Direct Marketing – Guidance on buying and using marketing lists

22 December, 2015

The recent case of Optical Express highlighted the problems with trying to use third party marketing lists unless you have directly received from the people on the list their agreement to receiving marketing from you in relation to the particular products or services you are promoting.


There are a number of different laws which regulate sending marketing texts and emails, the main ones being the Data Protection Act 1998 (the DPA) and the Privacy Regulations[1], and this area is legally complex. The key question is what is meant by “consent” to receiving marketing communications under the Privacy Regulations.


Optical Express was stopped (via an Enforcement Notice from the Information Commissioner) from using marketing lists which it purchased, presumably in good faith, from Thomas Cook. The people on the lists had indicated (via a tick box) they were happy to receive marketing communications from third parties, so Optical Express (OE) sent them texts relating to laser eye surgery. A number of people complained to the Information Commissioner (the Commissioner) who investigated, and issued an Enforcement Notice under the DPA for breach of the Privacy Regulations.


The Commissioner’s view was that the customers should have been told at the time their data was collected that it would be passed to OE, and he was unhappy that OE had not provided any direct evidence of consent of the people on the list to third party marketing (through copies of forms, voice recordings or any fair processing notices which named OE for example).   The Commissioner contacted some of the individuals concerned who OE maintained had consented, but of those successfully traced all 3 of them said they had completed a travel survey for Thomas cook but did not consent to OE contacting them. The Commissioner concluded that OE had breached the Privacy Regulations because it had sent unsolicited text messages, and not got the required consent from the recipients.


OE appealed against the Enforcement Notice, but its appeal was refused and the Tribunal[2] issued a judgement which interpreted section 22 of the Privacy Regulations to mean that individuals needed to know the identity of the marketers in order to validly consent. According to the Tribunal, the informed consent required under the Privacy Regulations means the consent needs to be given to the sender in order to be valid. The Tribunal also found that under the DPA a person needs to be told what other products may be marketed to him if they are different from those of the party who originally obtained the consent.  The Tribunal decided it was irrelevant that the recipients had been given the right to opt-out of receiving marketing texts and was unswayed by OE’s suggestion that recipients may simply have forgotten that they opted-in to the communications (both because the Tribunal felt that OE could have checked its records to ensure consent has been obtained and because it had decided that that opt-in consent wasn’t sufficient anyway). The Tribunal emphasised that the complaints received in relation to the marketing campaign indicted that the recipients viewed the texts as unsolicited. Also to note is that the court found that it was for the person sending the marketing communications to prove that the recipients had consented, underlining the importance of keeping accurate records of consent (both by the original service supplier and by the subsequent marketer).


So where does that leave the use of purchased lists? A third party cannot get direct consent itself because it is not permitted to contact recipients to ask for that consent in the first place (unless it has previously provided goods or services to the recipient). There may still be some scope for relying on “indirect consent” (i.e. the list-seller getting consent to your use of the list) as the Commissioner has previously agreed this may be acceptable if “clear and specific”, but this will need to be done very carefully. Even if there is still some scope for legal argument over the Tribunal’s interpretation of consent (on the basis that this is still a lower court), the decision means the use of purchased marketing lists will likely continue to be subject to enforcement action by the Commissioner where the marketing has caused people to complain to him. In the OE case people had noted in their complaints the time of the messages sent (some in the middle of the night) and the fact that the recipients considered them “spam” and “unsolicited”, which reflected the fact that they either had not consented or had forgotten that they had consented.   Recipients may be more likely to forget they have given consent if there is a long time delay between when they have consented and the sending of the marketing communications and if the relationship between the original business and the subsequent marketer is not obvious and/or the connection is not made to them in the marketing communication. Working on reducing the likelihood of people complaining about receiving direct marketing may help keep marketing campaigns off the Commissioner’s radar.


Whilst Optical Express may not have suffered a fine for what it did, it will no doubt have incurred significant costs from defending and appealing the ruling from the ICO and the Tribunal and will have wasted money on buying the marketing lists in the first place, as well as suffering reputational damage from the case. The relevant contractual provisions between Optical Express and Thomas Cook will need to have been carefully drafted in order for OE to be able to get its money back from Thomas Cook.


[1] The Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (Privacy Regulations) as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208) from 26 May 2011 together with the Information Commissioner’s guidance.

[2] The First-Tier Tribunal (Information Rights)