It is fair to say that lead generation companies have never enjoyed the best press coverage, especially as many of the brands which fall foul of the Information Commissioner's Office blame these data suppliers for providing what turns out to be rogue information.
Of course, this has not gone unnoticed at the ICO's offices: last month, the regulator published the latest findings of its mystery shopping exercise - dubbed "Operation Bowler 2" - against those data suppliers it suspects of gathering and using marketing data illegally.
The crackdown, first launched in 2015, was the first time the regulator had proactively hunted down rogue businesses, even though, by its own admission, many firms are unwittingly breaking the law.
In cases where the ICO managed to speak to organisations about how the data had been gathered, they peddled virtually every excuse under the sun, including using sources such as online surveys or competition websites and third-party insurers, with one even saying it could only provide details through a "subject access request".
Although none of the companies was named in the report, an ICO ruling back in February provided clues to what any company in its sights can expect, when list broker The Data Supply Company was fined £20,000 for buying people’s personal details from various sources before selling them on to other companies for marketing.
At the time, the ICO said: “Whether your company is collecting, using, buying or selling people’s personal information, it must be clear and open with them about what it plans to do with their details. Fail to do so and your firm is breaking the law and risking a hefty fine.”
The regulator vowed to come down hard on companies selling marketing lists containing the details of people who have not been told how their information will be used. In the past, data suppliers have routinely escaped censure as it has always has been the responsibility of the company which runs the direct marketing activity to ensure the lists they source are compliant.
One of the places The Data Supply Company acquired personal information was from other firms’ websites, where many of the privacy notices were too general and unspecific to comply with the law. This is an issue which is still plaguing the charity sector: the regulator recently revealed it is investigating 24 companies as part of its inquiry into third-sector marketing, including St Ives-owned business Response One, after it slapped nominal fines on the RSPCA and the British Heart Foundation. Both charities had shared hundreds of thousands of donor records through Response One’s now defunct data pool Reciprocate without gaining adequate permission through their privacy notices.
Meanwhile, an undercover investigation by Which? into legitimate list brokers found that some were selling illegally-gathered sensitive personal and financial information on an industrial scale. Rogue practices included one company issuing an invoice for nearly 500,000 pieces of personal information covering individuals with a household income of £40,000-plus including phone number and address at just 4p each.
Within the wider UK industry, it has been an obsession with getting cheap leads which many argue has seen corners cut and much needed data checks simply ignored. As Sue Nelson, managing director of TPL Media, explains, this is one area where the advent of the General Data Protection Regulation (GDPR) could have a positive effect.
"Clients will need to be wary if the cost of data is too good to be true."
"The drive for quality and compliant data will be from both the companies providing lists and lead generation services, and the end users. Clients will need to be wary if the cost of data is too good to be true. There needs to be a greater appreciation of the investment that lead generation companies should be making if they are to adhere to the GDPR principles, which does not stack up with cheap prices,” she says.
The proliferation of sources that now capture customer data, from digital marketing (websites and mobile web) and sales (retail and e-commerce) to direct customer contact (face-to-face or contact centres) means there is a seemingly limitless supply of customer information. But, with accurate customer data now moving from a "nice to have" to a legal requirement under GDPR, how can brand owners ensure the data they buy-in is legal?
Dene Walsh, head of compliance at Verso Group, believes that all too often the basics are over-looked. He says: "Buying lead generation data requires an overlapping checking protocol to ensure really effective due diligence. The first point, which by no means provides bullet-proof reassurance, is knowing the reputation of the supplier and what professional bodies they belong to, plus any accreditation they may have. This may quickly flag up a warning sign that could save time.”
He adds: ”Compliance checking should then include asking to see opt-in permission wording for the data concerned, whether it is from a script, a website or other source. It must be thoroughly assessed. Part of this process should be the examination of samples to ensure capture was correct. If data purchase is over an extended period, samples should be checked routinely. This is because what is correct initially may slip over time and can catch the unwary buyer out."
Michael Winniczuk, director at The Media Octopus, agrees: "Brand owners can ensure their data is compliant at the initial contract stage, but where did the suppliers get the data from? Mr Smith’s details could have been sold by multiple data companies, but when and how was it opted-in? There are still a lot of blurred lines."
Nelson explains that contractual terms have included data provenance for a long time, but adds: "This now should extend beyond ownership of data, to include specific terms on how consent was obtained.”
She says: ”Ensuring the accuracy of personal data becomes more challenging for online lead generation companies as there is already an existing problem with the quality of leads generated through this method, particularly where data comes from incentivised traffic. Telephone lead generation firms mostly outsource their call centre activity, so ensuring that the call centre is reliable and adhering to compliant and quality processes becomes even more critical."
If in doubt, Walsh says companies should always be prepared to ask the appropriate regulator for advice. Whether it is about the data seller or the process involved in the data capture, regulators provide the last word on compliance assessment. If there are any concerns, ask the relevant authority body for advice. "They are a very useful safety net," he insists.
However, the holy grail of 100% clean data is looking as elusive as ever, says Nelson, as there is no definitive source to cross-check accuracy. She adds: "Industry suppression providers have been actively promoting their files, but even they would agree there is no single-source solution. Given the cost of these data sets and the way companies rely on them, we hope there will be equivalent GDPR data accuracy regulations covering suppressions."
Winniczuk adds: "Data can never be 100% clean. We live in a real-time world, where data changes and decays. People move house, they change telephone numbers. The Telephone Preference Service proves that data can never be 100% clean - one day you’re not on it, but the next day you are."
And, according to some, the future of the lead-generation market could be secured through an unlikely source - the humble telephone. When asked whether gaining leads through telemarketing is past its sell-by date, Nelson says: "On the contrary, telemarketing lead generation, in our opinion, would prove to be one of the most transparent forms of consented data. The purpose of the call and the use of personal data can be clearly explained to the consumer. Call recordings also provide clients with a method of ensuring compliance."
"People celebrating the end of telemarketing as a channel are forgetting the jobs that will be lost as a result."
It is a discpline which Winniczuk also supports. He explains: "The simple fact is that the telemarketing industry provides the UK economy with hundreds of millions of pounds a year, often providing work in impoverished areas. By people celebrating the end of telemarketing as a channel, they are forgetting the jobs that will be lost as a result. The call centre industry employs well over 1 million people in the UK. "
He believes that, all too often, telemarketers are the scapegoats. "Stop the public hanging of people who have inadvertently broken the law and, in most cases, been unaware of the law. Genuine business owners might make a mistake and the powers that be dishing out the fines are high-fiving celebrating another scalp,” he says. "This really annoys me. Yes, I think some people are flouting the law in some cases, but some are genuine mistakes due to lack of knowledge, awareness or complicated rules that are often misinterpreted.”
One thing is sure, however, improving the quality of customer contact data will take an organisation-wide approach. Once data is validated, businesses need formal, continuous data-cleansing and enhancement processes to keep customer information accurate, permissioned and compliant over the long term, whatever the source.
And Walsh is in no doubt where the responsibility for this lies. He concludes: "At no time should the focus shift from due diligence. No margin should be left for error. If, after compliance checks have been carried out, there is not complete satisfaction that data meets all relevant criteria, then an alternative source of supply should be found. There should be no room for compromise."