Data Protection – Delegating Due Diligence to Others is Rarely Enough

Businesses commonly engage data aggregators and list owners to perform direct marketing campaigns on their behalf. However, as a guideline case showed, such delegation does not relieve them of the obligation to check that recipients of unsolicited messages have given their free and informed consent.

Email notificationThe case concerned a price comparison and technology company which used the email marketing services of two aggregators who in turn engaged a number of list owners to actually send marketing material. An investigation by the Information Commissioner’s Office (ICO) confirmed that, over a period of about 10 months, almost 15 million direct marketing emails sent on the company’s behalf had been received.

The company had placed contractual obligations on the aggregators to comply with all relevant legislation relating to email marketing. However, it had no direct contact with the list owners and delegated to the aggregators the performance of all due diligence required in respect of data used by the list owners.

In finding that the company had committed serious contraventions of the Privacy and Electronic Communications (EC Directive) Regulations 2003, the ICO noted continuing concerns as to whether consents obtained by the list owners from email recipients were freely given, specific and informed.

The contraventions, whilst not deliberate, were negligent in that the company had failed to take reasonable steps to prevent their occurrence. Had it completed the customer journey and performed its own diligence checks, it would have become apparent that, in some cases, list owners required email recipients to agree to marketing as a condition of service. The company’s contractual arrangements with the aggregators did not, in the circumstances, amount to due diligence.

In response to the investigation, the company had changed its business model and had ceased using the aggregators and list owners for direct marketing purposes. In order to promote compliance with the Regulations, however, the ICO imposed a £90,000 financial penalty on the company. That sum was a reasonable and proportionate reflection of the gravity of the contraventions.