Suing Spammers 101 – Or how you do it!

I’ve gotten a lot of mail recently asking “How do you sue a spammer?” and I thought I’d write up the general guide and give you all some help.

Please note, I am not a lawyer, and this is my advice as a Lay person. You should satisfy yourself that you know what you are doing, and that I am not a regulated person and thus cannot guarantee that my advice here is correct. E&OE Excepted. Please comment if you think I’ve got something wrong, or have anything you think can add to this work.

So this works for all mediums of directed marketing, eMail, Phone, Direct Mail, Tweets etc.

Step 1 – Gather Evidence

So first and foremost you need to preserve all the data on the marketing you’ve been sent. Save the email, with it’s headers, make a screenshot of the SMS or Phone record on your phone, scan the direct mail and screenshot the tweet.

You now need to identify the sender. In some instances this is easier than others, with PPI calls and the like, you’ll need to work quite hard to get company info out of the callers without them hanging up, or giving you duff info. With eMail it’s easier. WHOIS the domain name and look on the website for terms & conditions, privacy policy etc. Direct mail should have a obvious advertiser. Tweets should be pretty obvious too.

I personally only go after Advertisers that are Limited Companies. They have a financial duty to their shareholders to get best value for money, and that’s often by settling with you out of court. Plus, as a business they’re required to come to your home court to defend the claim, further increasing your chances of settling. Frankly very few of my claims get as far as court papers, most times the company will settle out of court and include a confidentiality clause (which is why things have been a bit quiet of late!). Sometimes the claim will settle during mediation, and if they don’t settle there I’ve had a couple do a deal the day before the court date. Anyone after that date just gets a bloody nose and coughs up if your evidence is in line and you follow the courts directions.

You will now need to send the advertiser a Subject Access Request (SAR) asking for details on all the information they have on you. You must allow 40 days for this to be responded to, and you may be asked to pay a fee. Here’s my template;

Dear Sir/Madam,

I have never dealt with your company before now, nor have I ever given you any consent to send direct marketing emails to my email address (EMAIL_HERE).

I consider the below email as a marketing email, being that of your products/services.

As a result I would like to know exactly what data you hold on me, and where it was obtained from. Accordingly below is a formal SAR under the DPA.


Please supply the information about me I am entitled to under the Data Protection Act 1998 relating to my personal information you hold based upon my email address.

I would like to know both the source of this information, and if you have passed this information on to any other parties.

It may be helpful for you to know that a request for information under the Data Protection Act 1998 should be responded to within 40 days.

If you do not normally deal with these requests, please pass this letter to your Data Protection Officer. If you need advice on dealing with this request, the Information Commissioner’s Office can assist you and can be contacted on 0303 123 1113 or at

Please note that while a fee is normally payable for a subject access request, I would suggest that as this data is stored electronically and disclosure can be done electronically, no fee should be payable. However if you insist upon causing me a loss by charging a fee, this would be added to any future legal action that will arise out of this breach of the PECR and the DPA. It should be noted that in this instance the 1st Principle of the Data Protection Act has not been adhered to; namely that I have not given you my consent to process my data as per Schedule 2 S1. If you believe I have given you my consent, then please provide me with evidence of this.



People rarely comply with these, but it’s just another thing to add to your claim if they don’t respond. If they do respond, you need to then have a look at the consent information they supply. If it’s data that they say they got from another company that claims you opted in, then boom, they’re stuffed. Consent can’t be transferred, and it’s unreasonable to expect a consumer to give blanket consent for their data to be traded. The *worst* one I’ve seen so far was a chunk of transaction data that was being banded around!

If you did consent, to the company that sent the email, then you’ll probably need to move on. It’s worth asking them to unsubscribe you, and you could serve a Section 11 notice on them at this point to ensure that happens. Here’s that template for you;

Dear Spammer,


I write pursuant to my rights granted by Section 11 of the Data Protection Act 1998.

