In Xerpla Ltd v. Information Commissioner [2018] UKFTT 2017_0262 (GRC) (14 August 2018), an English General Regulatory Tribunal has overturned a fine, issued by the Information Commissioner’s Office (ICO) against the direct marketing company, Xerpla Ltd, after the ICO determined that Xerpla had failed to obtain the necessary consents for electronic communications to its subscribers.

The ICO fined Xerpla £50,000 in October 2017 for sending 1.26 million marketing emails to its subscribers, which, according to the ICO, breached the Privacy and Electronic Communications (EC Directive Regulations 2003) (PECR). Central to PECR is that any direct marketing emails to subscribers must only be sent with the prior consent of the email recipient.

The tribunal found that Xerpla’s subscribers had “consented to, and knew they were consenting to, the direct marketing of third party offers for all kind of products and services… That is why they subscribed…” It was therefore considered obvious what was being consented to, given the services offered by Xerpla.

The ICO referred to a section of its direct marketing guidance, which covers indirect consent and scenarios where subscribers consent to receive marketing information from third party companies. The guidance states that subscribers must have understood that their details would be passed on to a third party and that that third party would contact them for marketing purposes. The tribunal deemed this to be irrelevant, as it was Xerpla that provided the direct marketing.

The tribunal also noted that only 14 complaints had been made to the ICO, which accounts for less than 00.00012 per cent of the 1.26 million emails that Xerpla sent. The tribunal commented that this indicated that the “majority of Xerpla subscribers were content to receive direct marketing about a wide range of product and services – and that is likely to have been precisely because that is what they had signed up for.”


This case pre-dates the General Data Protection Regulation (GDPR), which, and as recognised by the tribunal, has introduced a stricter definition of consent. Although Xerpla shows that the ICO may not always apply the law correctly, or even follow its own guidance, it equally serves as a timely reminder that consent for direct marketing must now be GDPR compliant. It is unlikely that the ICO will be deterred by its loss in the Xerpla appeal, given the more stringent GDPR regime that they must now uphold. Businesses conducting direct marketing exercise should therefore take note and ensure that consent is “freely given, specific, informed and an unambiguous indication of the individual’s wishes”. The individual must opt-in to any direct marketing, instead of opting out.