Unlawful Robo-Calls: ICO Fines Energy Firms Over Automated Marketing Breach
The Information Commissioner’s Office (ICO) has cracked down on two energy firms, fining them a combined £550,000 for making unlawful automated marketing calls (robo-calls).
The firms used voice-avatar software to make millions of calls that misled recipients into believing they were speaking with local UK agents. In reality, the calls originated overseas and were generated using pre-recorded scripts voiced by actors.
This case highlights the rising risks in automated marketing as businesses adopt AI-driven communication tools, especially when organisations push boundaries with limited oversight.
Why This Case Matters
As automated and AI-driven tools become more accessible, companies may see robo-calls as an efficient outreach method. But the ICO’s enforcement shows regulators are watching closely.
Also, robo-calls are not a grey area. Under the Privacy and Electronic Communications Regulations (PECR), organisations must have clear, prior consent before making any automated marketing call. The ICO’s latest fines are a reminder that:
- Automated calls attract stricter rules than live calls
- Innovation is no excuse for non-compliance
- Failures carry serious consequences regarding fines and reputational harm
This action reflects a wider regulatory trend. In recent months, the ICO and Ofcom have publicly warned of increasing misuse of AI-driven telemarketing. In the US, the Federal Trade Commission (FTC) has also fined firms for voice cloning and avatar call scams. The message is clear on both sides of the Atlantic: consent and transparency are non-negotiable.
The ICO’s Findings
The ICO fined Home Improvement Marketing Ltd (HIM) in Pembrokeshire £300,000. HIM used overseas call centres to make roughly 2.4 million automated calls from May to August 2023, using avatar software that masked the origin.
The ICO also fined Green Spark Energy Ltd (GSE) £250,000 after it made 9.5 million calls. Complaints poured in, nearly 500 people contacted the ICO or the Telephone Preference Service (TPS), including elderly and vulnerable individuals.
Key findings included:
- Lack of consent: many recipients never agreed to receive automated calls.
- Misleading practices: voice avatars masked overseas origins.
- Vulnerable individuals targeted: nearly 500 complaints were lodged, many from elderly people.
- Shared leadership: both companies were linked to a common director, Mathew Terry.
The ICO executed a search warrant in March 2024, seizing phones and documents that revealed instructions for evading detection and converting the calls into insulation product sales.
As Andy Curry, ICO Head of Investigations, commented:
“Advances in technology may make detection harder, but the rules remain the same. Companies using these systems must ensure they are lawful, transparent and fair.”
Our Legal Obligations Around Robo-Calls: PECR and UK GDPR
PECR: Automated marketing calls require prior, informed, and recorded consent. Organisations must identify themselves and provide an opt-out option.
UK GDPR: Organisations must handle personal data lawfully, transparently and fairly. When automation processes personal data for marketing, businesses must ensure people can understand how their data is used, including in decision-making.
ICO Direct Marketing Code of Practice: This statutory code sets out good practice and is essential reading for any organisation engaged in marketing.
How to Spot a Robo-Call
Consumers should remain vigilant. The ICO offers practical tips to recognise robo-calls:
- Notice small pauses before responses, the system selects prerecorded clips.
- Check if replies sound generic or irrelevant.
- Listen for identical voices across “agents.”
- Observe overly polished calls with no background noise.
- Notice if conversations revert to fixed marketing language regardless of replies.
Reports can be made directly to the ICO or via the Telephone Preference Service (TPS), which remains a key enforcement tool.
What Organisations Should Do Now
If your organisation uses or plans to use automated calling or avatar-based outreach, follow these steps to stay compliant:
- Consent mechanisms: Review contact lists to ensure valid, recorded consent exists before making any automated call.
- Maintain evidence: Document consent records with timestamps, sources, and purpose.
- Transparency: Ensure scripts clearly identify your organisation.
- Opt-out options: Provide a straightforward way for customers to object.
- Quality checks: Monitor call quality and avoid misleading avatars.
- Training: Train marketing teams on PECR and GDPR obligations.
- Auditing: Run regular audits to identify risks early.
We recommend running a Direct Marketing Audit as part of your data protection governance. You can integrate this into a broader GDPR Audit. Technology should support compliance, not bypass it.
Our View
At Data Protection People, we see this case as a clear signal from the ICO: using advanced technologies like avatar software and automated script systems does not exempt organisations from compliance. If anything, it heightens risk.
Compliance is not a barrier to innovation, it is a framework for deploying new technologies responsibly. Organisations that invest in consent, transparency, and accountability will not only stay on the right side of the law but also build lasting trust with customers.
FAQs
Are all robo-calls illegal?
No. Some automated calls are lawful, for example, where individuals have given prior, informed consent. Without consent, they breach PECR.
Do I need consent for avatar-style calls?
Yes. Whether calls use avatar software or a live agent, you must have explicit consent to make automated marketing outreach.
What type of consent qualifies?
Consent must be freely given, specific and informed. Keep detailed records showing the consent method, time and purpose.
What should I do if customers report robo-calls?
Investigate immediately, suspend suspect activities, review consent records, and cooperate with the ICO. Use our Data Protection Support if necessary. Consider SAR Support if the call involved personal data.
Contact Us
If your business engages in automated marketing, we can help you:
Contact us today to make sure your automated marketing complies with the law.
References:
https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/09/warning-over-robo-calls-as-energy-firms-fined-half-a-million-pounds-for-unlawful-marketing-calls/#:~:text=unlawful%20marketing%20calls-,Warning%20over%20robo%20calls%20as%20energy%20firms%20fined%20half,pounds%20for%20unlawful%20marketing%20calls&text=We%20are%20warning%20the%20public,for%20making%20automated%20marketing%20calls.
https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/direct-marketing-guidance/
https://www.ofcom.org.uk/phones-and-broadband/unwanted-calls-and-messages/recorded-message-marketing-calls