The GDPR promises to give individuals considerably more power over their data. Many consumers will think that means two things: No more spam, and no more cold callers. But is that really the case?
People who value their privacy should be delighted that the EU has developed new regulation that gives them control over who handles their personal information and for what purpose.
But when the General Data Protection Regulation comes into force on May 25th, what will it mean for the world of ad emailers, data brokers and nuisance spammers?
Companies who compile lists of potential customers for cold-callers and other bulk marketers often use publicly available registers, or buy databases from other companies who collect the details of people who have, at some point, consented to direct marketing. What may surprise a lot of people is that when they agreed to receive messages from ‘selected third parties’ on a website, or on a survey form, they were agreeing to be contacted by any number of similar companies – in effect, agreeing to the details being passed on between list compilers, list brokers, lead generators and marketing companies.
As an example, the REaD Group – which runs the directory enquiry service UK Phone Book – confidently publicises that it sells lists of consumer details, and “captures and gathers permissioned personal data from the Edited Electoral Register and a number of select U.K. based data contributors […] customer satisfaction and lifestyle surveys, mail order, purchase/warranty card responses and offers and competition websites. The data is collated, validated, verified, screened and enhanced then combined into a series of databases from which extracts of data may be provided under contract to REaD Group’s business partners and clients.”
If you’ve ever wondered how that cold caller or spam emailer gets your details in the first place, it all comes back to a box you’ve ticked somewhere allowing ‘selected third parties’ to contact you with offers and information. After you ticked that box, your data was snapped up by a list compiler, who will produce reams of ‘permissioned’ leads to sell to different market sectors. It may just be your email address, but that data has been turned into a commodity along with that of millions of others.
So when the ICO told the direct marketing industry that getting ‘generic consent’ would not be specific enough, the industry took issue with the regulator’s interpretation of the law.
“Until now we have considered that, for digital marketing, a consent for the use of personal data in a named vertical sector is informed and unambiguous,” said a statement on their website. “However, the ICO guidance on consent provided on 2 March 2017 suggests that this will not be specific enough. We do not agree with this and have presented our views to the ICO. […] We do not support the stance being taken by the ICO which currently seems intent on going well beyond the requirements described within the regulation.”
The Direct Marketing Association (REaD’s industry body) also took issue with the guidance on consent, claiming the ICO has ‘got it wrong when it comes to consent and third party email marketing’, and ‘effectively shut down a viable way for consumers to receive relevant offers’ by focusing not on the content of the advert, but on who sent it (they use the example of a Domino’s Pizza offer and their appointed marketing company).
So what does the law say about direct marketing?
The GDPR holds a general sentiment that customers should be in control of their data – allowing data to jump from company to company goes against its core principles. But it does also state that direct marketing should be seen as a legitimate purpose to process data.
But most would be surprised to learn that the GDPR doesn’t create a firewall for people who want to rid their life of all marketing. There isn’t a single mention of the terms ‘third party consent’, ‘third party opt-in’ or ‘indirect consent’. So the new law largely leaves regulation of direct marketing at the mercy of the Privacy and Electronic Communications (EC Directive) Regulations 2003, which require companies to obtain an individual’s consent before sending marketing communications to them, and basically allow them to call any phone number not listed on banning registers.
The PECR specifically says that if a data collector is going to pass on data to third parties it must be explicit about which third parties, and that consenting to marketing “from ‘selected third parties’ does not constitute genuine consent,” but companies could demonstrate a valid indirect consent if the consent had “very clearly described precise and defined categories of organisations […] The categories of companies need to be sufficiently specific that individuals could reasonably foresee the types of companies that they would receive marketing from, how they would receive that marketing and what the marketing would be.” (ICO Direct Marketing Guidance 2016, Par 88-89).
So it’s only when companies are gathering together their contact lists – holding, editing and sharing them – that the GDPR comes into play.
The ICO’s judgement that the DMA refers to is the assertion in its GDPR Consent Guidance for Consultation 2017, which recommends that any consent which doesn’t specifically name the third parties who will receive compiled data is invalid (p7). It adds: “Even precisely defined categories of third-party organisations will not be acceptable under the GDPR.”
The basis for this guidance may be in paragraph 42 of the GDPR, which states: “For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.”
So the upshot is: no company who isn’t named in the consent notice has any valid claim to process personal data. It’s strengthened by the strict orders that any data controller who comes into possession of personal data from a third party should notify the data subject upon receipt of the data.
So the old rule of thumb that consent must identify a clear market sector for details to be shared with third parties no longer holds up – this may be the case for making the calls and sending the emails, perhaps on instructions of data controlling clients, but for controlling the data itself consent needs to be given for specific companies, in a clear and accessible notice, separate from other terms, and with a clear right to object.
The validity of any third party consent is further distorted by the principle that any consent given for the processing of data which isn’t itself needed to fulfil a contract between the data subject and controller doesn’t meet the high standard of the ‘specific, unambiguous, freely-given indication of wishes’ that the GDPR demands. So any website which made a voucher code or access to a service conditional on the customer giving their consent to third-party marketing is no longer lawful – it coerces the customer onto these compiled lists.
And then there’s Article 21 which also grants the right to object to any further marketing: “Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.”
The GDPR should in theory adjust how direct marketing companies operate – meaning they will need to refresh their consent from data subjects periodically, and carve out any part of their database which was acquired with coercive consent. Moreover, customer consents will now need to be abundantly clear, and separate from other T&Cs, to make them ‘unambiguous’. But the question of whether a linked privacy notice makes consent ambiguous is, itself, ambiguous.
By any stretch of the imagination, direct marketers may need to send out a new consent form to every one of their leads before May 25th – more likely, and this should be seen as an opportunity, direct marketers will be cleaning out the cobwebs of their old databases and starting afresh. And come May, I hope all DMA members embrace the true meaning of the GDPR, and do not justify loopholes in the legislation to try and keep hold of their reams of data. It isn’t actually theirs, after all.