
The Marketing Chain of Misery

Do you know how many times your personal information has been traded in the past 12 months? You should do, because it's unlikely that a UK organisation can fairly obtain our personal contact information without making us aware that they're processing it, unless they're operating only as a data processor under the terms of a contract with a data controller. Thus, if an organisation acting as a data controller for our information comes into possession of our personal information, and that information includes our contact information (an e-mail address, phone number, postal address, etc.), then that organisation is obligated under the first data principle to inform us that they're a data controller for our information and to provide us with a fair processing notice.

Briefly, a data controller is any individual or organisation that makes the decisions about how to process our personal information. A data processor on the other hand, is any individual or organisation that processes personal information on behalf of a data controller and in accordance with the strict terms of a data controller/data processor contract. As a rule therefore, organisations that come into possession of our personal information will likely be acting as a data controller for our information unless they can clearly demonstrate that they're only acting as a data processor on behalf of another data controller. An organisation can come into possession of our personal information by obtaining it from another individual or organisation, by scraping it from a public source, or even by creating it themselves.

There has been a rise in the number of UK data controllers, particularly employment agencies, that spend their days trawling LinkedIn and creating likely e-mail addresses for suitable individuals based on the information they find there. They then use the likely e-mail address to promote their products or services to the individual at their place of work. Not only is this unfair data processing, it's seriously creepy.

For the purpose of this article therefore, when I talk about organisations or companies, I'm referring to data controllers: those organisations that come into possession of our personal information, either directly from ourselves or from another source. At the very minimum, a data controller is obligated to satisfy a condition for processing and comply with the data principles for their processing to be deemed fair. And the first data principle states that the processing will not be deemed fair unless the data controller identifies themselves to their data subjects (us) and provides them with a fair processing notice, or makes this information readily available.

Now, when we register directly with a company we are usually given the opportunity to review their fair processing information via their website, in the form of a privacy notice/policy. That's right; a privacy policy is there to satisfy the data controller's obligation to provide us with a fair processing notice; we're under no obligation to read, view, accept or agree to a privacy policy. But what about those data controllers that come into possession of our personal information from a source other than directly from ourselves; we don't know who they are so how do they satisfy the first data principle? How do we see their privacy policy? Well, it's simple; they're expected to actively provide us with a fair processing notice at the point they obtain our information. The relevant law is Schedule 1, Part II 2(1) (b) of the DPA:

In any other case, the data controller ensures so far as practicable that, before the relevant time or as soon as practicable after that time, the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3).

"In any other case" refers to a situation where the personal information is not obtained directly from the individual. In other words, if an organisation acts as a data controller for personal information obtained from a source other than directly from the individual, then they need to identify themselves to the individual and provide a fair processing notice to satisfy the first data principle, so far as practicable. The view of the Information Commissioner is that this should happen at the point the data controller obtains the information.

I sought further clarification from the ICO's Rob Cole, who informed me:

As you can see in Schedule 1 Part II 2(1) (b) in situations where data is not obtained directly from the data subject ‘fair processing’ information should be made available so far as is practicable. It is possible to imagine situations where although it wouldn’t be practicable to provide fair processing information, the processing could still be considered as fair.

However, in situations like the ones you allude to, where information is collected without the individual’s knowledge or expectation from third party sources and particularly ‘scraped from the internet’ specifically for the purposes of list brokering, it is difficult to see how this could be considered fair from a first principle point of view. However it would be useful to see specific real world examples of the situation you describe, to enable us to make a more informed assessment of the processing.

Rob didn't clarify the phrase "so far as practicable" but further analysis suggests that certain factors might mitigate the need for the data controller to actively provide a fair processing notice. An obvious example is if the personal information doesn't actually contain any contact information. It's clearly not possible for a data controller to contact an individual to make them aware that they're a data controller for their information if they didn't obtain any contact information for the individual.

Another mitigating factor to consider is whether a disproportionate effort is required by the data controller to contact the individuals to make them aware that they're a data controller for their information. Section 3.1.7.6 of the Information Commissioner's DPA: Legal Guidance states:

The term "disproportionate effort" is not defined in the Act. In assessing what does or does not amount to disproportionate effort the starting point must be that data controllers are not generally exempt from providing the fair processing information because they have not obtained data directly from the data subject.

What does or does not amount to disproportionate effort is a question of fact to be determined in each and every case.

In deciding this the Commissioner will take into account a number of factors, including the nature of the data, the length of time and the cost involved to the data controller in providing the information. The fact that the data controller has had to expend a substantial amount of effort and/or cost in providing the information does not necessarily mean that the Commissioner will reach the decision that the data controller can legitimately rely upon the disproportionate effort ground. In certain circumstances, the Commissioner would consider that a quite considerable effort could reasonably be expected. The above factors will always be balanced against the prejudicial or effectively prejudicial effect to the data subject and in this respect a relevant consideration would be the extent to which the data subject already knows about the processing of his personal data by the data controller.

Bearing in mind that the Information Commissioner is well aware of the annoyance caused to the millions of us that receive unexpected and unwanted direct marketing every day, I would reasonably expect the ICO to have clear and specific guidance in place for situations where data controllers come into possession of our information, without our knowledge, and subsequently process it to target us with direct marketing.

