Tag Archives: marketing

Why what Which did wears my patience thin

Pre-ticked consent boxes and unsolicited emails from the Consumers’ Association

Which?, the brand name of the Consumers’ Association, publishes a monthly magazine. In an era of social media, and online reviews, its mix of consumer news and product ratings might seem rather old-fashioned, but it is still (according to its own figures1) Britain’s best-selling monthly magazine. Its rigidly paywalled website means that one must generally subscribe to get at the magazine’s contents. That’s fair enough (although after my grandmother died several years ago, we found piles of unread, unopened even, copies of Which? She had apparently signed up to a regular Direct Debit payment, probably to receive a “free gift”, and had never cancelled it: so one might draw one’s own conclusion about how many of Which?’s readers are regular subscribers for similar reasons).

In line with its general “locked-down” approach, Which?’s recent report into the sale of personal data was, except for snippets, not easy to access, but it got a fair bit of media coverage. Intrigued, I bit: I subscribed to the magazine. This post is not about the report, however, although the contents of the report drive the irony of what happened next.

As I went through the online sign-up process, I arrived at that familiar type of page where the subject of future marketing is broached. Which? had headlined their report “How your data could end up in the hands of scammers” so it struck me as amusing, but also irritating, that the marketing options section of the sign-in process came with a pre-ticked box:

img_0770

As guidance from the Information Commissioner’s Office makes clear, pre-ticked boxes are not a good way to get consent from someone to future marketing:

Some organisations provide pre-ticked opt-in boxes, and rely on the user to untick it if they don’t want to consent. In effect, this is more like an opt-out box, as it assumes consent unless the user clicks the box. A pre-ticked box will not automatically be enough to demonstrate consent, as it will be harder to show that the presence of the tick represents a positive, informed choice by the user.

The Article 29 Working Party goes further, saying in its opinion on unsolicited communications for marketing purposes that inferring consent to marketing from the use of pre-ticked boxes is not compatible with the data protection directive. By extension, therefore, any marketing subsequently sent on the basis of a pre-ticked box will be a contravention of the data protection directive (and, in the UK, the Data Protection Act 1998) and the ePrivacy directive (in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)).

Nothwithstanding this, I certainly did not want to consent to receive subsequent marketing, so, as well as making a smart-arse tweet, I unticked the box. However, to my consternation, if not my huge surprise, I have subsequently received several marketing emails from Which? They do not have my consent to send these, so they are manifestly in contravention of regulation 22 of PECR.

It’s not clear how this has happened. Could it be a deliberate tactic by Which?  to ignore subscribers’ wishes? One presumes not: Which? says it “exists to make individuals as powerful as the organisations they deal with in their daily live” – deliberately ignoring clear expressions regarding consent would hardly sit well with that mission statement. So is it a general website glitch – which means that those expressions are lost in the sign-up process? If so, how many individuals are affected? Or is it just a one-off glitch, affecting only me?

Let’s hope it’s the last. Because the ignoring or overriding of expressions of consent, and the use of pre-ticked boxes for gathering consent, are some of the key things which fuel trade in and disrespect for personal data. The fact that I’ve experience this issue with a charity which exists to represent consumers, as a result of my wish to read their report into misuse of personal data, is shoddy, to say the least.

I approached Which? for a comment, and a spokesman said:

We have noted all of your comments relating to new Which? members signing up, including correspondence received after sign-up, and we are considering these in relation to our process.

I appreciate the response, although I’m not sure it really addresses my concerns.

1Which? Annual Report 2015/2016

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under consent, Data Protection, Directive 95/46/EC, Information Commissioner, marketing, PECR, spam, subject access

Don’t be so soft

What’s behind the increasing practice of electronic receipts?

I’m good at a few things in life, OK at a few more, and pretty terrible at a lot. Into the last category falls car maintenance. Nonetheless, as a safety-conscious person I understand its importance. And so it was that I found myself in a local branch of a major retailer of car parts the other day buying a replacement headlamp bulb, and asking for it to be fitted (by the very helpful Louise – sorry Louise, I won’t be submitting the online customer feedback, for reasons which will probably become clear in this post). I paid for the service, and was then asked

Can I just have your email address to send the receipt?

