£300,000 ICO Penalty for Illegal Automated Marketing Calls: Home Improvement Marketing Ltd Case Analysis

In August 2025, the Information Commissioner’s Office (ICO) fined Home Improvement Marketing Ltd (HIML) £300,000 for making 2.4 million illegal automated marketing calls. The monetary penalty notice reveals a deliberate pattern of evasion, overseas operations, and a director with previous violations—offering important lessons for any business using automated calling systems.

The Case Summary

The Violation

Between 31 May 2023 and 31 August 2023, Home Improvement Marketing Ltd made 2,449,380 automated marketing calls without obtaining any consent from recipients. The calls generated 274 complaints to the ICO and Telephone Preference Service (TPS).

The company violated two key provisions of the Privacy and Electronic Communications Regulations (PECR):

  • Regulation 19: Automated marketing calls without specific consent
  • Regulation 24: Failure to properly identify the caller

The ICO issued a £300,000 penalty on 28 August 2025, with a 20% early payment discount available if paid by 29 September 2025.

The Players

Director Mathew Terry controlled HIML, but this wasn’t his first encounter with ICO enforcement. His previous company, Eco Friendly Energy (EFE), made 6.7 million illegal calls and generated 217 complaints before being placed into liquidation in November 2023—whilst already under ICO investigation.

HIML used an overseas call centre called “1 in 4 BPO” based in Pakistan to execute the calling operation. The calls used generic trading names like “Energy Hub,” “Energy Saving Team,” and “local energy advisor” to conceal the company’s identity.

The Violations Explained

Regulation 19: Automated Calls Without Consent

PECR Regulation 19 prohibits automated marketing calls to individuals unless they have given specific prior consent. This isn’t the same as general marketing consent—it must specifically cover automated calls.

HIML made 2.4 million calls without obtaining any consent whatsoever. When questioned, the director admitted: “no consent was obtained.” No evidence of consent was provided to the ICO throughout the investigation.

Regulation 24: Failure to Identify Caller

PECR Regulation 24 requires organisations making marketing calls to provide their company name and either a contact address or freephone number. This allows recipients to identify who’s calling them and exercise their rights.

HIML deliberately used generic trading names to conceal their identity. Recipients couldn’t identify who was actually calling them, preventing them from opting out or complaining effectively. The ICO determined this was a deliberate attempt to evade accountability.

How the Scheme Worked

The Overseas Call Centre Operation

HIML contracted with “1 in 4 BPO,” a Pakistan-based call centre, to execute the calling campaign. The operation used an “avatar” or recorded voice system to automate calls to UK homeowners about energy assessments.

Recipients reported receiving multiple calls per day—sometimes from the same automated system. The calls offered no opt-out option. When challenged, callers often hung up or refused to respond to questions about TPS registration.

The automated system responded to answers with pre-recorded responses, creating an illusion of interaction whilst maintaining the efficiency of mass calling.

The Data Sources

HIML had access to approximately 20 million phone numbers sourced from various data suppliers. The director conducted no due diligence on these providers to verify the quality or lawfulness of the consent.

Claims were made that data came with “legitimate interest” consent, but this is not valid for automated marketing calls. Automated calls require specific, explicit consent that names the calling company—not vague permissions for “similar organisations” or “partners.”

WhatsApp messages recovered from the director’s phone showed plans to scrape additional data worth £200,000-£300,000, demonstrating the scale of intended operations.

The Evasion Tactics

When network providers repeatedly blocked HIML’s telephone numbers, the company didn’t stop—it sought new phone numbers to bypass the blocks. Messages between the director and the overseas call centre discussed ways to continue operations despite these restrictions.

The use of generic company names served a dual purpose: it concealed HIML’s identity from recipients whilst making it harder for regulators to trace complaints back to the company.

Evidence seized from the director’s home included a document titled “Introduction to PECR” dated 27 June 2023—during the violation period. This demonstrated knowledge of the regulations whilst simultaneously violating them.

