The Information Commissioner’s Office (ICO) have fined a self-employed lead generator £200,000 for sending unsolicited text messages regarding debt reduction schemes and energy saving grants.

The lead generator had previously come to the ICO’s attention during two investigations in 2014 and 2018 into text messages relating to accident claims. The ICO found that, between December 2023 and July 2024, he had transmitted or instigated the transmission of 966,449 unsolicited text messages for the purposes of direct marketing, contrary to Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). The ICO identified 19,138 complaints in respect of the messages.

He had used data that had been sourced from third parties. He had showed no effort to ensure that consent had been properly obtained and there was no evidence that he had gained consent for the direct marketing that had taken place. The ICO concluded that he had knowingly and deliberately used data for which valid consent had not been provided for the use of unsolicited direct marketing. It was also satisfied that he had contravened Regulation 23 of the PECR by taking steps to conceal the identity of the sender of the messages.

The ICO found that the contravention was serious, noting that the 966,449 messages confirmed to have been sent over the period were likely to represent only a small fraction of the actual contravention volume. It was also satisfied that the contravention was deliberate. The lead generator had been working in direct marketing since 2010 and had been aware of the ICO and the requirements of the PECR for at least a decade. He had obtained data from various sources and had made no attempt to ensure that it was up to date or that the data subjects had consented to receiving unsolicited direct marketing text messages.

The ICO took into account a number of aggravating features, including the lead generator’s unlawful conduct over a considerable number of years, his blatant disregard for regulations and the potential harm to individuals who might be vulnerable.

In the circumstances of the case, the ICO decided that a monetary penalty of £200,000 was reasonable and proportionate.