Recently, the UK’s Information Commissioner’s Office (ICO) imposed significant fines totaling £550,000 against two companies relying on unlawful automated marketing calls, or “robo calls”.

Green Spark Energy Ltd was fined £250,000 for making 9.5 million unsolicited automated calls, while Home Improvement Marketing Ltd faced a £300,000 penalty for making 2.4 million unlawful calls. Both companies were also served with enforcement notices to stop their practices immediately.

A Tale of Two Companies

Between May 2023 and May 2024, Green Spark Energy Ltd was found to have made nearly 9.6 million automated marketing calls without obtaining prior consent from the receivers. The ICO’s investigation uncovered several concerning elements, such as:

  • Misleading scripts, wherein the calls falsely claimed that existing loft insulation could cause health problems, pressuring homeowners into agreeing to surveys or appointments;
  • Use of pre-recorded “avatars” by the company, with names like “Jo” and “Helen”, which gave the impression of live agents but were actually triggered by offshore call centers; and
  • Targeting of elderly and ill individuals, including a 91-year-old with cancer who was distressed by repeated calls.

The ICO concluded that these practices breached Regulation 19 of the Privacy and Electronic Communications Regulations 2003, which prohibits automated marketing calls without explicit, informed consent, and imposed a £250,000 fine. In addition to the fine, Green Spark Energy Ltd was ordered to cease all unlawful calls.

Separately, from May to August 2023, Home Improvement Marketing Ltd was responsible for 2.4 million unsolicited robo calls promoting solar panels under the names “Energy Hub” and “Energy Saving Team”. The ICO highlighted the following malpractices:

  • There was an overwhelming volume of calls being made, with some people receiving multiple calls a day;
  • Recipients had no way to stop further calls, i.e., no opt-out option; and
  • The company’s director, Mathew Terry, was also linked to Green Spark Energy Ltd until March 2024 and was engaging in deliberate strategies to avoid detection.

The ICO again found a clear breach of Regulation 19 of the Privacy and Electronic Communications Regulations 2003, highlighting the scale, persistence, and lack of lawful consent as aggravating factors. The £300,000 fine was paired with an enforcement notice to prevent further violations.

How is Direct Marketing Regulated in the UK?

Direct marketing is tightly regulated in the UK, primarily under the Privacy and Electronic Communications Regulations 2003 (PECR) and the UK data protection framework (i.e., the UK GDPR and the Data Protection Act 2018). Together, these laws ensure that individuals are not subjected to intrusive or misleading marketing practices, especially through modern communication technologies such as automated calls, emails, or targeted online ads by businesses.

What Counts as Direct Marketing?

The ICO describes direct marketing as any communication of advertising or marketing material directed to specific individuals, regardless of the channel used. It therefore includes not only the commercial promotion of goods and services but also non-commercial objectives such as fundraising, campaigning, or promoting social and corporate initiatives.

Marketing counts as “direct” when it targets identifiable people, for example, personally addressed letters or emails to individuals, calls made to a specific telephone number, targeted social media posts or direct messages, or online advertising tailored to a user’s browsing or purchase history.

Importantly, direct marketing extends beyond sending messages. It also covers activities that enable or support marketing, such as profiling individuals, generating leads, or contacting people to request consent for future marketing.

Even service messages (e.g., notifications sent to existing customers) may qualify as direct marketing if they contain any promotional element.

The Legal Framework: PECR and the Data Protection Law

In the UK, unsolicited electronic direct marketing, whether via phone calls, texts, emails, or online tracking, is primarily governed by PECR. When personal data is involved, which realistically is the case almost all the time, the UK data protection laws also come into play.

While the UK GDPR and the Data Protection Act 2018 focus on personal data, PECR has a broader reach: it applies even when personal data are not directly involved (e.g., when targeting generic email addresses).

Together, these laws form the UK’s privacy laws for marketing. While PECR sets the communication rules, the data protection law governs how information about people is collected, stored, and used.

What is the Lawful Basis Under Data Protection?

Under the UK GDPR, organizations need a lawful basis before processing other people’s information. According to the ICO, for direct marketing purposes, the two most relevant bases that can be relied upon are:

  • Consent – when PECR or fairness requires an individual’s explicit agreement; or
  • Legitimate interests – may apply where PECR does not require consent (e.g., postal marketing or some live calls), provided the organization’s interest in marketing does not override individuals’ rights.