I hereby give you notice that you must, within the time periods prescribed below, permanently cease processing any and all personal data of which I am the data subject. You should also ensure you do not process my personal data in future by the implementation of a suitable process to achieve the end results specified below.

If you do not normally handle Data Protection notices for your organisation, please pass this notice to your Data Protection officer or another appropriate official.


For the avoidance of doubt this notice requires you to do all of the following:
(1) within 3 days of receipt of this email to cease or not to begin to:
(a) obtain;
(b) record; or
(c) hold, any personal data of which I am the data subject (“my personal data”); and
(2) with immediate effect to cease or not to begin to carry out any operation or a series of
operations involving my personal data including operations that would amount to the:
(a) organisation, adaptation or alteration;
(b) retrieval, consultation or use;
(c) disclosure by transmission, dissemination or otherwise making available; or
(d) alignment or combination, of information or data.


In any event you must within 21 days of receiving this NOTICE give me notice in writing stating:

(1) you have complied with the provisions of this NOTICE in full; or
(2)(a) you have complied with the provisions of this NOTICE in part , stating which parts; and
(2)(b) as to the parts not so complied with, your reasons for not doing so, including evidence that you can substantiate.


Should you fail to comply with the provisions of this notice, I reserve absolutely the right to obtain without further reference to you a county court or High Court order to compel you to comply with this notice together with an order that you pay my associated legal costs in full and for me to make an application for damages and distress associated with your unlawful processing of my personal data

Yours sincerely


So, they responded to your SAR and stitched themselves up, or didn’t respond, what now?

Step 2 – Notice Before Action

Yep, you heard it, it’s the Notice Before Action (NBA) time! You’re now going to send the Advertiser a warning that if they do not respond and resolve things to your satisfaction within 14 days you will take them to court. You’re required to give them this period under the Civil Procedure Rules (CPR) and it’s going to go a bit like this;


You (Spammer Limited) have transmitted, or instigated the transmission of, an unsolicited communication for the purpose of direct marketing by means of electronic mail to an individual subscriber contrary to section 22 of The Privacy and Electronic Communications (EC Directive) Regulations 2003. This communication is attached for your reference.

Feel free to look up those regulations on

I, as the recipient and individual subscriber, have never given you consent to send me marketing emails and I have never provided my email address to you as part of a negotiations or sale by you to me in the past.

Although I am not in a position to offer you legal advice, this is clearly unlawful. The Information Commissioner’s Office have stated “I would confirm that your understanding of Regulation 22 is correct; that is, if a company sends an unsolicited marketing email to an individual subscriber without their prior consent and/or without satisfying the conditions of the soft opt-in, then they will be breaching the Privacy and Electronic Communications Regulations”

There is a defence for having taken all reasonable steps to comply, but as you have no way to know that any target email address is that of an individual subscriber, the only step you could have taken is not to send unsolicited marketing emails at all.

Section 30 of the regulations permits me to take civil action to recover damages suffered as a result of your breach of the regulations. It is difficult to assess damages exactly but your email has used resources on my computers and my Internet connection, wasted some of my time, caused distress and annoyance which has interrupted my chain of thought and concentration, and so disrupted work I am doing. Looking in to similar cases for such damages it is clear that claims range from £270 to £750. In this instance I feel that £xxx per email would constitute a reasonable level of damages for the hassle you have caused me by your breach of the regulations.

However you have also breached the Data Protection Act (Principles 1, 2 and 7) relating to use of the data without the consent of the data subject. In the process you have violated my privacy and caused me considerable distress.

To surmise, I would be entitled to raise a civil claim against you for damages & distress – and will be doing so unless we can reach a settlement.

In accordance with section 8.2(1) of the Pre-Action Conduct Directions of the Civil Procedure Rules, I would like you to consider Alternative Dispute Resolution to this matter by means of discussion and negotiation. I therefore invite your comments and to make any offer of settlement or other negotiation.

