The UK Information Commissioner’s Office (ICO), which enforces data protection legislation in the UK, has fined a company £20,000 (approximately 24,000 USD / 23,000 EUR) for not exercising sufficient due diligence when buying and using marketing databases.
The ICO found that over 580,000 individuals’ contact details had been obtained by The Data Supply Company Ltd (“TDSC”) from sources such as financial institutions and competition websites, and then sold on to third parties. This had led to at least 21,045 unsolicited text messages and 174 complaints.
Because the data was used for direct electronic marketing (by email, SMS, etc.), TDSC was not entitled to rely on its data sources’ generic consent requests, such as “We may share your information with carefully selected third parties where they are offering products or services that we believe will interest you”, nor even fuller notices that disclosed “long lists” of general categories of