UK Tribunal rules against third-party consent. Marketing consent must be informed and unambiguous.

HM Courts and Tribunals (the Tribunal) has delivered the most robust and complete judgement against marketers who “harvest” marketing lists from third-parties.

To save you skipping to the end, here is the key point:

“when a data subject gives consent they must be informed about the processing to take place, including who by and what for. In no other way can consent be said to be ‘informed’”.

“If the data subject doesn’t know what products might be marketed then how can he exercise his right to object?”

Using very detailed reasoning and robust language it was ruled that businesses harvesting lists from third-parties will not have consent to market to those individuals, even when they actually ticked a box (or failed to untick a box) somewhere, unless the third-party marketer and/or the products to be marketed were made clear.

It is worth reading the full decision because it is the single most complete explanation about what does and does not constitute consent for marketing. But here is my summary:

Optical Express v Information Commissioner (EA/2015/0014).

The ICO issued an Enforcement Notice against Optical Express in December 2014 after thousands of people had complained about SMS marketing messages sent by Optical Express.

Optical Express appealed against the enforcement because the messages were sent after people had opted-in to third-party mailing.

Specifically, Optical Express had obtained a list of contacts from Thomas Cook. Thomas Cook customers had filled in travel surveys and had ticked a third-party marketing box, but when consent was obtained the types of products to be marketed were not mentioned and at no point was it made known that Optical Express would obtain or process the personal data.

The appeal was rejected for a number of reasons; but summarised as follows:

“If the point at which the recipient ticks a box to opt-in (in other words, consents) does not give details of the actual sender's name and contact details, how can he or she be said to be fairly informed? An opt-in issued by a company intending to sell-on the personal data it collects in this way is, in effect, only valid so far as marketing which itself sends and no other party.”

“When a data subject gives consent they must be informed about the processing to take place, including who by and what for. If there was any doubt about this it is clarified by Article 10 ( of 95/46/EC, The EU Data Protection Directive, brought into UK law by the Data Protection Act) which says that in order to ensure that the processing is fair you must tell the data subject (a) who is going to process the data, (b) what it will be processed for and (c) anything else at all to ensure fairness, such as, to whom the data might be passed and any applicable rights which the data subject has in relation to the processing (e.g. the right to object to direct marketing under Article 14(b)).

In More Detail

In a lengthy and detailed judgement, the Tribunal pulled together PECR and the Data Protection Act in such a precise and well-reasoned manner, it leaves very little room for manoeuvre:

It is clear from Article 2(f), Directive 2002/58/EC (the “PECR Directive”) that consent means:

(f) "consent" by a user or subscriber corresponds to the data subject's consent in Directive 95/46/EC;

Article 2(h) of Directive 95/46/EC (The Data Protection Directive) says:

"(h) 'the data subject's consent' shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed."

Which must be read alongside Article 7, which provides conditions for the processing of personal data (the first condition is relevant):

"Member States shall provide that personal data may be processed only if:

the data subject has unambiguously given his consent; or..."

Directive 95/46/EC Article 10 must also be observed and this requires that:

"Information in cases of collection of data from the data subject Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it:

(a) the identity of the controller and of his representative, if any;

(b) the purposes of the processing for which the data are intended;

(c) any further information such as

- the recipients or categories of recipients of the data,

- whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply,

- the existence of the right of access to and the right to rectify the data concerning him

in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject."

In summing up, the Tribunal stated:

Consequently, when a data subject gives consent they must be informed about the processing to take place, including who by and what for. In no other way can consent be said to be “informed”. If there was any doubt about this it is clarified by Article 10 which says that in order to ensure that the processing is fair you must tell the data subject (a) who is going to process the data, (b) what it will be processed for and (c) anything else at all to ensure fairness, such as, to whom the data might be passed and any applicable rights which the data subject has in relation to the processing (e.g. the right to object to direct marketing under Article 14(b)).

Summary

This isn’t a one-off. The courts, regulators and government have assumed a robust stance against the misuse of data for marketing since the Nuisance Calls and Texts Task Force in 2014 determined that the data industry needed higher standards and consumers needed more control of their personal data.

If it was ever in question, you should no longer view informed, unambiguous and provable consent as best practice; but your minimum standard.