I would be prepared to settle for an amount as follows;

1 eMail in breach of the PECR at £xxxea – £xxx
Breach of my privacy and the DPA – £xxx

This would make a total settlement of £xxx.

If I do not receive a reply within 14 days I reserve my right to issue a claim on the small claims track of the county court without further notice.

Should this matter go to court I will rely on the email you have sent and associated headers, as well as whois data and other resources identifying the sender. If you believe you have evidence that shows I did give *you* consent to the sending of that email I ask that you forward this to me by reply.

I look forward to your prompt reply, you may in the interest of prompt resolution of this matter, correspond with me by email in preference to by post.


I will normally email this, and I’ll also send a copy by recorded delivery to the companies registered address. If you look in the Resources section at the bottom of this post, you’ll see a handy service or two that you can use to print and post. Nice and easy 🙂 I will sometimes modify the NBA to suit various breaches and failure of the SAR also which drives the claim amount up as it adds to the distress.

With that, they have 14 days to respond, and some will ignore it, and others will fall over themselves to unsubscribe you, apologise, and try and worm their way out of paying. Don’t take this bullshit, and push them to hand over the readies. Keep the pressure on and don’t let them forget about you. If they refer this to outside counsel at this point (solicitors) then you’ve got them panicked, plus every email you send is now costing them mucho dinero.

Eventually, they’ll either settle, or you will have to issue a claim.

Step 3 – Small Claims Court

So if all the above has failed and they’re still holding out on you, you’ve got the next trump card to use – Small Claims Court. You can do this online and the fees vary depending on the amount claimed. The next thing they know, your claim will drop through the letterbox and they’ll panic.

Personally, I send an abbreviated Particulars of Claim (POC) through the website, and opt to send a full POC via eMail and Snail Mail to their registered address. Here’s a simple template for the website;

Detailed Particulars of Claim to Follow.
That on $DATE$ the Defendant  sent, or instigated the sending of  an unsolicited direct marketing email to my email address, which  is that of an individual subscriber, without my prior agreement in  breach of Section 22 of The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
The Defendant has also processed my personal details without my consent, in breach of the 1st Principle of Data Protection, as set out in the Data Protection Act (DPA).
Accordingly The Claimant claims £xxx damages in relation to the breach of the PECR under Section 30 of the PECR, and £xxx damages & distress in relation to the breach of the DPA under S13 of the DPA.

Modify to suit, you’ll need to write a fuller POC, but these vary enormously so I don’t have a template right now. Drop me a message if you’d like help here.

So what happens now is you will send them into panic mode – and they have 14 days from the date of service (which is 5 days from date of issue) to respond. They can either admit the claim in full, opt to defend it, or acknowledge the claim. If they acknowledge, then they get another 14 days to decide.

Once this period expires, you’ll get a copy of their defence from the court, along with a N180. The N180 needs to be filled in, and you’ll want to opt for your local court, agree to mediation (although I normally agree on the N180, I let the company know if they’ve not responded to my SAR that I will not be able to proceed until that is fulfilled) etc. Send a copy to the court and to the Defendant.

Step 4 – Mediation

This is a bit boring, basically a mediator will ring you and the Defendant on a specified date, and go back and forth between you and try and hash out a deal. It’s always worth a try, and remember you’ll get your hearing fee back if you have > 7 days before the hearing.

Step 5 – Documents

Make sure you’ve compiled all the things you intend to rely upon and send a copy to the court, and to the defendant, and take a copy for yourself. This needs to happen at least 14 days prior to the hearing. Include a schedule of costs to date in there as well, with the time you’ve spent at each stage at £19 an hour (LIP Rate) plus all your postage expenses. There’s a handy link to a company that will do excellent priced bundles along with printing and postage in the Resources Section.

Step 6 – Court Hearing

So on the appointed date and time you’ll need to rock up prepared with your copies of your documents and evidence.