The Investigation

ICO’s Discovery Process

The ICO’s investigation began with a pattern identified through complaints to the TPS and ICO. Initial focus centred on Eco Friendly Energy (EFE), the director’s previous company.

When EFE was placed into liquidation in November 2023, complaints didn’t stop—they continued under different company names. The ICO traced these back to the same director operating through HIML, which had been incorporated in March 2023.

The timeline reveals concurrent operation of both companies, with HIML established whilst EFE was already under investigation.

The Search Warrant

On 14 March 2024, ICO officers executed a search warrant at the director’s home address. They seized an Apple laptop and iPhone 14, which proved to contain critical evidence of the operation.

The devices revealed:

  • Employment contracts with overseas call centre staff
  • Call scripts and operational instructions
  • Invoices documenting payments to the call centre
  • WhatsApp messages coordinating the calling campaign
  • The “Introduction to PECR” document demonstrating regulatory knowledge

Key Evidence Discovered

An invoice from “1 in 4 BPO” charged £5,500 for 275 “bites”—industry terminology for successful call connections or sales leads. This demonstrated the commercial nature of the operation.

WhatsApp messages showed the director instructing Pakistan-based staff to call specific postcodes and discussing strategies to avoid network provider blocks. Conversations revealed plans to merge companies and continue operations despite regulatory scrutiny.

In August 2024—during the ICO investigation—the director applied to strike off HIML, demonstrating a pattern of dissolving companies when facing enforcement action.

Sample Complaints from Victims

The Human Cost

Recipients described the calls as intrusive, aggressive, and relentless. Multiple complaints referenced receiving several calls per day, often from numbers they’d previously blocked.

Some callers made false claims of government affiliation, saying they were “local energy advisors” conducting assessments. Recipients registered with the TPS—who should not receive marketing calls—reported continued harassment.

The automated nature of the calls meant there was no human discretion. The system simply worked through lists, making call after call regardless of recipient circumstances.

Complaint Examples

Complaints to the ICO and TPS included:

  • “Very bad quality robocall with clipping of voice clips”
  • “At least the sixth call I have received from this organisation”
  • “I have changed my number but still get calls”
  • “Caller refused to respond when challenged that my number was TPS registered”
  • Recipients noted the software responded based on answers with no opt-out option

These complaints represent only a fraction of the 2.4 million calls made. For every person who complained, thousands more likely received unwanted calls without reporting them.

Why This Was Deliberate, Not Negligent

Evidence of Knowledge

The “Introduction to PECR” document found on the director’s laptop, dated 27 June 2023, demonstrated clear knowledge of regulatory requirements during the violation period.

The director’s previous company, EFE, was already under ICO investigation for making 6.7 million illegal calls when HIML began operations. This wasn’t a case of ignorance—it was a pattern of deliberate non-compliance.

When the ICO issued a Notice of Intent—the formal warning before a penalty—HIML failed to respond. This failure to engage with the enforcement process demonstrated disregard for regulatory authority.

Pattern of Evasion

The timeline reveals a clear pattern:

  • March 2023: HIML incorporated
  • May-August 2023: HIML makes 2.4 million illegal calls
  • November 2023: EFE (previous company) placed into liquidation
  • March 2024: ICO executes search warrant
  • August 2024: Director applies to strike off HIML

This pattern shows a director liquidating one company under investigation whilst operating another, then attempting to dissolve that company when enforcement action looms.

Active Circumvention

WhatsApp messages revealed active discussions about evading ICO regulations. When network providers blocked telephone numbers, the response wasn’t compliance—it was seeking new numbers to continue operations.

The deliberate use of generic trading names rather than the legal company name served no legitimate purpose. It was designed to prevent recipients from identifying the caller and complaining effectively.

No systems existed to obtain or verify consent. The director admitted “no consent was obtained,” confirming there was never any intention to comply with consent requirements.

The Aggravating Factors

Previous Violations

The director’s other company, EFE, made 6.7 million illegal calls before being liquidated. During that investigation, the director assured the ICO that compliance issues had been resolved. They hadn’t been—the same conduct simply continued through a different corporate entity.

