ICO v. Emailmovers Limited

3 months to comply


Emailmovers Limited's privacy policy was not specific enough and did not clearly name third-party recipients. Deploying the deceptive pattern of hidden and misleading information, the company's email data and marketing service were found to have no clear lawful basis for possessing individuals' personal data, violating the principles of lawfulness, fairness, and transparency.

Our analysis

The ICO (Information Commissioner's Office) found that the privacy policy of the organisation that collected the personal data was not specific enough. While the policy stated that an individual's personal data would be shared with third parties for marketing purposes, it did not clearly name the third party recipients. This lack of specificity can lead to confusion and concern among individuals whose personal data is being shared which can be classified into the deceptive pattern of hidden and misleading information. The ICO emphasised the importance of clear and transparent communication when it comes to the handling of personal data, and recommended that the organisation update their a policy accordingly. It is essential for organisations to be clear about how they collect, use, and share personal data to foster trust and maintain their reputation. 
The ICO emphasises the requirements for consent, which must be “specific and informed”. It clarifies that consent for purchased “consented” data is valid only if the purchaser is identified at the time the data is collected (i.e., when consent is given). Therefore, EML could not have lawfully purchased the data based on valid consent, as it was not identified as a potential buyer to individuals. The use of these deceptive patterns meant that individuals were not fully aware of the nature of the data collection and how their personal data would be used for marketing purposes. This violated several provisions of data protection regulations, including Article 5(1)(a) of the GDPR, which requires that personal data shall be processed lawfully, fairly and transparently.


Emailmovers Limited must comply with ICO's requirements within three months, which include notifying individuals about the processing of their personal data, ceasing the processing of data for those who were not informed, and keeping appropriate records of consent. Failure to comply may result in a penalty of up to £17.5 million or 4% of the annual worldwide turnover.


Emailmovers Limited

Case number

Enforcement Notice - 2620027

Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us