As a privatised water utility Thames Water was keen to keep its shareholders happy
Topic: Data privacy
Who: Thames Water Utilities and the Data Protection Commission
When: Mid 1999
Where: UK
What happened:
As a privatised water utility Thames Water was keen to keep its shareholders happy. It had a huge and largely untapped (!) asset in its database of customer names and addresses, used up to that time only for providing water utility services and billing them. It therefore started to use those customer details for the purposes of marketing non water-related products. After this came to the attention of the Data Protection Commission, Thames Water was informed that the practice was contrary to the first of the eight fundamental personal data principles of the Data Protection Act 1998, requiring the fair and lawful obtaining and processing of personal data.
To avoid enforcement action by the Commission, Thames Water gave various undertakings. These effectively prevented it from (1) using data relating to its customers to market non water utility-related services or goods available from either Thames Water or third parties and (2) transferring customer data to third parties for marketing purposes. The only way round these restrictions was for Thames Water to obtain its customers' express consent to activities (1) or (2) (or "non obvious" activities as we will call them from now on). Express consent would not be implied from simple lack of response to a mailing indicating that recipients' details would be used for non obvious activities unless they sent back an "opt out" reply. Before starting out on or authorising a third party to start a marketing campaign promoting non obvious products, Thames Water had to be in possession of documentary proof that every single recipient of the intended campaign had consented to this use being made of their data. This could be by way of a ticked "opt in" box or a blank "opt-out" box.
Why this matters:
This is not new law. British Gas Trading and Midlands Electricity had a similar experience in 1998 and 1999 respectively, though in these cases the matter went before the Data Protection Tribunal. But the rules in the UK for marketing use of personal data are not as strict as they might be.
Unlike in Italy, for example, the UK regime is not blanket opt-in. Without obtaining express prior consent or even providing an "opt-out" opportunity, UK brand owners can make extensive marketing use of data about their customers and stay within the law. The golden rules are (1) not to share the data with third parties or sell it and (2) not to use customer's details to market products which are in a different category to those the customer was buying or reading about at the time they first provided their data. As long as these are adhered to, (and of course all relevant uses etc are notified to the Commission as part of the statutory notification process all data collectors have to follow), marketers should be able to keep on the right side of the Commission!
