Does your bought-in marketing list come with consent?

Recent enforcement action by the UK Information Commissioner's Office ("ICO") demonstrates that when it comes to buying in a marketing list, as with anything, you really need to know what you're buying.

Having fired off just shy of 7.7 million unsolicited marketing texts over a six-month period in mid-2015, an online finance broker is now nursing a hefty £130,000 fine for failing to obtain the right marketing consents from the recipients.

Email, text and other "electronic" forms of marketing is governed by the snappily titled Privacy and Electronic Communications (EC Directive) Regulations 2003 – more affectionately known as PECR (pronounced "pecker").

Regulation 22 provides that you can't send direct marketing to someone by electronic mail unless (i) that person has given you consent to receive such marketing from you or (ii) you are relying on what's called the "soft opt-in": essentially, you obtained the recipient's contact details during a previous sale (or negotiation for sale), you are marketing your own similar goods or services and you gave the recipient an opportunity to opt out both at the time you obtained his or her details and again in all subsequent marketing messages (e.g. via an "unsubscribe" link).

One of the key problems in the present case was that the recipients of the texts had probably never heard of the sender, let alone agreed to receive marketing texts from them. The sender, an online broker specialising in loans and credit cards, had obtained the contact details from a third party and was therefore seeking to rely on the marketing consent given to that third party when the information was first collected.

Whilst there doesn't appear to be much scope for indirect, or third party, consent in Regulation 22, the ICO accepts that it might be valid in certain scenarios, if sufficiently clear and specific. Indeed, buying in third-party marketing lists is a commonly used way of obtaining customer leads and building a database quickly. However, the buyer of that list needs to be very clear about what consents have been given by those whose details are on the list.

Surprisingly, many buyers never consider this at all, which is problematic if their right to use the data is ever challenged. The risk is heightened when dealing with electronic marketing, because the rules imposed by PECR are stricter than those which apply to non-electronic (and therefore less intrusive) forms of marketing, such as post.

The latest ICO decision makes it clear that the onus is on the sender of the marketing to ensure they have adequate consents in place. This means the sender conducting its own due diligence, not simply relying on contractual assurances from the third party who sells them the data.

According to the ICO decision, a number of questions should be considered, including: how and when was the consent obtained? Who obtained it and in what context? What method was used – opt-in or opt-out? Did it mention texts, emails and automated calls? Crucially, did it list organisations by name or by description, or was the consent for disclosure to any third party?

The ICO said the consents relied on in the present case were inadequate because they were "not clear and specific enough" and did not "name or clearly describe" the sender.

The oft-made reference to "carefully selected third parties"offering "products and services which may be of interest to you" is too vague because such third parties could be anybody and their products and services could be anything. Even when setting out specific categories of third party to whom contact details might be given, care needs to be taken to ensure that such categories are narrow enough to give the recipient a realistic idea of what they might receive from whom.

The ICO has already issued detailed guidance on indirect consent and, in this latest decision, emphasises the need for marketers to read and understand that guidance or risk significant fines.

The ICO currently has the power to issue fines of up to £500,000 so, whilst significant, the £130,000 fine in the present case could have been worse. However, with the EU's new General Data Protection Regulation due to come online in 2018, it almost certainly will be in the future, with the current cap rising to the higher of 4% of global annual turnover and €20 million – incentive enough to dust off and start reviewing those consents!