Er, no.

I’d heard about this practice, but, oddly, this was the first time I’d encountered it. It was immediately obvious to me what was going on, or at least what I assumed was/is going on, but I thought it might be helpful to draw attention to it.

The law (regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended)) outlaws the sending of unsolicited email marketing to individuals, unless the recipient has previously consented to receive the marketing. As much as this law is regularly flouted, it is both clear and strict. It is, however, subject to an important caveat – email marketing can be sent if the sender has obtained the recipient’s email address “in the course of the sale or negotiations for the sale of a product or service to that recipient”.

This is known as the “soft opt-in” and it seems clear to me that the practice of sending e-receipts is tied up with the gathering of email addresses for the purposes of sending marketing using the soft opt-in provisions. As much as we might be told how helpful it is for our own records management to have electronic copies of receipts, there is something in it for retailers, and that something is the perceived right to send electronic marketing.

I should add, though, that soft opt-in is subject to further qualifications – the marketing must be in respect of “similar products and services only”, and, crucially, at the point when the contact details are collected, the intended recipient must be given the chance to say “no” to the marketing. (See the guidance from the Information Commissioner’s Office for further details).

I wasn’t given the chance to say “no”, but I chose not to give my details. If I had given those details, and if I had then received email marketing, it would have been sent unlawfully. I would have known that, but a lot of people wouldn’t, and, importantly, it’s quite difficult to prove (or remember) whether one was given “a simple means of refusing” marketing at the time the sale was made. So it’s a relatively low-risk tactic for marketers.

So my advice is to say no to e-receipts, demand a paper one, and if you do want to retain a record, why not just photograph the receipt when you get home?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under consent, marketing, PECR

Shameless

Only very recently I wrote about how the Liberal Democrats had been found by the Information Commissioner’s Officer (ICO) to have been in breach of their obligations under anti-spam laws (or, correctly, the ICO had determined it was “unlikely” the Lib Dems had complied with the law). This was because they had sent me unsolicited emails promoting their party without my consent, in contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). The ICO told me that “we have written to the organisation to remind them of their obligations under the PECR and ensure that valid consent is obtained from individuals”.

Well, the reminder hasn’t worked: today I went on the Lib Dem site and noticed the invitation to agree that “The NHS needs an extra £8bn”. Who could disagree? There was a box to enter my email address and “back our campaign”. Which campaign did they mean? Who knows? I assumed the campaign to promote NHS funding, but there was no privacy notice at all (at least on the mobile site). I entered an email address, because I certainly agree with a campaign that the NHS needs an extra £8bn pounds, but what I certainly didn’t do was consent to receive email marketing.

Untitled

But of course I did…within eight hours I received an email from someone called Olly Grender asking me to donate to the Lib Dems. Why on earth would I want to do that? And a few hours later I got an email from Nick Clegg himself, reiterating Olly’s message. Both emails were manifestly, shamelessly, sent in contravention of PECR, only a couple of weeks after the ICO assured me they were going to “remind” the Lib Dems of the law.

Surely the lesson is the same one the cynics have told us over the years – don’t believe what politicians tell you.

And of course, only this week there was a further example, with the notorious Telegraph “business leaders” letter. The open letter published by the paper, purporting to come from 5000 small business owners, had in fact been written by Conservative Campaign Headquarters, and signatories  were merely people who had filled in a form on the Conservative party website agreeing to sign the letter but who were informed in a privacy notice that “We will not share your details with anyone outside the Conservative Party”. But share they did, and so it was that multiple duplicate signatories, and signatories who were by no means small business owners, found their way into the public domain. Whether any of them will complain to the ICO will probably determine the extent to which this might have been a contravention, not of PECR (this wasn’t unsolicited marketing), but of the Data Protection Act 1998, and the Conservatives’ obligation to process personal data fairly and lawfully. But whatever the outcome, it’s another example of the abuse of web forms, and the harvesting of email addresses, for the promotion of party political aims.

