Allay Claims Ltd – €140,400 Fine (United Kingdom, 2026)

Allay Claims Ltd (the controller) sent over 4 million direct marketing text messages to individuals promoting a different entity’s services. The DPA received over 48,000 complaints regarding the direct marketing messages sent by the controller over the course of one year. The controller claimed it relied on the soft opt-in in Regulation 22(3) of the Privacy and Electronic Communications Regulations 2003 (PECR), where an organisation may send direct marketing communications to its customers even if they did not specifically consent to electronic mail. However, only the organisation that collected the contact details can rely on the soft opt-in rule. The controller therefore argued that it did not require the consent of the individuals for such direct marketing messages. It further argued that the recipients of the messages were previous customers. The DPA noted that the controller did not obtain valid consent from the data subjects for electronic direct marketing messages. Subsequently, the DPA analysed if the controller could have relied on the soft opt-in exception. However, the DPA found that data subjects did not have the opportunity to refuse direct marketing communications at the moment of collection of customer details. Thus, the DPA found that the controller breached Regulation 22(3)(c) PECR, ordered the cessation of unlawful direct marketing communications and fined the controller GBP 120,000 (approximately €138,000).