Thanks for
comments Anne,
However the
key issue here is that the list is provided to you from another company so all
you get is a contractual warranty over their right to trade in the data assuming
you played safe. You have nothing
in your possession apart from the email addresses you purchased/obtained. Such
a list by itself is I believe is debateable as personal data. If you accept the email address alone is
personal data the best you can do is to notify the individual via email of the
information a data controller is required to provide under section 2(1)(b) and
offer them the possibility of deleting it. Opt out lists in this situation appear pointless as they
would only hold the same entry as the email list purchased
Also technically
under the phrasing of the Acts Section11 and the definition given to processing
in Section 1(1), creating an opt out list does not work as the right an
individual has in Section 11 is to opt out of any ‘processing for the purposes
of direct marketing’. When operating an opt out list it appears a controller
can never comply with Section 11 as they must always ‘process’ personal data when
utilising an opt out list even where the opt out list itself does not contain
personal data.
I assume however
the Commissioner will not pursue or support any arguments that a breach of
Section 11 occurs simply by running an opt out process.
Data is
processed fairly if you meet a schedule 2 processing condition (in this case
legitimate processing) and have not already received a prior notice asking you
not to process the email address. This is hardly likely as a person does not
yet know you have their email address unless the seller has told them.
Not sure
giving two opt out boxes works if challenged given the right is to opt out of
all processing for any direct marketing so why should I have to tick two opt
outs.
Opt in works
better in this scenario. The Direct Marketing opt out right is not necessarily
an opt out from a controller passing a list to a third party this only appears to
work if the purpose of passing the data is that defined by the direct marketing
definition in Section 11. I wonder if anyone else has a view on this point.
As ever with
the drafting of this legislation everything is not quite as it seems at first
glance.
David
Wyatt
-----Original
Message-----
From: Anne Kipling
[mailto:[log in to unmask]]
Sent: 14 November 2000 15:22
To: Dave Wyatt;
[log in to unmask]
Subject: Re: Email marketing
Dave
> If they then send a marketing email to the
email address they
> have been supplied with which they clearly collected with the
> intention of targeting marketing.
Before using the list, the company should check on the wording of the opt- out
clause which was used when the data was collected. One of the clauses put
forward at a data protection conference, as a good example, read something
like:
"We will not pass your name and address to other departments within [the company]
or to other companies for marketing purposes without
your consent. By signing this application form you are giving us your consent, unless you tick this box."
On one of our forms, we give two opt-out opportunities, one relating to the
passing of details to our marketing department and another relating to the
passing of details to external, relevant organisations and societies.
If the individuals on a mailing list had signed a form with a very general
clause ("I agree to my details being used for marketing purposes"), I
would say they had been given insufficient information (Prin 1) to justify the
passing on of their details to a third party. When I read a DP clause asking me
for permission for direct marketing, I assume (perhaps naively) that the
company will use it for their own marketing purposes only.
Anne
Anne Kipling
Information Security Officer
Oxford Brookes University