Category Archives: marketing

April 28, 2023 · 7:09 pm

HMRC sending spam

Have HMRC jumped the gun, and assumed that they can now (in advance of the Data Protection and Digital Information (No.2) Bill being passed) rely on the soft opt-in for email marketing?

In common with many other poor souls, I have in recent years had to submit a self-assessment tax return to HMRC. Let’s just say that, unless they’re going to announce a rebate, I don’t relish hearing from them. So I was rather surprised to receive an email from “HMRC Help and Support” recently, telling me “what’s coming up in May” and inviting me to attend webinars. A snippet of the email is here

This certainly wasn’t solicited. And, at least if you follow the approach of the Information Commissioner’s Office (ICO) was direct marketing by electronic means (“Direct marketing covers the promotion of aims and ideals as well as the sale of products and services. This means that the rules will cover not only commercial organisations but also not-for-profit organisations“).

The only lawful way that a person can send unsolicited direct electronic marketing to an individual subscriber like me, is if the recipient has consented to receive it (I hadn’t), or if the person obtained the contact details of the recipient in the course of the sale or negotiations for the sale of a product or service to that recipient (see regulation 22 of the Privacy and Electronic Marketing (EC Directive) Regulations 2003 (“PECR”)). But HMRC cannot avail themselves of the latter (commonly known as the “soft opt-in”), because they have not sold me (or negotiated with me for the sale) of a product or service. The ICO also deals with this in its guidance: “Not-for-profit organisations should take particular care when communicating by text or email. This is because the ‘soft opt-in’ exception only applies to commercial marketing of products or services“.

I raised a complaint (twice) directly with HMRC’s Data Protection Officer who (in responses that seemed oddly, let’s say, robotic) told me how to unsubscribe, and pointed me to HMRC’s privacy notice.

It seems to me that HMRC might be taking a calculated risk though: the Data Protection and Digital Information (No.2) Bill, currently making its way through Parliament, proposes (at clause 82) to extend the soft opt-in to “non-commercial objectives”. If it passes, then we must expect much more of This Type Of Thing from government.

If I’m correct in this, though, I wonder if, when calculating that calculated risk, HMRC calculated the risk of some calculated individual (me, perhaps) complaining to the ICO?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection Bill, HMRC, Information Commissioner, marketing, PECR, spam

Tagged as ,

March 12, 2023 · 12:49 pm

Where’s the Tories’ privacy notice? (just don’t mention the footballer)

The Conservative Party, no doubt scrabbling to gather perceived support for its contentious immigration policies and measures is running a web and social media campaign. The web page encourages those visiting it to “back our plan and send a message” to other parties:

Further down the page visitors are invited to “send Labour a message”

Clicking on either of the red buttons in those screenshots results in a pop-up form, on which one can say whether or not one supports the Tory plans (in the screenshot below, I’ve selected “no”)

One is then required to give one’s name, email address and postcode, and there is a tick box against text saying “I agree to the Conservative Party, and the wider Conservative Party, using the information I provide to keep me updated via email about the Party’s campaigns and opportunities to get involved”

There are two things to note.

First, the form appears to submit whether one ticks the “I agree” box or not.

Second, and in any case, none of the links to “how we use your data”, or the “privacy policy”, or the “terms and conditions” works.

So anyone submitting their special category data (information about one’s views on a political party’s policies on immigration is personal data revealing political opinions, and so Article 9 UK GDPR applies) has no idea whatsoever how it will subsequently be processed by the Tories.

I suppose there is an argument that anyone who happens upon this page, and chooses to submit the form, has a good idea what is going on (although that is by no means certain, and people could quite plausibly think that it provides an opportunity to provide views contrary to the Tories’). In any event, it would seem potentially to meet to definition of “plugging” (political lobbying under the guide of research) which ICO deals with in its direct marketing guidance.

Also in any event, the absence of any workable links to privacy notice information means, unavoidably, that the lawfulness of any subsequent processing is vitiated.

It’s the sort of thing I would hope the ICO is alive to (I’ve seen people on social media saying they have complained to ICO). But I won’t hold my breath on that – many years ago I wrote about how such data abuse was rife across the political spectrum – but little if anything has changed.

