The ICO also reprimanded 36 companies, issued enforcement notices against a further 19 and prosecuted four businesses for failing to meet their information rights obligations.
At £12.7 million, social media platform TikTok was hit with the largest fine for breaching data protection law, including failing to use children’s personal data lawfully – with the ICO estimating that up to 1.4 million under-13s in the UK were able to use the video-sharing app in 2020.
Three marketing firms were fined a combined £310,000 for making a total of 483,051 unsolicited marketing calls to businesses and sending 107 million spam emails to jobseekers; two energy firms were fined a combined £250,000 for bombarding people and businesses on the UK’s ‘do not call’ register with unlawful marketing calls; a business support consultancy was fined £30,000 for sending 558,354 direct marketing SMS messages without valid consent; and an appliance service and repair company was fined £200,000 for making more than 1.7 million unsolicited direct marketing calls.
In the final six months of the year, 10 companies were collectively fined more than £800,000 for sending a total of 4,698,841 unwanted text messages, 39,906,342 emails, and making 1,937,028 nuisance phone calls.
Charlotte Riley, director of information security at technology at CSS Assure, said: “The fines imposed by the ICO in 2023 highlight the serious consequences of misusing data. Mishandling personal information not only violates data protection laws but also erodes trust among consumers.
“TikTok’s £12.7 million penalty underscores the importance of lawful use of personal data and implementing appropriate safeguards, especially when it involves children. TikTok is a large, well-known brand and its fine was substantial due to the sheer amount of data involved. However, much smaller SMEs were also subject to enforcement action and hit with financial penalties.
“The fines imposed on businesses for unsolicited calls and text messages, and spam emails, as well as firms for disregarding the ‘do not call’ register, demonstrate the significant impact of invasive marketing practices. These penalties send a clear message that companies must respect individuals’ privacy preferences and refrain from bombarding them with unwanted communications.
“Moreover, the enforcement notices and prosecutions against companies failing to meet their information rights obligations further emphasise the ICO’s commitment to upholding data protection standards. It is crucial for businesses to understand their responsibilities in handling personal information and take proactive measures to ensure compliance.
“Misusing data not only exposes businesses to financial penalties but also damages their reputation and undermines customer trust. Adhering to data protection laws and adopting ethical data practices are essential for safeguarding individuals’ privacy and maintaining a healthy business ecosystem.
“As data protection experts, we urge businesses to prioritise data privacy and invest in robust systems and processes to prevent data misuse. By doing so, they can not only avoid hefty fines but also foster a culture of trust and transparency, ultimately benefiting both their customers and their bottom line.”