So, what’s happened? The UK Information Commissioner’s Office (the “ICO”) has fined a company which runs Emma’s Diary—a popular mother-and-baby website—£140,000 for allegedly unlawfully selling personal data about new and expecting mothers and their babies for use in political marketing.
What did Emma’s Diary do? The ICO found that in May 2017, Emma’s Diary sold over 1 million records about mothers and young children (including names, addresses and children’s birth dates) to Experian Marketing Services, acting on behalf of the UK Labour Party. Experian ostensibly bought the data to help the Labour Party target political marketing communications to people with young children in the run-up to the 2017 General Election.
Where did Emma’s Diary go wrong? From the ICO’s findings, Emma’s Diary appears to have made two mistakes. First, it apparently didn’t have a lawful basis on which to share the personal data with Experian or the Labour Party. Second, the ICO found that Emma’s Diary’s privacy notices did not tell users that their personal data might be used or shared for political marketing purposes. The ICO therefore considered that Emma’s Diary had breached its obligation to process its users’ data fairly and lawfully, and to be transparent with users about how their data was used.
How could Emma’s Diary have avoided this? Based on the ICO’s findings, when users signed up to Emma’s Diary, it could have told them that their personal data might be shared with third parties for political research and targeting purposes, and then asked for their consent to such data sharing.
What can we learn from the fine? The fine was issued under the pre-GDPR regime as the alleged misconduct happened before 25 May 2018. Nevertheless, businesses can still learn from it as the same concepts and requirements apply under the GDPR; in fact, the GDPR’s consent requirements are even more onerous. The ICO would, therefore, have reached the same outcome had the violations taken place today.
The fine shows that businesses can expect the ICO to treat data-protection failings very seriously if they put commercial interests above individuals’ rights and reasonable expectations. While £140,000 might not sound like a lot, it equates to almost 10 percent of Emma’s Diary’s 2016 profit and just under 2 percent of its turnover.
The fine also highlights the need to operationalise data protection by embedding it in decision-making processes. This was apparently the first and only time Emma’s Diary sold data for political purposes. If it had “thought data protection” when considering the opportunity, it might have avoided the violation and subsequent fine. In short: Businesses should have procedures to ensure they have a valid legal basis for how they use (or want to use) personal data and are fully transparent with individuals about what they use it for.