Every little bit of data helps?
The Information Commissioner’s guidance on ‘Using marketing lists’ is clear: “As a general rule, you can only sell your marketing list if you have the consent of the listed individuals to do so”.
The Privacy and Electronic Communications Regulations (‘PECR’), when read in light of the UK GDPR, require that the explicit, informed consent of the recipient be obtained prior to sending email marketing (unless the so-called soft opt-in under Regulation 22(3) PECR applies).
In a distressed M&A transaction, there may be the option to negotiate for the purchase of either shares in the company or individual assets. In customer-data-rich industries like retail and hospitality, assets such as CRM databases are attractive to purchasers to support profiling and personalised advertising, and potentially lucrative for the administrators and creditors of such companies. Complying with the letter of the law (and guidance) would suggest that the only lawful way to gain control of another data controller’s marketing database and to use those email addresses for marketing would be to buy the shares of the company, and to take on both its assets and liabilities wholesale.
But there are circumstances in which the Information Commissioner’s responsibility for monitoring and enforcing the provisions of the UK GDPR, Data Protection Act 2018 and the Privacy and Electronic Communications Regulations gives way to the interests of “controllers and others and other matters of general public interest” and the Information Commissioner essentially turns a blind eye to – and even explicitly endorses – infractions of the law and its own guidance.
The most recent statistics published by the Insolvency Service reveal that in August 2024 the number of company insolvencies remained much higher than those seen both during the COVID-19 pandemic and between 2014 and 2019, with the average monthly number of corporate insolvencies across 2024 being similar to 2023, which saw the highest annual number since 1993. Companies in ‘Wholesale and retail trade; repair of motor vehicles and motorcycles’ accounted for 16% of corporate insolvencies, and companies engaged in ‘Accommodation and food service activities’ for 15%. Insolvencies raise the prospect of potential rescues of failing businesses through administration, administrative receivership or company voluntary arrangements (CVAs), and these types of company are likely to hold extensive CRM databases of personal data. Matchesfashion, The Body Shop, Ted Baker… several high street brands have succumbed to challenging market conditions in recent years. In a number of cases a risk-based approach to compliance has been adopted: instead of buying the shares of the company to gain control of its assets while the data controller of the data remains the same, marketing lists have been purchased as assets and transferred to a third-party data controller, sometimes under the wider heading of intellectual property rights (IPR).
To give a relatively recent example, on the morning of 31 January 2023, Aspen Phoenix Newco Limited, better known by its trading name Paperchase, the stationery retailer ubiquitous on the British high street, collapsed into administration. Joint administrators were appointed from the firm Begbies Traynor, and the same day they published a statement that “there has been significant interest in the Paperchase brand and attendant intellectual property”. Later that day, it was confirmed that Tesco had purchased Paperchase’s brand and related intellectual property in a pre-pack administration deal.
Just over 5 weeks later, on 09 March 2023, Paperchase customers received an email from Tesco informing them that “following an agreement with Paperchase, certain information about Paperchase products, services and customers have been transferred to Tesco. This means Tesco now holds the data you provided to Paperchase”.
Paperchase’s privacy policy had stated that “we do not sell any personal information to third parties” and had made no provision for the sale of the business or its assets. Recital 47 to the UK GDPR provides that determining whether legitimate interests provide a lawful basis for processing requires a balancing exercise which includes “whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing”. That the reasonable expectations of a data subject could lead to their interests, rights or freedoms outweighing the legitimate interests of a controller or third party was confirmed by the CJEU in Case C‑252/21 Meta Platforms Inc. & others v Bundeskartellamt.
Customers were directed to the Tesco privacy policy for further information, but no reference was made in that document to transferred data of customers of the Paperchase brand. No information was provided to customers in that email about their rights as data subjects, such as the right to object to processing or to opt out of the receipt of direct marketing communications. Tesco subsequently confirmed that the “principle customer records that were acquired in the deal were Paperchase Customers Records Management (CRM) System and their loyalty scheme records. Payment and other sensitive financial information was not included”. It also stated that “the vast majority of the CRM records are not being used as they… are not usable by Tesco (e.g., Paperchase marketing position)”. In response to the question of how, if Tesco could not use the vast majority of the records it purchased, it was necessary and proportionate to acquire and retain them, Tesco asserted that “our lawful basis for processing the data is that it is in our legitimate interests as a commercial business to understand our customers better to ensure that the products and services we offer them remain relevant and of interest. We would also stress without looking at and identifying each customer, we would not have been able to meet both our immediate and ongoing legal responsibilities”. Similarly, the administrators asserted that “The Company effected the transfer of the customer database to Tesco on the basis that it was necessary for the purposes of the legitimate interests pursued by Tesco and the Company’s creditors”.
The Information Commissioner’s position was that “it is our view that Tesco Stores Limited has complied with its data protection obligations in this instance… Tesco Stores Limited have obtained … information as parted of the acquisition of Paperchase, and the legislation does not deem this to be an infringement” (sic) and “In situations like this, we take the view that the buyer should contact the data subjects affected as soon as reasonably possible in order to advise them of the situation and give them the opportunity to exercise their right of erasure”.
More recently, The Body Shop International Limited, trading as The Body Shop, purveyor of fair-trade and cruelty-free gift sets and assorted body care and cosmetics, fell into administration on 13 February 2024. Dozens of stores have subsequently closed and hundreds of head office and store staff have been made redundant. FRP Advisory was appointed as administrators. After a Company Voluntary Arrangement was not accepted by creditors, in May 2024 FRP Advisory announced that they had commenced “a sale process for the underlying business and assets of TBSI”. While The Body Shop International Limited’s privacy notice states that “We do not sell your Personal Data or your Sensitive Personal Data”, it also states “We may share or transfer your Personal Data in the course of any direct or indirect reorganization process including, but not limited to, mergers, acquisitions, divestitures, bankruptcies and sales of all or part of our assets. Your Personal Data may be shared following the completion of such transaction and/or during the assessment pending transfer (subject to confidentiality requirements). If transferred, your Personal Data will remain subject to this Privacy Notice or a policy that, as a minimum, protects your privacy to an equal degree as this Privacy Notice unless you otherwise consent”. Of course, the recipient is not identified.
On 09 September, customers were notified that The Body Shop’s assets had been purchased by a new company, The Body Shop Group Limited, but that this company would shortly change its name to The Body Shop International Limited. The notice continued “As part of this asset acquisition, your data will be transferred to this new legal entity” but that “There will be no material change to the processing of your data (including the purpose, legal basis, means or methods of processing, etc.) other than this transfer to this new company” and “While the brand has been acquired by the Auréa Group, you will only receive communications (including marketing) from The Body Shop and can unsubscribe from these emails at any time”.
Notwithstanding the Information Commissioner’s current laissez-faire approach, the obtaining of personal data in such circumstances presents an issue of consumer trust and brand reputation which should inform not only the acquisition of data, but the timing and manner of communication with affected individuals, the extent to which the content of emails informs individuals of, or directs them to information explaining, their data subject rights, as well as the subsequent use of the data.