The past few years have seen a crackdown from the Information Commissioner’s Office (ICO) on the use of personal data by organisations in relation to their marketing communications. Most recently, the British Heart Foundation (BHF) and the RSPCA were investigated and fined for “wealth screening” their donors, for piecing together donors’ information from other sources, and for trading donor data with other organisations. These fines are part of a wider movement in this area, putting greater demands on organisations which process individuals’ data, and this looks set to continue with the introduction of further regulation next spring in the form of the General Data Protection Regulation (GDPR).
Practices under scrutiny
In the most recent case, the ICO identified three practices by BHF and the RSPCA which breached data protection rules.
The first of these, “wealth screening”, involved the charities hiring wealth management companies to analyse their donors’ personal data, and data from other sources, to try to ascertain how much money they might be persuaded to give. The charities did not make the donors aware that they were doing this or obtain the donors’ consent to use their personal data in this way.
The second, “data and tele-matching”, involved the charities employing companies to use donors’ data to discover additional personal information about them. For example, a company might take contact information provided by a donor, such as a telephone number, and use it to discover further details such as the donor’s email or postal address, so that the charity could contact the donor through additional channels.
Finally, both the RSPCA and BHF took part in a scheme called Reciprocate, in which they shared their donors’ personal data with other charities in the scheme in order to identify possible future donors. This involved the disclosure by charities of millions of donors’ data. In the data collection process, both charities offered their donors the opportunity to opt out of their data being shared with “similar organisations”, which the ICO ruled was not sufficient to constitute valid consent, particularly as the scheme included such a broad range of charities that donor data was shared between considerably different organisations. Moreover, it was later discovered that the RSPCA had shared donors’ data even where they had asked to opt out of their data being shared.
All three of these practices are common in the charity sector and elsewhere, and both charities appeared to express surprise that their practices were unlawful. That they were investigated and fined for practices they did not see as problematic demonstrates the importance of maintaining an awareness of new regulation in this area, as well as of the ICO’s guidance and views, especially when, as now, the laws are getting tougher all the time.
An increasingly demanding regulatory regime
The above case follows the same direction of travel as a decision last year, in which the First-tier Tribunal ruled that Thomas Cook had not obtained valid consent to pass on its marketing recipients’ data to Optical Express. This meant that when Optical Express sent those recipients its own marketing texts, it breached the Privacy and Electronic Communications Regulations (PECR). In order for consent to be valid, the Tribunal ruled, the recipient must freely give a specific and informed indication of their wishes. They must be made aware of who is going to process their data, what it will be processed for and anything else necessary to ensure it is processed fairly. Because Thomas Cook did not tell its recipients that their data would be processed by Optical Express, or specify what products would be marketed to them, valid consent had not been obtained and Optical Express breached Regulation 22(2) of PECR.
The Optical Express ruling followed the ICO’s new guidance for direct marketing, published in 2016, which strongly advises against the use of general opt-in consents to third party marketing communications. Under this guidance, a consumer ticking a box stating, for example, “Tick here to confirm that you are happy to receive marketing emails or texts from selected third parties” is unlikely to be considered valid consent. Further, even where consent is freely and properly given, it is likely to remain valid for only six months.
The ICO’s guidance makes it clear that where organisations receive an individual’s contact details from a third party (as Optical Express did from Thomas Cook and as the RSPCA and BHF did from the other organisations in the Reciprocate scheme), those recipient organisations must carry out rigorous checks before relying on the indirect consent (i.e. consent originally given to a third party).
The guidance goes on to state that indirect consent is highly unlikely to be valid for calls, texts or emails and that, whilst the use of bought-in marketing lists is not banned, organisations must take steps to ensure the list was compiled fairly and accurately reflects people’s wishes. In most cases this will require each recipient organisation to be individually named as a recipient of the data, or to fall within a precisely defined category of organisation with which the data will be shared, for example by using wording such as: “Tick here to confirm that you are happy for us to share your information with [name of charity] / [other animal welfare charities operating in the UK] and to receive marketing emails or texts from such charities”.
Tougher laws to come
The direction of the law, moving towards tougher rules for companies which process personal data and higher fines for those that fail to comply, is set to continue over the next few years. In particular, a new EU data protection framework has now been agreed and adopted in the form of the General Data Protection Regulation (GDPR), which will apply from 25 May 2018. This law unifies European data protection rules, creating a tougher regime overall and one that applies to all companies targeting consumers in the EU, including those based outside the EU.
Going forward, all companies which control or process personal data in relation to offering goods or services in the EU will be subject to the GDPR, and those based outside the EU may need to appoint a representative in the EU. The GDPR requires such companies to demonstrate their compliance by maintaining records, conducting impact assessments on their processing and actively integrating data protection measures into their business processes. Importantly, their obligations to provide information to data subjects will become more onerous; in particular, companies will be required to inform individuals of their right to withdraw consent and of how long their data will be stored.
In view of the recent cases above and the tighter regulations to come, companies should review their current data protection policies and marketing practices as a matter of priority to ensure they are prepared for the coming changes, and in particular ensure they have individuals’ fully informed and freely given consent before they use personal data for marketing.
For further information about marketing or any issue relating to data protection, please contact Kathryn Rogers on +44 (0)1892 506 147 or Elliot Fry on +44 (0)1732 224 034.