That guidance should require any organisation that comes into possession of personal information indirectly, with the aim of trading that information or processing it for the purpose of direct marketing, to provide a fair processing notice at the point they obtain the information. Indeed, the notion that list brokers and marketing companies can operate in the shadows, trading in our personal information and profiting from our misery is shambolic! It shouldn't be allowed to happen because in nearly every case the processing will likely be unfair. Do they or do they not need to notify us when they obtain our information, or can they remain anonymous and carry on regardless?

It's a disgrace that the ICO has not actively communicated this widespread abuse to the public.

What prompted me to raise this issue with the ICO is Section 85 of their direct marketing guidance, where it states that there is a well-established trade in third party mailing lists for traditional forms of marketing. How does that work then? How can there possibly be a well-established trade in traditional marketing - marketing by post, if data controllers that obtain our information indirectly are obligated to actively contact us when they obtain our postal name and address and provide us with a fair processing notice - before doing anything else with our information? How many companies have contacted you out of the blue in the past ten years to inform you that they're a data controller for your information? I bet it's none! Is the Information Commissioner ignoring the need for data controllers that obtain our information indirectly to provide a fair processing notice because the cost of postage would be a disproportionate effort? That's not what it states above! In the guidance above it states that it should be on a case by case basis but that the Commissioner expects data controllers to go to quite considerable effort.

The only thing that is well-established as far as traditional mailing lists is concerned is that it's likely to be a massive scam, one that is actively supported by the ICO's direct marketing guidance. You can find the ICO's direct marketing guidance by Googling it; is there anywhere in that guidance that suggests that those data controllers that come into possession of our personal information should actively contact us? I'll save you the bother... there isn't. It's been completely, totally and utterly ignored. Is this the result of incompetence or is it deliberate, I wonder? Has the ICO deliberately opted to bury the need for commercial organisations to provide a fair processing notice whenever they obtain our personal contact information because they can't cope with the scale of the abuse?

Rob Cole is of the view that data controllers need to provide us with a fair processing notice when they come into possession of our information without our knowledge, so why is this not reflected in the direct marketing guidance? If Rob is correct then there cannot possibly be a well-established trade in third party mailing lists for traditional forms of marketing, because that trade will ultimately require the blanket abuse of the first data principle. How much is the cost of posting 10,000 letters by second-class post to individuals' postal addresses obtained from a mailing list? How much is the cost of dealing with the follow-up Subject Access Requests when a percentage of those individuals want to know how the organisation obtained their information? Is the organisation able to satisfy a condition for processing, bearing in mind that consent only has one iteration? If it's a mailing list company then they'd have to seek indirect consent from the individuals too before they can disclose that information to a third party. In light of this, the trade in mailing lists of personal contact information is highly unlikely to be compliant with the DPA. It's as simple as that. It's an abuse on a massive scale supported by the ICO.

Of course, it's far from ideal to have organisations contacting us out of the blue to inform us that they're a data controller for our information. A far better, and safer, option is to require the companies that we register directly with to specifically name any data controllers that they intend to pass (disclose) our information to. Obviously those organisations who are acting as data processors for non-marketing data processing under contract with the data controller would likely be exempt.

Again, the ICO's direct marketing guidance fails miserably to consider the need to provide a fair processing notice. Section 89 of the ICO's direct marketing guidance states:

However indirect consent could also be valid if the consent very clearly described precise and defined categories of organisations and the organisation wanting to use the consent clearly falls within that description. Consent is not likely to be valid where an individual is presented with a long, seemingly exhaustive list, of general categories of organisations. The names of the categories used must be tightly defined and understandable to individuals. In practice, this means that the categories of companies need to be sufficiently specific that individuals could reasonably foresee the types of companies that they would receive marketing from, how they would receive that marketing and what the marketing would be.

Here the guidance is focussing on the need to obtain consent to satisfy a condition for processing. Remember what I said earlier: a data controller has to satisfy a condition for processing and comply with the data principles as a minimum requirement for fair data processing. Well, this section of the ICO's direct marketing guidance is explaining how an organisation that we've registered directly with can obtain our indirect consent so that they can pass our information to a third party. That third party could then possibly rely on the indirect consent to satisfy a condition for processing. Okay, fair enough, this might satisfy a condition for processing, but what about the third party's need to comply with the first data principle? When does this unknown third-party data controller provide us with a fair processing notice? Who created this guidance? Why is it deemed important to pass indirect consent to a data controller yet not important at all to ensure that the third party provides us with a fair processing notice?

If we all accept that it's not good practice for data controllers that come into possession of our personal information to contact us out of the blue and provide a fair processing notice, then a reasonable alternative is to ensure that we're fully aware of who is processing our information. In which case, any company that we register directly with should identify any third party data controller that they want to share (disclose) our information with, seek our consent fairly, and include a link to the third party's privacy policy in the consent statement. This way, whenever a data controller comes into possession of our personal information, if they cannot demonstrate that they obtained our information from a company that we registered directly with - by being specifically named in a consent statement, then they should be deemed to have unfairly processed our information as a rule. This can apply to paper forms too; if they want to share the information then the name of the company should be on the form together with a URL of the third party's privacy policy. This should also include B2B where an individual's e-mail address constitutes personal information.

