ICO Assessment (RFA0851298): Does a car insurance renewal communication constitute direct marketing?

I don’t like having to renew my car insurance because I think the insurance industry is, as a rule, self-serving and corrupt. Take the “No Claims Bonus” (NCB) for example; why do some companies only allow 9 years NCB while others allow you up to 20 years NCB?

When I asked the Financial Ombudsman to investigate this issue in 2016 (Ref: 17901539) they forwarded me the response they received from the insurance business that I had complained about:

Although I accept that the process is potentially flawed as some consumers do have 20 or 30+ years NCB, it is the same across the industry which is overseen by the FCA who seem quite happy with the current process. Leading insurers will generally (although I can’t speak for them all) only accept a maximum of 6-9 years as a maximum; I have worked in insurance for nearly 10 years and I don’t know of any insurer that will currently accept more than 9 years as maximum.

This response by an insurance provider confirms that the NCB process is misleading. If 9 years is the maximum NCB that can be carried over, then is it reasonable to conclude that any business that allows for more than 9 years to be selected in the form, is misleading us, because they’re trying to give the impression that they’ll consider more than 9 years NCB? Why can’t the FCA enforce a standard? The protected no-claims scheme is also seriously misleading because your NCB is not necessary protected if you make a claim.

Introducing ICOBS

Of course, the FCA does implement some standards, via ICOBS – the regulatory guidance that all insurance businesses must adhere to. To clarify, the GDPR places a statutory obligation on all controllers, whereas ICOBS (Insurance Conduct Of Business Sourcebook) places a regulatory obligation on insurance businesses. To clarify, an Insurance Business is an organisation that arranges insurance contracts on behalf of an insurance company. My understanding is that the GDPR will supersede any ICOBS obligation.

Understanding the relationship between ICOBS and the GDPR is key to this case. This is because Section 6.5.1 of ICOBS places an obligation on an insurance business to target policy holders with a quote on how much it will cost to carry the policy forward for another year. Yet, a quote to renew a service will constitute direct marketing, and we all have a fundamental GDPR right to opt-out of all direct marketing from a data controller. So, what happens if I opt-out of all direct marketing? Can the insurance business still target me with the renewal quote? Well, No!

To be fair though, while I would normally object to any controller that challenged my right to opt-out of ALL direct marketing from them, I personally think it’s reasonable for an insurance business to ask me whether the renewal quote should be included in any Article 21(2) GDPR opt-out. Unless of course, you’ve already stipulated that you want the opt-out to include the renewal quote, as I do.

However, in this case, the controller’s customer service staff, as well as their Executive Board, believe that they have the right to target us with the renewal quote communication regardless. This is because they believe that Section 6.5.1 of ICOBS negates the statutory definition of direct marketing. Allow me to clarify. They’re not saying that ICOBS requires them to target us with specific direct marketing in the form of a renewal quote, and that this obligation supersedes the GDPR. Instead, they’re saying that the renewal quote does not constitute direct marketing. Seriously?

To be clear, just because a communication is classed as a “service message” by a controller, doesn’t mean that it doesn’t constitute direct marketing. It’s common practice among many data controllers to label direct marketing as a service message because the majority of controllers are self-serving so they’ll do anything they can to target us with direct marketing. Take no notice. A “service message” is not defined by the GDPR or DPA but what constitutes direct marketing is.

As such, if a communication falls under the statutory definition of direct marketing, pursuant to Section 122(5) DPA 2018, then that communication constitutes direct marketing and you have a valid claim if you received direct marketing as a direct result of unlawful data processing. It’s not about the controller, it’s about the communication. To be fair, the view of the controller is mute. Who cares what they think – does the communication contain any advertising or marketing material?

How to prevent a policy from rolling over

To set the scene then… I don’t like rollover insurance contracts and I want to use the rights afforded me by the GDPR to prevent the rollover of a policy. Here’s what I know:

  • I know that ICOBS 6.5.1 will prevent an insurance business from rolling over a policy for a second year, unless they’ve communicated the cost of renewing that policy to the policy holder in a timely manner – the renewal quote communication;
  • I know that such a communication – a quote to renew a service, will fall under the statutory definition of direct marketing, pursuant to Section 122(5) DPA 2018;
  • I’m confident that our key GDPR right to opt-out of all direct marketing from a controller will supersede any ICOBS obligation.

