Tempting, isn’t it? You are offered an email marketing list of business individuals at half the normal price but you find that the data has been obtained from the ‘public domain’ so should you turn it down?
There is a general misunderstanding in the business market that published data is fair game in terms of compiling business databases but there has been little guidance on what constitutes ‘public domain’ from the UK Information Commissioner’s Office. The most recent guidance states “It is good practice to only use publicly available information in a way that is unlikely to cause embarrassment, distress or anxiety to the individual concerned. You should only use their information in a way they are likely to expect and to be comfortable with. If in doubt about this, and you are unable to ask permission, you should not collect their information in the first place.” (ICO – Personal information online code of practice).
‘Data scraping’ and ‘web crawling’ has highlighted the fact that some consider all data published on the web is up for grabs, but that isn’t the case. Certainly the data published online can be accessed for information purposes, but the individuals who have parted with their personal data and the publishers who have collected it may not have had third party marketing in mind at the time the data was disclosed by the individual.
Individuals who give permission for their details to be included in a published data product do so in order to attract business for themselves. Their expectation does not include receiving marketing messages from other companies if they haven’t given their consent.
To protect their intellectual property. publishers of directory products are now installing sophisticated software to track the extraction of their online data and are putting in place measures to catch those companies who do it. One company was offered its own data – including data from individuals who had not given third party permission – at half the legitimate rental cost. Understandably, appropriate action was soon taken against the perpetrator.
Web crawling for personal data stems mostly from the United States where the lack of a national Data Protection Act has failed to limit unfair data collection. Indeed a few uninformed US companies are scraping data from global sources and then selling it back into the marketplace as fairly collected when it is not.
Even in the business community, direct marketers have a responsibility to establish how the data they wish to use has been compiled. We have already seen action taken against data gatherers and data users who did not appear to conduct due diligence on their data sources.
Published March 2015
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.