In the first six months of 2023, the Information Commissioner’s Office ordered eight businesses to pay almost £13.5 million in fines for misusing data, according to analysis by cyber security and data protection consultancy CSS Assure.
At £12.7 million, social media platform TikTok was hit with the largest fine for breaching data protection law, including failing to use children’s personal data lawfully – with the ICO estimating that up to 1.4 million under 13s in the UK were able to use the video sharing app in 2020.
Three marketing firms were fined a combined £310,000 for making a total of 483,051 unsolicited marketing calls to businesses and sending 107 million spam emails to jobseekers; two energy firms were fined a combined £250,000 for bombarding people and businesses on the UK’s ‘do not call’ register with unlawful marketing calls; a business support consultancy was fined £30,000 for sending 558,354 direct marketing SMS messages without valid consent; and an appliance service and repair company was fined £200,000 for making more than 1.7 million unsolicited direct marketing calls.
The ICO also reprimanded 15 companies, issued enforcement notices against a further eight and prosecuted three businesses in the first six months of 2023 for failing to meet their information rights obligations.
Mike Wills, co-founder and director of strategy and policy at CSS Assure, said: “The recent fines imposed by the ICO highlight the serious consequences of misusing data. Mishandling personal information not only violates data protection laws but also erodes trust among consumers.
“The fines serve as a stark reminder that data protection is not to be taken lightly. TikTok’s £12.7 million penalty underscores the importance of lawful use of personal data and implementing appropriate safeguards, especially when it involves children. TikTok is a large, well-known brand and its fine was substantial due to the sheer amount of data involved. However, much smaller SMEs were also subject to enforcement action and hit with financial penalties.
“The fines imposed on marketing firms for unsolicited calls and spam emails, as well as energy firms for disregarding the ‘do not call’ register, demonstrate the significant impact of invasive marketing practices. These fines send a clear message that businesses must respect individuals’ privacy preferences and refrain from bombarding them with unwanted communications.
“Moreover, the enforcement notices and prosecutions against companies failing to meet their information rights obligations further emphasise the ICO’s commitment to upholding data protection standards. It is crucial for businesses to understand their responsibilities in handling personal information and take proactive measures to ensure compliance.
“Misusing data not only exposes businesses to financial penalties but also damages their reputation and undermines customer trust. Adhering to data protection laws and adopting ethical data practices are essential for safeguarding individuals’ privacy and maintaining a healthy business ecosystem.
“As data protection experts, we urge businesses to prioritise data privacy and invest in robust systems and processes to prevent data misuse. By doing so, they can not only avoid hefty fines but also foster a culture of trust and transparency, ultimately benefiting both their customers and their bottom line.”