I had a really interesting spam email judgement in my favour last week, against Liverpool based The Football Pools (TFP).
My claim was essentially twofold – that they didn’t have consent to send marketing under Reg 22 of PECR and that therefore there was no lawful basis under the DPA1998 for the processing of my personal data. I sought damages under Reg. 30 of PECR and Section 13 of the DPA. The claim was for £3,000; my contention was that the marketing had prompted me to gamble and lose money, whilst I also sought compensation for the distress of having my data used in this manner to send unlawful marketing.
TFP were represented through my claim by Shoosmiths, who then instructed a Barrister from King Street chambers for the hearing. Shoosmiths made it clear over the last 11months that they felt the claim had no chance of success and therefore they also claimed they should have a costs award under 27.14 (g) of the CPR (essentially that I acted unreasonably in bringing it). That raised the stakes going into Court, but I was determined not to be intimidated so was content to roll the dice. No quarter was given at any stage of the dispute, with both Shoosmiths and the Barrister arguing almost every aspect of the claim, which I’ve tried to summarise below: –
By way of background, TFP used a company called Monetise (https://www.monetise.co.uk/) to send marketing on their behalf, who then sub contracted with an affiliate network. I received 3 emails from an unidentified sender in May 2018 (pre GDPR). On the matter of whether TFP instigated the email, they claimed they weren’t the instigator, as that role fell to Monetise who instructed the actual sender. I argued we should go to the head of snake, the company whose products and services were being marketed. I quoted the Vanquis Bank ICO penalty and the judge agreed that they had instigated the marketing.
They also argued that I had consented to receive the messages by virtue of visiting a (now defunct) competition website and provided me with an IP address from which my email was allegedly provided. I explained to the judge that I wasn’t in anyway associated with the IP address and that further, even if it was held that it was me, the consent obtained was just a typical generic third party statement that had no mention of TFP.
The judge accepted my initial arguments that Id not entered my details via the stated IP address, so we didn’t really get into the generic point. She seemed to place considerable weight on the fact that I’d raised this several months ago with the TFP and they hadn’t provided any further evidence.
Part of their defence was that by virtue of having a contract with Monetise, which required the latter to comply with all privacy laws, they had taken reasonable care which is a defence under Reg 30 (2).
I was able to highlight Paras 57-58 of the ICO’s enforcement notice against Vanquis as what reasonable care might consist of in terms of due diligence. It felt rather hollow to me to argue that they weren’t the instigator, felt there was valid consent but even if those 2 things weren’t the case had taken all reasonable care. Surely that falls on its own terms given they didn’t even release they were responsible?
They had no evidence of any due diligence or other controls and the Judge therefore found they had not taken all reasonable care. They hadn’t even produced the contract as evidence, relying on a witness on a Witness Statement quoting its existence.
Counsel claimed that any losses for gambling weren’t recoverable as they were a “novus actus interveniens”, ie something I had chosen to do and not directly flowing from the marketing itself.
I shared some stats from the gambling commission about how effective email marketing was and argued that the very intent of the advert was to get people to gamble and therefore quite from being unforeseeable it was the intended outcome of the message.
I’m not sure what the judge made of that point because she found that I’d failed to substantiate my losses to the required standard and therefore dismissed this part of my claim.
The judge stated she’d look at my claim under both pieces of legislation and, having found there was a breach of Regulation 22 of PECR, awarded me £750 damages. She seemed persuaded by my arguments that nobody had ever explained to me who else was in the web of data traders and therefore my distress about being targeted was enduring. She was a little vague about whether the award was under Reg 30 or Section 13 and in this regard I felt it was quite a generous judgement as it’s only really the DPA that should pay for distress.
The judge also made them pay my fixed costs of bringing the claim, the initial issue fee (£105) and hearing fees (£335).
Despite having the judgement partly in my favour, Counsel still tried to argue for costs on the basis of CPR 27 .14 (g), partly on the basis Id been to quick in bringing the case. I didn’t need to make any submissions on this point as the judge quickly dismissed this point.
Overall it was a bit of a rollercoaster of an experience, but one that I hope plays a role in encouraging marketers, especially in toxic industries, to be a bit more considered in their activities.