Less than ideal

Last week, Stephen Lee, an academic and former fundraiser was reported as having attacked the Information Commissioner’s Office for their interpretation of direct marketing at a fundraising conference. It was, he said “outrageous” that the Commissioner’s direct marketing guidance stated that any advertising or marketing material that promoted the aims and ideals of a not-for-profit organisation was covered by Data Protection. According to Lee, only fundraising activities should be considered to be marketing.

[NB: Third Sector articles are sometimes open to all and sometimes limited to subscribers. If the links don’t work, please accept my apologies!]

He is quoted as saying “Who says that’s right? Just the ICO. Who did it consult? No one.” and  went on to say “Why and how and in what way should we be compelled to comply with that proposition?”

Who says that’s right? Who did the ICO consult? Well, let me see now.

1) The Council of Europe

In 1985, the Council of Europe issued a Recommendation on the protection of personal data used for the purposes of direct marketing. The definition of direct marketing includes both the offer of goods or services and “any other messages” to a segment of the population. The recommendation predates the guidance Mr Lee disparages by more than 30 years.

2) The 1995 Data Protection Directive

The Directive makes clear that direct marketing rules apply equally to charitable organisations and political parties as they do to commercial organisations, and emphasises the need for people to be able to opt-out of direct marketing. By redrawing the definition, Mr Lee would contradict this fundamental right.

3) The Data Protection Act 1998

Given that Mr Lee feels qualified to make bold statements about the interpretation of the Data Protection Act, it’s odd that he doesn’t seem to have taken the time to read it. Section 11 of the Act states that the definition of Direct Marketing “the communication (by whatever means) of any advertising and marketing material which is directed at particular individuals”. The important word there is “any” – organisations do not get to pick and choose which of their promotional messages are covered and which are not.

4) The Privacy and Electronic Communications Regulations 2003

PECR sets up the rules for consent over electronic direct marketing (consent for automated calls, opt-out and TPS for live calls, consent for emails and texts). It does not define direct marketing, but instead says this “Expressions used in these Regulations that are not defined in paragraph (1) and are defined in the Data Protection Act 1998 shall have the same meaning as in that Act”. Therefore, the DPA definition applies to PECR.

5) The Information Tribunal (now the First Tier Tribunal)

In 2005, the Information Commissioner served an Enforcement Notice on the Scottish National Party after they repeatedly and unrepentantly used automated calls featuring Sean Connery to promote the party in the General Election. The SNP appealed, and in 2006, the Information Tribunal considered the issue. One of the main elements of the SNP appeal was against the ICO’s definition of direct marketing. Although the case is about a political party, the ICO’s submissions are based on the proposition that charities as well as political parties are covered by the definition of direct marketing, and that the definition cannot be restricted to fundraising alone. The Tribunal accepted the ICO’s view in full, and dismissed the appeal.

6) The charity sector and anyone else who wanted to be consulted

The ICO may have issued guidance in the 1980s or 1990s on the definition of direct marketing, but the idea that promoting aims and ideals is part of it has been their view since 1999. In guidance issued on the precursor to PECR, the ICO stated clearly that direct marketing includes “not just to the offer for sale of goods or services, but also the promotion of an organisations aims and ideals”. They specifically mentioned charities, as they have ever since. Virtually every iteration of the ICO’s guidance on PECR and direct marketing has been subject to public consultation – indeed, the very guidance Lee is talking about was subject to a public consultation.

Here’s the problem. Lee is an Honorary Fellow of the Institute of Fundraising, and has a long association with it. The IoF has been the most consistently pernicious influence on the charity sector’s compliance with data protection and privacy law in the past ten years. Their guidance and public utterances on data protection are often misleading, and they recently had to change their own Code of Practice because it was legally incorrect. At best, they haven’t noticed the ICO position on charities and direct marketing for more than 15 years. At worst, they deliberately ignored it in favour of an interpretation that largely suits fundraisers. Lee complained at the conference about the “appalling” communication between the ICO and charity umbrella bodies, but Richard Marbrow of the ICO summed the problem up all too well:

One of the things the sector asked for was clarity, and I will try and bring you that. The trouble is, if you then say ‘we don’t like that clarity, could we have some different clarity please?’, we’re not going to get on very well.”

The most important thing about Lee’s outburst is the subtext – if any form of communication is not covered by the definition of direct marketing, then your consent is not required  in the first place and you have no right to stop receiving it. His interpretation is nonsense, but it is also ethically unsound. At its most basic level, privacy means the right to be left alone, the right to have an area of your life which is yours, which others can’t intrude into. Lee seems to want to erode that right. If his view was correct (it’s not), charities could bombard people with phone calls, texts or emails to tell them how marvellous they are, how important their work is, how vital they are for society. As long as they don’t ask for money, the logic of his argument is that people wouldn’t be able to stop them.

