Sophos Cloud Optix
The UK’s electronic communications watchdog has just clamped down on a company accused of mass spamming.
Intelligent Lending Limited has been fined £130,000 (about $170,000) over the matter of close to 8 million unsolicited SMSes that it sent over a six month period in 2015.
The messages looked like this:
Ocean now offers a credit card powered by XXXXXX. www.oceanXXXXXX.co.uk/XXXX To opt out txt STOP to 81818.
According to the Information Commissioner’s Office (ICO), the spammers claimed that they’d complied with the letter and the spirit of the rules by buying in a list of mobile phone numbers for consumers who had already consented to receive SMS ads.
The ICO disagreed, arguing that consent couldn’t be that vague:
Consent within the meaning of [the relevant regulation] requires that the recipient has notified the sender that he consents to messages being sent by […] the sender.
Indirect, or third-party, consent can be valid but only if it is clear and specific enough.
The onus, said the ICO, is on the sender who buys in a mailing list to determine that the consent given by the people who are on that list is “sufficiently clear and specific” for the purpose at hand.
Just how specific this consent needs to be isn’t explicitly stated, but we’re assuming that if you’ve agreed to receive ads about hiking boots, then a sender who subsequently targets you with special offers for rucksacks or tents would probably be be in acceptable territory.
On the other hand, we’re guessing that a sender who tried to sell you credit – or plumbing services, or property investment opportunities – on the back of your interest in hiking would be overstepping the mark.
At any rate, in this case, the ICO judged that the sender didn’t have consent, and therefore knowingly contravened the UK’s rules about electronic messaging.
What you can do to help
There’s a popular, and understandable, perception that it’s just too hard, and not worthwhile, to try to report spam messages to the authorities, especially SPASMS (which is what we jocularly call spam that arrives via SMS).
However, there’s an easy way to make your voice heard in the UK: you can report SPASMS by simply forwarding them to the phone number 7726. (That short-code number is easy to remember: it spells out SPAM.)
In this case, reports to 7726 made a big difference.
The ICO treated this as a serious contravention because close to 2000 people actively flagged the messages as spam. (1896 used the 7726 short-code; 25 reported the messages directly to the ICO.)
If you’re a business, you can help at the other end of the messaging chain by taking your electronic marketing responsibilities seriously.
When it comes to the concept of “consent,” make as certain as you can that your recipients really have agreed to hear from people like you about the products and services that you’re trying to sell.
As fellow Naked Security writer Mark Stockley wryly put it, “Don’t ask if you can borrow someone’s bicycle and then take their car instead.”
Thanks Duck… Please keep posting these stories of victory–In addition to needing to remain informed, a little good news is great as well.
TGIF 🙂
Details have obviously not been released but as mentioned, it must be very hard for such firms as I believe the sender, in other reports I have read believed they had consent due to assurances by the third party who provided the list which one presumes was also in any written contract between them. If this is the case, is the finance company really at fault?
I suspect most of these issues arise as internet users still do not pay attention to those checkboxes on sites which are used to obtain or refuse consent to marketing and while the law has cracked down on these practices, how many websites in the UK actually practice the proper methods of obtaining consent and how many non uk sites have similar rules to abide by who then sell on contact lists to UK firms? I also suspect that even where firms do properly ask for consent, customers still get confused and check the box thinking they are not consenting when they actually are.
Until details are released I am still unaware as to whether the company in question did their due diligence in making sure that their list supplier was operating within the law rather than taking their word for it or even their written contractual word, who knows?