Who: The Information Commissioner’s Office (“ICO”)
Where: United Kingdom
When: 22 November 2015
Law stated as at: 9 December 2015
What happened:
The Information Commissioner’s Office (“ICO”) has recently been continuing its crackdown on nuisance calls.
Over 1,000 list brokers will have recently received a letter from the data regulator. This is because ICO believes they have been playing a role in compiling and trading lists of personal data used by cold callers. The ICO gathered its mailing list based on notification entries, targeting data controllers stating that they “trade or share personal data, some of which may be used for direct marketing purposes”.
In a blog entry on its website, the regulator suggests that the letter will require targeted companies to set out how they comply with applicable laws, including providing the ICO with information on the data they share, how they obtain consent, and all the companies they have worked with in the last six months.
Companies who fail to respond are at risk of having an Information Notice served on them. This will compel the company to engage and exposes them to court action if they do not. The ICO has recently reported on a fine of £2,500 being imposed on a recalcitrant company which had chosen to ignore ICO’s Notice.
Why this matters:
The proliferation of buying and selling data is an area that the ICO is particularly interested in at the moment.
Christopher Graham, the Information Commissioner, has recently appeared in front of the House of Commons Science and Technology Committee requesting powers to compel list brokers and lead generation companies to submit to compulsory ICO audits.
Anyone following recent ICO enforcement action will have seen that there have been a number of cases where data was first provided to organisations without proper consents, then in some cases passed on to inappropriate third party organisations.
There was the recent case of Pharmacy 2U, where a list broker passed on customer data obtained by a major pharmacy website to third parties who were at best unwholesome and in some cases targeting vulnerable people.
It remains to be seen how the list brokers contacted by the ICO will respond, and what action the regulator takes as a result. However, businesses which regularly obtain telephone list data from list brokers should be aware that their details may have been passed to the regulator as a result of this exercise. Such businesses will have a particularly pressing reason to review their marketing practices to ensure that these are in order.
They should also remember that the general position at law is that the business instigating the marketing activity will need to ensure that it is complying with the provisions of the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations 2003. Marketing to people who have not given valid and suitably specific opt-in consent (for SMS or Email marketing) or are listed on the Telephone Preference Service’s “do not call” list and have not notified the caller that they do not for the time being object to receiving their marketing calls (for telemarketing) cannot be explained away on the basis that a bought-in list was purchased as “compliant” or “consented” data.