ICO (UK) - KRA Consultancy Ltd
ICO fines KRA Consultancy Ltd £300,000 for sending 5.5M unsolicited SMS without consent
Summary
The UK Information Commissioner's Office (ICO) fined KRA Consultancy Ltd £300,000 for transmitting over 5.5 million unsolicited direct marketing SMS messages promoting debt services between April 2022 and May 2025 without valid subscriber consent. The controller also concealed its identity using fake trading names, anonymous websites, and bulk messaging services, and sent deceptive "fake bailiff messages" targeting financially vulnerable individuals. The investigation, supported by search warrants and seized electronic devices, found the controller had obtained personal data from loan decline datasets and third-party sources without demonstrating compliance with PECR consent requirements.
Full text
From GDPRhub
Latest revision as of 12:11, 29 June 2026
ICO - KRA Consultancy Ltd
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 22 PECR, Article 23 PECR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 20.05.2026
Published:
Fine: 300.000 GBP
Parties: KRA Consultancy Ltd
National Case Number/Name: KRA Consultancy Ltd
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Bailii (in EN)
Initial Contributor: bms
The DPA fined a controller £300,000 for sending over 5.5 million unsolicited direct marketing SMS messages without valid consent and concealing its identity.
English Summary
Facts
The Information Commissioner, the DPA, investigated KRA Consultancy Ltd, the controller, in relation to unsolicited direct marketing SMS messages promoting debt-related services. The case was initially connected to investigations into other companies and individuals involved in mass SMS marketing. During these investigations, the DPA identified links between the controller, debt advice websites, bulk SMS platforms, short URLs and complaints submitted by subscribers to the 7726 spam reporting service.
The controller was found to have used different trading names, websites and bulk messaging services to send large volumes of SMS messages to subscribers. These messages promoted debt write-off or debt solution services and invited recipients to click links leading to websites operated by, or connected to, the controller.
The DPA also found evidence that the controller used personal data obtained from loan decline datasets and other third-party sources. The controller did not demonstrate that the subscribers had provided valid consent to receive marketing SMS messages about debt solutions.
The DPA further found that the controller used so-called “fake bailiff messages” to pressure individuals into responding. These messages suggested that enforcement agents or bailiffs would attend the recipient’s address. The DPA considered that these messages targeted financially vulnerable individuals and were likely to cause distress.
During the investigation, the DPA executed search warrants and seized electronic devices. The evidence included WhatsApp messages, SMS messages, access to bulk SMS platforms, customer communications, call recordings and internal group chats. These showed that the controller was involved in the transmission or instigation of the SMS messages and had sought to make the messages difficult to trace.
Holding
The DPA held that the controller infringed Regulation 22 PECR by transmitting or instigating the transmission of unsolicited direct marketing SMS messages without valid consent. The DPA found that, between 24 April 2022 and 29 May 2025, 5,575,715 direct marketing SMS messages were delivered by, or at the instigation of, the controller. These messages generated over 60,000 complaints to the 7726 spam reporting service.
The DPA considered that the controller could not rely on valid consent. Consent under PECR must meet the UK GDPR standard, meaning that it must be freely given, specific, informed and unambiguous. The DPA found no evidence that the subscribers had specifically consented to receive marketing from the controller. The use of old or purchased datasets, and the absence of adequate due diligence, did not meet the required standard.
The DPA also held that the controller infringed Regulation 23 PECR.
The controller had concealed its identity by using generic trading names, anonymous websites and messaging services designed to make the SMS activity untraceable. The DPA considered this conduct especially serious because recipients were not properly informed of who was behind the marketing communications.
The DPA found that the infringement was serious due to the very high volume of messages, the number of complaints and the nature of the marketing. It also found that the infringement was deliberate. The controller had obtained loan decline data, failed to verify consent, used fake bailiff messages and sought repeated assurances that the messages could not be traced.
In the alternative, the DPA found that the controller was at least negligent. The controller knew or ought to have known about the risk of non-compliance, given the DPA’s public guidance on direct marketing and consent. The controller nevertheless failed to take reasonable steps to prevent the contraventions.
As aggravating factors, the DPA considered that the controller concealed its identity, targeted financially vulnerable individuals, sent distressing fake bailiff messages, provided debt-related advice despite not being FCA-authorised, misled the DPA during the search warrant, obstructed the investigation and continued unlawful marketing activity after the warrant. The DPA found no mitigating factors.
The DPA therefore issued a monetary penalty of £300,000. The penalty could be reduced to £240,000 if paid early and if no appeal was lodged.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
MONETARY PENALTY NOTICE
KRA Consultancy Ltd
20 May 2026
FOR PUBLIC RELEASE
Contents: Introduction; Legal framework; Background to the case; The contravention; Seriousness of the contravention; Deliberate or negligent; The Commissioner’s decision to issue a monetary penalty; The amount of the penalty; Conclusion and right of appeal; Annex
DATA PROTECTION ACT 1998
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER
MONETARY PENALTY NOTICE
To: KRA Consultancy Ltd
Of: 1 Hardman Street, Spinningfields, Manchester, M3 3HF
Introduction
1. The Information Commissioner (“the Commissioner”) has decided to issue KRA Consultancy Ltd (“KRA”) with a monetary penalty under section 55A of the Data Protection Act 1998 (“DPA”) in the sum of £300,000. This Monetary Penalty Notice (“Notice”) is in relation to a serious contravention of regulations 22 and 23 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).
2. In accordance with section 55B of the DPA, KRA was previously served with a Notice of Intent dated 27 February 2026 which set out the Commissioner’s provisional findings. Having considered KRA’s representations submitted on 9 April 2026, the Commissioner is satisfied that a monetary penalty remains an appropriate sanction.
3. This Notice explains the Commissioner’s decision.
Legal fra