None of the consents reviewed by auditors ... were valid under the GDPR.
These are the same data brokers who you are most likely to get your data from. Experian, Equifax and Callcredit/TransUnion are not foolish, and they do not merely accept the assurances of these data suppliers. The problem is with the way these data brokers are gaining consent, and then how it is being used by the CRAs. You might well ask why aren't the ICO taking action against these data brokers? As section 81 of the Enforcement Notice issued against Experian states:
Other controllers in other or linked industries may also become the subject of regulatory investigation and action on the part of the Commissioner in due course.
So it may just be a matter of time!
Just to clear up a misunderstanding we hear from time to time, when we talk about 'consent' and 'opt-in', they can seem like different things, they aren't. Consent and opt-in are the same thing.
What about the consent gained by these data brokers means it is not fit for purpose?
Validity of consent
For consent to be valid it must be ‘informed’. The ICO has always been clear that this requires the data subject to know who will eventually be using the data, or 'the identity of the controller'. Indeed, in their What is valid consent? webpage, the ICO explicitly states:
If you buy in ‘consented’ data, that consent is only valid for your processing if you were specifically identified.
Most data licensed from a ‘data broker’ will fail to meet the validity test, since your organisation will not have been explicitly named when it was collected.
Be aware, some brokers have tried to include huge lists of every company listed at Companies House, for example, as potential users of the data. This is also not valid, the ICO make it plain that the information must be readily understood by the data subject. In section 53 of the Experian Limited Enforcement Report the ICO explain that notifications can faile to be sufficiently transparent if they are
overly generic ... overly simplistic ... or overly long
If you use data on the basis of ‘consent’ which is not valid, you will have broken the law.
Using data on a different legal basis
You may believe you can use data for direct marketing because of your 'legitimate interest'. This may be true in some circumstances, but using data on the legal basis of ‘legitimate interests’ when it was collected on the basis of ‘consent‘ is also not legal.
The ICO is clear, if data is gained on the basis of consent to direct marketing, then consent is the only basis upon which it may be used for direct marketing, that consent still needs to be valid of course. In fact, Section 3 of the Terms of the Enforcement Notice states that within 3 months Experian must:
Delete any data supplied on the basis of consent which is now being processed on the basis of Experian's legitimate interests.
If you use data on the basis of ‘legitimate interest’ when it was gained on the basis of ‘consent’, you will have broken the law.
How does this matter to you?
Many data brokers claim to be able to provide you data ‘with consent’, or ‘opted-in’ data. The two points above show how this is very unlikely to be the case. If your data broker suggests this, you are probably being misled!
In the past, if things went wrong, you could point the finger at your data broker and suggest they should be responsible. NOT ANY MORE.
GDPR has a core principle of ‘accountability’, meaning you are responsible. The only way you can avoid the blame is by ‘demonstrating you are in no way responsible’. This is a deliberately high bar.
Regulators have had enough of data subject rights violations being dodged by mutual finger-pointing. The law now says everyone involved is responsible, so blaming your data broker doesn’t get you off the hook, you just need a bigger hook, because you are both on it.
Isn’t this all a storm in a teacup?
That used to be one of the prevailing thoughts about GDPR, that nothing would happen, like Y2K. Recent events are shaking that view. The ICO used to be perceived as a weak regulatory body that seldom used the extent of its powers.
The Experian enforcement notice, together with actions against BA, Marriot Hotels and others, tell us those days are long gone. As data subjects, we should be delighted, as marketers, we should be cautious, and diligent.
What can you do about it?
Logic dictates if you use data from a pre-compiled list, it cannot have consent or be opt-in, because the data subject could not have known you would use it when they gave their consent, so it cannot be informed, and thus is not valid.
The only way consent or opt-in can be valid is if it was gained by you, or specifically for you, normally as a specialist research process, or list-build, where your use is mentioned when consent is given.
If any data broker tells you otherwise, don’t use them!
This isn't news
Back in October of 2017, we published our blog item The problem with consent covering exactly this topic in even greater depth. The ICO are now showing our interpretation is correct.
One final thought
In case you didn’t already notice this, the ICO are now seeding ‘publicly available’ data on the web. They currently do this to understand how data is harvested and used, but it would be foolish to imagine this will never be used to identify those flouting the rules.
These sources could be LinkedIn, blogs, websites, social media, in fact any place where personal data could be displayed and harvested.
Undoubtedly the safest bet is to use a reputable data broker for your data needs.