ICO gives fresh guidance to businesses on buying in marketing databases

Out-Law News | 01 Apr 2016 | 9:52 am

Businesses should not promote products or services to consumers whose contact details they have bought from another company until they have checked that the seller obtained appropriate consent for such marketing activity, the UK's privacy watchdog has said.

In new guidance on direct marketing (50-page / 310KB PDF) the Information Commissioner's Office (ICO) said that organisations will find it "very difficult to use bought-in lists for text, email, or automated call campaigns" since they "require very specific consent" to market to consumers via those communication channels under the UK's Data Protection Act (DPA) and Privacy and Electronic Communications Regulations (PECR).

"Although there is a well-established trade in third party opt-in lists for traditional forms of marketing, organisations need to be aware that indirect consent will not be enough for texts, emails or automated calls," the ICO said. "PECR specifically requires that the customer has notified the sender that they consent to messages from them... In most circumstances, indirect consent would not meet this test – as the customer did not directly notify the sender, they notified someone else. Therefore it is best practice for an organisation to only send marketing texts and emails, or make automated calls to individuals, if it obtained consent directly from that person."

"However, we do accept that indirect consent might be valid in some circumstances, if it is clear and specific enough. In essence, the customer must have anticipated that their details would be passed to the organisation in question, and that they were consenting to messages from that organisation. This will depend on what exactly they were told when consent was obtained," it said.

Businesses run the risk of acting in breach of PECR if the indirect consents they rely on are of a general nature, the ICO said.

"Clearly, organisations cannot infer consent just because consent was given to a similar organisation, or an organisation in the same group," the ICO said. "It must have extended to the organisation actually sending the message as well. Indirect consent may therefore be valid if that organisation was specifically named. But if the consent was more general (eg marketing ‘from selected third parties’) this will not demonstrate valid consent to marketing calls, texts or emails."

"However indirect consent could also be valid if the consent very clearly described precise and defined categories of organisations and the organisation wanting to use the consent clearly falls within that description. Consent is not likely to be valid where an individual is presented with a long, seemingly exhaustive list, of general categories of organisations," it said.

The ICO said that businesses should check that data obtained from third parties demonstrates appropriate consent to marketing communications. It said that where data has been traded more than once, third-hand recipients of the data will be unable to rely on consents given previously to proceed with their marketing activities.

"Organisations need to remember that consent for third party marketing is a one-step process," the ICO's guidance said. "For example the customer gives consent to organisation A to pass their details onto organisation B. This original/same consent cannot be used by organisation B to pass the customer’s details onto further organisations. Organisations must therefore make rigorous checks as to how and when consent was obtained, by whom, and what the customer was told."

"It is not acceptable to rely on assurances of indirect consent without undertaking proper due diligence, in order to demonstrate consent if challenged. Organisations must ensure that consent was validly obtained, that it was reasonably recent, and that it clearly extended to them or organisations very closely fitting their description. If it was generic consent to marketing from any third party, it will be very difficult to show specific enough consent for calls, texts or emails," the watchdog said.

In its new guidance the ICO reiterated its previous view that businesses can rely on implied consent to marketing activities in some circumstances. However, it said that relying on implied consent can be as burdensome from a compliance perspective as using mechanisms that gather explicit consent from consumers. It therefore recommended, as "best practice", that businesses use "an opt-in box" to obtain explicit consent.

"Some organisations provide pre-ticked opt-in boxes, and rely on the user to untick it if they don’t want to consent," the ICO said. "In effect, this is more like an opt-out box, as it assumes consent unless the user clicks the box. A pre-ticked box will not automatically be enough to demonstrate consent, as it will be harder to show that the presence of the tick represents a positive, informed choice by the user."

"An opt-out box is a box that the user must tick to object or opt out of receiving marketing messages. However, the fact that someone has failed to object or opt out only means that they have not objected. It does not automatically mean that they have consented. For example, they may not even have seen the box if they were using a smartphone or other small screen device. For this reason, we would always advise the use of opt-in boxes instead," it said.

The ICO said, though, that businesses can comply with PECR when using opt-out boxes for consent in limited circumstances.

"For example, if the user must take a positive action to submit a form (eg click a button), and the organisation provides a clear and prominent message along the following lines, the fact that a suitably prominent opt-out box has not been ticked might help to establish that clicking the button was a positive indication of consent," it said.