The Data Supply Company Ltd fined £20,000 by the ICO
Article added: 07/02/2017
This is an unusual case, The Data Supply Company Ltd is the first list broker to be fined for selling data used in a text campaign by another company.
An ICO investigation found The Data Supply Company had sold more than 580,000 records containing people’s details to a company that then used that data to send text messages. This resulted in 21,000 spam texts being sent by the firm who bought the information and result in 174 complaints.
The company is a list broker, one of the key focus areas of the ICO at present.
This case is unusual because it is the first time that we have seen a data supplier being fined for supplying the data used in a text messaging campaign. There have been multiple fines levied for companies who have actually sent text campaigns i.e. the companies advertising themselves by text and not the actual text broadcasters, but never the data suppliers.
The Company claimed to have purchased data from financial institutes that had declined or were unable to assist with the individuals’ requests for financial products. The Company identified a number of third party websites from which the complainants’ personal data had been obtained. These were not all, as suggested, the websites of financial institutions but included, for example, competition websites.
This is an important point, because this general misunderstanding about data sources is a very common problem within the industry. The Data Supply Company Ltd Is not doing anything that thousands of other data companies are not also doing at present. A fact only serving to highlight the need for better awareness.
The privacy policies on these websites were very loose and vague stating such things as:
“We may share your information with carefully selected third parties where they are offering products or services that we believe will interest you.”
Others provided a long list of general categories of organisations to whom the data would be disclosed, such as:
“...including for example organisations in the automotive sector, broadband sector, charity sector, competition sites, daily deals, debt and finance, education, gambling sector, gardening, general marketing, health and beauty, home and lifestyle, lottery, pension, personal injury, sport, telecommunications, travel and utilities.”
The ICO considers such a lengthy list of categories to be exhaustive and in contravention of PECR. In other words, trying to opt consumers into ‘everything’ is simply too much, unreasonable, and does not allow them to actively chose what their data is used for and as such invalidates the consent.
None of the Privacy Policies identified the company to whom the consumer’s data would be supplied to, a further issue that means the data cannot be used for under PECR for texting.
The ICO Stated:
- Whether an organisation is collecting personal data for its own use, or to sell marketing leads on to others, it must always process that data fairly and lawfully.
- Data controllers must take extra care if buying or selling a list that is to be used to send marketing texts, emails or automated calls.
- Data controllers wanting to sell a marketing list for use in text, email or automated call campaigns must keep clear records showing when and how consent was obtained, by whom, and exactly what the individual was told (including copies of privacy notices), so that it can give proper assurances to buyers. Data controllers must not claim to sell a marketing list with consent for texts, emails or automated calls if it does not have clear records of consent. It is unfair and in breach of the first data protection principle to sell a list without keeping clear records of consent, as it is likely to result in individuals receiving noncompliant marketing.
Referring again to the fact that this is the first fine that we’ve seen that tackles the data seller as opposed to the data user, the ICO have stated:
The Data Supply Company Ltd Monetary Penalty Notice as issued by the ICO
The Commissioner’s underlying objective in imposing a monetary penalty notice is to promote compliance with the Data Protection Act (DPA) and this is an opportunity to reinforce the need for data controllers, particularly those in the list broking industry, to ensure that they have complied with the first data protection principle before they buy and sell personal data.
If your business purchases or sells data then you should read the latest Direct Marketing Guidance
issued by the ICO for a complete explanation of what the ICO expects from companies involved in or buying from the direct marketing industry.