Disclaimer

The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

Case Study 12 - Night club – collection of mobile numbers for marketing purpose

There is a noticeable increase in the use of text marketing services as a promotional tool in the retail and leisure sectors. During 2005 a number of such promotions were the subject of complaints to my office and I will focus on one particular example in order to highlight the potential problems.

In the second half of the year an  individual contacted my office to complain about the receipt of text messages on her mobile phone.  These messages promoted a night club in Dublin, but the caller did not live in the locality and had never visited the establishment. The sending of text messages contrary to Regulation 13(1) (b) of Statutory Instrument 535 of 2003 is an offence. That states

"A person shall not use or cause to be used any publicly available electronic communications service to send an unsolicited communication for the purpose of direct marketing by means of electronic mail, to a subscriber, who is a natural person, unless the person has been notified by that subscriber that for the time being he or she consents to the receipt of such a communication".

As neither the complainant nor any of her family had any association with the night club, I asked the data controller to explain what justification he had to send such messages.  In his reply, the data controller stated that the complainant's number had been obtained during an in-club promotion.  This conflicted with the complainant's account and so I decided to send authorised officers to inspect the night club records.

The inspection found that mobile phone numbers were collected when patrons of the club filled out a form that was passed around on given nights.  This is not a very privacy friendly way of collecting such details.  Aside from the fact that patrons can read details belonging to other patrons, because of the nature of the venue certain patrons might not be in a proper condition to give consent to the use of their personal data.  It is also easy for a patron to accidentally or deliberately write down the wrong number, or for staff to transcribe the number inaccurately onto a marketing database.

The company had already taken some remedial action.  It had removed the complainant's details from its marketing list and had provided a new number for customers to text if they wanted to opt out of future marketing.  I recommended that the company look at replacing the manual form of data collection with an electronic one, such as asking customers to phone/text a number.  In this way a number would be automatically and correctly recorded.  This would prevent inaccuracies relating to numbers.  I further suggested that the data collection should be done at an early stage in the evening, when patrons would be more likely to be aware of the implications of entering a promotion.

This is a classic example of a business being attracted by new technology without making itself aware of its legal responsibilities.  Whilst the legislation doesn't differentiate between the casual marketer and the professional, I was not inclined to prosecute this company.  The company admitted responsibility and took remedial action and I am satisfied that the company will behave in a more responsible manner in future.

This type of behaviour is becoming more common and if the sector continues to ignore its responsibilities, in future I may have no choice but to engage in enforcement action.