We Buy Any Car Ltd, a car valuation company, was fined by the UK DPA for sending unsolicited marketing emails and SMS, with complainants unable to unsubscribe from them.
Excerpt
Our analysis
We Buy Any Car Ltd, a car valuation and purchasing company, was fined by the UK DPA for violating Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) by sending unsolicited marketing emails and SMS. The ICO investigated complaints from individuals who received these unsolicited messages and found that WBAC had sent 205.5 million email messages and 16.3 million SMS between April 2019 and April 2020. Only 14.1 million of these messages were considered solicited by the ICO, while 191.4 million were deemed to be unsolicited marketing emails. WBAC claimed that they only contacted individuals who requested a vehicle valuation or on the basis of the "soft opt-in," but the ICO disagreed, stating that the messages did not meet the definition of a service message under its Direct Marketing Code of Practice.
The company used hard to cancel approach by making it difficult for individuals to unsubscribe from their marketing messages. Even when individuals attempted to unsubscribe, they were unsuccessful in doing so, which is a common use in the hard to cancel technique. Additionally, the company used a nagging process by sending multiple marketing messages to individuals who had not specifically requested them, which is considered unsolicited marketing. This nagging process is a common pattern used to pressure individuals into taking action, such as purchasing a product or service. However, in this case, the nagging process was used to encourage individuals to get a vehicle valuation and to continue using WBAC's services, which violated the regulations related to direct marketing. The ICO also found that complainants were unable to unsubscribe from emails and SMS, indicating that WBAC had used deceptive patterns like the hard to cancel and nagging. WBAC was fined around €234,000, and the ICO considered this to be a serious contravention of the regulation, given the large number of messages sent over the one-year period investigated. The ICO also concluded that WBAC knew or ought reasonably to have known that there was a risk that this contravention would occur and therefore considered this contravention to be negligent.
Outcome
We Buy Any Car Ltd was fined approximately €234,000 by the UK DPA for violating Regulation 22 of PECR by sending unsolicited marketing emails and SMS, which the ICO deemed a serious contravention due to the large number of messages sent over a one-year period, and considered WBAC's actions negligent as they knew or ought reasonably to have known that there was a risk that this contravention would occur.
Parties
We Buy Any Car Limited and ICO
Case number
Monetary Penalty Notice - 4018348
Decision
Related deceptive patterns
Hard to cancel (aka "Roach Motel") is a deceptive pattern where it is easy to sign up for a service or subscription, but very difficult to cancel it. This typically involves hiding the cancellation option, requiring users to call customer services to cancel, and making the cancellation process overly complex and time-consuming. This can cause users to give up trying to cancel, and continue paying for the service for a longer period.
Nagging is a form of adversarial resource depletion. Every time an app or a website interrupts the user with a request to do something, this depletes the user's time and attention. This is like a tax that the provider imposes on users who do not want to comply with the provider's wishes. Although the cost is non-financial, it adds up and eventually becomes non-trivial. At this point the user may decide that it’s more cost effective to just give in and agree to whatever the provider is asking for, even if it is against their best interests.
Related laws
Consent is a voluntary agreement by an individual for their personal data processing, after being informed of its specific purposes and conditions.
Regulates the use of electronic communications for direct marketing purposes, including requirements for consent, opt-out options, and cookie disclosure.