ICO issues fines over electronic marketing breaches

Published on 30 March 2026

The question

Why did the Information Commissioner’s Office (ICO) fine two companies a total of £225k for nuisance marketing messages, and what does this mean for businesses sending emails and texts?

The key takeaway

The ICO's message remains clear. If you send electronic marketing without valid consent, or you misuse the “soft opt-in” exception, you risk significant fines under the Privacy and Electronic Communications Regulations 2003 (PECR).

The background

PECR sits alongside the UK GDPR and the Data Protection Act 2018. It includes specific rules for electronic direct marketing by email and SMS.

Under PECR:

  • businesses must have prior consent to send marketing emails or texts to an individual, unless the narrow “soft opt-in” applies
  • the soft opt-in can only be used where:
    • contact details were obtained during a sale or negotiations for a sale to that individual;
    • marketing relates to the sender’s own similar products or services;
    • the individual was given a clear opportunity to refuse marketing at the point of data collection; and
    • an opt-out is provided in every message.

The development

In January 2026, the ICO fined Allay Claims Ltd (£120k) and ZMLUK Limited (£105k) for sending millions of unlawful marketing messages.

Allay Claims Ltd (Allay) sent over four million marketing SMS messages promoting PPI tax refund services over the course of 12 months. The ICO found that the messages were not service messages but were clearly direct marketing. Allay did not obtain consent to send the messages, nor could it (as it claimed) rely on the soft opt-in, as it failed to provide individuals with an opportunity to opt out of direct marketing at the point of obtaining their contact details.

From January 2023 to July 2023, ZMLUK Limited (ZML) sent more than 67 million marketing emails using data it obtained from a third party. Individuals were presented with a list of 361 "partner" organisations on the third-party website but were not given a way to choose which companies could contact them. The ICO concluded this did not amount to specific, informed consent. Further, ZML did not carry out sufficient due diligence to check that personal data had been obtained fairly and lawfully, and that consent had been validly obtained, by the third parties on which it relied for the relevant marketing lists.

Why is this important?

These decisions reinforce that:

  • direct marketing consent mechanisms should be clear and granular, so individuals understand, and have a choice about, the direct marketing they receive
  • soft opt-in is narrow and strictly applied. It cannot be used for third-party marketing, where no sale or negotiation for a sale occurred, or where no opt-out was given at collection and in each subsequent communication
  • when buying in marketing lists or sending marketing on behalf of a third party, the organisation sending the direct marketing must conduct due diligence and be able to evidence lawful consent
  • the ICO continues to treat nuisance direct marketing as a serious privacy infringement.

Any practical tips?

The fines are a strong reminder of the basics of obtaining marketing consent, including:

  • using clear, unticked opt-in boxes for marketing
  • providing a simple opt-out at collection and in every message
  • conducting due diligence on third party data sources
  • keeping auditable records of consent
  • treating promotional content as marketing, regardless of how it is labelled and even if combined with a service-related message.

 

Spring 2026
