Friday 15 July 2022

Invoicing a spammer

Maintaining control of my personal data is important, and companies who spam me usually end up on the receiving end of a nasty email exercising my rights under GDPR to find out what data they have about me, where they got it and to demand that they stop using it.

Back at the start of 2021, several companies who were spamming me all said that they had contracted another company to do their marketing, and all of them pointed at the same company.  I sent an email to the spam company consisting of:

  1. A "Notice Before Action" demanding that they pay damages for the misuse of my personal data.
  2. A "Subject Access Request" to find out what data they held and where they got it.
  3. A request to cease spamming me.
  4. A proposed contract, under which they would be allowed to send me further spam emails in exchange for a £30 charge per email.

They admitted fault and (after some more prodding) agreed to pay a £200 settlement.

Although I don't think that sending spam emails is an ethical business plan, I'm not going to name the spamming company because they have been pretty reasonable under the circumstances.

The email address that the spam was directed to was a business address.  However, I operate that business as a sole trader, so under the Privacy and Electronic Communications Regulations (EC Directive) 2003 (PECR), that makes it the address of an "individual subscriber", no different from a personal email address.  It is unlawful to send any unsolicited marketing email to an "individual subscriber" except in some very specific circumstances.

The spam company said that their systems had misidentified me as a limited company.  According to the Information Commissioner's Office, email addresses belonging to incorporated bodies such as limited companies are not those of "individual subscribers" and therefore out of the scope of PECR, so there is no prohibition on sending them spam.

The legislation is not quite so clear, and whether or not an address is that of an "individual subscriber" depends on things which are not discoverable by the sender.  Sending unsolicited email to anyone is a risk, since the sender can't know whether or not doing so would break the law.

I was assured that the problem had been fixed and would not recur.

More recently, I've been receiving some spam from a number of different businesses, all sharing a few similarities:

  • The from addresses of the emails were all from domains which started with "ins." - for example, example@ins.example.com.
  • They all shared a number of identical non-standard email headers.

Many of the emails were really scammy looking - things like emails promoting Amazon Business coming from a variety of email addresses that don't appear to be associated with Amazon.

After some investigation, it became clear that these were from the same spam company - the one that, a year earlier, had admitted fault, paid me £200 and assured me it wouldn't happen again.
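The correlation described above (sender domains beginning with "ins." plus identical non-standard headers shared across unrelated senders) can be automated over a mailbox. The following is an added example, not code from the original post; the header names `X-Campaign-Platform` and `X-Tenant`, the sample domains and the messages are all constructed, since the post does not name the actual headers.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Headers defined by RFC 5322 / MIME or commonly added by ordinary relays;
# anything else is treated as "non-standard" for fingerprinting.
STANDARD = {"from", "to", "cc", "bcc", "subject", "date", "message-id",
            "reply-to", "sender", "received", "return-path", "mime-version",
            "content-type", "content-transfer-encoding", "in-reply-to",
            "references", "dkim-signature", "authentication-results"}

def sender_domain(msg):
    """Lower-cased domain of the From address ('' if absent)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def shared_markers(raw_messages, min_domains=2):
    """Map each non-standard (header, value) pair seen under at least
    min_domains distinct sender domains to the sorted list of those domains."""
    seen = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        dom = sender_domain(msg)
        for name, value in msg.items():
            if name.lower() not in STANDARD:
                seen[(name.lower(), value.strip())].add(dom)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_domains}

def attribute(raw_messages, prefix="ins."):
    """Sender domains that start with prefix AND share a marker with another domain."""
    linked = {d for doms in shared_markers(raw_messages).values() for d in doms}
    return sorted(d for d in linked if d.startswith(prefix))

# Constructed sample messages (header names and values are hypothetical).
SAMPLES = [
    "From: Offers <deals@ins.shop-a.example>\nSubject: Save now\n"
    "X-Campaign-Platform: acme-mailer-7\nX-Tenant: 1001\n\nbody",
    "From: news@ins.shop-b.example\nSubject: Business accounts\n"
    "X-Campaign-Platform: acme-mailer-7\nX-Tenant: 2002\n\nbody",
    "From: friend@mail.example\nSubject: lunch?\n"
    "X-Mailer: SomeClient 1.0\n\nbody",
]

if __name__ == "__main__":
    for (name, value), domains in shared_markers(SAMPLES).items():
        print(f"{name}: {value} -> {domains}")
    print("attributed senders:", attribute(SAMPLES))
```

Per-recipient values such as the constructed `X-Tenant` drop out on their own because they never repeat across sender domains; only the identical platform-level header survives as a marker.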

I identified 31 spam emails that they had sent, I'd already sent them a contract, and since 31 emails × £30 = £930, I invoiced them, fully expecting to end up in court.  The only thing that would make the emails they sent lawful was the contract, so I could conclude that they had accepted it.

What happened next really surprised me.  I quickly received an email from them admitting fault, pointing out that I had missed 5 emails and asking me to reissue the invoice for 36 emails × £30 = £1080.  So I did and they paid up immediately.

According to the spam company, they migrated to a new system, which introduced the error.  I can only assume that they never actually fixed the original problem of individuals being misidentified as limited companies and instead just added my address to a suppression list.  When they transferred to a new system, they presumably didn't transfer over their suppression list.