This pattern of deception across multiple companies represented a serious aggravating factor in the ICO’s penalty calculation.

Deliberate Misconduct

The ICO found clear evidence of discussing how to circumvent regulations rather than comply with them. There was no attempt to obtain valid consent for automated calls.

Operations continued after network providers blocked numbers, demonstrating persistence in unlawful activity. The failure to engage with the ICO enforcement process—including not responding to the Notice of Intent—showed contempt for regulatory oversight.

No Mitigating Factors

The ICO identified no mitigating circumstances that would justify reducing the penalty. HIML:

  • Failed to respond to the Notice of Intent
  • Failed to provide financial information when requested
  • Attempted to dissolve the company during the investigation
  • Provided no evidence of efforts to comply
  • Demonstrated no remorse or corrective action

Understanding Automated Calls vs Live Calls

What Makes a Call “Automated”

An automated call is one where a system automatically initiates a sequence of calls and transmits sounds that are not live speech. This includes:

  • Pre-recorded messages
  • Synthesized voice systems
  • “Avatar” systems that respond to caller answers with pre-recorded segments

Automated calls differ from predictive dialers that connect recipients to live agents. The avatar system used by HIML fell squarely into the automated category—it used recorded voice segments to simulate conversation.

Why Consent Requirements Are Stricter

Automated calls face stricter consent requirements because they’re more intrusive than live calls. Recipients can’t reason with them, can’t interrupt them, and often can’t stop them.

The technology enables much higher call volumes than human callers could achieve. This amplifies the nuisance factor and potential harm.

Most importantly, specific consent is required—not general marketing consent. A person who ticks a box saying “you may contact me with marketing information” has not consented to automated calls.

What “Specific Consent” Means

For automated marketing calls, consent must:

  • Specifically cover automated calls (not just “marketing”)
  • Name the specific company making the calls
  • Be freely given, informed, specific, and unambiguous
  • Be documented and provable

General marketing permissions don’t suffice. Consent for live calls doesn’t extend to automated calls. Vague permissions for “us and our partners” or “similar organisations” don’t meet the standard.

Recipients must know exactly who they’re consenting to receive automated calls from—which is why HIML’s use of generic trading names violated Regulation 24.

The Penalty Decision

Maximum Penalty Considered

The ICO could have imposed a maximum penalty of £500,000. Instead, it issued a penalty of £300,000, with a 20% early payment discount available.

If paid by 29 September 2025, the penalty reduces to £240,000. The payment is due by 30 September 2025 and goes to the Consolidated Fund, not to the ICO.

Factors Considered

The ICO assessed the seriousness of the contravention:

  • 2,449,380 violations (each call being a separate contravention)
  • 274 complaints from distressed recipients
  • Deliberate nature of the violations with knowledge of the law
  • Previous violations through another company
  • No mitigating factors whatsoever

The penalty serves both a punitive and deterrent function. It punishes HIML for deliberate violations whilst sending a message to the wider industry about the consequences of non-compliance.

ICO’s Objectives

The penalty aims to:

  • Promote compliance with PECR
  • Encourage the industry towards lawful practices
  • Deter other organisations from similar violations
  • Address significant public concern about nuisance calls
  • Protect consumer privacy rights

The ICO considers automated marketing calls without consent one of the most serious breaches of PECR, justifying substantial penalties.

Lessons for Businesses

Automated Calls Require Explicit Consent

You cannot rely on general marketing permissions for automated calls. The consent must specifically reference automated calling and name your company.

Permissions for “similar organisations,” “partners,” or “selected third parties” don’t work. Each organisation making automated calls needs specific consent naming them.

Document and retain evidence of consent. If you can’t prove consent when the ICO asks, you’ll face the same problem HIML faced—an admission that “no consent was obtained.”

Due Diligence on Data is Mandatory

Don’t accept data supplier assurances at face value. You must verify that consent is appropriate for your intended use—in this case, automated marketing calls.

“Legitimate interest” doesn’t work for automated marketing. The legal basis must be consent, and it must be specific consent for automated calls.

