Organisations buying or renting a marketing list from a list broker or other third party must make rigorous checks to satisfy themselves that the third party obtained the personal data fairly and lawfully, that the individuals understood their details would be passed on for marketing purposes, and that they have the necessary consent. Organisations should take extra care if using a bought-in list to send marketing texts, emails or automated calls. They must have very specific consent for this type of marketing, and in most cases indirect consent (i.e. consent originally given to another organisation) will not be enough.
Organisations must check how and when consent was obtained, by whom, and what the customer was told. It is not acceptable to rely on assurances of indirect consent without undertaking proper due diligence, to demonstrate consent if challenged. Organisations seeking to rely on consent must ensure that consent was validly obtained, that it was reasonably recent, and that it clearly extended to them specifically or to organisations fitting their description.
Reasonable due diligence might include checking the following:
- Who compiled the list? When? Has it been amended or updated since then?
- When was consent obtained?
- Who obtained it and in what context?
- What method was used – e.g. was it opt-in or opt-out?
- Was the information provided clear and intelligible? How was it provided – e.g. behind a link, in a footnote, in a pop-up box, in a clear statement next to the opt-in box?
- Did it specifically mention texts, emails or automated calls?
- Did it list organisations by name, by description, or was the consent for disclosure to any third party?
- Has the list been screened against the TPS or other relevant preference services? If so, when?
- Has the individual expressed any other preferences – e.g. regarding marketing calls or mail?
- Has the seller received any complaints?
- Is the seller a member of a professional body or accredited in some way?
A reputable list broker should be able to demonstrate that the marketing list for sale or rental is reliable, by explaining how it was compiled and providing full details of what individuals consented to, when and how. If the seller cannot provide this information, a buyer should not use the list. It would be prudent for a buyer to have a written contract in place confirming the reliability of the list, as well as making its own checks. The contract should give a buyer reasonable control and audit powers.
Once an organisation has bought the list it should make sure it is prepared to deal with any inaccuracies or complaints arising from its use. If it receives complaints from individuals whose details came from a particular source, this would suggest that the source is unreliable and should not be used. A sampling exercise might help to assess how reliable the list actually is. It is also good practice to inform the individual where their details came from and ask whether they want to withdraw consent from other organisations as well, and if so to inform the source that consent has been withdrawn from all users.
If you would like to know how our service might enable your organisation's GDPR compliance journey, please visit us here
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018