I will be referring the Lib Dems matter back to the ICO, and inviting them again (they declined last time) to take enforcement action for repeat and apparently deliberate, or reckless, contraventions of their legal obligations under PECR.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under consent, Data Protection, Information Commissioner, marketing, PECR, privacy notice, spam

ICO finds Lib Dems in breach of ePrivacy law

A few months ago, when I entered my email address on the Liberal Democrats’ website to say that I agreed with the statement 

Girls should never be cut. We must end FGM

I hoped I wouldn’t subsequently receive spam emails promoting the party. However I had no way of knowing because there was no obvious statement explaining what would happen. But, furthermore, I had clearly not given specific consent to receive such emails.

Nonetheless, I did get them, and continue to do so – emails purportedly from Nick Clegg, from Paddy Ashdown and from others, promoting their party and sometimes soliciting donations.

I happen to think the compiling of a marketing database by use of serious and emotive subjects such as female genital mutilation is extraordinarily tasteless. It’s also manifestly unlawful in terms of Lib Dems’ obligations under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which require specific consent to have been given before marketing emails can be sent to individuals.

On the lawfulness point I am pleased to say the Information Commissioner’s Office (ICO) agrees with me. Having considered my complaint they have said:

I have reviewed your correspondence and the organisations website, and it appears that their current practices would fail to comply with the requirements of the PECR. This is because consent is not knowingly given, clear and specific….As such, we have written to the organisation to remind them of their obligations under the PECR and ensure that valid consent is obtained from individuals.

Great. I’m glad they agree – casual disregard of PECR seems to be rife throughout politics. As I’ve written recently, the Labour Party, UKIP and Plaid Cymru have also spammed my dedicated email account. But I also asked the ICO to consider taking enforcement action (as is my right under regulation 32 of PECR). Disappointingly, they have declined to do so, saying:

enforcement action is not taken routinely and it is our decision whether to take it. We cannot take enforcement action in every case that is reported to us

It’s also disappointing that they don’t say why this is their decision. I know they cannot take enforcement action in every case reported to them, which is why I requested it in this specific case.

However, I will be interested to see whether the outcome of this case changes the Lib Dems’ approach. Maybe it will, but, as I say, they are by no means the only offenders, and enforcement action by the ICO might just have helped to address this wider problem.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

8 Comments

Filed under consent, enforcement, Information Commissioner, marketing, PECR, spam, Uncategorized

Information Tribunal increases monetary penalty for company which made spam calls

The trouble with asking for a second opinion is it might be worse than the first one. Reactiv Media get an increased penalty after appealing to the tribunal.

In 2013 the First-tier Tribunal (Information Rights) (“FTT”) heard the first appeal against a monetary penalty notice (“MPN”) imposed by the Information Commissioner’s Office (“ICO”). One of the first things in the appeal (brought by the Central London Community Healthcare NHS Trust) to be considered was the extent of the FTT’s jurisdiction when hearing such appeals – was it, as the ICO suggested, limited effectively only to allowing challenges on public law principles? (e.g. that the original decision was irrational, or failed to take relevant factors into account, or took irrelevant factors into account) or was it entitled to approach the hearing de novo, with the power to determine that the ICO’s discretion to serve an MPN had been exercised wrongly, on the facts? The FTT held that the latter approach (similar to the FTT’s jurisdiction in appeals brought under the Freedom of Information Act 2000 (FOIA)) was the correct one, and, notably, it added the observation (at para. 39) that it was open to the FTT also to increase, as well as decrease, the amount of penalty imposed.

So, although an appeal to the FTT is generally a low-risk low-cost way of having the ICO’s decision reviewed, it does, in the context of MPNs served either under the Data Protection Act 1998 (DPA) or the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), potentially carry the risk of an increased penalty. And this is precisely what happened when a direct marketing company called Reactiv Media recently appealed an ICO MPN. Reactiv Media bad been held to have made a large number of unsolicited telephone calls to people who had subscribed to the Telephone Preference Service (“TPS”) – the calls were thus in contravention of Reactiv Media’s obligations under regulation 21 of PECR. The ICO determined that this constituted a serious contravention of those obligations, and as some at least of those calls were of a kind likely to cause (or indeed had caused) substantial damage or substantial distress, an MPN of £50,000 was served, under the mechanisms of section 55 of the DPA, as adopted by PECR.

