Privacy & Information Security Law Blog

On March 2, 2020, the UK Information Commissioner’s Office (“ICO”) fined CRDNN Limited, a lead generation company, £500,000—the maximum amount available for a breach of the Electronic Communications Regulations (“PECR”). The fine was imposed after CRDNN carried out over 193 million unsolicited automated direct marketing calls relating to window scrappage, window and conservatory sales, boiler sales, and debt management between June and October 2018.

The ICO determined that the CRDNN had committed a “serious contravention” of PECR by making the calls. The contravention was deemed serious due to the volume of calls that were made in a short time. In addition to the fine, the ICO issued an enforcement notice requiring the company to comply with PECR within 35 days.

Specifically, CRDNN had contravened regulations 19 and 24 of PECR—it was not possible for call recipients to identify who was making them because the calls were conducted from “spoofed” numbers, there was no evidence that consent had been obtained from recipients, and in addition, there was no valid opportunity provided for recipients to opt out of calls. If recipients indicated that they would like to receive future calls about the relevant service or product, their details would be sold as “leads” to other businesses.

The company’s premises in Scotland were raided by the ICO in March 2018, after more than 3,000 complaints were made by consumers to the ICO relating to calls from the company.

The ICO noted in its monetary penalty notice that CRDNN’s directors had not been forthcoming during its investigation and had taken measures to evade detection and continue automated calls, such as by transferring its service provision from the UK to Hong Kong to avoid the ICO’s jurisdiction. CRDNN also failed to respond to the ICO’s Notice of Intent and Preliminary Enforcement Notice. The ICO commented in its Monetary Penalty Notice that there were no mitigating factors to take into account.

Andy Curry, Head of Investigations at the ICO, stated: “The directors of CRDNN knowingly operated their business with a complete disregard for the law. They did all they could to evade detection, from changing and not updating address details, to transferring their operation abroad and attempting to go into liquidation. That’s why their conduct called for the maximum fine possible under the law.”

CRDNN is required to pay the fine by March 30, 2020.