Check in with the Clerks, confirm your name and ask who and where your case will be. The When is a bit variable – everyone is set to arrive at 10AM or 1PM and they work their way through. Ask if the Defendant has arrived, and if not, ask that they let you know and/or point the Defendant your way. This is always the best time to do a deal, and sometimes the Judge may send you out for an hour if they’re busy and tell you to come to a deal! (This is a hint from the Judge that they’re not amused about such matters, and that the one of you is an idiot for letting this get this far).

At the appointed time you’ll both go in (with counsel if you retain it, or with their counsel if they have retained any) and you will present your case to the Judge who may or may not have read it already. Make sure you know your case, and any relevant case law (look below for that in the Resources Section) and know what the Defendant’s Defence is and how you plan to attack it.

At that point it’ll be down to you to argue your damages (and recent case law is on your side here, as the threshold is de minimis or automatic when there is a breach). You’ll need to convince the Judge of the Defendant’s actions being against the law, and that the Information Commissioner’s Office (ICO) is not the right body to be dealing with this (the ICO is not interested in small fry cases like this, and basically ignores them until they have sufficient volume).

If you’ve done things right the Judge will find in your favour. You now need to persuade the Judge that the Defendant acted unreasonably to get all your costs, or you’ll have to settle for your time that day (and prove you have lost money by attending court) and travel. If the Defendant has ignored you throughout, and never responded to the SAR, then there’s a good chance the Judge will side with you.

What if the Defendant doesn’t turn up?

If the Defendant doesn’t turn up, you’ll still need to make your case to the Judge. Assuming you can do that, then you’ll also get your costs awarded as well as they are automatically being unreasonable not turning up.

Step 6 – Collect your money

So the next step is to collect your money. It’s worth speaking with the defendant after the hearing (the Judge may even encourage them to get their cheque book out!) and agreeing when you’ll be paid. Even if they want to appeal, they need to pay up.

If they don’t pay within the time frame allotted, then you will need to involve Bailiffs. If you’ve claimed over £600, then get it upgraded to the High Court via a Writ of Fi Fa. Costs a few quid (everything does at this point) but you’ll be able to set much more capable bailiffs on them. Remember, this is a company, so they’ll walk into the offices and start seizing stuff. Very amusing when it’s a high street chain…

Further Advice

Don’t take on too many claims, you have 6 years to deal with them under the Limitations Act. Make notes at the time about the time wasted and save those.

Prepare for some pretty wacky claims (I am apparently a Professional Claimant, nope – I’m not, and you’ll struggle to prove that to a Judge – I’m a LIP who’s a IT Geek, this stuff is second nature to me.) and figure out your POC templates.


Online Services

  • PC2Paper – link – These guys are great for uploading PDF’d documents and posting them out. You can also use their online editor to knock out quick letters.
  • Dox Direct – link – This company will bind your evidence bundles up, and put them in a professional looking ring binder.
  • Money Claim Online – link – This is the Government service for the small claims court.

Case Law

  • TLT and others v Secretary of State for the Home Department [2016] EWHC 2217 (QB) – link
  • Gulati v MGN Ltd. [2016] 2 WLR 1217 – link
  • Vidal-Hall v, Google Inc ([2015] EWCA Civ 311) – link
  • Yentob v MGN ([2015] EWCA Civ 1292) – link
  • Optical Express v IC (Dismissed Data Protection Act 1998) [2015] UKFTT 2015_0014 (GRC) – link
  • Halliday v Creation Consumer Finance Ltd (CCF) ([2013] EWCA Civ 333) – link
  • Christopher Niebel v Information Commissioner (Privacy & Electronic Communications Regulations 2003) [2013] UKFTT EA_2012_0260 (GRC) (14 October 2013) – link
  • Microsoft Corporation v Paul Martin McDonald [2006] EWHC 3410 (Ch) – link
  • Durant v Financial Services Authority [2003] EWCA Civ 1746 – link

Posted in SPAM

Leave a Reply

Powered by WordPress. Designed by Försäkra Online.