ICO stings tax consultancy with £200,000 privacy fine

A London-based tax return consultancy has reportedly been fined £200,000 for sending out millions of spam texts without consent. The UK’s data protection watchdog stung Tax Returned with the levy following thousands of complaints about the firm’s marketing tactic.

UK accounting and auditing firm Tax Returned specialises in reclaiming overpaid tax for taxpayers. According to the firm’s LinkedIn profile, it has processed more than 90,000 claims and sent out over £4.5 million in tax refunds, with its largest single refund to date standing at £8,198. While this suggests the firm has been doing solid business in recent times, however, a surprisingly desperate recent marketing ploy has landed the firm in hot water.

According to online news site The Register, the London firm sent out a huge 14.8 million spam SMSs between July 2016 and October 2017 in a bid to drum up business. Incredibly, the firm had actually attempted to send out millions more messages, however a number of the 22.7 million it had intended to deliver were not received. That may have been for the best however, as those which were successfully issued sparked 2,100 complaints from recipients.

Pending an investigation from the UK’s data protection watchdog, Tax Returned said it had received valid consent to send the messages which were delivered via a third-party service provider. However, the firm was unable to provide evidence for any consent having been given for some, while for others it claimed consent had been gathered via privacy policies on certain websites. As a result, the Information Commissioner's Office (ICO) ruled that the messages were sent without consent, and hit the professional services firm with a £200,000 fine.

Tax Returned argued that it was not involved in the actual sending of the message – and the third-party service provider was therefore to blame – however this fell on deaf ears. This was because the ICO found that the wording of the firm’s existing policies was not clear or precise enough for people to understand they would receive direct marketing messages advertising the firm's services.

According to the watchdog, in most cases, Tax Returned’s policies failed to mention either itself or the third-party service provider by name. At the same time, the ICO scalded Tax Returned for pointing the finger at a third-party provider, neglecting the fact that firms must perform due diligence when drawing up contracts with those they are working with, or be held accountable. The ICO therefore concluded that by failing to do this, or to ensure it had the right to text the people it spammed, the firm broke the Privacy and Electronic Communications Regulation.

Commenting on the case, ICO Director of Investigations Steve Eckersley stated, "Firms using third-party marketing services need to double-check whether they have valid consent from people to send promotional text messages to them. Generic third-party consent is also not enough and companies will be fined if they break the law."