Transparency and Consent.
Nearly a year after the GDPR entered into effect, we are progressively getting more decisions from Data Protection Authorities around Europe.
The ICO has fined a PPI claims management company £120,000 for sending unlawful spam texts about its services. The facts date from between January and June 2018, so the ICO applied the Data Protection Act 1998 and the PECR to fine the sending of some 4 million unsolicited direct marketing messages. The ICO had received more than a thousand complaints from users through the 7726 complaint messaging service to the GSMA.
Although it was made under the DPA 1998, the decision clarifies some of the requirements for consent to send direct marketing messages.
We have previously discussed the prohibition of bundled consent here and here. In this case the ICO investigated the source of the personal data: marketers acting on behalf of Hall and Hanley collected data from three websites: Getyaoffers.co.uk, petesdeals.co.uk, myloanoffers.co.uk, and prizereactors.co.uk.
1 – The ICO looked at the information these data-collecting websites provided in their privacy notices.
“HOW DO WE COLLECT YOUR PERSONAL INFORMATION?
We collect Personal Information about You in several ways including the following:
- when You enter one of Our competitions or prize draws;
- when You complete one of Our lifestyle questionnaires or surveys;
- when You complete Our unsubscribe form;
- when You submit a Data Protection Enquiry or Subject Access Request (SAR);
- when We purchase or license Your information from other suppliers.”
Then in ‘WHO DO WE SHARE YOUR PERSONAL INFORMATION WITH?’:
“Data, like many other products and services can be sold or licensed. When We license data to third parties We call them Clients. We work hard to ensure that We only deal with reputable Clients who like Us operate in accordance with UK Data Protection Law. We enforce this through Our contractual relationships with Our Clients in which they undertake to operate in accordance with the UK Data Protection Law and continue to enforce the rights You have. More information about those rights is set out in this Privacy Notice. Sometimes Our Clients operate in countries outside of the European Economic Area (EEA) who operate under different data protection laws. Where this happens We enforce additional contractual provisions to ensure they provide an adequate level of protection as required by UK Data Protection Law. Here is a list of business categories in which Our Clients operate. Depending on what personal information We hold about You Our Clients may contact You by telemarketing, post or email for direct marketing, debt collection and tracing. For a more detailed list of the types of companies that fall into each business category please click on the category name.”
2 – Consent and third-party sharing of personal data
It’s interesting to read that such a vague enumeration of categories of third parties accessing personal data is deemed insufficient information by the ICO with regard to the balance of proportionality.
Much the same observation applies to myloanoffers.co.uk: there is a list of third-party partners that ‘may’ access personal data and an exhaustive list of partners that subscribers ‘may’ receive direct marketing messages from.
In the other two website cases, while H&H appeared by name, there was no active opt-in to consent without detrimental consequences for access to the service.
A reminder that privacy notices require more transparency and clarity. Consent has to be informed and specific, and not detrimental to the use of the service.
3 – H&H is recognised as the instigator of the direct marketing text messages
In the words of the ICO, “‘similar organisations’, ‘partners’ or ‘selected third parties’ are not sufficient information. When named, organisations need to appear immediately visible to subscribers with options to select who they wish to receive messages from with the specification of the type and method of marketing messages they wish to receive.” These are prerequisite conditions for free and specific consent. These conditions were not fulfilled in this case.
However, in view of its investigations, the Commissioner considered that H&H did not deliberately contravene regulation 22 of PECR, although it could not reasonably ignore its obligations.
4 – It is not acceptable to rely on assurances given by third-party suppliers
This is an important point stated by the ICO. It is equally valid when website owners commission work from a web designer. It is their duty to make sure the website is not collecting personal data without transparency and clear affirmative consent.
“H&H ‘opted Data Supply Agreement’ could not ‘absolve [himself] of culpability under data protection legislation by transferring its duties of due diligence in respect of the data to the third party’”.
Satisfied that H&H had access to sufficient financial resources to pay the monetary penalty ‘without causing undue financial hardship’, the ICO issued a fine of £120,000. This is a rather lenient fine in comparison with the maximum fine of £500,000 and the 4 million unsolicited messages sent.
A reminder that stating a category of sector or third parties in privacy notices is insufficient to constitute a clear, affirmative act establishing a freely given, specific, informed and unambiguous consent.