We are always harping on about data protection and consent to our clients and here is why…
The ICO has recently fined a company £270,000 for making automated marketing calls without the appropriate consent. The reason this is interesting is because the company bought various marketing lists thinking they did have consent to contact individuals on those lists.
When the data was collected from various websites most just had a statement along the lines of the following “We may share your details with third parties whose offers we think might interest you”.
However, the ICO has indicated that “Informing individuals that their details will be shared with unspecified third parties, is neither freely given nor specific and does not amount to a positive indication of consent.”
Whilst consents for some types of marketing are easier to satisfy than others, automated calls and email marketing are at the less easy end of the scale. So in another recent case the ICO issued a fine of £22,000 to a company which had sent out emails to individuals which had not properly consented to receiving them.
So when using bought-in marketing lists, companies should:-
• Seek warranties which are backed up an indemnity from the company providing the list (Company A) that the consent not only allows Company A to pass the data to you, but that you can then use it for your intended purpose (i.e. to contact individuals). It doesn’t mean you still won’t be liable under the DPA but it gives you some contractual protection to pass back the cost.
• Not simply rely on statements from Company A but also carry out rigorous checks to ensure that appropriate consents have been obtained from individuals AND that the consent is applicable to the type of marketing being carried out.
Consent and GDPRs
Under the General Data Protection Regulation (GDPRs) the standard for consent is set to become harder to comply with. The ICO has recently issued guidance on the consent requirements under the GDPR and of particular relevance to bought-in marketing lists is the requirement to name any third parties that data will be passed to and states “even precisely defined categories of third-party organisations will not be acceptable under the GDPR”.
This does bring into question the data list market as it is going to be extremely hard to rely on any consents collected.
Updating marketing preferences
If you’re not sure whether you have consent, do not then contact people to “update their marketing preferences! This is still classed as marketing, which FlyBe and Honda have recently found out to their detriment.
So unfortunately, if you haven’t kept clear records which give you the certainty that someone has provided their consent the advice would be not to market to them.
Get in touch if you’d like more information about consent, or data protection in general. We also have a series of fact sheets on the new GDPRs – contact us if you would like us to send you a copy.