Utilizziamo cookie tecnici per personalizzare il sito web e offrire all’utente un servizio di maggior valore. Chiudendo il banner e continuando con la navigazione verranno installati nel Suo dispositivo i cookie tecnici necessari ai fini della navigazione nel Sito. L’installazione dei cookie tecnici non richiede alcun consenso da parte Sua. Ulteriori informazioni sono contenute nella nostra Cookie Policy.



Marketing - Be careful when buying databases

PrintMailRate-it

​​​​​​​​​​​​​​​published on 27 May​ 2024 | reading time approx. 6 minutes


In their legitimate effort to broaden their audience through targeted B2B or B2C mailing campaigns, businesses often resort to purchasing personal databases, particularly from brokers.

However, the sale, purchase and use of massive databases is a common yet very delicate practice, particularly for private individuals, where companies frequently overlook GDPR and specific French rules, leading to illegal marketing practices and possible fines and litigation.

The purchase of databases for B2C commercial prospecting purposes

The rules on commercial canvassing of private individuals are strict, and even more stringent when they are not existing customers of the company, but mere prospects acquired in bulk, usually from a data broker.

Sending prospecting emails to existing customers is based on the legitimate interest of businesses to canvass its customers, provided they have been properly informed in advance of such processing and are given the possibility to “opt-out”. In contrast, selling personal data from non-customers as well as canvassing prospects follow the “opt-in” principle, meaning that prior consent has been obtained initially.

Therefore, significant challenges arise when a database of prospects is acquired in bulk from a broker for marketing purposes: did the seller properly informed the concerned individuals been and did he obtain their unambiguous consent (i) to such transfer of their data to a third party and (ii) for marketing processing by said buyer? As a reminder, as to mailing, consent is usually obtained by ticking a box in response to the related information.

Hence, the challenge with databases purchased from a broker (usually online via terse general terms of sale) is that the purchasing company usually knows neither the broker (who is often located abroad), nor the conditions under which the data were initially collected and for what purposes, especially when sold on a large scale.

At the end, it is the responsibility of the buyer, as data controller operating prospection campaigns, to ensure, through detailed checks and negotiations, (i) that the database for sale - and therefore the broker - complies with the  rules on the protection of personal data and (ii) that it will provide the necessary information to recipients, ensure that their consent (and related withdrawal right) is respected. 

On April 4, 2024, the French CNIL fined the company Hubside.Store  Euro 525000 for failing to comply with the GDPR and e-communication regulations. Hubside operated SMS and telephone prospecting campaigns, after purchasing database from various sellers (brokers, publishers of games/contests and product testing sites). The breaches sanctioned were as follows:
  • Brokers failing to correctly obtain the informed and specific consent of individuals for such data transfer and marketing purposes via Hubside; 
  • Failing for the brokers to inform individuals of the legal basis for such marketing processing by Hubside;
  • Failing for Hubside to correctly and exhaustively inform the people canvassed of the details of such marketing processing.

The purchase of databases for B2B commercial prospecting purposes

Under French law, the rules for commercial prospecting are more flexible when targeting professionals. Unlike B2C canvassing, B2B prospection is authorized on the basis of businesses’ legitimate interest in canvassing other professionals, provided (i) it includes and respects an opt-out right, enabling the recipient to object to such communication and (ii) the communications are relevant to the activities of the professionals.

Two distinct regimes are to be distinguished: those targeting generic emails and those concerning personal business emails.

Generic emails like ‘info@company.com’ fall outside the scope of personal data regulation. These non-identifying email addresses may be freely used for prospecting purposes without prior consent or prior information, though rarely relevant to marketing communications. Nevertheless, the communication must provide information about the prospecting company and include an opt-out option, for example by means of a simple, free unsubscribe link in the e-mail. In any event, any opt-out request must be dealt with promptly.

When purchasing database containing such generic emails, the company must at least demand a guarantee from the seller/broker that these contacts have not already opted out (a very theoretical hypothesis, however).

Conversely, emails containing personal data (e.g. name, surname…), through inherently less sensitive than private email addresses, are subject to the more demanding GDPR and e-communication regulations.

As a consequence, when purchasing such emails database, companies must first ensure that:
  1. the seller or broker which collected and sells the personal data duly informed the data subject of such possible transfer, of the considered purpose thereof (i.e. marketing), of the identity of third-party recipients and of their right to opt-out;
  2. none of these professionals came forward to object to this treatment (opt-out).

In practice, to this end, the purchaser can require the vendor (a fortiori broker) to provide positive proof of such information and absence of opt-out, or at the very least require the vendor to provide a guarantee in this respect. This is very rarely the case in contracts for the sale of databases, which are often too brief, the purchaser being satisfied with being able to easily exploit a massive database…despite the risks!

Secondly, once they have ensured that the database they have purchased is lawful, the acquiring company must in turn:
  1. provide prospective customers, in their communication, with information about this data processing for marketing purposes, as for any personal data processing;
  2. give them the possibility of opting out and, in this case, ensure that communications to these people are stopped;
  3. ensure that the subject of its communications pertains to the activities of the targeted professionals.

Failure to comply with such legal requirements, any processing based on such a database carries the risk of complaints, claims, and administrative fines or judicial sanctions. There is also a significant commercial and economic risk, that of displeasing certain very legalistic prospects, which could damage the image of the prospecting company.

The acquisition of prospect databases for marketing purposes presents many risks of unlawfulness, and therefore requires a high level of vigilance, contractual negotiation and compliance with the rules applicable to both personal and professional data.

Faced with sellers or brokers who are often located abroad and only have a presence online, and therefore with the difficulty of effectively taking action against them, it is essential for companies considering acquiring this type of database not to be satisfied with the apparent ease of acquiring massive amounts of data, but to carry out proper checks on the databases for sale and negotiate highly protective contractual clauses with these sellers, so as to ensure that their considered prospecting process is lawful. 

If they fail to do so, they run the risk of being the subject of complaints from recipients (individuals or professionals), of sanctions from the authorities (CNIL) or competent courts, and of developing a negative customer experience.​​​​​

 DATA PROTECTION BITES

author

Contact Person Picture

Frédéric Bourguet

Avocat

Associate Partner

+33 1 8621 9274

Invia richiesta

Contact Person Picture

Raphaëlle Donnet

Avocate

Associate

+33 1 7935 2542

Invia richiesta

 RÖDL & PARTNER FRANCE

​Discover more about our offices in France. Read more »​​
Deutschland Weltweit Search Menu