DWF logo


            Direct marketing and third party lists – ignorance is no defence

            We look at a recent Information Commissioner case to explain how contractual terms may not protect you from regulatory action when using third party lists in direct marketing, and the checks companies should carry out to reduce the risk.

            Date: 16/11/2016

            The Information Commissioner ("the IC") has taken a tough stance against organisations that breach direct marketing regulations. In a recent decision against Nouveau Finance Limited ("the Company"), the IC not only issued an enforcement notice (ordering the Company to take specific steps to comply with the law) but also issued a £70,000 fine to the Company. This case should be of particular interest to businesses because it involved the use of third party marketing lists, and because the IC emphasised that it is insufficient for companies to simply rely on contractual terms.

            The facts

            In short, the Company is a loan broker that generates leads via direct marketing.  Between 1 August 2015 and 10 January 2016, the Company contracted with a third party to send 2.2 million direct marketing text messages.  The Company had also contracted with a third party data provider ("the Data Provider") to obtain lists of individuals for the purpose of sending direct marketing text messages.

            Between 1 August 2015 and 10 January 2016, 92 complaints were made to the GSMA Spam Reporting Service, and the IC decided to take action against the Company.

            Why did the Company face action from the IC?

            The IC found that the Company had breached the Privacy and Electronic Communications (EC Directive) Regulations 2003 (known as "PECR") in two different ways.

            First, the IC found that the Company had failed to obtain the consent of the individuals in the Data Provider's direct marketing lists.  For valid indirect consent (i.e. where an individual provides consent to one party for another party to contact them), that consent needs to be clear and specific.  The Company had provided some example wording from the Data Provider where individuals were asked to consent to direct marketing, but the IC felt there was no evidence that the Data Provider had actually obtained consent that was clear and specific in relation to direct marketing carried out by the Company.  As a consequence, the Company had breached regulation 22 of PECR.

            Second, the IC found that the Company had sent direct messages without clearly identifying who the message was from - a breach of regulation 23 of PECR.  The IC has taken a hard line on businesses disguising their identity (even for comedic or viral effect).  Businesses must provide an easy way to opt out (e.g. by replying STOP to the text) and clearly identify the organisation that has commissioned the text.

            Why did the Company receive a fine?

            It is important to note that the Company received an enforcement notice (requiring it to follow certain steps or face prosecution) and a fine. To fine the Company, the IC had to establish that the breach of PECR was serious and was the result of either deliberate or negligent behaviour by the Company.  The IC found that the Company was negligent in its actions for two key reasons:

            1. The Company was heavily reliant on direct marketing, and the IC had provided detailed and significant guidance on direct marketing.  Therefore, the Company knew (or ought to have known) that there was a risk of breaching PECR.
            2. Secondly, and most importantly, the Company could not prove that it had carried out appropriate due diligence when acquiring the lists of individuals from the Data Provider.  The IC refers to the need for "rigorous checks" and states that it is simply "not acceptable to rely on assurances of indirect consent without undertaking proper due diligence".  Therefore, simply including a line within a contract stating that the Data Provider held all necessary consents did not satisfy the Company's obligations.

            What should businesses take from this case?

            Just as businesses are expected to conduct due diligence on their supply chain, they should ensure that their marketing supply chain is also rigorously checked.  The inability of the Company to prove it had carried out even basic checks on the lists of individuals supplied by the Data Provider resulted not only in a breach of regulation 22 but also in the IC declaring that it was negligent in its actions.

            Businesses should ensure that when they acquire direct marketing lists or contract with firms to conduct direct marketing on their behalf, they ask (at least) the following questions:

            • Where and how was the consent obtained?
            • Who obtained it, and in what context was it obtained?
            • Was the explanation clear and intelligible, and how was it presented (e.g. was it a clear statement, or was it in a link or a footnote)?
            • How much detail did the explanation go into?  Did it specifically mention texts, emails or calls?
            • Did the explanation describe the type of third party that would be able to contact the individual, or was the consent just for any third party?

            Whilst contractual provisions are not by themselves sufficient, businesses should ensure that any contracts that involve direct marketing and third party lists refer to the IC's guidance on direct marketing and include warranties stating (at least):

            • everyone on the marketing list has provided consent;
            • this consent has been provided relatively recently; and
            • the individual's consent clearly extended to a company fitting their description of the purchaser.

            Finally, businesses should keep in mind that they will be held ultimately accountable for the actions of their agents and marketing firms. A £70,000 fine may not bankrupt a blue chip company, but the damage to its reputation may be priceless. 
