Data firms are facing a major crackdown on their practices after the privacy regulator revealed it is targeting more than 1,000 companies involved in buying and selling consumer names and numbers, demanding to know how they comply with the law.
The companies are all believed to play some role in the compiling and trading of lists of names and numbers used by cold callers.
The Information Commissioner’s Office expects the companies to detail how they adhere to the legislation, including what data they share, how they get people’s consent to share their data, as well as a list of all the companies they have worked with in the past six months.
Commissioner Christopher Graham said: “We already know a lot about this sector. We know that it prompts 180,000 complaints a year from consumers, who take the time to report to us the calls they’re getting.
“That information has helped us to make some big breakthroughs in the nuisance calls business, alongside the intelligence we build up from elsewhere, from whistleblowers for instance, or from the network providers.
“We see clear patterns building up and can identify who would benefit from guidance, and who the truly bad actors are. This enables us to execute search warrants, to drag people before the courts, and to issue fines. We’ve got three fines lined up for this week, and that’ll bring us to a total of £1m worth of penalties in this area over the past four months alone. It’s clear we’re getting the job done.
“But there’s a danger that where we remove one of this Hydra’s heads, two grow back in its place. By targeting the illegitimate aspects of the list broking business that fuels this industry, we have the chance to truly strike down this monster.”
The companies being written to have been identified as they are registered with the ICO (as all data controllers must be under law), and their registration indicates they trade or share personal data, some of which may be used for direct marketing purposes.
Details such as how organisations are ensuring they have the proper consent in place to share personal data will inform the regulator’s data protection compliance and enforcement work.
How lists are screened against the Telephone Preference Service, what suppression lists are operated, and the contract terms used when the information is sold will inform compliance and enforcement work under the Privacy & Electronic Communications Regulations.
The information will also help to better inform the ICO’s work in providing guidance and education, both to the list broking sector and the companies who buy from it.
Where companies do not respond to the letter, the ICO will look to take action to require the information to be provided. The ICO has the power to issue Information Notices, which legally oblige an organisation to provide the information, with the threat of court action if they do not. One such company was prosecuted in October, fined £2,500 for non-compliance and still forced to hand over the data.
Just last week Graham reiterated his call for powers to oblige companies in the lead generation and list broking sectors to be audited by his office.
Speaking before the Science & Technology Committee last week, he said: “There would be a question of resources to do this, but I think the lead generator and the list broker sector is also one that it would be very logical for there to be powers to compulsory audit.”
The move comes just days after brand owners and agencies were warned that they face fines of up to £500,000 if they are caught buying dodgy data – even if they were unaware at the time.