B2C Data – Complaint about direct marketing
The Direct Marketing Association had asked the Commission to consider the circumstances around the buying and selling of alleged sensitive financial data by B2C Data Ltd. This followed articles in The Daily Mail which alleged that B2C Data Ltd was selling data on the pension and financial details of thousands of people without knowing the source of data the company was sourcing from third parties and without checking on the identity or plans of those to whom data was sold.
The investigation looked at B2C Data Ltd’s arrangements, how they source and gather their data, and how they ensure any data supplied is in line with regulations and collected with the appropriate consents. It also looked at the arrangements that the member had in place for selling the data to third parties and any due diligence that is undertaken.
B2C Data Ltd co-operated with the DMC investigation. They were however unable or unwilling to disclose the sources of the data supplied to them to the Commission and though they provided a number of sample consent forms from their suppliers, many of these were found to be vague and not compliant with recent guidance from the Information Commissioner’s Office.
In some cases the suppliers were running web based services where anyone using the service had, in effect, to give consent to their data being shared with third parties simply and automatically by virtue of being on the site. Additionally, there was insufficient evidence to substantiate the B2C Data claim that they did screen their data every 28 days against the Telephone Preference Service as claimed and as required in the DMA Code. Commissioners therefore upheld a breach of the Code rule 3.11 which states when buying or renting personal data, members must satisfy themselves that the data has been properly sourced, permissioned and cleaned. In this case the member company breached parallel requirements: failing to ensure their data suppliers provided adequate consent and for not substantiating that they had checked this data against the TPS before offering it to third parties.
The Commissioners also found a breach of the Code rule 4.4 which states that members acting as an agency or supplier for a non-member’s one-to-one marketing activity must advise the non-member to act within the Code. The Commission found no evidence that this was included in correspondence or contract terms.
The Commission believe companies should be more aware of the types of data they are trading and when these might be perceived as ‘sensitive’ by consumers. They see a risk to the public and to public trust if data with this “potential” is sold without the suppliers having any knowledge of the purchasers or the purposes for which the data would be used.
Whilst there was no evidence to show that the data in this case constituted details of a highly personal nature or sensitive personal data as defined by the ICO there was a concern that the member had not been alert to the potential issues of data with quite apparent sensitivities. The agreement and contract did not reflect any limited uses and or any unacceptable uses or purposes for the data. Had this been in place, the Commission would have been more assured as to the member’s due diligence on its buyers.
This company however, has now ceased trading following an insolvency action and the issue is therefore closed. However, should B2C Data Ltd have remained in DMA membership, given the seriousness of the Commission’s findings, the decisions are likely to have resulted in calls for significant change and evidence of change for their membership to continue.
This case again highlighted broader issues for the industry where businesses are unwilling or unable to provide information on the sources of data and the nature of the consents given by individuals to the use of their data. The use of non disclosure or confidentiality agreements is a barrier to buyers and sellers satisfying themselves that the data is safe to use. Alongside this, the selling and buying of data of a ‘sensitive’ nature and permission statements which may not reflect industry guidance can have serious effect when they are used across an extended value chain and result in the public frustrations we are seeing with increasing frequency. The DMC will be exploring these issues with the Direct Marketing Association.