No easy life for first party data handlers, ICO says

Easylife fine confirms that risk depends on what personal data is processed not who it is processed by.

Last week, the Information Commissioner’s Office (ICO) fined Easylife, a catalogue retailer which sells household items, £1.5 million for using customer health profiles based on purchase history to inform its target marketing. The ICO identified 80 so-called ‘trigger-products’, which, when purchased, would prompt telemarketing calls to promote tailored health-related products. If someone bought a jar opener, Easylife would assume that the buyer suffered from arthritis and so would offer them glucosamine joint patches. [1]  

The ICO decided Easylife’s behaviour breaches data protection law, as the first-party personal data collected as part of a purchase did not have consent for the purposes for which it was subsequently used. 

This is an important lesson for any publisher or advertiser considering the use of first party data or technologies to combine data like clean rooms. It is the harm that matters, not the “how” or “who”. 

Information Commissioner, John Edwards, speaking to BBC Radio 4’s, You and Yours, commented that the critically offensive element of Easylife’s actions was that they were using sensitive information to generate profiles for use in their intrusive telemarketing. In the interview, Edwards describes relatively more or less objectionable examples of medical profiling: whilst some might find targeting arthritis medicine non-intrusive, they might very well have an issue with incontinence products being advertised based on the same process. [2]

The Easylife case and Edwards’s statement answer several important points about advertising: 

Data collection is not all equal: 

Data collection is not the same as the harm’s caused to people. Not all data collection can be treated equally.  Collecting information about an identifiable person’s urinary incontinence is, by Edwards’s measure, arguably, more intrusive than collecting information about someone’s arthritis. Both instances are, however, far more intrusive than using innocuous de-identified data, i.e., information not linked to a specific individual’s identity.  For example, a travel insurance company advertising its products to web browser 782 after that web browser visited a flight booking web site poses far less risk than linking sensitive data to a specific individual’s identity such as an email address. The idea that gradations of risk associated with both identifiers and information, but not related to whether the process is done in house (aka “first party”) or via a partner (aka “third party”), is an important point for regulators to highlight and it is encouraging that it is being raised by the Information Commissioner.  

Easylife is not a case against personalised marketing in general, as the advertising in question relied on “intrusive” telemarketing and used sensitive information linked to specific individual’s identity. All data use should be “open and transparent” and the collection of sensitive personal data, like health information, should require prior explicit consent. However, this is clearly distinguishable from standard interoperable business exchanges of innocuous data not linked to identity. This was evidently not true of Easylife, whose database of sensitive information was linked to specific individuals’ names and telephone numbers.  

It is “What” not “Who” that counts: 

Easylife highlights the false dichotomy often drawn between third- vs first-party regarding user security. The violations in question all occurred on a first party domain, supposedly a safe haven, if Google and Apple are to be believed. Purchasing patterns were analysed by Easylife who used that information themselves to market relevant products. This is a clear demonstration that it is not the “who” or “how” but the “what” that counts when it comes to data protection. This case also illustrates the lack of transparency associated with data processing occurring within a single organisation. In this case, the ICO had to issue information notices forcing Easylife to open their books, a far more laborious and inefficient process than simply monitoring information exchanges across organizations to ensure necessary safeguards are in place to protect users.  

Rejecting the misleading first party “good” – third party “bad” criteria: 

From a user perspective, the oft-repeated line that first-party is “good” and third-party “bad” is simply not true. Ofcom provided research earlier this year which MOW assesses in this article linked here.  

We hope other data protection authorities follow the ICO’s lead in rejecting the misleading criteria internet gatekeepers continue to promote.  

The decision clearly answers some questions, but it also raises others: 

  • A tighter definition of sensitivity is needed. Some medical data handling is concerning. For example, no one wants their medical records to be published. But some medical data handling is helpful. The picture is very different if there are upsides, and it will be important to avoid a blanket ban on all medical cases, so as to take a situational-specific approach. 
  • The role of specific safeguards. Easylife had not used basic safeguards like De-identification, and had married up records with persistent identifiers like telephone numbers. Future cases will need to provide insight on what the expectations are of safeguards that would reasonably handle any risks. 
  • Ensuring compliance by all players. Some large data handlers continue to insist that who handles data rather than what they do is the core risk factor. It will be important for the ICO to continue to clarify that all data handlers, big or small, must meet the same objective standards. 

[1] Catalogue retailer Easylife fined £1.48 million for breaking data protection and electronic marketing laws | ICO

[2] BBC Radio 4 – You and Yours, Easylife Fine; Bogus Bags; Pay As You Can

Header image courtesy of Pexels (licensed for free under the Pexels license)