The ICO issued the warning as it announced that it had fined a credit broker £120,000 for failing to secure appropriate consent from consumers who it had targeted with more than five million marketing text messages.
The ICO said Digitonomy was responsible for "a serious contravention" of the UK's Privacy and Electronic Communications (e-Privacy) Regulations (PECR).
PECR generally prohibits organisations from sending or instigating the transmission of unsolicited communications to consumers for the purposes of direct marketing by means of electronic mail unless the person receiving the mail has given their prior consent for the messages to be sent or other limited exceptions apply.
Digitonomy instigated the transmission of 5,238,653 spam text messages to consumers between 6 April 2015 and 29 February 2016, the ICO said.
The company obtained consumer's contact details from third parties it was working with on affiliate marketing activities. It provided the ICO with copies of the wording the data providers had used in their contracts with consumers and claimed the terms provided it with the consent it required to target those consumers with its marketing messages.
In a statement Digitonomy said "appropriate due diligence" had been conducted, however, the ICO said that the "consent wording" relied upon did not demonstrate that the consumers who received the messages had given their consent to receiving marketing communications from Digitonomy.
In its monetary penalty notice (17-page / 166KB PDF), the ICO said: "Consent must be freely given, specific and informed, and involve a positive indication signifying the individual’s agreement. Indirect, or third party, consent can be valid only if it is clear and specific enough. Informing individuals that their details will be shared with unspecified third parties, is neither freely given nor specific and does not amount to a positive indication of consent."
"It is not acceptable to rely on assurances of indirect consent without undertaking proper due diligence," it said.
Steve Eckersley, ICO head of enforcement said: "Businesses that rely on direct marketing must be able to confirm that people have given their permission to receive text messages and to comply with the law they must have the evidence to prove it. Depending on the word of another company is simply not acceptable and is not an excuse. Digitonomy is paying a hefty price for not meeting its responsibilities."
"We say it over again - any business that has instigated a marketing campaign is responsible for the information involved. Businesses need to get it right or we will take action," he said.
Editor’s note 17/02/17: this story has been updated to reflect Digitonomy's statement on the due diligence conducted.