A Data Broker is an organisation that obtains data from a variety of sources and then sells or licenses it to third parties. In 2012, data brokers’ trade in personal data was reported to have generated over $150 billion in revenue. Much of the data is used to support marketing campaigns, whether in print, by email, by telephone or, very often, by SMS.
The UK data protection regulator (the “ICO”) has for some time been actively enforcing against organisations who buy individuals’ personal data for direct marketing purposes without first conducting appropriate due diligence to ensure that those individuals have adequately consented to receiving marketing communications.
In October 2016, the ICO imposed a £20,000 fine on Rainbow (UK) Limited, a lead generation company, for precisely this reason. In its monetary penalty notice, the ICO set out a suggested list of questions that organisations should ask the data broker in these circumstances:
- How and when was the consent obtained?
- Who obtained it and in what context?
- What method was used – e.g., was it opt-in or opt-out?
- Was the information provided clear and intelligible? How was it provided – e.g., behind a link, in a footnote, in a pop-up box, or in a clear statement next to an opt-in box?
- Did it specifically mention texts, emails, or automated calls?
- Did it list, by name or by description, the organisations that would be provided with the information, or was there consent for disclosure to any third party?
- Is the seller a member of a professional body or accredited in some way?
It summarised this in the penalty notice as follows:
“Data controllers buying marketing lists from third parties must make rigorous checks to satisfy themselves that the third party obtained the personal data fairly and lawfully, that the individuals understood their details would be passed on for marketing purposes, and that they have the necessary consent.”
However, on 27 January 2017, the ICO imposed an additional £20,000 fine directly on the data broker, The Data Supply Company Ltd, for selling the personal data to Rainbow (UK) Limited. In the monetary penalty notice, the ICO noted that UK data protection law also places independent obligations on data brokers to ensure that they handle personal data “fairly and lawfully,” and explained that, amongst other things, this means:
- Data brokers are also responsible for ensuring that individuals have been adequately informed about how their personal data is handled – e.g., that the data broker is selling it to particular organisations for particular purposes; and
- Data brokers must not claim to sell lists of individuals who have consented to receive marketing texts, emails, or automated calls from particular organisations unless they have clear records of those consents.
Under the GDPR, compliance with the transparency principle and ensuring a legal basis for the use of personal data in this context will become top priorities for regulators. In practice, this means providing a sufficiently clear, comprehensive, and future-proof notice when data is collected from individuals. In terms of consent, now more than ever, the emphasis will be on giving individuals a genuinely free option and evidencing their choice.
The decision to proceed against both the data broker and its customer is a departure from previous cases, which have tended to focus on the customer. This suggests that the ICO may be shifting its enforcement strategy in this area. Considering that, from May 2018, the ICO will be empowered to impose fines of up to 4% of annual worldwide turnover, both data brokers and their customers are advised to take note of the ICO’s stated expectations.
So is this the end of the Data Broker business model?
Obviously the ramifications of this new departure by the ICO will be felt throughout the data industry, and by data brokers in particular. Realistically, it seems to mean that brokers need to inform their customers up front that they will be selling their data to “Company X” for the purpose of marketing, whether by text, email, telephone or letter. However, if they wish to sell on to another company not included in the list when they originally obtained the customers’ permission, they will have to contact those customers again before selling on their data. And when you consider the size of the transactions (this one was over 500,000 records), this will probably prove too onerous to allow the broker to generate any profit.