Since March 2022, the ICO (Information Commissioner’s Office) has issued 49 monetary penalty notices for PECR (Privacy and Electronic Communications (EC Directive) Regulations 2003) breaches relating to unsolicited direct marketing.
In total, these have cost UK organisations £4,630,000.
What’s the difference between a monetary penalty notice and an enforcement notice?
Louise Brooks, our head of privacy consultancy, explains:
“The ICO has several enforcement powers for infringements of the PECR and the UK GDPR [General Data Protection Regulation] that can be used in combination depending on the circumstances.
“A monetary penalty notice is just a fine, whereas an enforcement notice requires an organisation to do other things – implement policies, for example.
“An organisation can be fined without an enforcement notice and vice versa.
“So, it’s perfectly possible for an organisation to have all the right accountability documents and procedures in place but still be fined.”
With that in mind, this page only accounts for monetary penalty notices under the PECR, and not enforcement notices. This includes the HelloFresh case, for which the ICO issued a fine but not an enforcement notice.
When were the fines issued?
On average, the ICO issues 1.4 PECR fines a month.
However, as you can see in the graph below, the ICO tends to issue multiple fines within a short period, then lets a month or more pass without issuing fines at all.
This averages out as about 3.7 per quarter:
How high are the fines?
The average PECR fine is £94,490. However, this varies a lot over time:
To smooth out this graph, here is the average fine per quarter:
Can the ICO do more?
We asked Louise Brooks whether she felt that the ICO had been doing a good job on enforcement in this area:
“The ICO has shown itself to be fairly consistent with PECR enforcement, certainly in the marketing arena.
“It’d be good to see the same commitment to enforcement for breaches of the GDPR, too. The reality is that the ICO has effectively replaced monetary penalty notices for GDPR breaches with reprimands, which are nothing more than a slap on the wrist.”
Which sectors has the ICO fined?
Since March 2022, the ICO has fined six sectors (based on its own categorisation):
This only reflects the ICO’s enforcement priorities – not PECR non-compliance as a whole.
The average fine per sector varies between £66,250 and £125,000. However, those are for the two sectors with the fewest PECR fines, so are more prone to data skewing.
Which types of unsolicited marketing receive the most and biggest fines?
Broadly speaking, the ICO distinguishes between four types of unsolicited marketing:
- Texts
- Emails
- Calls to individuals
- Calls to businesses
‘Nuisance’ calls typically lead to more and higher fines:
Note that some fines were for both emails and texts.
When we account for this, it becomes even clearer that nuisance calls lead to worse penalties than written nuisance messages:
List of PECR fines
| Month | Organisation name | Number of unsolicited calls/texts/emails | Fine |
| March 2022 | H&L Business Consulting Limited MPN | 451,705.00 | £80,000.00 |
| April 2022 | Reed Online Limited | 6,250,966.00 | £40,000.00 |
| April 2022 | Finance Giant Ltd | 505,759.00 | £60,000.00 |
| April 2022 | Bizfella Limited | 224,550.00 | £30,000.00 |
| September 2022 | Halfords Limited | 498,179.00 | £30,000.00 |
| October 2022 | Apex Assure Limited | 122.00 | £230,000.00 |
| October 2022 | Eco Spray Insulations Limited | 178,190.00 | £100,000.00 |
| October 2022 | Euroseal Windows Limited | 169,830.00 | £80,000.00 |
| October 2022 | Posh Windows UK Limited | 461,062.00 | £120,000.00 |
| October 2022 | Green Logic UK Ltd | 11,825.00 | £40,000.00 |
| November 2022 | Zuwyco Limited | 93,558.00 | £160,000.00 |
| December 2022 | Utility Guard Limited | 1,932.00 | £20,000.00 |
| December 2022 | Repair Plans UK Limited | 21,347.00 | £70,000.00 |
| December 2022 | Boiler Cover Breakdown Limited | 9,075.00 | £120,000.00 |
| December 2022 | Boiler Breakdown Limited | 348,724.00 | £140,000.00 |
| December 2022 | Allapplianceservices UK Ltd | 99,313.00 | £85,000.00 |
| December 2022 | Ryan Hill Partners | 463,360.00 | £70,000.00 |
| December 2022 | Monetise Media Limited | 3,506,157.00 | £125,000.00 |
| February 2023 | It’s OK Limited | 1,752,149.00 | £200,000.00 |
| April 2023 | Join the Triboo Limited | 107,000,000.00 | £130,000.00 |
