The Information Commissioner’s Office (ICO) has fined Easylife Ltd £1,350,000 for using the personal information of 145,400 customers to predict their medical condition and target them with health-related products without their consent. The company was also fined £130,000 for making 1,345,732 predatory direct marketing calls.
Easylife is a catalogue retailer that sells household items, as well as services and products under its Health, Motor, Supercard and Gardening Clubs.
The ICO investigation found that when a customer purchased a product from Easylife’s Health Club catalogue, the company would make assumptions about their medical condition and then market health-related products to them without their consent. For example, if a person bought a jar opener or a dinner tray, Easylife would use that purchase data to assume that person has arthritis and then call the individual to market glucosamine joint patches.
Out of 122 products in Easylife’s Health Club catalogue, 80 items were considered to be ‘trigger products’. Once these products were purchased, Easylife would profile the customer to target them with a health-related item. The ICO found that significant profiling of customers and ‘invisible’ processing of health data took place. It is ‘invisible’ because people were unaware the company was collecting and using their personal data for that purpose. This is against data protection law.
Data controllers exercise overall control over the purposes and means of processing personal data. They have the highest level of compliance responsibility and must comply with all data protection principles as well as other GDPR requirements. They are also responsible for the compliance of their processors. Supervisory authorities (such as the ICO) and individuals can take action against a controller regarding a breach of its obligations.
You will be a controller of data if you:
- Collect or process personal data for your own business reasons.
- Determine the purpose or outcome of the processing.
- Decide what personal data to collect.
- Obtain commercial gain or other benefit from the processing (except for any payment for services from another controller).
- Process personal data as a result of a contract between yourself and the data subject.
- Have a direct relationship with the data subjects.
- Appoint processors to process personal data on your behalf.
The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. It has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17.5 million, or 4% of total global annual turnover, whichever is higher.
John Edwards, UK Information Commissioner, said:
“Easylife was making assumptions about people’s medical condition based on their purchase history without their knowledge, and then peddled them a health product – that is not allowed. The invisible use of people’s data meant that people could not understand how their data was being used and, ultimately, were not able to exercise their privacy and data protection rights. The lack of transparency, combined with the intrusive nature of the profiling, has resulted in a serious breach of people’s information rights.
“Easylife was not only found guilty of breaching data protection law, but our investigation also discovered that they made thousands of predatory marketing calls to people who clearly did not want to receive them. It is clear from the complaints we received that people felt threatened and distressed by the company’s aggressive tactics. This is unacceptable. Companies making similar nuisance calls and causing harm to people can expect a strong response from my office.”