Chris Bridges focuses on the impact of the GDPR on one particular data-dependent industry.
For many years, the marketing list industry has operated without much in the way of scrutiny of its compliance with data protection law. However, the game is changing. In October 2015, the Information Commissioner issued his first monetary penalty notice for failure to provide customers with clear information about, or opt-out from, third-party data sharing (see my article for SCL here). And not only is the ICO taking a keen interest in such activities, compliance will become substantially harder in 2018 with the implementation of the GDPR.
Could these two things, coupled with the new maximum fines, mean the end of the marketing list industry?
Where are marketing list brokers currently going wrong?
Presently, marketing list brokers, if they fall short in compliance with their data protection obligations, typically do so by failing to do one or more of the following:
(a) keep lists accurate and up to date;
(b) ensure valid consent is obtained for passing the customer's data to particular third parties, or particular classes of third parties;
(c) obtain consent for a particular purpose;
(d) ensure that consent was obtained sufficiently recently for it to be still valid (what is 'recent' depends on the circumstances); and/or
(e) recording how and when consent was obtained (in order to tell their customers).
Those that buy such lists without conducting proper due diligence are also liable for compliance failures, even where the vendor has provided 'assurance' that the data is compliant (which most do not); in its guidance, the ICO has made clear that it is not acceptable to rely on such assurances. Such due diligence could be as simple as evaluating a vendor's answers to a series of targeted questions. Despite this, many fall short.
Even where proper due diligence has been done, a purchaser may breach his data protection obligations by failing to cross reference the bought list with his own list of persons that have opted-out of correspondence or that have explicitly withdrawn their consent for that organisation to hold their data.
However, until recently, much of the above has been somewhat academic; the Information Commissioner has only recently taken an interest in list brokers, and his powers to fine have been quite limited. Many list brokers will doubtless have considered the risk worth it.
How is compliance about to get harder?
Whilst the GDPR is making changes across the board, the most important changes for the purposes of this article are those on how consent is obtained.
The 1995 Directive
As many readers will know, under the 1995 Directive (the Directive), consent cannot be a condition of accessing a service or completing a transaction, it must relate to a specific act (eg email vs SMS) by a specific person or group of persons, it must be informed (clear what is being agreed to), and a proactive step must be taken to give that consent, for instance by clicking submit with an appropriate 'you are agreeing to…' notice above.
Under the Directive, checkboxes with a default of being unchecked are the ICO's preferred compliant method of obtaining consent. Although the ICO frowns upon pre-ticked checkboxes, they do envisage that consent given by such a method will be valid provided that checkboxes are accompanied by appropriate explanations and a submit button. Of course, under PECR, a box which is checked by default is unlikely to give a valid consent for unsolicited marketing communications by electronic means.
Those brokers that are strictly compliant with both the Directive and PECR, using checkboxes with an unchecked default, I dare say, are likely to have a relatively low hit rate of opt-ins; and thus, you may conclude, may not be particularly competitive compared to others in the marketing list industry.
The GDPR defines consent in a similar way, but introduces 'unambiguous' and 'clear affirmative action' into the mix – Article 4(8).
What does this mean? Recital 25 details examples of actions that would satisfy the test, namely:
· ticking a box when visiting an Internet website;
· choosing technical settings for information society services; or
· by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data.
Recital 25 goes further, stating '[s]ilence, pre-ticked boxes or inactivity should therefore not constitute consent.' It also provides that, where the data is to be used for multiple purposes, for instance internal use and third-party sales, consent of the same standard must be obtained for each of them.
So, it is quite arguable that, under the GDPR, the only method for validly collecting data for the purposes of passing it to third parties would be to have an unchecked checkbox with a clear description of what the user would be opting into if they checked it.
So, not only will the most commonly used compliant method of obtaining consent no longer be compliant under the GDPR, but Recital 134 provides that existing processing must be brought into conformity with the GDPR within two years of it entering into force - most likely by 2020. Regardless, it is unlikely any consent obtained for third-party data sharing would be considered to last for this period of time without 'updating'.
Is the marketing list industry under threat?
As noted above, those brokers that only collect data in compliance with GDPR are likely to end up with much lower quantities of less useful data than their competitors who are not so conscientious. Can the legitimate marketing list industry really survive on the few that do opt-in? Only time will tell.
Of course, the above only stands if the marketing list industry makes a concerted effort to become compliant. So the real questions are: (a) will brokers continue to take risks by collecting data without compliant consent and (b) will people stop buying lists without carrying out proper due diligence?
Both of these questions will depend on the consequences of non-compliance, and how well informed people are about those consequences. The latter will ultimately depend on how well the ICO communicates the point to data controllers and processors.
New maximum fine
The level of fine should certainly be off-putting. The maximum fine for breaches of the rules on consent, set by Article 79(3a), is the higher of €20,000,000 or 4% of annual worldwide turnover, dwarfing the £500,000 for monetary penalty notices under the current regime. To rub salt into the wound, unlike monetary penalty notices, there are no set criteria to establish before a fine is imposed. Instead, there are simply matters which must be given due regard under Article 79(2a). So not only is the fine higher, fines may well become easier to impose.
Article 77(1) makes clear that compensatory damages may be awarded to a person, whether damage is 'material or immaterial', echoing the Court of Appeal's interpretation of the Data Protection Act 1998, s13 and the Directive in Vidal-Hall v Google, perhaps making the upcoming Supreme Court appeal on this point somewhat academic.
Notably, Article 77(4) and 77(5) provide that where data controllers and data processors, or one or more of each, are involved in the same processing, they will be jointly and severally liable for the entire damage. In the context of marketing lists where both parties are likely to be data controllers, the purchaser will likely be entirely liable for both his and the vendor's breach. Not only could this be detrimental to cash flow, if the list vendor goes insolvent or mysteriously disappears, the purchaser will not be able to obtain any contribution.
Who will take the risk?
Even if list brokers are prepared to take the risk of non-compliance, will list purchasers, given the increase in exposure?
Assuming list purchasers have knowledge of:
1. what is and is not compliant under the GDPR;
2. what constitutes proper due diligence;
3. what the financial consequences could be for failing to comply; and
4. the ICO's increasing interest in marketing lists,
it would seem unwise to take on such a risk. However, many organisations' marketing strategies are largely or completely reliant on the use of bought-in lists. It will be interesting to see where such organisations come down on the risk/reward analysis.
What is clear, however, is that the marketing list industry will come under increasing strain with the coming into force of the GDPR. Coupled with the ICO's relatively new-found interest, it seems its days – at least in its current form - could be numbered.
Chris Bridges is a Trainee Solicitor at Thomas Eggar, a trading style of Irwin Mitchell LLP. Chris is part of the firm's technology sector which comprises both lawyers working with technology-led businesses and IT law specialists.