And finally, the most remarkable thing of all is that I’ve written a whole post on what is a pressing and high-profile issue without once mentioning Gary Lineker.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner, marketing, PECR, privacy notice, social media, spam, UK GDPR

Tagged as , , , ,

September 7, 2021 · 7:24 am

ICO calls for global cookie standards (but why not enforce the law?)

The outgoing UK Information Commissioner, Elizabeth Denham, is calling on G7 countries to adopt her office’s new “vision” for websites and cookie consent.

Her challenge to fellow G7 data protection and privacy authorities has been issued at a virtual meeting taking place on 7 and 8 September, where they will be joined by the Organisation for Economic Cooperation and Development (OECD) and the World Economic Forum (WEF).

Denham says “There are nearly two billion websites out there taking account of the world’s privacy preferences. No single country can tackle this issue alone. That is why I am calling on my G7 colleagues to use our convening power. Together we can engage with technology firms and standards organisations to develop a coordinated approach to this challenge”.

What is not clear is whether her vision is, or can be, underpinned by legal provisions, or whether it will need to take the form of a non-enforceable set of standards and protocols. The proposal is said to mean that “web browsers, software applications and device settings [should] allow people to set lasting privacy preferences of their choosing, rather than having to do that through pop-ups every time they visit a website”. The most obvious way of doing this would be through a user’s own browser settings. However, previous attempts to introduce something similar – notably the “Do Not Track” protocol – foundered on the lack of adoption and the lack of legal enforceability.

Also unaddressed, at least in the advance communications, is why, if cookie compliance is a priority area for the Information Commissioner, there has been no enforcement action under the existing legal framework (which consists primarily of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (or “PECR”)). Those current laws state that a website operator must seek consent for the placing of all cookies unless they are essential for the website to function. Although many website operators try hard to comply, there are countless examples of ones who don’t, but who suffer no penalty.

Denham says that “no single country can tackle this alone”, but it is not clear why such a single country can’t at least take steps towards tackling it on domestic grounds. It is open to her to take action against domestic website operators who flout the law, and there is a good argument that such action would do more to encourage proper compliance than will the promotion or adoption of non-binding international standards.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under cookies, Data Protection, Information Commissioner, marketing, PECR

Tagged as ,

August 12, 2020 · 12:26 pm

Some PECR figures in light of a new monetary penalty notice

Presented without comment.

21,166,574 unsolicited direct marketing messages

£100,000 monetary penalty

Only £1k in the bank at the last filings

Zero chance of recovery?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, enforcement, Information Commissioner, marketing, monetary penalty notice, PECR

Tagged as ,

August 8, 2018 · 9:13 am

GDPR doesn’t always mean “opt in”

TL;DR – the law says that when you’re buying something from them companies only have to offer you an opt out from marketing. GDPR hasn’t changed this.

I see a lot of criticism of companies on social media by people who accuse the former of not complying with the General Data Protection Regulation (GDPR). Here’s an example:

But the criticism is generally misguided. GDPR does not itself deal directly with direct marketing (other than to provide for an unqualified right to opt out of it (at Article 21(3)) and a statement in one of the recitals to the effect that the processing of personal data for the purposes of direct marketing may be regarded as carried out for a legitimate interest).

The operative law in the UK regarding electronic direct marketing is, and remains, The Privacy and Electronic Communications (EC Directive) Regulations 2003 (which implement a 2002 European Directive).

These provide that one cannot send direct marketing to an individual subscriber* by unsolicited “electronic mail” (which these days largely boils down to email and SMS) unless the recipient has consented or unless the sender

has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient…the direct marketing is in respect of that person’s similar products and services only…and the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.

In plain language, this means that when you buy, or enter into negotiations to buy, a product or service from someone, the seller only has to offer an “opt out” option for subsequent electronic marketing. Nothing in GDPR changes this.

*”individual subscriber” means the person who is a party to a contract with a provider of public electronic communications services for the supply of such services- in effect, this is likely to be someone using their personal email address, and not a work one).

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under consent, Data Protection, GDPR, marketing, PECR

Tagged as ,

April 14, 2018 · 8:18 pm

The “GDPR consent” email I’d like to receive

“Dear Jon

You know us. We’re that firm you placed an order with a few months ago. You may remember that at the time we took your order we explained we were going to send occasional marketing emails to you about similar products and services, but you could opt out then, and at any subsequent point.

