Misuse of personal information by marketing agencies and the data breaches that follow
Marketing agencies, advertisers and data brokers handle large volumes of personal information – names, email addresses, phone numbers, postal addresses, online identifiers and profiling data. When that information is collected or used unlawfully, it is a misuse of personal data and it frequently leads to data breaches that harm the public. This article explains the rules, what goes wrong, the consequences, and how to protect yourself.
The rules that apply to marketing
Two sets of rules work together:
- UK GDPR and the Data Protection Act 2018 – require a valid lawful basis to process personal data, transparency about how data is used, data minimisation, accuracy, and appropriate security.
- Privacy and Electronic Communications Regulations (PECR) – set specific rules for electronic marketing by email, text, phone and similar channels, including when consent is required.
Common forms of misuse
- Buying or selling marketing lists without valid consent – using bought-in data where people never agreed to receive marketing from the organisation contacting them.
- Using data brokers without due diligence – relying on third-party data without checking it was collected fairly and lawfully.
- Ignoring opt-outs – continuing to contact people who unsubscribed or registered with the Telephone Preference Service.
- Excessive profiling and tracking – combining data sources to build detailed profiles people are unaware of.
- Lack of transparency – failing to tell people who their data will be shared with.
How misuse leads to data breaches
A personal data breach is a security incident that leads to the accidental or unlawful loss, destruction, alteration, unauthorised disclosure of, or access to, personal data. Misuse in the marketing chain commonly causes breaches such as:
- Unsecured marketing databases being exposed, hacked or leaked online.
- Personal data shared with third parties who were never authorised to receive it.
- Emails that disclose recipients’ addresses to each other (for example using “To” or “Cc” instead of “Bcc”).
- Profiles and contact lists sold on without people’s knowledge, fuelling spam, nuisance calls and scams.
Consequences for organisations
The ICO can investigate and take enforcement action, including reprimands, enforcement notices requiring changes, and substantial monetary penalties. Organisations that send unlawful marketing or fail to protect data can be fined and named publicly, and they must report serious personal data breaches to the ICO within 72 hours of becoming aware of them.
How to protect yourself
- Be cautious about who you give your details to and read privacy notices before consenting.
- Use your right to object to direct marketing – organisations must stop when you ask.
- Register with the Telephone Preference Service to reduce unwanted sales calls.
- Make a subject access request to find out what an organisation holds about you and where they got it.
- Report unwanted marketing or suspected misuse to the ICO.
Where to get more help
See the ICO’s direct marketing guidance at ico.org.uk or contact the ICO helpline on 0303 123 1113.
Source: Information Commissioner’s Office (ico.org.uk). Contains public sector information licensed under the Open Government Licence v3.0.