Upon appeal to the FTT, Reactiv Media argued that some of the infringing calls had not been made by them, and disputed that any of them had caused substantial damage or distress. However, the FTT, noting the ICO’s submission that not only had the MPN been properly served, but also that it was lenient for a company with a turnover of £5.8m (a figure higher than the one the ICO had initially been given to understand), held that not only was the MPN “fully justified” – the company had “carried on its business in conscious disregard of its obligations” – but also that the amount should be increased by 50%, to £75,ooo. One presumes, also, that the company will not be given a further opportunity (as they were in the first instance) to take advantage of an early payment reduction.

One is tempted to assume that Reactiv Media thought that an appeal to the FTT was a cheap way of having a second opinion about the original MPN. I don’t know if this is true, but it if is, it is a lesson to other data controllers and marketers that, after an appeal, they might find themselves worse off.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

 

Leave a comment

Filed under Data Protection, Information Commissioner, Information Tribunal, marketing, monetary penalty notice, nuisance calls, PECR

The Lib Dems’ digital rights bill – an empty promise?

On the 11th of April the Liberal Democrats announced that they would introduce a “Digital Rights Bill” if they were to form part of a coalition government in the next parliament. Among the measures the bill would contain would be, they said

Beefed up powers for the Information Commissioner to fine and enforce disciplinary action on government bodies if they breach data protection lawsLegal rights to compensation for consumers when companies make people sign up online to deliberately misleading and illegible terms & conditions

I found this interesting because the Lib Dems have recently shown themselves particularly unconcerned with digital rights contained in ePrivacy laws. Specifically, they have shown a lack of compliance with the requirement at regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). This regulation forbids the sending of direct marketing by email unless the recipient has notified the sender that she consents to the email being sent. The European directive to which PECR give effect specifies that “consent” should be taken to have been given only by use of

any appropriate method enabling a freely given specific and informed indication of the user’s wishes, including by ticking a box when visiting an Internet website

And the Information Commissioner’s Office (ICO), which regulates PECR, explains in guidance [pdf] that

the person must understand what they are consenting to. Organisations must make sure they clearly and prominently explain exactly what the person is agreeing to, if this is not obvious. Including information in a dense privacy policy or hidden in ‘small print’ which is hard to find, difficult to understand, or rarely read will not be enough to establish informed consent…consent must be a positive expression of choice. It does not necessarily have to be a proactive declaration of consent – for example, consent might sometimes be given by submitting an online form, if there was a clear and prominent statement that this would be taken as agreement and there was the option to opt out. But organisations cannot assume consent from a failure to opt out

But in July last year I began conducting an experiment. I put my name (actually, typed my email address) to a statement on the Lib Dem website saying

Girls should never be cut. We must end FGM

I gave no consent to the sending of direct email marketing from the Lib Dems, and, indeed, the Lib Dems didn’t even say they would send direct email marketing as a result of my submitting the email address (and, to be clear, the ICO takes the, correct, view [pdf] that promotion of a political party meets the PECR, and Data Protection Act, definition of “marketing”). Yet since October last year they have sent me 23 unsolicited emails constituting direct marketing. I complained directly to the Lib Dems, who told me

we have followed the policies we have set out ion [sic] our privacy policy which follow the guidance we have been given by the ICO

which hardly explains how they feel they have complied with their legal obligations, and I will be raising this as a complaint with the ICO. I could take the route of making a claim under regulation 30 of PECR, but this requires that I must have suffered “damage”. By way of comparison, around the same time I also submitted my email address, in circumstances in which I was not consenting to future receipt of email marketing, to other major parties. To their credit, none of the Conservatives, the SNP and the Greens have sent any unsolicited marketing. However, Labour have sent 8 emails, Plaid Cymru 10 and UKIP, the worst offenders, 37 (there is little that is more nauseating, by the way, than receiving an unsolicited email from Nigel Farage addressing one as “Friend”). I rather suspect that consciously or not, some political parties have decided that the risk of legal or enforcement action (and possibly the apparent ambiguity – although really there is none – about the meaning of “consent”) is so low that it is worth adopting a marketing strategy like this. Maybe that’s a sensible act of political pragmatism. But it stinks, and the Lib Dems’ cavalier approach to ePrivacy compliance makes me completely doubt the validity and sincerity of Nick Clegg’s commitment to

enshrine into law our rights as citizens of this country to privacy, to stop information about us being abused online