Thus, by opting out of all direct marketing from the controller, they cannot target me with the renewal quote, so they cannot rollover the policy. Simple, right? And it does actually work.

There have been two occasions now, where separate insurance businesses sent me a letter to inform me when my policy would expire. They sent me a non-promotional letter instead of the renewal quote because I had opted out of all direct marketing. Both of these insurance businesses were bound by ICOBS yet they managed to find a way not to target me with the renewal communication. Instead, the letter informed me that my policy would expire on a certain date and that it would not be renewed. My guess is that these two controllers treated my opt-out as a cancellation of the service – that because they cannot target me with the renewal quote, they cannot renew the service. That makes sense to me.

Third time unlucky

Aware that two insurance businesses had previously complied with my opt-out, I contacted my car insurance provider, “The Company” on the 6 June 2018 to opt-out of all direct marketing. This was about four months after the policy had started. Here’s what I said:

I don’t like automatic renewals so I wish to opt-out of all direct marketing from you in accordance with Article 21(2) GDPR:

[I quoted Article 21(2) GDPR]

My understanding is that your organisation will not be able to target me with a quote to renew the service if I am opted out of all direct marketing and as such, you won’t be able to process the auto-renewal. If you disagree with this view then you need to let me know so that I can seek advice from the ICO.

Note how I’ve specifically mentioned the renewal communication in my opt-out. The Company’s customer service person responded to my opt-out as follows:

I have reviewed your emails and I can confirm that although we will invite you to renew at least four weeks before they are due, we will not automatically renew your policies. Upon receipt of our renewal invite letters please contact us to make payment if you wish to renew.

Despite my clear instruction, they’ve cancelled the rollover of the policy but they’re still going to target me with the renewal communication? I sought further clarification, and they replied as follows:

I would like to confirm that a renewal reminder is not marketing material. As your broker we have a duty of care to inform you when your renewal is due. I can confirm that all other forms of marketing material from the [the Controller] have been suppressed.

They don’t have a duty of care; they have a regulatory obligation under ICOBS. And as they’re refusing to comply with a key statutory right, methinks that they could at least do me the courtesy of explaining why by quoting ICOBS 6.5.1.

Let’s be clear folks… a renewal reminder absolutely is direct marketing. Indeed, a quote to subscribe to or renew a service is likely to be the pinnacle of direct marketing because it’s closer to a sale than, say, advertising that serves to raise awareness of a product or service. I replied to inform the customer service person that they were misunderstood. Just under a month later, a more senior member of their customer service staff contacted me. She said:

I think it is important to start by offering my apologies on behalf of [The Company] that you have been put to the trouble of contacting us again. I can confirm that your car insurance will lapse at one minute past midnight on 8 February 2019 and as requested no reminder will be issued.

That’s what I wanted to hear. She apologised and agreed not to target me with the renewal quote. It remains unclear however, why this issue was not passed to the controller’s DPO? As far as I was concerned the matter was resolved.

They can’t help themselves

Unfortunately, shortly before the renewal date, they sent me the renewal quote by post. This was really frustrating. I contacted The Company again and this time I received the following reply from their Data Request Team:

As I understand it, you are unhappy that you have received our notification that your motor Insurance is due for renewal. As we have explained previously, we have an obligation to remind all customers when their policy is due to expire, particularly in the case of motor insurance as it is a legal requirement to have this in place.

But I was told that I would not receive the renewal quote. She continued:

My colleagues have confirmed to you that your policy will not renew automatically as per your request but we have sent the reminder that the cover is due to close and an explanation of what you need to do should you wish to continue your policy with us.

This is all wrong. They told me this initially, but the more senior colleague agreed not to target me with the renewal quote. And to be clear, I did not specifically request that the policy should not be renewed; they inferred this from the wording of my opt-out. And they did not send me a reminder that the cover is due to close – as the other two companies did, they sent me the renewal quote that I had been assured that I would not receive. I sought further clarification and they replied as follows:

Whilst I appreciate that you had requested we do no send you a renewal reminder, I am satisfied that it was explained to you that this is our process and we have an obligation to let you know when your policy is due to expire and what you need to do should you wish to continue cover with us. The documents sent to you are not marketing communications.

