In various sectors it is usual practice to buy customer database. However, this may come with unwarranted risks. 

In LAD Media Ltd (LAD) vs ICO, LAD was found breaching the Privacy Legislation on the basis that the third party's privacy notices were insufficiently clear and that they did not, therefore, have the individuals' consent to send the direct marketing texts that it had instigated and it was responsible for the contravention.

The data was purchased by LAD from a third party supplier who had published general privacy notice on their website obtaining individuals’ consent.

The decision highlights the importance of carrying out thorough due diligence when buying third party marketing lists to ensure that the seller has provided sufficient information to individuals to enable them to give the required consent to the use of their personal data for electronic direct marketing purposes.

This is equally important when in acquisitions individual customers database is a material asset. Even if acquisition documents cover extensive warranties in respect of compliance with Data Protection Legislations, it is important to not to overlook such compliance at due diligence stage to avoid monetary penalty and running into reputational risk when penalty notice is published on the ICO website.