The Information Commissioner’s Office guidance on direct marketing issued in September 2013, and re-issued in March 2016, spells out the kind of questions users of third party lists need to ask of data suppliers. Data users are encouraged to check the provenance of the data and, specifically, how consent for third party contact was obtained. For electronic 3rd party consent, the ICO requires that the type of organisation to which the data may be released is specified although it is conceded that a generic consent for would be sufficient for hosted emails and for postal communications.
The ICO’s checklist of reasonable due diligence reads like this:
• Who compiled the list? When?
• Has it been amended or updated since then?
• When was consent obtained?
• Who obtained it and in what context?
• What method was used – eg was it opt-in or opt-out?
• Was the information provided clear and intelligible?
• How was it provided – eg behind a link, in a footnote, in a pop – up box, in a clear statement next to the opt -in box?
• Did it specifically mention texts, emails or automated calls?
• Did it list organisations by name, by description, or was the consent for disclosure to any third party?
• Has the list been screened against the TPS or other relevant preference services? If so, when?
• Has the individual expressed any other preferences –eg regarding marketing calls or mail?
• Has the seller received any complaints
• Is the seller a member of a professional body or accredited in some way?
A Guide to Sourcing Data from Third Parties
Telemarketing Campaigns – Practical Guidance on Consent and Due Diligence
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance to the Data Protection Act 1998 or other statutory measures referred to in the document.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.