Data brokers are organisations that obtain data from a variety of sources and then sell or license it to third parties. Many trade in personal data, which is purchased by their customers for several purposes, most commonly to support marketing campaigns. In 2012, data brokers’ trade in personal data was reported to have generated over $150 billion in revenue.
The UK data protection regulator (the “ICO”) has for some time been actively enforcing against organisations who buy individuals’ personal data for direct marketing purposes without first conducting appropriate due diligence to ensure that those individuals have adequately consented to receiving marketing communications.
In October 2016, the ICO imposed a £20,000 fine on Rainbow (UK) Limited, a lead generation company, for precisely this reason. In its monetary penalty notice, the ICO set out a suggested list of questions that organisations should ask the data broker in these circumstances:
- How and when was the consent obtained?
- Who obtained it and in what context?
- What method was used – e.g., was it opt-in or opt-out?
- Was the information provided clear and intelligible? How was it provided – e.g., behind a link, in a footnote, in a pop-up box, or in a clear statement next to an opt-in box?
- Did it specifically mention texts, emails, or automated calls?
- Did it list, by name or by description, the organisations that would be provided with the information, or was there consent for disclosure to any third party?
- Is the seller a member of a professional body or accredited in some way?
However, this was not the end of the matter. On 27 January 2017, the ICO imposed an additional £20,000 fine directly on the data broker, The Data Supply Company Ltd, for selling the personal data to Rainbow (UK) Limited. In the monetary penalty notice, the ICO noted that UK data protection law also places independent obligations on data brokers to ensure that they handle personal data “fairly and lawfully,” and explained that, amongst other things, this means:
- Data brokers are also responsible for ensuring that individuals have been adequately informed about how their personal data is handled – e.g., that the data broker is selling it to particular organisations for particular purposes; and
- Data brokers must not claim to sell lists of individuals who have consented to receive marketing texts, emails, or automated calls from particular organisations unless they have clear records of those consents.
Under the forthcoming GDPR, compliance with the transparency principle and ensuring a legal basis for the use of personal data in this context are bound to become top priorities for regulators. In practice, this means providing a sufficiently clear, comprehensive, and future-proof notice when data is collected from individuals. In terms of consent, now more than ever, the emphasis will be on giving individuals a genuinely free option and evidencing their choice.
The decision to proceed against both the data broker and its customer is a departure from previous cases, which have tended to focus on the customer. This suggests that the ICO may be shifting its enforcement strategy in this area. Considering that, from May 2018, the ICO will be empowered to impose fines of up to 4% of annual worldwide turnover, both data brokers and their customers are advised to take note of the ICO’s stated expectations.