The ICO has fined a pensions advisor £40k for sending nearly 2m spam emails. So far, so nobody-cares-about-PECR[i]. In fact the fine is pretty low for an infringement of this size. Why? Because Grove Pension Solutions checked their proposed marketing scheme with a “recognised specialist data protection consultancy” and an “independent data protection solicitor” before proceeding. Both signed off on the plan, which is disappointing. So far, so pay-peanuts-get-monkeys[ii].
What’s important is why the ICO judged the scheme to be in breach of the law. Grove were using a marketing agency to execute the email campaign. The agency bought email addresses in from list vendors who were advertising “GDPR-compliant”[iii] lists. These lists had been compiled from respondents to a variety of hideous online surveys including “www.testing12free.co.uk”, “www.soaboxsurvey.co.uk” and “www.prizereactor.co.uk”. You’d perhaps be forgiven for thinking that anyone subscribing to any of those deserves what they get, but hey, that’s why we have laws to protect people.
These list-building sites sought consent from respondents to share their details with “third parties”. No details of the third parties were given – obviously, since this was speculative list building – and as a result the ICO has judged that this infringed the requirement that emails cannot be sent on the basis of indirect consent. Which is how pretty much all these lists work. Or rather, now, they don’t.
Despite the advice, and despite the marketing agency and the list builders being in the processing chain, the ICO found Grove liable for the infringement. Their judgement includes a slightly snarky comment that “a simple review of the customer journey would have exposed the issue”. So there’s no ducking your responsibility as a controller – although I’ll bet there are some really interesting conversations going on between Grove and the unnamed consultancy and solicitor.
Much more importantly, if your marketing also relies on “GDPR-compliant” bought-in lists, you might want to do some customer journey reviews yourselves.
Based on this judgement, all of these lists are fruit of the poisoned tree.
[i] The Privacy and Electronic Communication Regulation 2003 which governs the sending of unsolicited commercial emails and texts to individuals, as well as dealing with telesales and telemarketing. Come on, keep up at the back.
[ii] No, I don’t know the identity of either firm. I’m just being rude.
[iii] Yes, yes, I know, they should have been “PECR-compliant”. Don’t shoot the messenger.