We know that since 2003 (with the Privacy and Electronic Communications Regulations) (PECR) it’s been unlawful to send unsolicited marketing emails except in circumstances like those above.

We’re contacting you now because we’ve noticed a lot of competitors (and other firms) who are either utterly confused or utterly misrepresenting a new law (separate to PECR) called the General Data Protection Regulation (GDPR). They’re claiming it means they have to contact you to reconfirm your consent to receive marketing emails.

GDPR actually says nothing of the sort. It does explain what “consent” means in data protection terms in a slightly more strict way, but for companies like us, who’ve respected our customers and prospective customers all along, it makes no difference.

In fact, the emails you’re getting from those companies, asking you to “reconsent”, are probably actually direct marketing emails themselves. And if the companies don’t already have your consent to send them they may well be breaking the law in sending them. If you think we’re exaggerating, look at the fine the Information Commissioner’s Office (ICO) levied on Honda last year.

In fact, you’d do well to look at the ICO’s website – it’s got some good stuff on this, both for customers like you, and for companies who are confused by this.

It all really boils down to treating customers well, and not assuming you can send direct electronic marketing without actually looking at what the law says.

So yes, this is a marketing email, and yes, it is lawful, and yes, it is more than a little pompous.”

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

12 Comments

Filed under consent, GDPR, Information Commissioner, marketing, PECR, spam

February 6, 2018 · 8:12 pm

Rennard, the facts

Has the former LibDem Campaigns guru been engaging in unsolicited electronic marketing?

If I want to market my product or service to you as an individual, the general rule is that I cannot do so by email unless I have your prior consent informing me that you wish to receive it. This applies to me (if, say, I’m promoting this blog by email), it applies to any business, it applies to political parties, and it also applies to Baron Rennard of Wavertree, when he is promoting his new memoirs. However, a recent media story about the Lord Rennard’s promotional activities suggests he may not be aware of his legal obligations here, and for someone who has held senior roles within the Liberal Democrats, someone renowned as a “formidable and widely respected practitioner of political campaigning”, this is rather concerning.

The law (regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended)) outlaws the sending of unsolicited email marketing to individuals, unless the recipient has previously consented to receive the marketing (the exception to the general rule is that email marketing can be sent if the sender has obtained the recipient’s email address “in the course of the sale or negotiations for the sale of a product or service to that recipient” and if it is explained to the recipient that they can opt out – this is often known as the “soft opt-in“).

Lord Rennard is reported as saying

I have emailed people from my address book, or using publicly available email addresses, about the publication of a volume of memoirs

But just because one already holds someone’s email address, or just because an email address is in the public domain, this does not justify or permit the sending of unsolicited marketing. The European Directive which the PEC Regulations implement makes clear that people have a right to respect for their correspondence within the context of electronic communications, and that this right is a part of the fundamental rights to respect for protection of personal data, and respect for a private and family life. It may be a lot to expect the average person sending an email promoting a book to know this, but when the sender is someone whose reputation is in part based on his skills as a political campaigner, we should surely expect better (I say “in part” because, of course, the Lord Rennard is known for other things as well).

At a time when the use of digital data for political campaigning purposes is under intense scrutiny, it will be interesting to see what the Information Commissioner (who is said to be investigating Rennard’s marketing exercise) says. It might not seem the most serious of issues, but it encapsulates a lot.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under consent, Information Commissioner, marketing, PECR

Tagged as , , ,

June 23, 2017 · 7:30 pm

Public houses, private comms

Wetherspoons delete their entire customer email database. Deliberately.

In a very interesting development, the pub chain JD Wetherspoon have announced that they are ceasing sending monthly newsletters by email, and are deleting their database of customer email addresses.

Although the only initial evidence of this was the screenshot of the email communication (above), the company have confirmed to me on their Twitter account that the email is genuine.

Wetherspoons say the reason for the deletion is that they feel that email marketing of this kind is “too intrusive”, and that, instead of communicating marketing by email, they will “continue to release news stories on [their] website” and customers will be able to keep up to date by following them on Facebook and Twitter.

