sometimes called ‘soft opt in’) where:

  • they have obtained the contact details in the course of a sale (or negotiations for a sale) of a product or service to an individual;
  • they are only marketing their own similar products or services; and
  • they gave the person a simple opportunity to refuse or opt out of the marketing, both when first collecting the details and in every message after that.

Even though the above ‘soft-opt in’ criteria looks simple, businesses need to take care before going down this route especially because the penalties for breaching PECR rules can be up to £500,000. Under data reform proposals the UK Government plans to bring the maximum fines into line with UK GDPR breaches which is £17.5m or 4% of annual global turnover, whichever is greater.

What actions have the ICO taken?

Some action the ICO has taken this year includes:

  • In March, Seaview Brokers Limited was fined £15,000 for making 4,737 unsolicited calls which were registered with the Telephone Preference Service for direct marketing purposes. It was found that no suppression list was in operation and individuals were not able to fine tune their marketing preferences.


  • In April, Finance Giant Limited was fined £60,000 for sending 505k unsolicited marketing emails and texts to 72k customers. The ICO found the company did not gain positive consent and no opt-out box was included in the body of the messages.


  • In October, Green Logic UK Ltd, a home improvement company, was fined £40,000 for making nearly 3 million marketing calls (around 384k had connected) to individuals without proper consent. The ICO could only establish around 11k of these had been made to people on the Telephone Preference Service. The lack of training , no clear policies and lack of due diligence contributed to the seriousness of the contravention.

What are the consequences?

Breaching data protection law may also amount to a criminal offence. One such example includes a former Health Advisor being prosecuted in the Magistrates Court for obtaining the personal data of service users. He pleaded guilty to six counts of unlawfully obtaining personal data, in breach of s170 of the Data Protection Act 2018. He was ordered to pay £250 compensation to each data subject, totalling £3,000.

If your business wants to send marketing messages to existing and/or prospective customers, our Data and Privacy Law experts can advise you on your journey to compliance so you don’t fall foul of the rules.

Contact our experts Harvey Blake ( and  Lauren Wills-Dixon ( with any queries on direct marketing or Privacy and Data Protection compliance.