Direct Marketing Commission warns of ‘worrying issues’ around data consent


The Direct Marketing Commission received 230 complaints for the year ending 30 June 2016 – largely as a result of complex supply chain and consent issues.

data-breachCompanies aren’t taking enough care with their direct marketing activities, particularly when it comes to getting consent to share customer data and maintaining consent when data is shared via a complex supply chain.

This is the message coming out of the Direct Marketing Commission’s (DMC) latest annual report, where Chief Commissioner George Kidd said that there were “recurring and worrying issues that need to be addressed”.

The DMC is the body which oversees and enforces the Direct Marketing Association’s code, which is intended to give effective protection to recipients, users and practitioners of direct marketing. Direct marketing is common practice for many businesses and has grown in popularity with the ever increasing availability of digital channels.

However, for the year between 1 July 2015 and 30 June 2016 the DMC received 230 complaints. During the year in question, the Commission Board formally investigated six businesses, four of which were found to be in breach of the Direct Marketing Association’s code.

DM Commissioner George Kidd said:

We have seen a number of recurring and worrying issues that need to be addressed and these continue to revolve around the clarity of the consents that businesses believe they have when marketing by telephone, text or e-mail and the extent to which these consents are given – or claimed – by some third-party suppliers of data.

In almost every case the Commission considered we found ourselves looking at lengthy supply chains that resulted in messages and calls to people who had made clear they did not want these and had not agreed to them.

We found e-mail marketing businesses relying on affiliates and then sub-affiliates to supply data or to carry out marketing on a delegated basis. This resulted in a situation where the marketing company and the brand being marketed had no idea as to the number and nature of affiliates pushing their product and no way of knowing whether the messages were being doctored or people being contacted without have given consent for this marketing.


The report provided detailed examples of the cases investigated to outline to other businesses how not to make similar mistakes.

For example, a complainant had been receiving unwanted text messages over the Christmas period last year, offering the opportunity to place bets with a gambling company. The lengthy supply chain which resulted in this text messages involved three companies and centred on the supplier of data of over 2 million consumer records.

The complainant was certain that he had not consented to receive the messages and had uncovered a lengthy supply chain over which his data was passed. The messages received were also mis-matched to an incorrect name.

The DMC found that the companies involved had breached rules that ensure data is properly sourced, permission and cleaned and that they act decently, fairly and reasonably.

The report states:

Where there is some form of value chain and where the member is using suppliers for a service to provide opted-in data to an explicit channel and sector, the Commission looks for assurance that sufficient due diligence is undertaken to show that supplier arrangements are compliant. Given the high volume of records required for this order, the ‘sensitive’ nature of gambling and the requirements for the provision of clearly opted-in data, each member in the supply chain had a responsibility to undertake adequate controls and checks.

Another example, saw a complainant receive unwanted calls from a telemarketer fundraising on behalf of a cancer charity. It transpired that the data had been sourced form a telemarked in India. The telemarketer had conducted a telephone survey designed to create ‘opt-in’ leads for a variety of charities and commercial companies but the member had not been aware that it had relied on another sub-contractor to provide a database of UK numbers to call.

security-lock-in-cloudThe member knew little of the sub-contract arrangements, had not visited the Indian telemarketer and did not seem, at the time, to have arrangements in place to effectively test whether the processes they had set were being followed. The report states that the DMC was also concerned about the overall vagueness of the information given to those who were called in terms of what consent they were being asked to give in agreeing to receive future marketing calls as a result of answering survey questions.

The Commission found four breaches of the code rules relating to the buying and renting of personal data in this case.

DMC Commissioner Kidd said:

What struck us in these and other situations is that we were dealing with businesses which are in the business of generating leads, securing consents and using data responsibly. That is what they do. It is all they do.

It’s never OK to break laws, ignore regulations and not follow industry codes. But there are times when this might happen when a business is only briefly engaged in securing consents for some kind of marketing campaign.

But its far harder to understand why some businesses that are in the “data business” don’t have the processes, the checks and balances, the audit arrangements and the simple good sense and sense of responsibility to who is supplying their data, to know how the data was generated and to understand what it can and cannot be used for.

My take

It’s amazing how quickly companies forget the responsibility they hold to protect a customer’s data. Most customers are willing to be marketed at, if they feel like it’s being done fairly and proportionately.

Companies that hand off data and don’t seek consent throughout their supply chain are taking advantage of customer trust. Processes, checks and controls should be in place and companies should be enforcing them regularly. Without that, customer loyalty can quickly dissipate.

Image credit - Data breach concept image with business icons and © ar130405 -; Digital safety blue concept © Sergey Nivens -