ICO fines businesses more than £14.3m for misusing data

In 2023, the Information Commissioner’s Office (ICO) ordered 18 businesses to pay more than £14.3m in fines for misusing data, according to analysis by a cyber security and data protection consultancy.

The ICO also reprimanded 36 companies, issued enforcement notices against a further 19 and prosecuted four businesses for failing to meet their information rights obligations.

At £12.7m, social media platform TikTok was hit with the largest fine for breaching data protection law, including failing to use children’s personal data lawfully – with the ICO estimating that up to 1.4m under 13s in the UK were able to use the video sharing app in 2020.

Three marketing firms were fined a combined £310k for making a total of 483,051 unsolicited marketing calls to businesses and sending 107m spam emails to jobseekers; two energy firms were fined a combined £250k for bombarding people and businesses on the UK’s ‘do not call’ register with unlawful marketing calls; a business support consultancy was fined £30k for sending 558,354 direct marketing SMS messages without valid consent; and an appliance service and repair company was fined £200k for making more than 1.7m unsolicited direct marketing calls.

In the final six months of the year, 10 companies were collectively fined more than £800k for sending a total of 4,698,841 unwanted text messages, 39,906,342 emails and making 1,937,028 nuisance phone calls, the research by CSS Assure found.

Charlotte Riley, director of information security at technology at CSS Assure, said: “The fines imposed by the ICO in 2023 highlight the serious consequences of misusing data. Mishandling personal information not only violates data protection laws but also erodes trust among consumers.

“TikTok’s £12.7m penalty underscores the importance of lawful use of personal data and implementing appropriate safeguards, especially when it involves children. TikTok is a large, well-known brand and its fine was substantial due to the sheer amount of data involved. However, much smaller SMEs were also subject to enforcement action and hit with financial penalties.

“The fines imposed on businesses for unsolicited calls and text messages, and spam emails, as well as firms for disregarding the 'do not call' register, demonstrate the significant impact of invasive marketing practices. These penalties send a clear message that companies must respect individuals’ privacy preferences and refrain from bombarding them with unwanted communications.”

• Comment below on this story. Or let us know what you think by emailing us at [email protected] or tweet us to tell us your thoughts or share this story with a friend.

Elevate Talent launches across sports, media and lifestyle sectors

Full-service consulting firm Elevate has announced the launch of Elevate Talent.

New to Market 7 February 2024

Concept and Onyx merge as part of expansion drive

Specialist North-East recruitment firm Concept Personnel has embarked on an ‘ambitious’ expansion programme, starting with the merger with another recruitment business.

Contracts 18 December 2023


This week’s appointments include: 360Work, Escape Recruitment Services, Talentic

People 28 September 2023


This week’s new launches include: Braver, Campbell Tickell, Holler, NorthStar People, Personio

New to Market 28 September 2023