And, as Pat Walshe noticed the other day, even the Lib Dems’ own website advert inviting support for their proposed Digital Rights Bill has a pre-ticked box (in non-compliance with ICO guidance) for email updates. One final point, I note that clicking on the link in the first paragraph of this post, to the Lib Dems’ announcement of the proposed Bill, opens up, or attempts to open up, a pdf file of a consultation paper. This might just be a coding error, but it’s an odd, and dodgy, piece of script.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under consent, Data Protection, Information Commissioner, marketing, PECR, spam

Attend ICO DP conference, get unsolicited marketing from a hotel…

I greatly enjoyed yesterday’s (2 March 2015) Data Protection Practitioner Conference run by the Information Commissioner’s Office. I was representing NADPO on our stand, and the amount of interest was both gratifying and illustrative of the importance of having a truly representative body for professionals working in the field of information rights. NADPO were at pains – in running our prize draw (winners picked at random on stage by Information Commissioner Christopher Graham) – to make sure we let participants know what would or would not happen with their details. Feedback from delegates about this was also positive, and I’m pleased at least one privacy professional picked up on it.  Therefore the irony of the following events is not lost on me.

I’d stayed overnight on Sunday, in a Macdonald hotel I booked through the agency Expedia. Naturally, I’m not one to encourage the sending to me of direct electronic marketing, and as the unsolicited sending of such marketing is contrary to regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 I didn’t expect to receive any, either from the agent or the hotel. Yet yesterday I did receive some, from the hotel group. So I’ve sent them this complaint:

I booked the hotel through your agent, Expedia.co.uk. As a professional working in the field of privacy and data protection I always make sure I opt out of any electronic marketing. Hence, when making my booking, I checked the Expedia box which said

“Check the box if you do not want to receive emails from Expedia with travel deals, special offers, and other information”.

However, I also consulted their privacy policy, which says:

“Expedia.co.uk may share your information with [suppliers] such as hotel, airline, car rental, and activity providers, who fulfill your travel reservations. Throughout Expedia.co.uk, all services provided by a third-party supplier are described as such. We encourage you to review the privacy policies of any third-party travel supplier whose products you purchase through Expedia.co.uk. Please note that these suppliers also may contact you as necessary to obtain additional information about you, facilitate your travel reservation, or respond to a review you may submit.”

I then consulted Macdonald Hotels’ privacy policy, but this seems to relate only to your website, and is silent on the use of clients’ data passed on by an agent.

Accordingly, I cannot be said to have consented to the sending by you to me of electronic marketing. Yet yesterday at 13.07 I received an email saying “Thank you for registering with Macdonald Hotels and Resorts…As a member of our mailing list you will shortly start to receive [further unsolicited electronic marketing].”

Ironically enough, I was in Manchester to attend the annual Data Protection Practitioners’ Conference run by the Information Commissioner’s Office (ICO). As you will be aware, the ICO regulates compliance with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Before I raise a complaint with the ICO I would appreciate a) your removing me from any marketing database b) not receiving any further unsolicited marketing, and c) receiving your comments regarding your apparent breach of your legal obligations.

Each instance of unsolicited marketing is at best one of life’s minor irritants, but I have concerns that, because of this, some companies treat compliance with legal obligations as, at best, a game in which they try to trick customers into agreeing to receiving marketing, and at worst, as unnecessary. It may be that I received this particular unsolicited marketing from Macdonald Hotels by mistake (although that in itself might raise data protection concerns about the handling of and accuracy of customer data) but it happens too often. The media have rightly picked up on the forthcoming changes to PECR which will make it easier for the ICO to take enforcement actions regarding serious contraventions, but, sadly, I don’t see the lower level, less serious contraventions, decreasing.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under consent, Data Protection, Information Commissioner, marketing, PECR

What’s happening with changes to anti-spam laws?

