No

The rules about marketing are often presented as complex and confusing. When an organisation is punished under the Privacy Regulations by the Information Commissioner, they sometimes claim that they have been foxed by the pettifogging complexity of the rules. Amber Windows received a £50,000 civil monetary penalty from the Information Commissioner’s Office under PECR at the start of April. The Managing Director, Ben Roberts, told his local paper that Amber would appeal as “we always try our best to work within the law, which is constantly changing“. The rules for live calls – the issue that Amber was fined for – haven’t changed since 2003. These rules are very clear.

Data Protection gives everyone a universal opt-out from all direct marketing. No matter what previous relationship exists, what previous agreements or consents are in place, Section 11 says that the subject can require any direct marketing to cease. The only difficult element is a practical one – Section 11 also allows a person to require an organisation “not to begin” direct marketing. This can put the organisation in the awkward position of having to keep the person’s details solely so that they know not to market to them, but it’s not difficult to understand in the abstract. Either way, Data Protection allows a person to say to any data controller that they don’t want marketing.

PECR is more complex, but only because it does not have a single simple rule. But the rules themselves are straightforward:

  • LIVE PHONE CALLS: you can call anyone you like, as long as they are not registered with the TPS, and as long as they have not told you specifically not to call them. In summary, it’s OPT-OUT.
  • TEXT and EMAIL: you need consent from the recipient of the marketing. You cannot rely on an opt-out unless you have obtained their details as part of a sale or negotiations for a sale (which pretty much rules out charity and public sector messages). If you buy the person’s details from someone else, you will need evidence that they consented to hear from you. In summary, it’s OPT-IN.
  • AUTOMATED CALLS: you need specific consent for automated calls – consent for marketing in general or live calls is not enough. There is no option for the so-called ‘soft opt-in’ mentioned above. In summary, it’s OPT-IN

The fact that the target of the marketing has made an enquiry, or is a current or previous customer is irrelevant. The above rules always apply. There are no exemptions.

As I say, the rules are not complicated. The problem is that some organisations that want to do marketing don’t like the rules, because they all give the customer a choice. As an illustration of how little respect some marketers have for the rules, yesterday I received PECR and DP breaching emails from three different organisations. Both Cineworld (of whom I am an Unlimited Card customer) and Expedia (with whom I have previously booked hotels) emailed me with the same concern. Both companies wanted to point out that I have not opted in to receive their marketing emails, and both wanted to offer me the option of receiving them. Look at these wonderful things you’re missing out on, they said. Don’t you want to change your mind?

Both Cineworld and Expedia’s emails were direct marketing. They were designed to promote free screenings and special offers. Telling me what I am missing out on is just another form of direct marketing – as the ICO’s own Direct Marketing guidance sets out in paragraph 66. I suspect the companies think that this is a clever wheeze, but there is no PECR loophole to exploit here – they’ve breached the regulations and been discourteous and patronising to an existing customer into the bargain. Even as marketing, it’s terrible.

With Cineworld and Expedia, I have simply set my email preferences a certain way, and they have tried to get around that. Experian is different. As an experiment to see what they would do, I sent a Section 11 notice to Experian in 2013, requiring them to cease or not begin to process my data, including my email address, for the purposes of marketing. They acknowledged and accepted my request. And yet, I received an email telling me how I can get a free credit check on a company of my choosing. There’s the small problem that I have absolutely no interest in the service, but there’s the larger problem that they have breached both PECR (in sending an unsolicited email without consent) and Data Protection (in ignoring my Section 11).

At this point, you might think, so what? Receiving three unwanted emails is not the end of the world. It isn’t, in itself. I could delete all of them with three clicks. It’s a matter of seconds. But that’s not the point. All three organisations have apparently decided that their need to sell me stuff is more important than my clearly expressed, legally-sanctioned right to be left alone. It’s discourteous to me and disdainful of the law. They probably calculate that this minor breach is trivial and they’ll get away with it. Organisations that ignore marketing law will probably nevertheless get a bit of custom out of doing so. This creates an uneven marketplace, and acts as a disincentive, however small, for others to comply, which will only get bigger as time goes on. The mosquito whine of a few illegal emails will build to a time-consuming and distracting crescendo as more marketers jump on the bandwagon.

Besides, we should all be concerned about Experian. Experian are commonly described as a credit reference agency, but this is a bit like saying that Tesco is a purveyor of children’s clothes. Experian is a multinational data broker. They obtain, combine and sell personal and business data across the world to a huge range of customers, including business, government and law enforcement. One unnecessary email from anyone is annoying, but the idea that Experian don’t take data laws seriously would be a significant issue for us all. What other rules do they forget about or ignore?

The rules on marketing are simple. I don’t believe that companies don’t understand them. Many (most?) comply with them, but those that don’t should be named and shamed, shunned and punished. I occasionally have rather daft arguments with enthusiasts on Twitter who think that the complexities of the internet and social media mean that we have to find new ways of consenting and transacting that go beyond tick boxes and privacy policies. To them, and to Cineworld, Expedia and Experian, I say this: Bollocks. Bollocks to all of you. Yes is yes, no is no. I have a right to choose. You might want to hawk your products, but the law is the law and it applies to all.

Clear enough?

Comments

  1. Your comments about Experian are thrown into sharp focus when one remembers that a “lapse” in the US allowed an ID Theft service to access 200 million customer records. This is big data in the truest sense.

    The problem is, what does one do about these minor irritations? Yes, the ICO can take enforcement action, but will only do so in the most egregious cases, involving lots of people and complaints. What about the cases where a company *waves at Harbour Hotels* continues to send marketing emails over a number of years, despite having received a s11 notice, simply because someone once stayed in one of their bloody hotels? I don’t have the time or energy to pursue legal action, and the ICO is unlikely to do more than send them a polite compliance unlikely message.

    What else?

%d bloggers like this: