Using marketing lists
Whether an organisation is collecting personal data for its own use, or to sell marketing leads on to others, it must always process that data fairly and lawfully.
Controllers buying marketing lists from third parties must make rigorous checks to satisfy themselves that the third party obtained the personal data fairly and lawfully, that the individuals understood their details would be passed on for marketing purposes, and that they have the necessary consent.
Controllers must take extra care if buying or selling a list that is to be used to send marketing texts, emails or automated calls. The Unsolicited Communications Regulations 2005 specifically require that the recipient of such communications has notified the sender that they consent to receive direct marketing messages from them.
Indirect consent (i.e. consent originally given to another organisation) may be valid if the organisation sending the marketing message was specifically named. But more generic consent (e.g. marketing ‘from selected third parties’) will not demonstrate valid consent to marketing calls, texts or emails.
Controllers buying in lists must check how and when consent was obtained, by whom, and what the customer was told.
It is not acceptable to rely on assurances of indirect consent without undertaking proper due diligence.
Such due diligence might, for example, include checking the following:
- How and when was consent obtained?
- Who obtained it and in what context?
- What method was used – e.g. was it opt-in or opt-out?
- Was the information provided clear and intelligible? How was it provided – e.g. behind a link, in a footnote, in a pop-up box, in a clear statement next to the opt-in box?
- Did it specifically mention texts, emails or automated calls?
- Did it list organisations by name, by description, or was the consent for disclosure to any third party?
- Is the seller a member of a professional body or accredited in some way?
Controllers wanting to sell a marketing list for use in text, email or automated call campaigns must keep clear records showing when and how consent was obtained, by whom, and exactly what the individual was told (including copies of privacy notices), so that they can give proper assurances to buyers.
Controllers must not claim to sell a marketing list with consent for texts, emails or automated calls if they do not have clear records of consent.
It is unfair and in breach of the first data protection principle to sell a list without keeping clear records of consent, as it is likely to result in individuals receiving non-compliant marketing.