The U.K. Information Commissioner’s Office (ICO) fined catalog retailer Easylife £1.35 million (U.S. $1.5 million) for marketing health-related products to individuals without their consent.
Easylife used the personal information of 145,400 customers in an attempt to predict their medical conditions for targeted marketing campaigns in violation of Article 5 of the U.K. General Data Protection Regulation (GDPR), the ICO stated in a press release Thursday. The alleged misconduct occurred from August 2019 through August 2020 and included the processing of special category data, which is largely prohibited under the GDPR.
Easylife was further fined £130,000 (U.S. $145,000) resulting from a separate ICO investigation into more than 1.3 million predatory marketing calls made in violation of the Privacy and Electronic Communications Regulations (PECR).
The details: “The ICO investigation found that when a customer purchased a product from Easylife’s Health Club catalog, the company would make assumptions about their medical condition and then market health-related products to them without their consent,” the regulator said. “For example, if a person bought a jar opener or a dinner tray, Easylife would use that purchase data to assume that person has arthritis and then call the individual to market glucosamine joint patches.”
This alleged profiling of Easylife customers was done without their knowledge. Nearly two-thirds—80 out of 122—of the items the company sold in its Health Club catalog were considered “trigger products” that Easylife would use to make health-related determinations about its customers, according to the ICO.
“Easylife was making assumptions about people’s medical condition based on their purchase history without their knowledge and then peddled them a health product—that is not allowed,” said Information Commissioner John Edwards. “The invisible use of people’s data meant that people could not understand how their data was being used and, ultimately, were not able to exercise their privacy and data protection rights. The lack of transparency, combined with the intrusive nature of the profiling, has resulted in a serious breach of people’s information rights.”
In its monetary penalty notice, the ICO said it considered an initially calculated penalty of £850,000 (U.S. $946,000) to not be effective, proportionate, or dissuasive given the severity of the alleged violations. Easylife was further faulted for having a “poor track record of regulatory compliance,” including the alleged violations that led to its fine for predatory marketing. The PECR probe was a catalyst for the ICO’s investigation into the company’s compliance with the GDPR.
“Although Easylife agreed to stop the profiling, the commissioner noted that Easylife has been very reactive in its approach to compliance and only seems to make changes to its practices in order to comply with the law when failings are discovered, and changes are required, by a regulator,” the ICO stated.
Easylife implemented a new customer relationship management system, strengthened its contracts with data processors, and changed the wording of consent statements offered to customers among its remedial measures in response to the ICO’s investigation.
Easylife response: The company defended its targeted sales practices in an emailed statement, saying the strategy was aimed at “avoiding making unnecessary nuisance calls to our customer base.” It added it has ceased the practice, “pending clarification of the law in this area.”
“Easylife fundamentally disagrees with the ICO both that it has broken the law and also in relation to the level of fine imposed, which is out of all proportion to the alleged wrong,” the company said. “… We are appealing the ICO’s fines and expect a decision from the Court sometime next year.”
Editor’s note: This story was updated Oct. 10 to include Easylife’s response to the penalty.