EU GDPR means also tighter regulation of Data Broker (those companies you can find in newspapers for not acquiring always personal data in a transparent manner).
Purchasers of such data need to ask:
- How and when was the consent obtained?
- Who obtained it and in what context?
- What method was used – e.g., was it opt-in or opt-out?
- Was the information provided clear and intelligible? How was it provided – e.g., behind a link, in a footnote, in a pop-up box, or in a clear statement next to an opt-in box?
- Did it specifically mention texts, emails, or automated calls?
- Did it list organisations that would be provided the information by name or by description, or was there consent for disclosure to any third party?
- Is the seller a member of a professional body or accredited in some way?
Moreover, Data brokers:
- Bear responsibility for ensuring that individuals have been adequately informed about how their personal data is handled, and
- Cannot claim to sell lists of individuals who have consented to receive marketing texts, emails, or automated calls from particular organisations unless they have clear records of those consents.