| May 2023 | UK Direct Business Solutions Limited | 410,369.00 | £100,000.00 |
| May 2023 | Ice Telecommunications Ltd | 72,682.00 | £80,000.00 |
| June 2023 | Maxen Power Supply Limited | Unknown | £120,000.00 |
| June 2023 | Crown Glazing Ltd | 503,445.00 | £130,000.00 |
| June 2023 | Fortis Insolvency Limited | 558,354.00 | £30,000.00 |
| August 2023 | This Is The Big Deal Limited | 41,417,889.00 | £30,000.00 |
| September 2023 | Simply Connecting Ltd | 441,830.00 | £40,000.00 |
| September 2023 | SGS Home Protect Ltd | 24,214.00 | £70,000.00 |
| September 2023 | Cover Appliance Ltd | 511,499.00 | £200,000.00 |
| September 2023 | F12 Management Ltd | 1,346,019.00 | £200,000.00 |
| September 2023 | House Hold Appliances 247 Ltd | 19,069.00 | £55,000.00 |
| September 2023 | RHAP Ltd | 15,288.00 | £65,000.00 |
| September 2023 | MCP Online Ltd | 20,939.00 | £55,000.00 |
| October 2023 | Digivo Media Limited | 415,041.00 | £50,000.00 |
| October 2023 | Argentum Data Solutions Ltd | 2,330,423.00 | £65,000.00 |
| January 2024 | Skean Homes Ltd | 614,342.00 | £100,000.00 |
| January 2024 | Poxell Ltd | 2,647,805.00 | £150,000.00 |
| January 2024 | Grocery Delivery E-Services UK Ltd t/a HelloFresh | 80,893,013.00 | £140,000.00 |
| January 2024 | L.A.D.H Limited | 31,329.00 | £50,000.00 |
| March 2024 | Pinnacle Life Limited | 47,998.00 | £80,000.00 |
| October 2024 | Service Box Group Limited | 5,361.00 | £40,000.00 |
| October 2024 | WerepairUK Ltd | 42,688.00 | £80,000.00 |
| October 2024 | National Debt Advice Limited | 129,902.00 | £30,000.00 |
| October 2024 | Quick Tax Claims Limited | 7,863,547.00 | £120,000.00 |
| December 2024 | ESL Consultancy Services Ltd | 37,977.00 | £200,000.00 |
| December 2024 | Breathe Services Ltd | 4,376,037.00 | £170,000.00 |
| December 2024 | Money Bubble Ltd MPN | 168,852.00 | £120,000.00 |
| March 2025 | AFK Letters Co Ltd | 95,277.00 | £90,000.00 |
| April 2025 | Darian Bishop trading as ECO4U | 194,110.00 | £40,000.00 |
Note: we started analysing the PECR fines listed on ico.org.uk in December 2023, when the earliest cases listed were from March 2022. However, under the ICO’s website retention policy, information about individual PECR fines is periodically removed from its website, so monetary penalty notices relating to some of the older cases listed above are no longer available on ico.org.uk. You can, however, find archived versions of the ICO website on the National Archives website, including information about PECR fines dating back to 2012.
How does the ICO decide to take action?
When we put the question to Louise Brooks, she explained:
“The ICO doesn’t proactively investigate organisations for PECR infringements but relies on being notified of breaches through complaints. This can be directly, via the online reporting tool, or through other mechanisms, like the 7726 spam reporting service.
“PECR violations are largely a numbers game, and enforcement is reliant on us as individuals reporting bad practices.”
With that in mind, and considering the data we just analysed, is it worth becoming compliant?
Louise explains:
“I usually present things to clients as follows: ‘This is what the law says. This is the gap between what you’re doing and that law. And these are the changes I think you need to make to be compliant.’
“‘However, given your operational circumstances of X, Y and Z, you may consider taking a risk-based approach, but you should be mindful of A, B and C.’
“That A, B and C might be, for example, a recent fine or what the guidance says.
“And then I just leave it with the client! I just need to tell them what they should be doing to comply, but I understand that the organisation then has to weigh up the risk of making that change against the risks of non-compliance materialising.”
How can GRC Solutions help?
We understand the reality of compliance. If you want advice from an expert who can help you meet your privacy obligations while you continue to meet your business objectives, get in touch with us.
We’ll assign you an experienced consultant who’ll:
- Tell you what your risks are; and
- Give you practical advice and guidance on how to make changes.
That advice is completely tailored to your organisation. We recognise that every organisation is different, and that our offerings must reflect that.
Note: We periodically update this page as the ICO releases new data. We first published a version of this blog post in December 2023.