In October last year the Department for Culture Media and Sport (DCMS) announced a consultation to lower, or even remove, the threshold for the serving financial penalties on those who unlawfully send electronic direct marketing. I wrote at the time that

There appears to be little resistance (as yet, at least) to the idea of lowering or removing the penalty threshold. Given that, and given the ICO’s apparent willingness to take on the spammers, we may well see a real and significant attack on the scourge

The Information Commissioner’s Office (ICO) and DCMS both seemed at the time to be keen to effect the necessary legislative changes to amend the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) so that, per the mechanism at section 55A of the Data Protection Act 1998 (DPA), adopted by PECR by virtue of regulation 31, either a serious contravention alone of PECR, or a serious contravention likely to cause annoyance, inconvenience or anxiety, could give rise to a monetary penalty without the need to show – as now – likely substantial damage or substantial distress.

However, today, the Information Commissioner himself, Christopher Graham, gave vent to frustrations about delay in bringing about these changes:

Time and time again the Government talks about changing the law and clamping down on this problem, but so far it’s just that – talk. Today they are holding yet another roundtable to discuss the issue, and we seem to be going round in circles. The Government need to lay the order, change the law and bring in a reform that would make a real difference

So what has happened? Have representatives of direct marketing companies lobbied against the proposals? It would be interesting to know who was at today’s “roundtable” and what was said. But there was certainly an interesting tweet from journalist Roddy Mansfield. One hopes a report will emerge, and some record of the meeting.

One wonders why – if they are – marketing industry bodies might object to the proposed changes. The financial penalty provisions would only come into play if marketers failed to comply with the law. Spammers would get punished – the responsible companies would not.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Data Protection, Information Commissioner, marketing, monetary penalty notice, PECR, spam texts

Labour’s “HowManyOfMe” – legitimate use of the electoral register?

Is Labour’s shiny new web widget “HowManyOfMe” compliant with the party’s obligations under electoral and ePrivacy law?

Regulations 102 and 106 of the Representation of the People (England and Wales) Regulations 2001 (as amended)mean that registered political parties can apply for a copy of the full electoral register, but they can only supply, disclose or make use of the information therein for “electoral purposes”. As far as I can see “electoral purposes” is nowhere defined, and, accordingly, I suspect it permits relatively broad interpretation, but, nevertheless, it clearly limits the use to which a political party can make use of electoral registration information.

With this in mind, it is worth considering whether the apparent use of such information by the Labour Party, in a new website widget, is a use which can be described as “for electoral purposes”. The widget in question invites people to submit their name (or indeed anyone else’s), email address and postcode and it will tell you how many voters in the country have that name. Thus, I find that there are 393 voters who have the name “Christopher Graham”. The widget then encourages users to register to vote. In small print underneath it says

in case you’re interested, this tool uses an aggregate figure from the electoral register and we’ve taken steps to protect the privacy of individuals

Well, I am interested. I’m interested to know whether this use of the electoral register is purely for electoral purposes. If it is, if its purpose is to encourage people to register to vote, then why does it need an email address? The widget goes on to say

The Labour Party and its elected representatives may contact you about issues we think you may be interested in or with campaign updates. You may unsubscribe at any point. You can see our privacy policy here.

But if they are using the electoral register to encourage people to give up email addresses which may then receive political marketing, surely this is stretching the use of “for electoral purposes” too far? Moreover, and despite the small print privacy notice, and the almost-hidden link to a generic privacy policy, any emails received by individuals will be likely to be sent in contravention of Labour’s obligations under The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which give effect to the UK’s obligations under Directive 2002/58/EC. This is because regulation 22 of PECR prohibits, in terms, the sending of electronic direct marketing (and promotion of a political party constitutes such marketing) without the prior consent of the recipient. Consent, the Directive tells us, must be “a freely given specific and informed indication of the user’s wishes”.  A vague description, as the widget here gives us, of what may happen if one submits an email address, and a statement about unsubscribing, do not legitimise any subsequent sending of direct marketing.

