An investigation by the Information Commissioner’s Office (ICO) found The Data Supply Company’s sale of more than 580,000 records containing people’s details resulted in 21,000 unsolicited spam texts being sent by the firm who bought the information.
From the monetary penalty notice:
- Between 19 June 2015 and 21 September 2015, 174 complaints were made to the 7726 service or direct to the Commissioner about the receipt of unsolicited direct marketing text messages about pay day loans. Following an investigation, the Commissioner established that the person responsible for sending those text messages had obtained its data from the Company. The Company had provided 580,302 records containing personal data.
- In correspondence with the Commissioner, the Company claimed that it obtained customer data from financial institutes that had declined or were unable to assist with the individuals’ requests for financial products.
- The Company identified a number of third party websites from which the complainants’ personal data had been obtained. These were not all, as suggested, the websites of financial institutions but included, for example, competition websites.
So it seems the big issue here is that the data broker did not obtain the data fairly in that those whose information it obtained were not informed, and/or did not consent to it being used for marketing purposes:
- Data controllers must take extra care if buying or selling a list that is to be used to send marketing texts, emails or automated calls. The Privacy and Electronic Communications Regulations 20003 specifically require that the recipient of such communications has notified the sender that they consent to receive direct marketing messages from them. Indirect consent (ie consent originally given to another organisation) may be valid if that organisation sending the marketing message was specifically named. But more generic consent (eg marketing ‘from selected third parties’) will not demonstrate valid consent to marketing calls, texts or emails.
- Data controllers buying in lists must check how and when consent was obtained, by whom, and what the customer was told. It is not acceptable to rely on assurances of indirect consent without undertaking proper due diligence.
You can read the full monetary penalty notice here (pdf). And if you’re wondering what the penalty was, well, it was £20,000.