At the end of the day an organisation that we register directly with does not have an inherent right to make money out of trading our information with unknown third-parties. They too need to put fairness at the heart of their data processing and recognise that by disclosing personal information to an unknown third-party they're effectively contributing towards unfair data processing. Why shouldn't the organisations that we register directly with take some responsibility for this?

The organisations that contribute to the marketing chain of misery do so in the following ways:

1. Data controllers that obtain information from a public source. This is likely to be a failure to satisfy a condition for processing and a failure to comply with the first data principle: you don't have my consent and you've failed to provide me with a fair processing notice.

2. Data controllers that obtain information from social media and create a likely e-mail address for the individual at their place of work. This is likely to be a failure to satisfy a condition for processing and a failure to comply with the first data principle: you don't have my consent and you've failed to provide me with a fair processing notice. It's also really creepy and stinks of desperation so I would never do business with such an organisation anyway. Indeed, it simply serves to demonstrate just how unprofessional the organisation is. The ICO has recently upheld a number of complaints that I've submitted against organisations that scraped my profile from LinkedIn, created a likely e-mail address for me at work and used it to promote their services to me.

3. Data controllers that we register directly with that claim to obtain our consent to disclose our personal information to unknown third party data controllers from their privacy policy or terms and conditions. This is highly unlikely, as both are way too complex to constitute a valid third-party consent statement. Furthermore, consent must be obtained fairly and the individual must be given genuine choice over whether or not to give their consent. And of course, any contract that attempts to bind us to a privacy policy will likely be void as there's no consideration. A UK organisation must comply with the ICO's interpretation of the DPA or challenge it, and there's nothing that they can do to negate this. As such, how will we ever benefit from entering into a contract that attempts to bind us to an organisation's own interpretation of the DPA? Where's the consideration? A contract is void without it unless it's a deed of assignment. Oh, and let's not forget that Regulation 27 of the PECR will void any term that attempts to obtain consent contractually.

4. Data controllers that obtain personal information from a non-UK source. This is likely to be a failure to satisfy a condition for processing and a failure to comply with the first data principle: you don't have my consent and you've failed to provide me with a fair processing notice. Consent for direct marketing is only valid if obtained in accordance with UK laws and Regulations. Bearing in mind that LinkedIn, Facebook etc., are non-UK data controllers, I fail to see how UK data controllers can reasonably obtain consent when they purchase a mailing list from non-UK data controllers. And of course, even if they did, they'd still need to satisfy a condition for processing for their processing to be deemed fair.

I discovered recently that a UK data controller had obtained my information from some guy in the US who admitted to scraping my profile from LinkedIn, creating a likely e-mail address for me and adding it to his own mailing list. The UK data controller sold my information to another UK data controller and they used it to promote their products and services to me. It's an abuse at every step. This is a typical example of the marketing chain of misery. The ICO is currently investigating all of the UK companies involved.

5. Data controllers that can legitimately rely on the indirect consent obtained from another company to satisfy a condition for processing. They still need to comply with the first data principle. Unless they actively provide a fair processing notice then they'll likely be failing to comply with the first data principle. Rob's confirmed it above but we need more guidance.

6. Data controllers that operate mailing lists. Ha, they're unlikely to obtain indirect consent and even if they do that consent can only be used to promote their own mailing list services to the individual. If they want to pass the information to a third party then they'll need to obtain indirect consent directly and fairly from the data subject. According to the Information Commissioner, consent only has one iteration. Mailing list data controllers do not work under UK law so I don't know why the Information Commissioner thinks they do.

7. Data controllers that feed into mailing list companies. These companies should be named and shamed. Unless they make it clear that they're going to disclose personal information to a mailing list data controller or list broker (operating as a data processor) then they'll likely be misleading their data subjects and that's unfair data processing. According to the Information Commissioner, the adequacy of any consent or purported consent must be evaluated. For example, consent obtained under duress or on the basis of misleading information will not be a valid basis for processing.

8. Data controllers that purchase mailing lists. The well-known stores that serve to propagate the massive abuse won't obtain consent to satisfy a condition for processing from a mailing list data controller because consent only has one iteration. The only way that they would obtain valid consent is if they obtain the information from the same company that the individual registered directly with. For example, if I register with Company A and agree to let them disclose my information to Company B for the purpose of direct marketing, then Company B might be able to rely on the indirect consent to justify their data processing, but before they use the personal information for any other purpose, Company B will need to contact the individuals and provide a fair processing notice.

As it stands, if any UK organisation comes into possession of your personal information and processes it to target you with direct marketing at home or at work, it's likely that they'll be unfairly processing your information and you might want to think about submitting a complaint to the ICO. Your argument is that they've failed to satisfy a condition for processing and failed to comply with the first data principle.

I'll look to add a few articles in 2017 about the companies that buy mailing lists. I'm currently waiting to hear from GAME as to whether they purchase third-party mailing lists - I saw them listed on a list broker's website as a client.

Added: 02.01.2017