Marketing lists must come with a full audit trail showing who consented, when, how, and to what exactly. Your responsibility for compliance doesn’t end because you bought data from a supplier.

Always Identify Your Company

Provide your legal company name on every call. Provide either a contact address or freephone number. Generic trading names that don’t identify your legal entity violate Regulation 24.

Recipients must be able to identify who’s calling them. If they can’t, you’re committing a separate violation on top of any consent issues.

Concealing your identity suggests you know your practices won’t withstand scrutiny. The ICO views this as evidence of deliberate misconduct.

Overseas Operations Don’t Provide Immunity

Using an overseas call centre doesn’t exempt UK companies from ICO enforcement. The director remains liable for company actions regardless of where the actual calling occurs.

The ICO can execute search warrants, seize devices, and conduct forensic analysis of operations. Messages coordinating with overseas staff become evidence of your involvement.

Network providers will block non-compliant numbers regardless of where calls originate. Attempting to evade these blocks by obtaining new numbers demonstrates deliberate evasion.

Previous Violations Increase Penalties

The ICO tracks patterns across companies and directors. Liquidating one company and starting another doesn’t reset your enforcement history.

Previous assurances of compliance will be checked. If you told the ICO you’d resolved issues with one company, then the same problems appear in another company you control, this becomes evidence of deliberate misconduct.

Repeat offenders face aggravated penalties and heightened scrutiny. The ICO will consider your full compliance history when calculating penalties.

Red Flags the ICO Looks For

Complaint Patterns

The ICO monitors:

  • Volume of complaints to TPS and ICO
  • Similar wording in complaints indicating systematic problems
  • Calls from unidentifiable companies using generic names
  • Multiple calls per day to the same numbers
  • Calls to TPS-registered numbers

Even if only a small percentage of recipients complain, patterns emerge. The 274 complaints about HIML’s 2.4 million calls represented just 0.01% of call volume, but were sufficient to trigger investigation.

Corporate Structures

Red flags include:

  • Same directors across multiple companies with similar business models
  • Companies placed into liquidation during ICO investigations
  • New companies formed whilst others are under investigation
  • Overseas operations with UK directors or beneficiaries
  • Applications to strike off companies during enforcement proceedings

The ICO investigates individuals, not just companies. Corporate veils don’t prevent enforcement against directors who control unlawful operations.

Operational Red Flags

The ICO considers:

  • No systems to capture or verify consent
  • Generic trading names rather than legal entity names
  • Inability to produce contracts with data suppliers
  • Admission of no consent obtained
  • Evidence of regulatory knowledge alongside non-compliance

The “Introduction to PECR” document found on the director’s laptop was particularly damaging. It proved knowledge of requirements whilst simultaneously violating them—evidence of deliberate misconduct rather than ignorance.

What Happens Next for HIML

Payment Requirements

HIML must pay the £300,000 penalty. A 20% early payment discount applies, reducing the penalty to £240,000 if it is paid a day before the due date. We don’t yet know whether it has been settled.

The payment goes to the Consolidated Fund—the government’s general bank account—not to the ICO. The ICO doesn’t financially benefit from penalties.

Alternatively, HIML can appeal. If it does, the early payment discount becomes unavailable, even if the appeal fails.

Appeal Rights

HIML has 28 days from receipt of the penalty notice to appeal to the First-tier Tribunal. Appeals can challenge either the imposition of the penalty or its amount.

Enforcement if Unpaid

If HIML doesn’t pay, the ICO can pursue enforcement through:

  • County Court or High Court (England, Wales, Northern Ireland)
  • Sheriff court (Scotland)

Enforcement proceedings can’t begin during an appeal period. Once appeals are exhausted, the ICO can pursue payment through the courts.

The Wider Context

Energy Sector Marketing Problems

The HIML case forms part of a wider ICO operation targeting the energy and home improvements sector. Multiple companies use similar tactics:

  • Targeting homeowners for solar panels, insulation, and energy assessments
  • Making false claims of government affiliation
  • Using overseas call centres to obscure operations
  • Persistent calling campaigns to the same individuals

This represents a sector-wide compliance problem requiring ongoing enforcement.