The renewal quote is indeed a marketing communication and I was clearly advised by a more senior member of their customer services team that “no reminder will be issued”. Sorry, but it’s not open to debate. By telling me that no reminder will be issued, this controller can no longer rely on a condition for processing. They’ve acknowledged that I had withdrawn my consent, they’re not able to balance the LI condition, and no term in a contract can negate statutory instrument.

Further emails ensued, so to cut a long story short, the view of The Company is that the renewal quote does not constitute direct marketing because of ICOBS. Thus, they are of the view that the renewal quote is a service message and I’m obligated to receive the renewal because I accepted their terms and conditions. Clearly, they had every intention of targeting me with the renewal quote regardless of their assurances that they would not.

What the ICO had to say

Prior to submitting my complaint to the ICO, The Company clarified that the renewal quote was an essential service communication that did not constitute direct marketing. Whereas I was of the view that a quote to renew a service will constitute direct marketing – period, because it falls under the statutory definition of direct marketing. In other words, their argument was fundamentally flawed. As I said previously, what they should be arguing is that ICOBS gives them the right to target me with direct marketing in the form of the renewal quote, not that the renewal quote does not constitute direct marketing, because that’s absurd.

A Lead Case Officer (LCO), rather than a Case Office (CO) carried out the Assessment. My understanding is that a LCO manages a number of COs and a Team Manager manages a number of LCOs. So, while I’m honoured to have had an LCO carry out the Assessment, I expected an elevated level of expertise.

The LCO started by asking me to provide some further information, and she also contacted The Company to ask them some questions before carrying out an Assessment. The Assessment (RFA0851298) was as follows. I’ve broken the response down into sections and commented on each:

We have considered the information available in relation to this complaint and we are of the view that the Controller has complied with their Data Protection obligations. This is because The Company have applied a legitimate condition for processing personal data and therefore no infringement.

Point 1: It’s not the role of a Case Officers to adjudicate, so the LCO should not be telling me that there has been “no infringement” in an Assessment. That’s a failure of process right there. It’s up to a judge to decide whether there has been an infringement of the law.

The LCO continued…

The GDPR requires organisations to ensure that personal data shall be processed: Lawfully, Fairly; and in a transparent manner. For processing to be lawful an organisation must also be able to identify at least one lawful basis for processing (Article 6).

The Company has confirmed that it has not sent direct marketing to yourself. The document you refer to as a renewal quote is actually an annual car insurance renewal notice. This is a standard and important customer service document, which is sent by all insurance companies to their customers at the end of the car insurance policy year, and is one which is required by Financial Conduct Authority (FCA) regulation.

Point 2: A quote to renew a service constitutes direct marketing because it promotes the cost of continuing with a service. The renewal quote may well be a standard important customer service document, I’m not denying that, but a communication that promotes the renewal of a service will fall under definition of direct marketing. It would appear that this LCO does not understand the statutory definition of direct marketing. Or perhaps she conveniently ignored it.

The LCO continued…

This is an important duty of care communication given that car insurance is required by law and to enable the proper functioning of the car insurance market. The renewal notice contains important information, including the date of expiry of the policy, what a customer would need to do to remain covered, how much the premium will be if they wish to renew on the same terms, what they paid last year for the policy (for transparency and comparison purposes), details of any applicable no claims bonus, and details of certain information impacting the quoted policy premium. A copy of the new terms and conditions and proposed schedule of insurance are also included. The notice does not market or advertise any products or services. The FCA’s Insurance Conduct of Business rules (see rules 6.1.5R, 6.1.6G, and 6.5.1R in particular) oblige the Controller to send this communication and the renewal notice aims to ensure customers have full and appropriate information on which to base insurance renewal decisions.

Point 3: It looks like this has been copied and pasted from the controller’s response. Where’s the evidence? In this evidence-based Assessment, where is the evidence that ICOBS supersedes the GDPR or DPA? For example, has the controller supported their view with confirmation from the FCA? No, the LCO has simply opted to side with the controller. As is often the case.

