What changed
The ICO has fined KRA Consultancy Ltd £300,000 after it sent more than 5.5 million unlawful marketing text messages to people who were already in financial difficulty.
The ICO said the company sent 5,575,715 unsolicited direct marketing texts between April 2022 and May 2025, promoting debt solutions to people who had previously been declined for loans. The investigation found that KRA did not check whether recipients had consented to receive marketing messages and, in some cases, used fabricated bailiff threats to frighten people into responding.
What do the PECR rules require for marketing texts?
Marketing text messages to individuals normally require valid consent, unless a business can meet all of the conditions for the soft opt-in. Consent must be freely given, specific, informed and clearly evidenced. Every marketing message should also make it clear who is sending it and provide an easy way to opt out.
Why this matters
This case is a strong reminder that organisations cannot assume contact data is compliant simply because it has been bought, supplied by a third party, collected some time ago or linked to someone who may have shown interest elsewhere.
The ICO’s findings are particularly important for organisations carrying out SMS marketing, lead generation, debt-related services, financial services, claims work and other campaigns involving potentially vulnerable audiences. Consent, data sourcing, suppression and campaign approvals need to be treated as operational controls, not paperwork completed after the event.
What organisations should do
Organisations using SMS marketing should review whether they can evidence a lawful route to contact every recipient.
- Check whether marketing texts are being sent to individuals, sole traders or corporate subscribers, as the PECR rules differ.
- Keep clear evidence of when, how and for what channel each person gave consent.
- Do not rely on bought, aged or third-party data without proper due diligence and consent checks.
- Review whether any soft opt-in reliance meets every legal condition.
- Ensure every SMS identifies the sender and includes a simple, working opt-out route.
- Maintain suppression lists and make sure opt-outs are actioned promptly across relevant systems.
- Introduce clear approval checks before campaigns involving sensitive subjects or potentially vulnerable audiences.
Practical takeaway
SMS is not a shortcut around consent. Before sending marketing texts, organisations should be able to explain where the data came from, why contact is lawful, what consent or soft opt-in route applies, and how people can stop future messages easily.
Grounded in
ICO enforcement action against KRA Consultancy Ltd, including findings on unsolicited marketing texts, missing consent checks, inaccurate and aged data, vulnerable recipients, fake bailiff messages and PECR compliance.
Sources
- Information Commissioner’s Office: Manchester firm fined £300,000 for bombarding people in debt with over 5.5 million unlawful texts, 23 June 2026.
- Information Commissioner’s Office: electronic mail marketing guidance.
- Information Commissioner’s Office: PECR electronic mail marketing rules.