Where the PECR already demands consent, that consent will also satisfy the UK GDPR requirement and organizations do not need to rely on additional legal bases.

The Consent Requirement:

For most unsolicited electronic marketing, consent is required under the PECR. This means a clear, specific, and freely given agreement, not merely a pre-ticked box or silence. The consent must cover both the particular organisation and the type of communication the organisation wants to use.

Organizations must also explain exactly what kind of marketing they intend to send (for example, emails, texts, or automated calls) and obtain separate consent for each channel. Consent for one type of communication (e.g., live calls) does not cover another (e.g., automated calls).

The ICO recommends asking the customer to tick an opt-in box confirming they are happy to receive marketing calls, faxes, texts or emails, as one of the clearest ways of obtaining consent.

Consent must also be refreshed periodically; it does not last indefinitely.

A Brief Overview of the Different Methods of Direct Marketing:

a. Electronic Mail (Emails and Texts)

For individual subscribers (including sole traders), marketing by electronic mail requires consent, unless the soft opt-in exception applies.

The soft opt-in exception applies for existing customer relationships when:

  1. The contact details were obtained directly from the individual.
  2. The person was a customer or had actively negotiated a sale.
  3. The marketing relates to similar products or services.
  4. The person was given a clear chance to opt out when the details were collected.
  5. Every subsequent message includes a simple, free opt-out option.

The soft opt-in does not apply to charitable, political, or fundraising messages, which require full consent.

b. Live Calls

  • Live marketing calls involving human employees speaking to the individuals are allowed only if:
    • the person has not objected to such calls, and
    • their number is not listed on (i) the Telephone Preference Service (TPS), which is the central register of individuals who have opted out of receiving live marketing calls, or (ii) the Corporate TPS, which is the central opt-out register for companies and other corporate bodies.
  • Special rules apply to certain sectors:
    • For claims management services, consent is always required.
    • In case of pension marketing, only trustees or authorized firms may call, and only with consent or under limited, defined relationships.

c. Automated Calls

Automated calls use recorded messages triggered by dialing systems. These are strictly prohibited without prior consent, even if the recipient’s number is not on the TPS. The ICO makes it clear that general consent for “marketing” or for live calls does not suffice and that the consent must specifically cover automated marketing calls.

d. Postal Marketing

Postal mail is not covered by PECR, but if personal information is used, the UK GDPR still applies and any processing must be in line with the GDPR.

e. Online Advertising and Cookies

Most online advertising uses cookies, tracking pixels, or similar technologies. Under PECR, consent is required to store or access information on a user’s device for advertising purposes, regardless of whether the cookie belongs to the organization or a third party.

What are the Transparency Obligations for Businesses?

When sending direct marketing, businesses must always identify themselves, provide clear and comprehensive privacy information (including use of the data for marketing) at the time of collecting the information in line with the requirements of the UK GDPR and provide a way for people to opt out. In addition, organizations are required to:

  • For Calls (Live or Automated):
    • State who is calling.
    • Display a valid phone number.
    • Provide contact details or a phone number on request.
  • For Electronic Mail:
    • Not disguise their identity.
    • Include a valid ‘unsubscribe’ address or link.
  • For Online Advertising:
    • Give clear, upfront information about cookies or tracking.

When data is obtained from third parties, organizations have a duty to contact individuals within one month to provide their privacy information, unless an exception applies.

The ICO cautions against “data matching” or appending additional contact details from brokers or external sources without consent. Even if the organization’s privacy notice mentions it, acquiring new contact information without choice is likely to be unfair and unlawful.

Conclusion

The ICO’s enforcement against Green Spark Energy Ltd and Home Improvement Marketing Ltd illustrates how the regulator is reinforcing that direct marketing, when carried out lawfully, can coexist with the fundamental right to privacy.

The message is clear: consent must be genuine, scope-specific, and capable of withdrawal at any time. Businesses must identify themselves transparently, provide clear privacy information, and honor individuals’ right to object.

For marketers, these cases are a cautionary tale and an opportunity: compliance with the law is not only a legal duty but a foundation for consumer trust.