The UK Information Commissioner’s Office (ICO), which enforces data protection legislation in the UK, has fined a company £20,000 (approximately 24,000 USD / 23,000 EUR) for not exercising sufficient due diligence when buying and using marketing databases.

The ICO found that over 580,000 individuals’ contact details had been obtained by The Data Supply Company Ltd (“TDSC”) from sources such as financial institutions and competition websites, and then sold on to third parties.  This had led to at least 21,045 unsolicited text messages and 174 complaints.

Because the data was used for direct electronic marketing (by email, SMS, etc.), TDSC was not entitled to rely on its data sources’ generic consent requests, such as “We may share your information with carefully selected third parties where they are offering products or services that we believe will interest you”, nor even fuller notices that disclosed “long lists” of general categories of possible recipients of the data.

Instead, the ICO’s position is that under the UK Privacy and Electronic Communications Regulations 2003 (which implement the EU E-Privacy Directive in the UK), marketing consent requests must “specifically name” the party that sends the communication.

TDSC was also found to have exercised insufficient due diligence when purchasing the data, in breach of the UK Data Protection Act 1998.  The ICO held that:

Data controllers buying in lists must check how and when consent was obtained, by whom, and what the customer was told. It is not acceptable to rely on assurances of indirect consent without undertaking proper due diligence. Such due diligence might, for example, include checking the following:

• How and when was consent obtained?

• Who obtained it and in what context?

• What method was used – eg was it opt-in or opt-out?

• Was the information provided clear and intelligible? How was it provided – eg behind a link, in a footnote, in a pop-up box, in a clear statement next to the opt-in box?

• Did it specifically mention texts, emails or automated calls?

• Did it list organisations by name, by description, or was the consent for disclosure to any third party?

• Is the seller a member of a professional body or accredited in some way?

The ICO also held that companies cannot sell marketing lists if they do not keep “clear records” of individuals’ consent to marketing – emphasizing that both the provider and recipient of data can be held to breach UK data protection laws.

The ruling against TDSC is just one of a line of similar decisions from the UK regulator – including a £270,000 fine for claims lead generation company Media Tactics Ltd, and a £120,000 fine for credit broker Digitonomy Ltd.

These laws are currently undergoing significant changes.  From May 2018, the EU General Data Protection Regulation (GDPR) will overhaul the UK Data Protection Act 1998, introducing stricter consent requirements backed by fines of up to 4% of global annual turnover, or 20 million Euros.

Meanwhile, the EU is currently debating a replacement to the E-Privacy Directive’s electronic marketing rules, in the hope that it can be agreed and brought into effect at the same time as the GDPR.  Under current proposals, a new “E-Privacy Regulation” would bear the same strict consent standards and high fines as the GDPR, and would expressly apply to a wider range of electronic marketing channels than today’s rules, including instant messaging apps and private chats on social media sites.