Important implication of the ICO enforcement action against Experian
Posted on 17/11/2020 at 14:56By Corpdata
Why?This comes from the interplay of items that crop up in the Experian case. Validity of consentFirstly, consent is opt-in. They are the same thing. For consent to be valid it must have been ‘i…
Unless you gained ‘consent’, or ‘opt-in’, yourselves, using the data is very likely to land you in trouble.
This comes from the interplay of items that crop up in the Experian case.
Validity of consent
Firstly, consent is opt-in. They are the same thing. For consent to be valid it must have been ‘informed’. The ICO has always been clear that this requires the data subject to know who will eventually be using the data, or 'the identity of the controller'. Indeed, in their What is valid consent? webpage, the ICO explicitly states:
If you buy in ‘consented’ data, that consent is only valid for your processing if you were specifically identified.
Most data licensed from a ‘data broker’ will fail to meet the validity test, since your organisation will not have been explicitly named when it was collected.
Be aware, some brokers have tried to include huge lists of every company listed at Companies House, for example, as potential users of the data. This is also not valid, the ICO make it plain that the information must be readily understood by the data subject. In the Experian Limited Enforcement Report the ICO explain that
notifications fail to be transparent overlong (and risking key transparency information being lost in that length).
It seems likely a list of over 4 million companies will be considered overly long.
If you use data on the basis of ‘consent’ which is not valid, you will have broken the law.
Using data on a different legal basis
Using data on the legal basis of ‘legitimate interests’ when it was collected on the basis of ‘consent‘ is also not legal. The ICO is clear, if data is gained on the basis of consent, then consent is the only basis upon which it may be used, that consent still needs to be valid of course. In fact, Experian must delete all the data they process on the basis of their legitimate interests which their suppliers gained on the basis of consent.
If you use data on the basis of ‘legitimate interest’ when it was gained on the basis of ‘consent’, you will have broken the law.
How does this matter to you?
Many data brokers claim to be able to provide you data ‘with consent’, or ‘opted-in’ data. The two points above show how this is very unlikely to be the case. If your data broker suggests this, you are probably being misled!
In the past, if things went wrong, you could point the finger at your data broker and suggest they should be responsible. NOT ANY MORE.
GDPR has a core principle of ‘accountability’, meaning you are responsible. The only way you can avoid the blame is by ‘demonstrating you are in no way responsible’. This is a deliberately high bar.
Regulators have had enough of data subject rights violations being dodged by mutual finger-pointing. The law now says everyone involved is responsible, so blaming your data broker doesn’t get you off the hook, you just need a bigger hook, because you are both on it.
Isn’t this all a storm in a teacup?
That used to be one of the prevailing thoughts about GDPR. That and it was like Y2K. Recent events are shaking that view. The ICO used to be perceived as a weak regulatory body that seldom used the extent of its powers.
The Experian enforcement notice, together with actions against BA, Marriot Hotels and others, tell us those days are long gone. As data subjects, we should be delighted, as marketers, we should be cautious.
What can you do about it?
Logic dictates if you use data from a pre-compiled list, it cannot have consent or be opt-in, because the data subject could not have known you would use it when they gave their consent, so it cannot be informed, and thus is not valid.
The only way consent or opt-in can be valid is if it was gained by you, or specifically for you, normally as a specialist research process, or list-build, where your use is mentioned when consent is given.
If any data broker tells you otherwise, don’t use them!
This isn't news
Back in October of 2017, we published our blog item The problem with consent covering exactly this topic in even greater depth. The ICO are now showing our interpretation is correct.
One final thought
In case you didn’t already notice this, the ICO are now seeding ‘publicly available’ data on the web. They currently do this to understand how data is harvested and used, but it would be foolish to imagine this will never be used to identify those flouting the rules.
These sources could be LinkedIn, blogs, websites, social media, in fact any place where personal data could be displayed and harvested.
Undoubtedly the safest bet is to use a reputable data broker for your data needs.