In the first three weeks of 2017 we saw the UK's Information Commissioner's Office (ICO) issue fines to two companies whose marketing communications failed to comply with the Privacy and Electronic Communications (EC Directive) Regulations 2003. These notices serve as a timely reminder that the ICO will come down heavily on companies that carry out marketing activities without the necessary consents.
On 11 January 2017 the ICO fined IT Protect Ltd £40,000 for making unsolicited marketing calls to individuals registered with the Telephone Preference Service (TPS). IT Protect had purchased the individuals’ data from a third party company and were informed that the individuals had opted in to receiving marketing communications from IT Protect. However, they failed to carry out the necessary due diligence checks to ensure such consent had been obtained. Similarly, on the 18 January 2017 the ICO fined LAD Media Ltd £50,000 for sending nearly 400,000 unsolicited direct marketing texts. LAD Media had also purchased the relevant data from a third party company, however the consents relied upon were insufficient.
The monetary penalty notices issued, as well as relevant ICO guidance in this area, make it clear that companies which buy marketing lists from third parties must conduct thorough checks to ensure that the consent is valid and covers their marketing. It is not enough to rely on the assurances of the third party without undertaking independent due diligence.
Fines imposed by the ICO in this area have reached up to £350,000, and following the implementation of the new ePrivacy Regulation in May 2018, the relevant authorities will have the power to issue fines of up to 20 million euros or 4% of the undertaking’s annual worldwide turnover, whichever is greater. Failure to comply, therefore, is not something which should be overlooked.
1. Diligence Questions
Awareness of the ICO's enforcement action and guidance in this area is also essential for organisations which are looking to invest in businesses that regularly rely on third party marketing lists. When carrying out due diligence on the target, attention should be paid to determining whether the target’s management has conducted adequate checks into third party marketing lists. Potential buyers should also seek appropriate warranties in the purchase contract.
When conducting independent due diligence the ICO suggests that the following should be checked:
- when consent was obtained, by whom and in what context;
- what method was used (e.g. opt-in or opt-out);
- whether the information provided was clear and intelligible and how it was provided (e.g. via a link, in a footnote, in a pop-up, clearly next to the opt-in box);
- whether texts, emails or automated calls were specifically mentioned;
- whether the company is listed by name or description, or whether the individual simply consented to disclosure to any third party;
- whether the list has been screened against the TPS or other preference service;
- whether the seller has received any complaints; and
- whether the seller is a member of a professional body or an accredited organisation.
2. Contractual Protection
Organisations may want to seek indemnities from third party organisations in respect of any data protection exposure arising as a result of using the purchased lists. However, although such indemnities may cover financial exposure, they fail to guard against the reputational damage inherent in the issuance of a monetary penalty notice by the ICO.
3. Indirect Consent
The fine imposed on LAD Media further highlights that indirect consent is rarely sufficient for electronic marketing (i.e. marketing by text, email or automated calls). General wording stating that individuals consent to electronic marketing communications from "selected third parties" is not sufficient. Indirect consent may be valid for third party marketing if:
- it is reasonably recent (the ICO recommends that generally indirect consent should not have been given more than 6 months ago);
- the organisation is specifically named or evidently falls within a clearly described, precise and limited category of organisation; and
- the marketing relates to similar goods or services to those being marketed when the consent was obtained.
However, the ICO considers that it is best practice for organisations to only conduct electronic marketing activities where consent has been obtained directly from the individual in question.