The email address I used is one I reserve for catching spammers; I’ve not received anything yet, but I expect to do so. I would be prepared to argue that any email I receive cannot be said to relate to the electoral purpose which permit use of the electoral register, and will be sent in contravention of PECR.  As I said recently, one of the key battlegrounds in the 2015 general election will be online, and unless action is taken to restrain abuse of people’s personal information, things will get nasty.

1The legislation.gov.uk doesn’t provide updated (“consolidated”) versions of secondary legislation, so there’s no point in linking to their version of the regulations.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

4 Comments

Filed under consent, Data Protection, marketing, PECR, privacy notice

Data protection implications of sale of Tesco Clubcard company

 

News that Tesco is considering selling its loyalty card business Dunnhumby raises questions about what might happen to cardholders’ personal data

In 1995 the then Chairman of Tesco, Lord MacLaurin, reportedly said to the creators of the Tesco Clubcard scheme

What scares me about this is that you know more about my customers after three months than I know after 30 years.

Since then the sophistication and power of data analytics have increased exponentially and Dunnhumby claims it analyses data from 770 million-plus customers, about 16.5 million of whom are – it seems – Tesco Clubcard members. Dunnhumby, as a data processor for Tesco, processes the personal data of those millions of members, so what happens if the business is sold? Does the customer database also get sold? If so, what are the data protection implications?

Sales of customer databases can be effected lawfully and in compliance with the Data Protection Act 1998 (DPA), as the Information Commissioner’s Office explains in helpful guidance

When a database is sold, the seller must make sure that the buyer understands that they can only use the information for the purposes for which it was collected. Any use of this personal information should be within the reasonable expectations of the individuals concerned. So, when a database is sold, its use should stay the same or similar. For example, if the database contains information obtained for insurance, the database should only be sold to another insurance-based business providing similar insurance products. Selling it to a business for a different use is likely to be incompatible  with the original purpose and likely to go beyond the expectations of the individuals.

The operative words there are, I suggest “expectations of the individuals concerned”. “Reasonable expectations” are strongly linked to the first principle in Schedule One of the DPA, which requires that “personal data shall be processed fairly and lawfully…”. The interpretative provisions in Part II of Schedule One explain that broadly, for processing to be fair, data subjects should be told who is doing the processing, and why. These provisions are the genesis of the “privacy notices” and “privacy policies” which so few of us take the time to read. But their Clubcard privacy policy is where things might become problematic for Tesco in the event that they propose to sell Dunhumby and cardholders’ data. As twitter user @NoDPISigma points out, the Customer Charter says

We would like to reassure you that your personal details are safe with us and will never be released to companies outside the Tesco Group for their marketing purposes

and the separate Privacy and Cookies Policy also says

Your personal information is safe with us and will never be released to companies outside the Tesco Group for their marketing purposes

Although at first blush it is difficult to see that as anything other than an unequivocal promise that cardholders’ personal data will never be sold, the rub is in the phrase “for their marketing purposes”. If the sale of Dunnhumby and cardholders’ data is to another company in order that that other company can continue to operate the Clubcard scheme on behalf of Tesco then, as long as that was all that the data continued to be used for, I don’t think it would be a release of personal data to a company for that company’s marketing purposes. If, however, the purchasing company intended to use the data for its own marketing purposes, then the sale might be a breach of the charter promise – and, in that event, it would be strongly arguable that the sale could give rise to a serious contravention of Tesco’s obligation (at section 4(4) of the DPA) to comply with the fairness principle.

And among those 16.5 million Clubcard holders there are likely to be some awkward so-and-sos who might bring legal challenges in those circumstances.

[This post was edited because in its first draft it failed properly to consider the issue of data controller/processor. Thanks to Rich Greenhill for prompting me into a redraft]

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under Data Protection, marketing