“Profiling” under the GDPR can be associated with the complicated adtech ecosystem: a network of publishers and vendors pooling hundreds of data points collected by cookies, pixels and fingerprinting.
But last week’s £1.48m fine against catalogue retailer Easylife, issued by the UK’s data protection regulator the Information Commissioner’s Office (ICO), suggests that “profiling” can be a much simpler activity.
The Easylife fine shows how some companies may be engaged in profiling without realising it. The decision is a reminder of the dangers of carelessly processing health data and demonstrates the important interaction between the GDPR and direct marketing laws.
Profiling Based on Jar Openers and Dinner Trays
“A healthy lifestyle means more than just finishing your peas and carrots,” says Easylife on its website, which markets a range of products ranging from walking sticks to prostate cancer tests.
The company’s Health Club catalogue allows customers to order over 120 products designed to make life easier for those with limited mobility or health conditions.
According to the ICO, 80 of these catalogue items were designated by Easylife as “trigger products”. When a customer purchased a “trigger product”, Easylife would infer information about the person’s health condition from this transaction.
For example, jar openers and dinner trays were treated as “trigger products” that suggested the customer had arthritis, prompting a potential sale of glucosamine joint patches used to treat the condition.
Under Article 4(4) of the UK GDPR, “profiling” includes “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person…” including their health.
“When Easylife used that transactional data to influence its decisions on which customers to subject to telemarketing, this constituted profiling,” the ICO said in its monetary penalty notice (MPN).
The ICO also noted that Easylife customers “were not informed by Easylife that their information would be used for profiling them”, which is a specific requirement under the GDPR’s transparency obligations.
No Lawful Basis for Processing Health Data
The ICO noted that inferring information about customers’ health conditions constituted the processing of “special category data”, making Easylife’s GDPR violations more serious.
When processing personal data about a person’s health, controllers require a lawful basis under both Articles 6 and 9 of the GDPR.
Easylife argued it had a lawful basis under Article 6, namely “legitimate interests”. When relying on legitimate interests, controllers must conduct a “legitimate interests assessment” (LIA) to weigh individuals’ rights against the interests they (or a third party) are pursuing.
Rather than carrying out an LIA in relation to the direct marketing campaign in question, Easylife re-used an old LIA that was drawn up in relation to a previous direct marketing campaign that did not involve profiling.
The company also did not carry out a data protection impact assessment (DPIA), which the ICO claims it should have conducted.
Because Easylife failed to properly assess its legitimate interests, the ICO concluded that the company did not have a lawful basis for processing under Article 6. Furthermore, the company failed to establish a lawful basis for processing special category data under Article 9.
“The only circumstances in which Easylife could have engaged in processing of special category data in the context of its Health campaign was consent. Easylife did not collect consent…” the MPN states.
Easylife attempted to argue that it had obtained consent for processing health data. The company supposedly achieved this by notifying its customers that Easylife might contact them about products that could be “of interest” to them. The ICO did not accept this argument.
These GDPR violations, including illegitimate, “invisible” profiling and the failure to establish a lawful basis for processing, earned Easylife a fine of £1.35m—the bulk of its £1.48m total penalty, with the rest of the amount attributable to direct marketing violations.
‘Predatory’ Direct Marketing Calls
After the “trigger product” had been purchased, Easylife’s call handlers (known as “Health Advisors”) were instructed to phone the customer and attempt to sell them additional products.
The ICO’s MPN contains extracts from Health Advisors’ call scripts, which prompt the caller to ask customers about whether they suffer from arthritis or an injury and then suggest treatment with glucosamine joint patches.
The ICO states that Easylife made 1,345,732 such “predatory direct marketing calls”, for which it received a fine of £130,000.
Remember that direct marketing is covered by the Privacy and Electronic Communications Regulations (PECR), which operates a less severe penalty regime than exists under the GDPR, with maximum fines capped at £500,000.
But note that the PECR regime is due to be overhauled. The Data Protection and Digital Information Bill (DPDIB), which awaits a second reading in Parliament, would raise the PECR fine ceiling so that it is in line with the GDPR (£17.5 million or 4% of annual worldwide turnover).
The DPDIB’s status is uncertain since the newly appointed Secretary of State for Digital, Culture, Media and Sport (DCMS), Michelle Donelan, suggested at the Conservative Party Conference earlier this month that the reforms could be scrapped.
But raising the PECR fine ceiling is reasonably likely to remain in any new version of the proposals, given the public’s (reasonable) dislike of illegal direct marketing calls. This means such penalties could be much higher under this proposed new privacy framework.