“We would like to share your details with selected third parties…”
Consumers dislike it, assuming it means ‘anybody’, and in some cases they’re probably right. Adding ‘carefully selected third parties’ doesn’t cut the mustard either. In an age of transparency, it’s high time to ditch this meaningless phrase. It’s not just distrusted by consumers, but is firmly set in the Regulator’s sights.
Ignore recent rulings at your peril
In a recent ruling, the Information Commissioner’s Office fined data broker The Data Supply Company £20,000 for unlawful third party texts. Before you think this doesn’t apply to you, because your organisation doesn’t conduct SMS marketing campaigns, note the headline on the ICO’s press release on the case:
“Companies selling marketing lists are breaking the law if people haven’t been told how their information will be used”
The Data Supply Company fell foul of the law, in part, due to the permission statements used on other firms’ websites from which it had acquired personal data. An example highlighted from one website was:
“We may share your information with carefully selected third parties where they are offering products or services that we believe will be of interest to you”
The Regulator found that many of the privacy notices like this one were “too general and unspecific to comply with the law.” The ICO stressed Data Controllers must make rigorous checks to ensure third parties have obtained personal data “fairly and lawfully, that individuals understood their details would be passed on for marketing purposes, and that they have the necessary consent.”
Further consideration is required if Data Controllers buy or sell lists for direct marketing via texts, email or automated calls, which fall under the Privacy and Electronic Communications Regulations (PECR). The regulator states that indirect consent may be valid if the organisation that sends the marketing is specifically named when consent is collected or, at least, closely defined categories of company are included. However, the ICO clearly stipulates:
“More generic consent (e.g. marketing ‘from selected third parties’) will not demonstrate valid consent to marketing calls, texts or emails”
In another recent case, the ICO fined credit broker Digitonomy Ltd £120,000 for using affiliate marketing companies to send out over five million of texts without proper consent. Again, the consent wording used was found inadequate.
Ensuring third party data collection is compliant
In the ICO’s updated Direct Marketing Guidance (May 2016) the rules surrounding third party data and ‘indirect consent’ were tightened. To ensure transparency and compliance, organisations need to provide information to consumers as to who their data might be shared with:
“Consent is not likely to be valid where an individual is presented with a long, seemingly exhaustive list, of general categories of organisations. The names of the categories used must be tightly defined and understandable to individuals. In practice, this means that the categories of companies need to be sufficiently specific that individuals could reasonably foresee the types of companies that they would receive marketing from, how they would receive that marketing and what the marketing would be.”
Whether you’re sending marketing texts, email, making telemarketing calls or even sending postal campaigns, it’s time to move on from using ‘selected third parties’. While ‘trusted partners’ or ‘official sponsors’ may seem less harsh, simply changing the wording won’t be sufficient: It won’t wash with consumers and it won’t wash with the Regulator.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.