We have all been there, scrolling through the endless marketing spam in our inbox – most of the time not even taking any notice on what we are deleting. Throughout the pandemic organisations have also turned to SMS in order to market their business – equally buying and selling personal data illegally in order to find a new customer bases.
Under the General Data Protection Regulation (‘GDPR’) Article 6 specifies that there has to be a legal basis for processing the data – the article also outlines 6 basis that make the processing legal. These are:
- Consent: the individual has given clear specific informed consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Where organisations are using personal data to send unsolicited marketing emails and messages they may be doing this without consent which therefore breaking the law. Not to mention that these are often annoying and frustrating!
Why is a Legal Basis Necessary?
The first principle of GDPR requires that you process all personal data lawfully, fairly and in a transparent manner. If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle. Individuals also have the right to erase personal data which has been processed unlawfully. The individual’s right to be informed under Article 13 and 14 requires you to provide people with information about your lawful basis for processing. This means you need to include these details in your privacy notice.
However the UK Data Protection Regulator the Information Commissioner’s Office (‘ICO’) throughout the pandemic have been having to enforce more and more cases of non-compliance in organisations. For example the ICO reported on the 5th March 2021 they fined two separate companies that sent nuisance text messages during the Covid-19 pandemic have been fined a total of £330,000 by the ICO. Messages from one of the companies prompted a record 10,000 complaints.
The companies in question were Leads Works Ltd and Valca Vehicle Ltd. The ICO fined West Sussex-based Leads Works Ltd £250,000 for sending more than 2.6 million nuisance text messages to customers without their valid consent. These messages, that were sent between 16 May and 26 June 2020, resulted in over 10,000 complaints, the company have also been issued with an enforcement notice by the ICO, ordering it to stop sending unlawful direct marketing messages.
Examples of the text messages include:
“In lockdown and want to earn extra cash? Avon is now FULLY ONLINE, FREE to do and paid weekly. Reply with your name for info. 18+ only. Text STOP to opt out.” The ICO’s investigation found Avon did not send or instigate the text messages.
Valca Vehicles Ltd, following complaints from the public to the ICO, the company was found to have sent more than 95,000 text messages from June to July 2020 without the recipients’ permission. The messages referenced the pandemic and were designed to appeal to individuals whose finances have been adversely affected. This, in the Commissioner’s view, was a clear attempt to capitalise on, and profiteer from, the health crisis.
Examples of the text messages:
“*firstname* Affected by Covid? Struggling with finances? lost job /furloughed? Were here to help! Gvnmnt backed support see if you qualify http://www.debtquity.org”. The company, which is currently operating as ‘Debtquity’ to generate leads for debt management products, has also been issued with an enforcement notice by the ICO, ordering them to stop sending the messages.
A Post Pandemic World…
The future, although uncertain, will involve businesses trying to recuperate what was lost to the pandemic – rebuilding and reimagining marketing. However, it is important to note that despite the fact we have been living in unprecedented times, the UK GDPR as implemented through the UK Data Protection Act (‘DPA’) still has to be followed in order for business to operate legally.
So is buying contacts and sending marketing emails and sms texts impossible under GDPR?
NO – this can still be done but it has to be done in a manner consistent with GDPR. An organisation can purchase personal data such as emails or phone numbers and used them for marketing PROVIDED you can demonstrate compliance with one of the 6 bases named above. Poor value data vendors are continuing with the same poor practices that were actually illegal under the pre – GDPR data protection laws, let alone now. Good vendors are providing due diligence documents demonstrating legal basis, and providing the purchaser with evidence to demonstrate compliance, such as records of consent, showing how and when it was given and for what purpose. Any reputable vendor would be easily able to provide this information on request, so the onus falls on the organisation buying the data and doing the marketing – don’t forget your GDPR due dilligence.
*Spam texts and emails, as well as nuisance calls can be reported through the ICO’s website at ico.org.uk/concerns. Mobile phone users can also report spam texts to the GSMA Spam Reporting Service by forwarding the message to 7726.