Point 4: In order to side with the controller, the LCO has demonstrated utter contempt for the laws that she gets paid to uphold. She doesn’t understand what she’s doing so she’s opted to side with the controller as the path of least resistance.

The LCO continued…

Therefore the Controller can apply as outlined in GDPR (Article (6)(1)(b)) ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.

As the Controller are processing on the basis of contract, the individual’s right to object and right not to be subject to a decision based solely on automated processing will not apply.

Point 5: She started off arguing the LI condition and now she’s arguing the fulfilment of a contact condition. So, what condition for processing is the controller relying on? The controller cannot rely on any condition for processing because they told me that I would not receive the renewal quote.

Point 6: It would appear that the LCO is of the view that an organisation’s terms and conditions can override statutory instrument. They cannot, as I’ve proven on many occasions.

The LCO continued…

On the basis of the information provided it seems the Controller is likely to have complied with the DPA. We tend to agree with their requirements for processing would apply in the circumstances and that the fairness requirements of this principle were met because it was not unreasonable to assume that data would be processed in this way.

From the information you have provided to us it does not appear that the Controller has breached the DPA/GDPR, for reasons I hope I have explained above, and the issue you have raised does not suggest any wider concerns about their information rights practices.

Point 7: It absolutely was unreasonable because the controller held the view that a renewal quote does not constitute direct marketing – which is nonsense, and they assured me that I would not receive the renewal quote. The LCO conveniently overlooked this fact.

With Assessments like this, one has to reasonably conclude that the ICO is complicit in the abuse of the key rights afforded to us all by the GDPR. This is because, on the face if it, this LCO gives the impression that she talks with authority on the subject matter, so there’s no reason for a member of the public not to accept her view. Yet to anyone that actually understands the law, it’s clear that she’s either grossly incompetent or she’s actively and deliberately sided with the controller. Most likely both – that because she’s incompetent she will always side with the controller so as not to get caught out.

To demonstrate the one-sided approach by the LCO, her Assessment failed to mention Article 21(2), and she failed to consider the fact that the controller told me that they would not target me with the renewal quote. This is standard practice for the ICO’s case officers.  I obviously objected to the Assessment and sought a Case Review.

The Case Review

The Case Review (RCC0863814) was carried out by a Team Leader and for once, someone at the ICO actually got it right. The Team Leader said:

I have considered the points you have raised and have also reviewed the relevant information that we hold about your data protection concern. I am satisfied that [the LCO] dealt with this matter appropriately and in line with our case handling procedures. However, after further consideration it is my view that the renewal notice sent to you by the Controller did include direct marketing, therefore the incorrect assessment was reached.

In this case [the LCO] explained the reasons for her decision in her letter of 19 July 2019. Having reviewed the matter, I agree that the Controller did have legitimate grounds to contact you to inform you that your policy was due to expire, and this is in line with the Article 6(1)(b) of the GDPR. However, because you had opted out of direct marketing and this letter also contained a renewal quote and instruction to ‘call us to renew’, this constitutes direct marketing and is therefore a breach of the legislation.
As such, I have asked [the LCO] to contact the Controller to inform them of our view and to provide advice regarding their contact with customers who have opted out of receiving direct marketing, to ensure that any contact does not contain marketing material.

Although I agree with the decision to overturn the Assessment, because it was clearly incompetent, it’s a concern that the Case Review failed to pick-up on the behaviour of the LCO. The fact that the LCO adjudicated in the Assessment, the fact that she failed to obtain evidence, that she accepted the controller at their word, and that she failed to understand or stand-by the law that she’s paid to uphold. For this reason, I shall be submitting a complaint to the PHSO.

It’s gross incompetence that would not be accepted in any other government agency. The ICO get away with it because the public trust that what they’re being told by ICO staff is correct. We’ll wait to see now whether the controller’s CEO is going to challenge the view of the Case Review.

