Telemarketing remains a prominent topic in public debate. This method of commercial communication—originally designed to bring companies and consumers closer together—is often criticized for degenerating into privacy violations. In recent years, as awareness of personal data protection has grown, authorities have introduced increasingly stringent measures to counter such practices. A recent case in the United Kingdom highlighted this issue again, with two companies being fined for engaging in unlawful telemarketing practices.
New sanctions for unwanted telemarketing
The Information Commissioner’s Office (ICO), the UK data protection authority, has fined two companies a total of £290,000 for making millions of promotional calls in violation of privacy regulations. The companies contacted consumers who had explicitly stated they did not wish to receive promotional calls, attempting to offer services such as life insurance and debt management consultations.
One of the companies, between March and July 2022, and again between October and December of the same year, made over 4.3 million unwanted calls using more than 1,000 different phone numbers to conceal its identity. The company also refused to cooperate with the authority during the investigation, further aggravating its position, which led the ICO to impose a fine of £170,000.
The other fined company made over 168,000 illegitimate promotional calls in just two months, from October to November 2022. In this case as well, improper practices were penalized with a significant fine of £120,000.
These measures highlight how important it is for companies to comply with data protection regulations, as unauthorized promotional calls not only cause inconvenience to consumers but also constitute a clear violation of their rights.
Violations by telemarketing companies
Regulatory authorities impose fines on telemarketing companies to counter behaviors that violate the rights of individuals and fail to uphold the fundamental principles of the General Data Protection Regulation (GDPR). Among the most frequently sanctioned violations are:
- lack of or inadequate privacy notices: the data controller must provide a clear and comprehensive privacy notice to the individual. This document must transparently outline the purposes and methods of data processing, the parties involved, the duration of processing, and the rights of individuals. Failure to provide such a notice, or providing incomplete, vague, or hard-to-understand information, constitutes a violation of the transparency principle;
- processing personal data without valid consent: the processing of personal data for marketing purposes requires the collection of the individual’s free, specific, informed, and unambiguous consent;
- purchasing contact lists from third parties without verifying consent: a recurring violation involves acquiring and using databases or contact lists provided by third parties without ensuring the data was collected in compliance with GDPR. Companies that use such lists for telemarketing or other promotional activities without verifying the legitimacy of the consent are liable for unlawful processing. This misconduct becomes even more severe when data from the lists is used to contact individuals listed on the public opt-out register;
- collecting excessive data beyond the stated purposes: a core principle of the GDPR is data minimization, which requires that personal data collected be limited to what is strictly necessary to achieve the purposes described in the privacy notice;
- unlawful data transfers to third parties or non-EU countries: the transfer of personal data to third parties without the individual’s consent or adequate guarantees constitutes a GDPR violation. This issue is particularly serious in cases of data transfers to countries outside the European Economic Area, which require specific conditions and safeguards (e.g., standard contractual clauses or adequacy decisions);
- inadequate security measures for data protection: organizations must implement appropriate technical and organizational measures to ensure a level of security that matches the risks associated with personal data processing. Failure to implement such measures, which may lead to unauthorized access, data loss, or unlawful disclosure, constitutes a significant violation with severe financial and reputational consequences.
The public opt-out register
In this context, the Public Opt-Out Register (RPO)—regulated by DPR No. 26 of January 27, 2022—is an essential tool for protecting individuals. The regulation requires telemarketing operators to consult the Public Opt-Out Register at least once a month and before launching any promotional campaign.
Specifically, the register, which covers all national phone numbers, both landline and mobile, allows users to opt out of marketing communications, canceling any previously granted consents except those explicitly authorized after registration and/or related to existing contractual relationships.
Conclusions
The violations described above expose companies to significant penalties, which can reach up to 4% of their annual global turnover or €20 million, whichever is higher. However, it is important to emphasize that beyond the financial burden, the reputational damage caused by a fine can be even more detrimental for companies, eroding consumer trust and undermining their market position.
In conclusion, recent measures underscore the need to promote more transparent and responsible business practices, steering telemarketing towards models that better respect consumer privacy. Transparent and respectful telemarketing management can, in fact, represent a competitive advantage for companies, ensuring consumer satisfaction while reducing the risk of fines and reputational harm.