Design and marketing firm Xerpla fined £50,000 for a reported 1.25 million spam emails

email data breach

Xerpla Limited boasts of a range of services for companies who really want to get their business off the ground. The London-based firm say they provide innovative design, advertising, and web hosting and consultancy services for their customers.

However, they may be using the cheapest way to reach as many people as possible.

The Information Commissioner’s Office (ICO) received 14 complaints over emails sent from the firm, and therefore began investigating them. The ICO found that the firm was responsible for sending over 1,257,580 million spam emails to promote and advertise products and services on behalf of their customers.

The emails promoted things like:

  • Dog food
  • Wine
  • Competitions
  • Boilers
  • Motoring services
  • Magazines
  • Insurance

Although Xerpla comes across as a sophisticated marketing and consultancy firm who suggest they understand the modern market, their actions show that they appear to be nothing more than one of many companies reduced to spamming people repeatedly in order to drum-up some business.

The emails were sent to email addresses registered with two websites that Xerpla operates: and In signing up, individuals had to agree to consent in having their information being shared with the website partners and similar third parties.

However, the ICO found that its privacy terms and conditions for signing up did not constitute as valid consent under the Privacy and Electronic Communications Regulations, and the emails sent were therefore unsolicited.

Head of enforcement at the ICO, Steve Eckerley explained the decision:

“People need to be properly informed about what they are consenting to. Telling them their details could be passed to ‘similar organisations’ or ‘selected third parties’ cannot be relied upon as specific consent.”

Nowadays, virtually everyone in modern society has access to the internet and owns at least one email address. To keep up with the modern world, it’s almost impossible to not have one. Modern technology has rendered emailing to be the most cost-effective way to reach masses of people. However, too many companies are exploiting this and see it as an opportunity to connect their advertisements with millions of people.

Companies are so excited to expand their public reach that they’re not always stopping to consider whether what they are doing is essentially a form of harassment. The Privacy and Electronic Communications Provisions provides that electronic mail cannot be used for direct marketing purposes unless the company sending it has received consent from the recipient to receive it. In this case, Xerpla never received consent from the recipients to indicate that they wanted to receive an email about new dog food or a boiler. In sending them anyway, the ICO found that Xerpla breached PECR and data protection provisions for misusing the data it held.

The ICO concluded that Xerpla transmitted unsolicited communications by means of electronic mail to individual subscribers for the purposes of direct marketing contrary to the PECR provisions, and therefore issued a £50,000 fine. The decision may have been influenced by the ICO’s recent publications providing guidance on the legal obligations for those who carry out direct marketing. Xerpla should have therefore been aware that what they were doing would contravene PECR and data protection laws.

IMPORTANT: advice on this page is intended to be up-to-date for the 'first published date'.

Request a Callback from our team!

Fill out our quick call back form below and we’ll contact you when you’re ready to talk to us.
All fields marked * are required.

Your privacy is extremely important to us. Information on how we handle your data is in our Privacy Policy.
You have the right to object to the processing of your personal data.