This is interesting for a couple of reasons. Firstly, companies such as Flybe and Honda have recently discovered that an email marketing database can be a liability if it is not clear whether the customers in question have consented to receive marketing emails (which is a requirement under the Privacy and Electronic Communications ((EC Directive) Regulations 2003 (PECR)). In March Flybe received a monetary penalty of £70,000 from the Information Commissioner’s Office (ICO) after sending more than 3.3 million emails with the title ‘Are your details correct?’ to people who had previously told them they didn’t want to receive marketing emails. These, said the ICO, were themselves marketing emails, and the sending of them was a serious contravention of PECR. Honda, less egregiously, sent 289,790 emails when they did not know whether or not the recipients had consented to receive marketing emails. This also, said ICO, was unlawful marketing, as the burden of proof was on Honda to show that they had recipients’ consent to send the emails, and they could not. The result was a £13,000 monetary penalty.

There is no reason to think Wetherspoons were concerned about the data quality (in terms of whether people had consented to marketing) of their own email marketing database, but it is clear from the Flybe and Honda cases that a bloated database with email details of people who have not consented to marketing (or where it is unclear whether they have) is potentially a liability under PECR (and related data protection law). It is a liability both because any marketing emails sent are likely to be unlawful (and potentially attract a monetary penalty) but also because, if it cannot be used for marketing, what purpose does it serve? If none, then it constitutes a huge amount of personal data, held for no ostensible purpose, which would be in contravention of the fifth principle in schedule 1 to the Data Protection Act 1998.

For this reason, I can understand why some companies might take a commercial and risk-based decision not to retain email databases – if something brings no value, and significant risk, then why keep it?

But there is another reason Wetherspoons’ rationale is interesting: they are clearly aiming now to use social media channels to market their products. Normally, one thinks of advertising on social media as not aimed at or delivered to individuals, but as technology has advanced, so has the ability for social media marketing to become increasingly targeted. In May this year it was announced that the ICO were undertaking “a wide assessment of the data-protection risks arising from the use of data analytics”. This was on the back of reports that adverts on Facebook were being targeted by political groups towards people on the basis of data scraped from Facebook and other social media. Although we don’t know what the outcome of this investigation by the ICO will be (and I understand some of the allegations are strongly denied by entities alleged to be involved) what it does show is that stopping your e-marketing on one channel won’t necessarily stop you having privacy and data protection challenges on another.

And that’s before we even get on to the small fact that European ePrivacy law is in the process of being rewritten. Watch that space.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under consent, Data Protection, marketing, monetary penalty notice, PECR, social media, spam

Tagged as , ,

February 9, 2017 · 12:55 pm

Why what Which did wears my patience thin

Pre-ticked consent boxes and unsolicited emails from the Consumers’ Association

Which?, the brand name of the Consumers’ Association, publishes a monthly magazine. In an era of social media, and online reviews, its mix of consumer news and product ratings might seem rather old-fashioned, but it is still (according to its own figures1) Britain’s best-selling monthly magazine. Its rigidly paywalled website means that one must generally subscribe to get at the magazine’s contents. That’s fair enough (although after my grandmother died several years ago, we found piles of unread, unopened even, copies of Which? She had apparently signed up to a regular Direct Debit payment, probably to receive a “free gift”, and had never cancelled it: so one might draw one’s own conclusion about how many of Which?’s readers are regular subscribers for similar reasons).

In line with its general “locked-down” approach, Which?’s recent report into the sale of personal data was, except for snippets, not easy to access, but it got a fair bit of media coverage. Intrigued, I bit: I subscribed to the magazine. This post is not about the report, however, although the contents of the report drive the irony of what happened next.

As I went through the online sign-up process, I arrived at that familiar type of page where the subject of future marketing is broached. Which? had headlined their report “How your data could end up in the hands of scammers” so it struck me as amusing, but also irritating, that the marketing options section of the sign-in process came with a pre-ticked box:

img_0770

As guidance from the Information Commissioner’s Office makes clear, pre-ticked boxes are not a good way to get consent from someone to future marketing:

Some organisations provide pre-ticked opt-in boxes, and rely on the user to untick it if they don’t want to consent. In effect, this is more like an opt-out box, as it assumes consent unless the user clicks the box. A pre-ticked box will not automatically be enough to demonstrate consent, as it will be harder to show that the presence of the tick represents a positive, informed choice by the user.

