If nothing else the General Data Protection Regulation (“GDPR”) brouhaha has emphasised the importance of using accurate “clean” personal data. This article looks at the legal aspects of purchasing marketing lists – until recently the 21st century equivalent of horse-trading.
Many years ago the writer changed his email address to a new variant of his old email address. Even now, fourteen years later he gets emails addressed to his old email address. This demonstrates how out of date a lot of the information being used is.
There are two main things that you need to do in the contract with the person selling you the marketing list. First you need to get them to warrant that the personal data has been lawfully obtained by them in full compliance with the GDPR and other relevant regulations. Secondly, you need to get an indemnity from the seller against any loss that you suffer as a result of a breach of that warranty. The worry is that the seller has copied the list from somebody else without permission and you find that it is protected either by copyright or by database right as well as potentially being a breach of the GDPR.
Your obligations as a purchaser of the personal data do not stop there in that you cannot get rid of the responsibility on you simply by having a watertight contract with the seller because they may be misleading you. You also need to carry out your own due diligence in relation to the personal data that you are purchasing to check that it has in fact been properly collected. One way of doing this would be to choose at random a few of the names and ask the seller to demonstrate to you with appropriate paperwork that that personal data was collected properly and can therefore be passed on to you.
As always, when there is a large legislative change such as GDPR there is a “flight to quality”. In the writer’s view, the value of good quality properly collected personal data has gone up considerably as a result of GDPR as the tighter regulations will drive out the backstreet sellers of data.