ICO v. Emailmovers Limited

Emailmovers Limited's privacy policy was not specific enough and did not clearly name third-party recipients. Deploying the deceptive pattern of hidden and misleading information, the company's email data and marketing service were found to have no clear lawful basis for possessing individuals' personal data, violating the principles of lawfulness, fairness, and transparency.

The ICO (Information Commissioner's Office) found that the privacy policy of the organisation that collected the personal data was not specific enough. While the policy stated that an individual's personal data would be shared with third parties for marketing purposes, it did not clearly name the third party recipients. This lack of specificity can lead to confusion and concern among individuals whose personal data is being shared which can be classified into the deceptive pattern of hidden and misleading information. The ICO emphasised the importance of clear and transparent communication when it comes to the handling of personal data, and recommended that the organisation update their a policy accordingly. It is essential for organisations to be clear about how they collect, use, and share personal data to foster trust and maintain their reputation. 
The ICO emphasises the requirements for consent, which must be “specific and informed”. It clarifies that consent for purchased “consented” data is valid only if the purchaser is identified at the time the data is collected (i.e., when consent is given). Therefore, EML could not have lawfully purchased the data based on valid consent, as it was not identified as a potential buyer to individuals. The use of these deceptive patterns meant that individuals were not fully aware of the nature of the data collection and how their personal data would be used for marketing purposes. This violated several provisions of data protection regulations, including Article 5(1)(a) of the GDPR, which requires that personal data shall be processed lawfully, fairly and transparently.