The UK Information Commissioner’s Office (ICO) has issued two monetary penalties totalling £225,000 after finding millions of unlawful marketing messages were sent without valid consent under the Privacy and Electronic Communications Regulations (PECR).
The regulator fined Allay Claims Ltd £120,000 for sending 4,046,947 marketing text messages promoting PPI tax refund services, and ZMLUK Limited £105,000 for sending 67,772,285 marketing emails promoting a range of products and services using third-party sourced data.
Andy Curry, the ICO’s Head of Investigations, said unwanted marketing messages are “an intrusion”, and warned that “relying on vague or third-party consent, or sending marketing messages under the guise of service updates, isn’t enough.”
Allay Claims: 4.0m SMS messages, 46k complaints, “service updates” argument rejected
According to the ICO, Allay Claims’ texts were “clearly promotional”, encouraged recipients to make further claims, and drove people to external landing pages – making them direct marketing, not operational or service communications.
The investigation also points to the scale of consumer frustration: more than 46,000 complaints were submitted via the UK mobile spam reporting shortcode 7726 during the period under review, and complaints continued even after Allay was aware of the ICO’s concerns. (ICO)
Crucially, the ICO found Allay failed to offer a simple way to refuse marketing when collecting details, meaning it couldn’t rely on the “soft opt-in” exemption it sought to use. (ICO)
ZMLUK: 67.8m emails, “361 partners”, invalid bundled consent – and weak due diligence
ZMLUK’s case will sound familiar to anyone who has reviewed lead-gen flows. The ICO says the data used was sourced primarily from a third-party website where individuals were shown a long list of 361 “partner” companies with no mechanism to choose who could contact them. The regulator concluded that this prevented informed, specific consent – and therefore the consent was invalid.
The ICO also underlined a point many brands and agencies still get wrong: even if you’re sending “on behalf of” another organisation, the sender is still responsible for PECR compliance. In this case, the ICO noted emails were sent on behalf of Zuru Jersey Ltd, but responsibility still sat with ZMLUK as the sender.
Finally, the regulator criticised the company’s approach to list sourcing: it said ZMLUK relied heavily on third-party data without sufficient due diligence to understand how consent was obtained, and failed to take reasonable steps to prevent unlawful marketing.
The compliance message for email and SMS teams
1) “Soft opt-in” is narrow – and you must engineer it end-to-end
PECR’s soft opt-in can be useful, but it’s not a shortcut. The ICO reiterates it only applies where:
- details were collected during a sale (or negotiations for a sale);
- marketing is for similar products/services; and
- the recipient was given a clear, simple way to refuse marketing at collection and in every message. (ICO)
If your capture flow doesn’t make opting out easy at the point of data collection, you’re already on thin ice – and “we thought it counted” won’t survive scrutiny.
2) Bundled “partner consent” (especially long lists) is a high-risk pattern
The ZMLUK decision is another reminder that “selected partners” consent is often non-compliant in practice. If people can’t make a real choice about which organisations will market to them, you’re likely looking at consent that isn’t freely given, specific and informed. (ICO)
3) Due diligence on third-party data isn’t optional – and “we were told it was consented” won’t help
The ICO explicitly flags inadequate due diligence on how data was sourced and consent captured. (ICO)
For any list acquisition or affiliate/lead-gen arrangement, assume you may one day need to evidence:
- the exact consent wording shown at the time of capture;
- who the user believed would email them;
- whether consent was granular (brand-by-brand), unbundled, and unambiguous; and
- how your organisation audits and monitors suppliers.
4) Labels don’t matter; content and intent do
Allay’s attempt to frame the texts as “service updates” didn’t land. The ICO looked at the tone, the calls to action, and the presence of promotional intent.
If a message tries to drive revenue or conversion, treat it as marketing and apply the correct PECR controls.
One more thing to watch: guidance updates in flight
The ICO’s own “electronic mail marketing” guidance notes it’s under review following the Data (Use and Access) Act coming into force on 19 June 2025. That doesn’t change the fundamentals in these cases – but it’s a prompt for compliance teams to keep an eye on updated regulator guidance as it lands.
Practical checklist: quick self-audit for 2026
If you manage email or SMS programmes, these cases suggest a simple risk-reduction pass:
- Confirm which sends rely on explicit consent vs soft opt-in, and verify the capture journey supports the choice you’re relying on.
- Review all third-party data sources: capture screenshots, consent language, and partner disclosure flows; add contractual audit rights.
- Ensure unsubscribe/STOP is one-click / one-step and honoured promptly.
- Treat “service message” claims skeptically: if there’s promotion, run it through marketing compliance rules.
- Monitor complaint signals (including spikes) and pause aggressively when something looks off.
For email professionals, the headline isn’t really the £225k – it’s the ICO’s continued focus on mass scale, weak consent design, and hand-waved provenance in third-party data. (ICO)






