Promoters, distributors, fulfilment houses, agencies …. as more businesses become involved in the marketing and selling process, just who owns customer data is becoming an increasingly live issue.
Topic: Direct Marketing
Adam Haines, Osborne Clarke
Most people would take exception to being 'owned' or even having their information regarded as someone else's asset. The commercial reality is that the customer and information pertaining to the customer is extremely valuable as it is the key to controlling the customer relationship. When a customer buys a CD from a branded website, a car from a distributor or subscribes to a telephone company, there is a good chance that more than one company will be involved in the supply chain. It is in these circumstances that the issue of customer ownership arises due to the value of the information.
Can Customer Data be 'Owned'?
In many commercial contracts a party will often assert its ownership of intellectual property in the customer data. This is quite often a contentious issue at the negotiation stage but it is worth noting that sometimes the customer data will not quality for protection at all and therefore no one will 'own' rights to it. According to UK law, there are really only two forms of intellectual property rights which may apply to customer data, namely copyright and database rights.
The Copyright, Designs and Patents Act 1988 ("CDPA") affords copyright protection to, amongst other things, original literary works. This protection is subject to various qualification requirements and assuming these are met, the customer data needs to fall within the scope of a 'literary work'. This is defined as 'any work, other than a dramatic or musical work, which is written'. This is defined to include 'a table or compilation other than a database' and 'a database'. Individual customer records will not attract copyright protection as copyright works cannot be insubstantial and so copyright protection is limited to a collection of customer records which could take the form of a database (a collection of independent works, data or other materials which are systematically arranged and individually accessible by electronic or other means) or a table.
What usually prevents customer data from being afforded copyright protection is the requirement of originality, which does not require literary merit but does require original literary expression. A database of customer information will be original if 'by reason of the selection or arrangement of the contents of the database the database constitutes the author's own intellectual creation'. The problem is that the customer data will usually be automatically alphabetically arranged by customer name. Case law provides some clarification on this point – a table comprising commonplace information involving no skill in its arrangement was held not to be original (Cramp v Smythson) whereas the compilation of a table involving "skill and labour, possibly only labour" was held to be original (Express Newspapers v Liverpool Daily Post and Echo). Customer account information will almost certainly fall within the scope of the Cramp case. The Express case is important because a subset of the database may be protected where the author used skill to select the customers comprising the subset.
There is no requirement of originality for a database to be protected by database rights under the Copyright and Rights in Database Regulations 1997 ("Database Regulations"). This protects databases (as defined in the CDPA) 'if there has been a substantial investment in obtaining, verifying or presenting the contents of the database'. The Database Regulations do not define 'substantial' but do define 'investment' to include investments of "financial, human or technical resources". The maker of the database (who is first owner save where he is an employee) is defined as 'the person who takes the initiative in obtaining, verifying and presenting the contents 'of a database and assumes the risk of investing in that obtaining, verification or presentation'.
To the extent that customer information forms part of a protected database, the customer data can be considered 'owned', either by one company or jointly owned by two or more companies. Although ownership is better than nothing, it does not automatically mean that the owner has unfettered rights to commercially exploit the customer information as use of customer information. Furthermore, joint ownership means that neither party can exploit the jointly-owned database without the consent of the other and this is very important if the partnership between two companies in the supply chain comes to an acrimonious end.
Data Protection Implications
The Data Protection Act 1998 ("DPA") will have a more significant impact on use of customer data than the intellectual property rights outlined above, as the customer data will be personal data relating to a living individual the processing of which will be strictly controlled by the DPA. The exception to this is where customer data has been aggregated and anonymised and cannot be referenced back to the individual customers. Whether a party acts as data controller or data processor, it will have to notify the Information Office prior to processing the customer data and must provide the customer with certain information prior to, or at the time that the customer data is collected (including the identity of the data controller and the purposes for which the data controller will use the customer's personal data).
In addition, Members of the European Parliament have recently, and controversially, approved an early draft of a Privacy in Electronic Communications Directive which will require all businesses that send unsolicited commercial emails to ask all customers for permission before they send marketing material to them by email. It may be some time before this Directive is adopted and then implemented in the UK, however, businesses can begin to prepare for changes in the law by obtaining express consent to their use of unsolicited commercial emails now. This avoids the need to re-contact existing customers in the future when this law is introduced.
Most issues relating to ownership and use of customer data can be addressed in the contract between the companies in the supply chain and this will usually involve each party giving warranties and indemnities in relation to compliance with data protection law. Other issues are not so easily covered. An example of this is the usual contractual disclaimer in relation to loss or inaccuracy of data (which will cover customer data) and the extent to which this can be reconciled with the third principle regarding the accuracy of personal data and the seventh principle requiring appropriate technical and organisational measures to be taken against loss or damage to personal data.
What is clear is that ownership of the customer data should be taken with a pinch of salt – the customer data may not be capable of being owned, and if jointly owned cannot be used without the consent of each owner. Even then, such use is subject to all of the constraints set out in the Data Protection Act. Save in limited exceptions, the customer will always be able to determine what use (if any) is made of his personal data.
So who owns the customer data?
The customer does.