At some time or another, most of us will have received one of those annoying marketing calls, texts or emails asking if we’ve been involved in a road traffic accident or been mis-sold PPI, and have no doubt responded with “how did you get this number?” or simply blocked the caller. However, what many of us don’t realise is that at some point we will have either expressly or (more likely) inadvertently given our consent to being contacted by these parties for marketing purposes. This can be, for example, when we make an online purchase or enter a competition and omit to tick that tiny box to confirm that we don’t actually want to receive such marketing communications!
Where consent has been given, such direct marketing is perfectly legal, but where no consent has been obtained, recipients can report the unsolicited communications directly to the Information Commissioner’s Office (ICO) or the Groupe Speciale Mobile Association (GSMA), an organisation that represents the interests of mobile operators worldwide.
Businesses can be in a difficult position. They are not always involved in the process of obtaining consent, rather, they rely on the third party data suppliers to conduct appropriate due diligence when purchasing data sets or to obtain the necessary consents at the point of collecting the data. As such, it is common for businesses to claim they were not aware that the appropriate consents had not been obtained. However, the ICO has little sympathy for this excuse. Its view is that it is not acceptable for businesses to rely on third party assurances and that they should undertake their own proper due diligence in these circumstances. The ICO has recently issued some hefty fines to businesses for failing to obtain the appropriate consent before sending marketing communications.
In May 2017, the ICO issued Radcliffe based used-car dealer Concept Car Credit Limited with a £40,000 fine for instigating the sending of over 300,000 marketing texts. Concept Car Credit argued that it had obtained the data used to send the text messages from third party data suppliers, however, the ICO confirmed that, as the instigator of the texts, it was Concept Car Credit’s responsibility to ensure it was only texting people who had consented to receive the marketing. Organisations cannot rely on assurances of indirect consent without undertaking proper due diligence.
The ICO has also fined Onecom Limited £100,000 under similar circumstances. Here, Onecom sent millions of spam texts without proper consent in contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). In fact, Onecom could not even provide evidence explaining the source of the data used to send the text messages. The ICO reiterated that organisations must undertake rigorous checks to satisfy themselves that the necessary consent has been obtained.
Enforcement action by the ICO hasn’t been restricted to large corporate entities. Since December 2016, the ICO has issued significant fines totalling £181,000 to a number of Charities for breaching the Data Protection Act (DPA) and the PECR (for more details on this see our blog “Have you donated more than just your money?”).
In light of the above decisions by the ICO, it is important for organisations to only send marketing communications to individuals who have specifically consented to receiving such communications from the sender, and the sender has carried out its own due diligence in relation to any third party data it is using. It is clear that particular care must be taken when relying on “indirect consent”, for example, when purchasing marketing lists from third parties.
If you have any questions about marketing and/or use of databases, please contact our Corporate Commercial team by phoning 0161 941 4000 or e-mailing firstname.lastname@example.org.