It is unlawful for an organisation to send unsolicited marketing email / SMS messages to personal email addresses / telephone numbers, except in some specific circumstances:
- If you have been a customer of the organisation that sent the marketing (or have negotiated business with them, even if you never actually bought anything in the end);
- If you were given a clear opportunity to opt out of marketing communications at the time your details were originally collected; and
- If you were given a clear opportunity to opt out of marketing communications in every such communication.
If all of the above is true, they're allowed to send you unsolicited marketing, otherwise they aren't. The rules are different for business addresses, and I won't get into that here - this post is specifically about spam to personal addresses. The legislation for this is Regulation 22 of The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), and despite having "EC Directive" in the title, these regulations still apply post-Brexit. Ignoring the regulations is probably also considered a misuse of personal data under the General Data Protection Regulation (GDPR)
Whenever I hand over personal data, I always make sure I opt out of marketing if there is the option, so in theory I shouldn't ever get any spam. Of course, I still get quite a bit, because no one actually bothers to comply with the regulations. And why should they? About the worst thing that will happen to an organisation that ignores the regulations is a sternly worded letter from the Information Commissioner's Office.
Luckily, Regulation 30 of PECR and Article 79 of GDPR both allow civil action, so I've been sending legal notices to spammers, off and on, for a few years. Usually this gets settled out of court, occasionally it goes as far as me filing proceedings with the small claims court (whereupon the spammer usually figures out that I'm serious and settles).
This is the first time that a spammer has completely ignored legal paperwork. It was a bit of a learning curve for me, so I thought I'd document the process.
This all started when I made a purchase from bulkpowders.co.uk and they subsequently started sending me regular spam SMS messages. I've got a standard email that I use in these situations, which I sent to their data protection officer. Broadly, the email contains 3 parts:
- A "Notice Before Action", which outlines how they have broken the law, why I think I'm entitled to damages and how much I'm asking for. I invite their comments and any offer of settlement. They have 14 days to respond to this.
- A "Subject Access Request" under Article 15 of GDPR. This is to find out what information they have about me and I specifically ask for information about which third parties they have shared my data with. They have one month to respond to this part.
- A request to opt out of further communications, together with a contract. The contract says that I'll charge for any subsequent communications and that sending any will be deemed as acceptance of the contract terms.
In this case, I did get a reply from Bulk Powders' DPO basically saying they were innocent because they had given me an opportunity to opt out. I replied pointing out that the only way to opt out was to read down to the 1742nd word of their privacy policy which explains how to opt out, which certainly doesn't meet the requirements of a "simple" opt out. They also responded to the Subject Access Request. They did, however, continue to send spam SMS messages.
For both responses, they left it until the last possible day allowed by the deadlines before responding. I queried whether they intended to settle damages and they said they did not, so that was that and I filed proceedings with the small claims court via Money Claim Online. From what I could tell, Bulk Powders is a trading name of Sports Supplements Limited, so that's who I filed against.
Money Claim Online is a government website that makes it very simple to file small claims proceedings. It costs £25, which you add onto the claim so that the defendant pays it if you win.
First of all you fill in a claim with your details, the defendant's details, an explanation of the claim and the total amount being claimed (including the £25 fee). In my case, the total included the damages, plus the cost of each subsequent SMS message that I had set out in my original email to Bulk Powders:
The court sends a notice to the defendant and the defendant is supposed to either pay up or file a defence within 2 weeks. Sports Supplements did neither - they completely ignored the paperwork that the court had sent them, so this was never going to end well for them. So since they hadn't disputed the claim, I could ask the court to enter a default judgement in my favour. This is a bit confusing because, from the claimant's perspective, the paperwork just says it is a "request for judgement" rather than saying that it is actually the judgement itself, but its all done through the Money Claim Online web site:
So now, they should just pay up, right? Except they didn't - they again ignored the court. So how to collect the money that I'm owed? For larger amounts, you can employ the High Court Enforcement Officers, but for smaller amounts like I'm claiming you use bailiffs. I was pretty unsure how to do this, and some Googling turned up lots of people saying that the bailiffs were usually slow and useless. But it actually turned out to be dead easy and quite quick .
To send the bailiffs, I again went to the claim on the Money Claim Online web site and used the "Request Warrant" link. This costs £77, which again gets added to the claim. So if you manage to get paid, you don't have to pay (if the bailiffs can't extract money from the defendant, you're now £25 + £77 = £102 out of pocket). A week later I received a letter from the court saying they had received a cheque and that it would be forwarded to me after it cleared. It took another couple of weeks before I had a cheque from the court:
I still have serious concerns regarding Bulk Powders' handling of personal data, and I have made a complaint to the ICO (but they usually take 4-5 months to respond to complaints). Not only did they send unlawful marketing emails, but I know that they have passed my details onto another company, who has also used them for marketing purposes. Bulk Powders' privacy policy explicitly says they won't do that. (I'm taking action against the other company at the moment, so can't really comment on that until it is resolved one way or the other).