The Article 29 Working Party goes further, saying in its opinion on unsolicited communications for marketing purposes that inferring consent to marketing from the use of pre-ticked boxes is not compatible with the data protection directive. By extension, therefore, any marketing subsequently sent on the basis of a pre-ticked box will be a contravention of the data protection directive (and, in the UK, the Data Protection Act 1998) and the ePrivacy directive (in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)).

Nothwithstanding this, I certainly did not want to consent to receive subsequent marketing, so, as well as making a smart-arse tweet, I unticked the box. However, to my consternation, if not my huge surprise, I have subsequently received several marketing emails from Which? They do not have my consent to send these, so they are manifestly in contravention of regulation 22 of PECR.

It’s not clear how this has happened. Could it be a deliberate tactic by Which?  to ignore subscribers’ wishes? One presumes not: Which? says it “exists to make individuals as powerful as the organisations they deal with in their daily live” – deliberately ignoring clear expressions regarding consent would hardly sit well with that mission statement. So is it a general website glitch – which means that those expressions are lost in the sign-up process? If so, how many individuals are affected? Or is it just a one-off glitch, affecting only me?

Let’s hope it’s the last. Because the ignoring or overriding of expressions of consent, and the use of pre-ticked boxes for gathering consent, are some of the key things which fuel trade in and disrespect for personal data. The fact that I’ve experience this issue with a charity which exists to represent consumers, as a result of my wish to read their report into misuse of personal data, is shoddy, to say the least.

I approached Which? for a comment, and a spokesman said:

We have noted all of your comments relating to new Which? members signing up, including correspondence received after sign-up, and we are considering these in relation to our process.

I appreciate the response, although I’m not sure it really addresses my concerns.

1Which? Annual Report 2015/2016

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under consent, Data Protection, Directive 95/46/EC, Information Commissioner, marketing, PECR, spam, subject access

Tagged as , , , ,

November 22, 2016 · 5:49 pm

Don’t be so soft

What’s behind the increasing practice of electronic receipts?

I’m good at a few things in life, OK at a few more, and pretty terrible at a lot. Into the last category falls car maintenance. Nonetheless, as a safety-conscious person I understand its importance. And so it was that I found myself in a local branch of a major retailer of car parts the other day buying a replacement headlamp bulb, and asking for it to be fitted (by the very helpful Louise – sorry Louise, I won’t be submitting the online customer feedback, for reasons which will probably become clear in this post). I paid for the service, and was then asked

Can I just have your email address to send the receipt?

Er, no.

I’d heard about this practice, but, oddly, this was the first time I’d encountered it. It was immediately obvious to me what was going on, or at least what I assumed was/is going on, but I thought it might be helpful to draw attention to it.

The law (regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended)) outlaws the sending of unsolicited email marketing to individuals, unless the recipient has previously consented to receive the marketing. As much as this law is regularly flouted, it is both clear and strict. It is, however, subject to an important caveat – email marketing can be sent if the sender has obtained the recipient’s email address “in the course of the sale or negotiations for the sale of a product or service to that recipient”.

This is known as the “soft opt-in” and it seems clear to me that the practice of sending e-receipts is tied up with the gathering of email addresses for the purposes of sending marketing using the soft opt-in provisions. As much as we might be told how helpful it is for our own records management to have electronic copies of receipts, there is something in it for retailers, and that something is the perceived right to send electronic marketing.

I should add, though, that soft opt-in is subject to further qualifications – the marketing must be in respect of “similar products and services only”, and, crucially, at the point when the contact details are collected, the intended recipient must be given the chance to say “no” to the marketing. (See the guidance from the Information Commissioner’s Office for further details).

I wasn’t given the chance to say “no”, but I chose not to give my details. If I had given those details, and if I had then received email marketing, it would have been sent unlawfully. I would have known that, but a lot of people wouldn’t, and, importantly, it’s quite difficult to prove (or remember) whether one was given “a simple means of refusing” marketing at the time the sale was made. So it’s a relatively low-risk tactic for marketers.

So my advice is to say no to e-receipts, demand a paper one, and if you do want to retain a record, why not just photograph the receipt when you get home?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under consent, marketing, PECR

Tagged as , ,