
Third party problems

Simon Clayton, chief ideas officer at RefTech, goes down the GDPR rabbithole after receiving a surprise email...

 

Many event organisers are now using third party tools to encourage visitors to share registrations online and to help them increase registration numbers. But if you use a third party service, are you absolutely sure that you know what they are doing on your behalf?

I recently received an email from a well-known UK retailer – reminding me that I put items into a basket and then abandoned it. I found this a bit creepy because I’d never knowingly given this company my email address and they certainly didn’t have permission to use it for marketing. Emailing a consumer a marketing message without their permission is in violation of PECR (Privacy and Electronic Communications Regulations). Also, their privacy policy made no mention of this so that meant it was a GDPR violation too. I contacted them to report this and to delve a little deeper.

A conversation with the retailer confirmed that they did not have my email address in their database, but that they were using a third party basket recovery system – a separate service that monitors their website and sends a helpful nudge to a wannabe customer if a basket is abandoned. This is often a useful service, but how on earth did they get my email address?

Although they didn’t have my email address, the third party basket recovery service somehow did. After an investigation by the retailer, we discovered that I’d used autocomplete to enter my postcode and this had filled in a newsletter subscription email field on the page automatically. Despite the fact I hadn’t submitted this form, the third party service used it to scrape my data.

The retailer was shocked at this finding – they didn’t know that their supplier was doing this and it went against the agreement that was in place between them and the supplier. The supplier may have thought that it was a great idea and that it would improve their service, but they clearly didn’t realise that this action constituted a breach of both GDPR and PECR. I recommended the retailer report themselves to the ICO, which they have done, and I’m sure the ICO will only offer help and advice.

If you do use third party services, read the small print and make sure that their actions are not in violation of PECR or GDPR – because if they are, you’ll be the one with the breach on your hands.