Memorandum of Understanding

As I shall be taking the controller to court at some point, I spent some time reviewing ICOBS and associated laws. While carrying out my analysis, I discovered a Memorandum of Understanding (MOU) that had been recently created between the ICO and the FCA:

I provided the MOU information to support the Case Review but nothing was ever said about it. To clarify, the MOU stipulates that the FCA and the ICO will work together to resolve any potential conflicts. And as this case apparently involves conflicting laws, I’d reasonably expect one of the case officers involved in this case to follow a process to have this case considered as part of the MOU. I’d expect the findings to be documented as part of the ICO’s and DMA’s published guidance. However, nothing was said about the MOU on the Case Review. Does such a process exist or was the undertaking just a soundbite?

What the Financial Ombudsman had to say

I submitted a complaint to the Financial Ombudsman (FO) but their initial response was to tell me to contact the ICO. So, the Ombudsman clearly wasn’t aware of the MOU. You’ve got to laugh. I’m still waiting for a response from the Ombudsman. Ideally, I want them to tell the FCA to include a section within ICOBS that requires controllers to follow a process to engage the MOU if they believe that ICOBS supersedes any data protection laws.

What the Direct Marketing Association had to say

As the controller is a member of the DMA, I’ve submitted a complaint to the DMA Commission and I’m still waiting to hear back from them. It’s been quite a few months now but nothing so far.

About a previous Assessment and Case Review in 2013

While investigating this case, I discovered that I had submitted a complaint to the ICO about the same controller back in 2013. I was aware of the case but I didn’t realise that it was the same controller. In that Assessment (RFA0487660), the Case Office (CO) actually got it right first time, she said:

From the information you provided, it appears unlikely that The Company has complied with the DPA in the circumstances described in this case. This is because The Company has sent you an automatic renewal notice despite receiving a Notice under Section 11 of the DPA from you.

This view, given in an Assessment from more than five years ago, is consistent with the view given in the Case Review for this case. They both held the view that ICOBS will not supersede a formal opt-out of all direct marketing. However, back in 2013, when the CO wrote to the controller to tell them that they needed to comply, The Company CEO objected. He said:

I can confirm that [The Company] does not accept these findings. It is the our view that a section 11 Notice does not prevent the sending of an insurance renewal notice. Whilst we apologise that you were sent a renewal notice in error and despite assurances from us that this would not be sent, we do not consider that this was a breach of the First Data Protection Principle.

Section 11 DPA 1998 was the previous right to opt-out of all direct marketing from a controller, which has now been superseded by Article 21(2) GDPR. Note too, how the CEO apologises for his staff giving me assurances that I would not receive the renewal quote. Yet, five years later, and his staff are still giving assurances that they have no intention of keeping.

Due to this response, I asked the ICO to make the controller comply with the view given in the Assessment. This prompted a Case Review (RCC0513623), and the LCO that carried out the Case Review, opted to overturn the Assessment in order to side with the controller. The LCO, back in 2013, said:

Although you had asked The Company not to issue you with a renewal notice and it had indicated that it wouldn’t, section 11 of the DPA does not require it to refrain from sending the renewal notice because the communication was not direct marketing material.

It’s another fine example of how case officers will say anything to side with a controller. 

The LCO continued…

The Company has also explained that it could legitimately decide not to issue the renewal notice in circumstances where an individual has specifically requested that they do not wish to receive one (as in your case). However, this again does not relate to the requirements of the DPA and would instead be a matter for The Company to consider in relation to its responsibilities under the FCA’s rules.

Now, this is interesting. So, The Company could decide not to issue the renewal quote. Does this mean that there is something in ICOBS that would allow them to comply? Is this the same rule that the other two companies used I wonder? Are we saying that there has always been a rule within ICOBS and that The Company has just ignored it in favour of sending me the renewal? So, they’ve actually breached my rights as a data subject and failed to comply with ICOBS for their own self-serving needs? I’ll need to raise this issue with the Financial Ombudsman.


It’s an utter shambles isn’t it? Despite a clear instruction to opt-out, it would appear that The Company is trying to scam its customers into receiving the renewal quote so that they can automatically rollover the contract. It’s despicable. And the ICO’s case officers are so incompetent and so keen to side with controllers that they just go along with it. How is that possible?