The Avatar Call Technology Issue

The director claimed the avatar recording was accessible to former employees, suggesting technology created for one campaign could be misused by others.

However, the ICO rejected this as mitigation. Responsibility remains with whoever instigated the unlawful campaign and provided access to the calling lists.

Technology doesn’t absolve human decision-makers. The director who commissioned the avatar system, provided the data, and coordinated the overseas operation bears responsibility for the results.

How to Comply with Automated Call Rules

Before Making Automated Calls

  1. Obtain specific consent for automated calls naming your company
  2. Document who consented, when, where, how, and to what exactly
  3. Ensure consent specifically covers automated calls, not just marketing
  4. Keep a full audit trail of consent records
  5. Implement opt-out mechanisms that work immediately
  6. Screen all numbers against the TPS database

Without specific, documented, provable consent from every recipient, don’t make the call.

During Calls

  1. Clearly state your legal company name
  2. Provide either a contact address or freephone number
  3. Offer an easy, immediate opt-out option
  4. Don’t make misleading claims about government affiliation
  5. Respect time-of-day restrictions (no calls before 8am or after 9pm)
  6. Stop immediately if requested

Remember that recipients have no obligation to listen to your message or interact with your system. Make it easy for them to opt out.

Record Keeping

  1. Document all consent with full details
  2. Track opt-outs promptly and apply them immediately
  3. Maintain suppression lists and check them before every campaign
  4. Keep contracts with data suppliers showing consent verification
  5. Conduct regular compliance audits of calling practices
  6. Train all staff on PECR requirements and your internal processes

Good records prove compliance. Poor records prove nothing and leave you vulnerable to enforcement action.

Working with Data Suppliers

  1. Verify consent is appropriate for automated marketing calls
  2. Check consent is recent and specific, not vague or outdated
  3. Review the supplier’s consent capture process in detail
  4. Get contractual warranties about consent quality
  5. Don’t accept vague assurances—demand evidence
  6. Conduct proper due diligence before using any marketing list

If a supplier can’t prove valid consent for your specific use, don’t use the data. Cheap data often means poor consent, which means regulatory risk.

Key Takeaways

  • Automated marketing calls require specific, explicit consent—general marketing consent isn’t enough
  • You must properly identify your company by legal name—generic trading names violate PECR Regulation 24
  • Using overseas call centres doesn’t exempt UK companies from ICO enforcement or liability
  • Previous violations and patterns of evasion significantly increase penalties and prove deliberate misconduct
  • “No consent was obtained” isn’t a defence—it’s an admission of 2.4 million separate violations
  • Liquidating companies and starting new ones doesn’t evade ICO investigation or reset your enforcement history
  • Maximum penalties can reach £500,000 for PECR violations, with the ICO willing to impose substantial fines
  • The ICO conducts forensic analysis of devices and follows money trails through WhatsApp messages and financial records
  • Directors are personally liable for companies they control, and corporate structures don’t provide immunity
  • Evidence of knowing about regulations but violating them anyway transforms negligence into deliberate misconduct

What You Should Do Now

  1. Audit your current practices: Do you make or commission automated marketing calls?
  2. Review your consent: Is it specific to automated calls from your named company?
  3. Check your data sources: Can suppliers prove valid consent for automated calls?
  4. Verify identification: Do your calls clearly state your legal company name and contact details?
  5. Implement controls: Systems to capture consent, honour opt-outs, and screen against TPS
  6. Train your team: Everyone involved must understand PECR requirements and your processes
  7. Document everything: Consent records, data source contracts, compliance checks, and audit trails

If you use automated calls for marketing and can’t demonstrate specific, valid consent from every recipient, stop immediately and seek legal advice.

The HIML case demonstrates the ICO’s willingness to impose substantial penalties for deliberate violations. Don’t assume you can evade enforcement through corporate restructuring, overseas operations, or generic trading names. The ICO will investigate, gather evidence, and enforce.

Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

    With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

    Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.
