Recent UK enforcement actions highlight the risks to companies of relying on third-party providers to obtain marketing consents from individuals on their behalf. A claims management company has been separately fined by both the UK’s Information Commissioner’s Office (ICO) and by its functional regulator, the UK’s Claims Management Regulator (CMR), for improper marketing activities conducted on its behalf by marketing companies. Specifically, the company reportedly engaged several third-party marketing companies to send marketing text messages to UK consumers on its behalf. The company did not, itself, obtain the consumers’ personal data, or their consent, to receive the messages; rather, it relied on the third-party marketing companies to obtain the consumers’ data, and their consent, to receive marketing, and to send the messages on its behalf.[1] This reliance proved unfounded, as the ICO and CMR found that sufficient consents had not been obtained from the consumers, and the company was fined £120,000 by the ICO and £91,000 by the CMR for these violations. Further, in upholding the fine issued by the CMR, the UK’s First Tier Tribunal (FTT) recently identified suggested measures for companies to take in acquiring data from third-party providers for marketing purposes.
What was the contravention?
Hall & Hanley Limited (H&H) was a UK company set up to assist consumers with claiming refunds of mis‑sold Payment Protection Insurance (PPI).[2] H&H allegedly instigated the transmission of over 3.5 million direct marketing messages, which requested individuals to get in touch directly with H&H if they wanted to discuss PPI.
The CMR issued a fine of £91,000 to H&H earlier this year for a breach of the claims management sector regulations that were in place at the time of the contravention (Regulations). The Regulations required regulated firms to take reasonable steps in relation to any arrangement with third parties to confirm that any referrals, leads, or data have been obtained in accordance with the requirements of UK legislation and the Regulations.[3] H&H failed to conduct proper due diligence on the data; had H&H done so, it would have realised that the data had been acquired in breach of the UK’s Privacy and Electronic Communications Regulations (PECR), as the proper consents had not been obtained from individuals.
In a separate investigation in May 2019, the ICO issued H&H a fine of £120,000 for breaching the PECR. The ICO found the company had sent 3.5 million text messages about compensation claims without having the correct consent. As the instigator of the direct marketing messages, the ICO concluded that it was the responsibility of H&H to esure that valid consent to send those messages had been acquired.
What did the FTT say?
Earlier this month, the FTT upheld the fine issued by the CMR for a breach of the Regulations on the basis that the fine was not disproportionate or unjust. Although the FTT’s decision is specific to claims management organisations, it also provides some useful guidance about using data collected by a third party for an organisation’s own purposes:
- FTT’s suggested action steps. The FTT advised that it would not be appropriate to be prescriptive about the steps that should be taken in order to comply with the Regulations. However, the FTT did set out some steps that it considers to be reasonable for organisations with a similar business model to that of H&H to follow, these include:
- Reviewing relevant website privacy policies;
- Reviewing the opt-in mechanisms and checking that all opt-in mechanisms are consistent with the privacy policies of the websites concerned;
- Reviewing an appropriate sample of the data to be supplied before purchase to confirm that appropriate opt-ins had been obtained;
- Putting a degree of responsibility on the part of the supplier to provide compliant data by seeking a warranty from it that all relevant data supplied will be in compliance with the legislation; and
- Seeking guidance from the regulator on points of difficulty or where clarification of the regulator’s approach or policy is needed.
- Contractual assurances alone are not sufficient. The FTT said that the responsibility is on each person in the chain of the transaction to take reasonable steps to ensure compliant use of the data.
- Timing of due diligence. Due diligence should also carried out by the controller of the data before it uses the data for commercial purposes.
- It is not necessary to review all data. The FTT advised that is it not necessary to review all data before use. However, “all reasonable steps” should be taken. Therefore, a process of sampling of data is a reasonable step to take and the question then is whether the sample is large enough to give a reasonable indication of whether substantially all of the data acquired will be compliant.
- Shifting responsibility. A regulated firm cannot shift the responsibility for establishing that data will be used compliantly onto the regulator. The FTT stated that the regulator is under no duty to prescribe to an authorised firm the precise steps that the firm should take to ensure compliance.
What can we learn from this?
The FTT has made it very clear that it is not adequate for companies to rely solely on contractual assurances from a supplier that the data have been supplied in accordance with relevant legislation. Organisations should ensure that they are taking reasonable steps so that they can lawfully engage a third‑party marketing company to send marketing to its own lists.
It is also clear that regulated firms are under additional scrutiny from the UK’s Financial Conduct Authority (FCA) and may even be subject to fines from multiple regulators. It should also be noted that there is a memorandum of understanding between the FCA (which has now taken over the duties of the CRM) and the ICO about how they deal with enforcement issues. We, therefore, expect to see further overlap between these regulators as the awareness of data protection continues to grow.
Final thoughts
The importance of proper due diligence when using data collected by third parties is not just UK-specific. For example, the draft regulations issued under the California Consumer Privacy Act of 2018 (CCPA) would impose due diligence requirements on companies that “sell” personal information that they did not collect directly from the consumers: specifically, the draft regulations would require such companies to confirm that the source of the information provided appropriate privacy notices to the consumers, and also obtain a signed attestation from the source of the information describing how the notice was provided, and including a copy of the notice.[4] Although these draft regulations are not yet final, FTT’s decision in the UK, and the draft CCPA regulations in the U.S., suggests that companies may face heightened expectations to conduct due diligence when acquiring consumer data from third parties.
[1] https://ico.org.uk/media/action-weve-taken/mpns/2614866/hall-and-handley-ltd-mpn-201905.pdf, para. 20.
[2] PPI was designed to cover debt repayments in certain circumstances. It was often sold to UK consumers when they purchased credit arrangements or loan products. After an investigation, the UK’s Financial Conduct Authority (FCA) found that PPI was often mis-sold and, therefore, introduced rules that allowed customers to potentially reclaim the cost of the PPI from banks and other providers.
[3] Principle 2(e) of the Conduct of Authorised Persons Rules 2014.
[4] Draft CCPA regulations at 999.305(d)(2).
[View source.]
