What does this cover?
Readers may recall that in January this year we reported on the ICO Enforcement notice made against Optical Express (Westfield) Limited regarding their sending of nuisance marketing text messages to members of the public. The ICO received over 7500 complaints about the company. Optical Express had purchased the marketing lists from Thomas Cook.
Optical Express subsequently challenged the ICO's decision arguing that Thomas Cook had agreed via contract to only send Optical Express the contact data of individuals who had consented and that that should be sufficient proof of consent; however, the First Tier Tribunal determined that when consent was obtained by the supplying company it had not been made apparent to customers that their data would be processed by Optical Express, therefore there had been no consent.
The Tribunal made it clear that consent has to be provided to the sender. The Thomas Cook privacy notice had told data subjects that their details might be shared but it did not explicitly mention Optical Express nor a reference to the products which might be marketed. The Tribunal stated: "In my opinion it should say something about the products to be marketed if they are different from the business of, for example, Thomas Cook. This falls under the “to guarantee fair processing” category. If the data subject doesn’t know what other products might be marketed then how can he exercise his right to object to some of them whilst being happy to receive others?”
Optical Express further argued that recipients had the option to "opt out" of unwanted messages but this argument also failed on the basis that the messages should not have been sent out in the first place.
To view the First Tier Tribunal's decision, please click here.
What action could be taken to manage risks that may arise from this development?
The Optical Express decision demonstrates how difficult it can be for businesses to make lawful use of mailing lists purchased or licensed from another organisation. This is now even more of a concern for businesses since the threshold for fining for breaches of PECR has been reduced such that the ICO do not need to prove substantialdamage and/or distress.
Organisations purchasing mailing lists should ask for evidence of the consent notices given to data subjects and these should contain reference to the specific kinds of products or services to be marketed and the company/companies that the information provided is/or may be shared with.
Organisations should then ensure that they provide their own fair processing information as soon as possible.