Are you planning to buy data from third parties?

Whether you buy data from a data broker, lead generation business or other third party, you must ensure that the seller obtained the data fairly and legitimately, i.e. made it clear to customers that their details would be passed on for marketing purposes and obtained the necessary consent for doing so. Current legislation obliges businesses to offer prospects the option to receive future correspondence and marketing emails (opt-in), as clarity of consent and third-party sharing were the biggest concerns of consumers in 2016, according to the Direct Marketing Commission.

The default option is not to get any offers and information about products and services. However, some businesses confuse visitors by making them take the effort to opt out of marketing, with statements like "please un-tick this box if you do not wish to not receive no further correspondence". Double negatives in writing are not only a nightmare but also deceptive, and will have individuals reading the statement multiple times to understand exactly what it means. Therefore, the consent must be unambiguous, specific, informed and involve a clear affirmative action. Specifically, the ICO (the UK's Information Commissioner's Office) points out that pre-ticked opt-in boxes or requirements to opt out are invalid; consent requests must be separate from other terms and conditions; people should be given the option to withdraw at any time; and any third party who will be relying on the consumer's consent must be named.

Ignorance is no excuse: if you are planning to buy data, you should carry out rigorous checks to ensure the procedures were followed before relying on the consent given to the data broker or third party. Consent is unlikely to be valid for all types of communication, including calls, texts, and emails, as these require very specific consent. For example, bought-in data for emails can only be used for email communication, not for telemarketing purposes. As far as call data are concerned, PECR (Privacy and Electronic Communications Regulations) makes it a legal requirement for businesses making marketing calls to screen call lists against the TPS (Telephone Preference Service). If you ignore individuals' objection to marketing calls or texts or fail to screen calls against the TPS register, you are likely to be fined up to £500,000. Better safe than sorry, right?

Additionally, you should take extra care and undertake proper due diligence to ensure that valid consent was obtained, that it is reasonably recent, and that it covers receiving marketing from you or clearly defines a category which fits your description. For consent to be valid, it must be transparent, comprehensible, and clearly visible so that consumers fully understand what they are consenting to. Specifically, the statement must explain that the action indicates consent to receive marketing messages; specify your business name in the opt-in statement and the method(s) of communication; and be prominent, that is, not hidden in dense policies or in small print.

According to the DMA's Data Guide, your designated broker or third party should be able to demonstrate how and when the data was collected, as well as provide full details of what the consumers agreed to. If the seller cannot answer the following questions, it means that the source is untrustworthy and should not be used.

  • When was consent obtained?
  • Who obtained it and in what context?
  • What method was used, e.g. was it opt-in or opt-out?
  • Was the information provided clear and intelligible? How was it provided, e.g. behind a link, in a footnote, in a pop-up box, in a clear statement next to the opt-in box?
  • Did it specifically mention texts, emails or automated calls?
  • Did it list organisations by name, by description, or was the consent for disclosure to any third party?
  • Has the list been screened against the TPS or other relevant preference services? If so, when?
  • Has the individual expressed any other preferences, e.g. regarding marketing calls or mail?
  • Has the seller received any complaints?
  • Is the seller a member of a professional body or accredited in some way?

If the data broker is selling data or offering marketing services that legally put you in an exposed position, you should not rely on them. Here are 4 things you should always have in mind before attempting to buy data from third parties: consent, quality, accuracy, and responsibility. Obtaining and using individuals' details without clear consent is a criminal offence, so protect your company's reputation and avoid large ICO fines by adopting appropriate privacy policies and practices, and by staying on the right side of the law when using people's personal information.