LFC B2B standards and principles 6.0 (2020/2021)
This document outlines the standards and principles agreed by the Lead Fidelity Consortium. Its scope is limited to the collection and trading of data in the B2B data market. It is anticipated that these principles will be updated in the summer of 2022.
The Standards
Lawful processing of data: Consent
The LFC advocates all data being traded with consent. Practices should therefore be consistent with the standards set out by the ICO or local regulatory governing body. Particular attention should be given to:
- The minimum requirement for proof of consent: date, time and URL of consent.
- The requirement for consent to be given with a positive opt-in (i.e. suppliers should not use pre-ticked boxes or any other method of default consent).
- Consent should be specific, concise and should offer options to consent separately to different purposes and types of processing.
- Having an ‘unambiguous’ consent policy – meaning that all data subjects will be clear that their data is being captured and shared.
Lawful processing of data: Legitimate interest
The consortium recognizes that given the size of some databases it may not be practical for suppliers to ask every individual for his/her consent at the point of data collection. That said, suppliers are expected to have:
- Carefully assessed the interests of clients carrying out marketing activities with their data.
- Taken steps to ensure they are only collecting business-relevant data.
- Carefully considered the impact of the collection and use of personal data on individuals’ rights.
- Reasonably concluded that their database contains only business data, which is used to promote business and that such activities are unlikely to affect the fundamental rights and freedoms of individuals concerned.
In these circumstances the supplier will be legitimately processing personal data on the ground of legitimate interest. This guidance is in keeping with various data protection regulations including GDPR but should not be considered an alternative to any local data regulations.
- When storing data concerning a data subject under a legitimate interest, the data subject should be notified in accordance with section 14 of GDPR.
- When a record is sold as a lead it must be sold with explicit consent. The minimum requirements for consent are outlined in 2.ii.
- The supplier should have a robust process for initiating and recording LIAs and storing them with or associated with records. (The LFC audit should check this.)
Subcontracting and Affiliate networks:
- Subcontracted suppliers should be held to the same standard that the supplier is held to through robust T&Cs.
- All subcontractors should have been vetted and the supplier should review the practices of their affiliate network at least annually.
- In the event of a data access or right to be forgotten request, suppliers should be willing and able to tell clients which suppliers they have subcontracted.
- When a data access request, right to be forgotten or a data challenge / rejection is received from a client, suppliers must be able to trace and enforce the request through their supplier network.
- Consent should be specific, concise and should offer options to consent separately to different purposes and types of processing.
- Any purchasers or controllers (including intermediaries) who will be relying on the consent gathered by the subcontractor / affiliate should be specifically named in the consent language.
Exclusivity and data resale
- Suppliers should be open and transparent with purchasers about when leads & records are sold to multiple purchasers.
- An apparently identical record / lead may be created on the same day. That is to say that the same individual may demonstrate genuine interest in brand A and brand B on the same day. However, suppliers must be able to demonstrate that each lead was generated in good faith. Several legitimate scenarios exist:
  - The data subject engaged with marketing activity for brand A and gave explicit consent for their data to be shared with brand A. On the same day the same data subject engaged with marketing activity for brand B and gave explicit consent for their data to be shared with brand B. In this scenario both leads are genuine and exclusive.
  - The data subject engaged with marketing activity for brand A and gave explicit consent for their data to be shared with brand A AND other relevant 3rd parties. In this scenario a legitimate lead has been generated for brand A and B but it is not considered best practice as both brands may believe the lead is more valuable than it is.
- All leads, including those sold to multiple purchasers, must have explicit consent for the data to be shared with the purchaser(s).
- If an advertiser requires a supplier to exclude or deactivate a record from future campaigns for a period, that should be included in trading terms.
Compliance
- Suppliers will have a robust, documented and up to date GDPR policy (see 2).
- Suppliers will have a named Data Protection Officer and a documented issue resolution process.
- Lead data will be gathered using visible, clear, understandable terms and conditions.
- The supplier will have a record of any ICO investigations and will make them available to auditors upon request.
- In the event of a new ICO investigation the supplier will immediately inform the LFC chair (we need a code of conduct for the chair, as this is potentially sensitive information).
Data validation
- When the purchaser requires it, the supplier must be willing to have their data processed by one or more data validation platforms.
- The LFC will promote the use of data validation platforms which can demonstrate they meet the required level of data security.
- Members of the LFC must be willing to use any data validation platform that has been selected by the purchaser, unless they can evidence regulatory, security or compliance concerns.
- LFC members must be willing to assist these platforms in fulfilling their functions.