Lee’s other question (“Why and how and in what way should we be compelled to comply with that proposition?”) has an easy answer. Ignore it. Carry on breaching the law, ignoring the rules. I went to the cinema last night and saw adverts for two different charities that plainly breached PECR, so that seems to be the plan. Given that the furore over charities began with an innocent person bombarded with unwanted correspondence, it’s remarkable that senior figures in the charity sector are ready for another go, but if Mr Lee wants to drag charities’ reputations deeper into a swamp that they share with PPI scammers and payday loan merchants, he’s welcome.

But the ICO should not listen to their concerns, or open friendly channels of communication with the sector. They should apply the law firmly and regularly until the charities get the message. If this results in more enforcement against charities than other sectors, that will be only because the big charities are among the worst offenders and they haven’t put their houses in order. If charity giving suffers as a result, even amongst the many charities that have not transgressed, they should stop blaming others and look to their fundraisers, their colleagues and themselves.

Charity letters

I have written a lot recently about the issue of charities and marketing, and especially as I have another post on the boil concerning the same issues, I had intended to keep my head down for a few weeks and talk about something else (or even, as a friend suggested to me today, nothing at all).

However, I have a short update before the next onslaught. A lot has been made about the idea that after the death of Olive Cooke, the Information Commissioner suddenly woke up to the problem of charity marketing, and in the opinion of one charity journalist “moved the goalposts” by requiring charities to change their approach to the TPS in particular, and the Privacy and Electronic Communications Regulations in general. It is to this topic that I intend to return.

Nevertheless, the Information Commissioner, Chris Graham, told the Public Administration and Constitutional Affairs Committee in October that his office had in fact written to 8 major charities, drawing their attention to issues related to PECR and marketing. At least one charity chief executive (Mark Wood of the NSPCC) denied that his charity was among them, but he has now been obliged to reveal that the NSPCC was in fact one of the eight.

At the time, I made an FOI request to the ICO, asking for a copy of the letter and the names of the eight charities. I was intending to sit on the response for another purpose, but the information is clearly destined for the public domain anyway.

The eight charities were: Barnardos, the British Heart Foundation, British Red Cross, Christian Aid, Great Ormond St, Macmillan Cancer, the NSPCC, and Oxfam.

The letter is very straightforward – it does not refer to specific complaints, as complaints were being funnelled towards the Fundraising Standards Board at the time (the same FRSB which now faces abolition). However, the letter clearly draws each charity’s attention to the Information Commissioner’s guidance on Direct Marketing. That guidance is clear, robust, and written in plain English, with none of the hesitancy or fence-sitting that ICO guidance sometimes demonstrates. It is very strong on the need for clear, unambiguous consent. It is explicit that charity’s promotion activities are direct marketing. And one paragraph leaps out at me:

Organisations can make live unsolicited marketing calls, but must not call any number registered with the TPS unless the subscriber (ie the person who gets the telephone bill) has specifically told them that they do not object to their calls. In effect, TPS registration acts as a general opt-out of receiving any marketing calls

If the charities contacted by the Commissioner acted responsibly, they would have immediately sought out the guidance to which the ICO letter referred. It would be remarkable if they did not. If they did, and then did not recognise that the full force of the law did indeed apply to them, it is hard to imagine how. Mr Wood has put his head above the parapet. Oxfam  denied receiving the letter when in front of the Committee (my FOI response confirms that they did). It would be good to hear from the others.

Consenting adults

Around two months ago, the Etherington Review into charity fundraising and governance published a series of recommendations about the way the sector should be run. The most eye-catching and ridiculous is the Fundraising Preference Service, which I wrote about at the time. The reaction to the FPS from charities has been almost universally negative, with a series of articles appearing in charity publications and on charity websites, all condemning the idea that the public should be able to stop communications from charities.

There is nothing in Data Protection, the Privacy and Electronic Communications Regulations (PECR) in general or the Telephone Preference Service (TPS) provisions in particular that stops a charity from contacting a person who wants to be contacted. The FPS is non-statutory, and so cannot change it. Since 1995, Data Protection law has been built on a requirement that any contact based on consent requires a freely given, specific and informed indication of the subject’s wishes. That’s what the Directive says, so any claim that somehow the upcoming DP Regulation represents a significant shift in how consent works is exaggerated. The problem for some charities is they have ignored this. When I make a donation, that is a freely given, specific and informed indication of my wish to make that donation. If the charity wants to call me, or text me and rely on consent, they need a freely given, specific and informed indication that I want to be called.

The current practice of charity posters that ask for a quick £3 or £5 text donation for a specific cause are a classic example of how this doesn’t work. Yes, there is minuscule small print on the poster that indicates that further calls or texts will be made and I can opt-out, but unless one has carried a magnifying glass onto the Tube or into the toilet cubicle, the text is impossible to read, and easy to overlook. Many charities using the one-off donation technique seem to be doing so to harvest mobile numbers for fundraising calls. In Data Protection terms, this is unfair and does not represent consent (breach of the 1st principle); in PECR terms, if the number is on the TPS, the charity has not obtained consent and any calls made to a TPS registered number harvested in this way will be unlawful.

An article in Civil Society published shortly after the FPS proposals were first mooted contains this key quote:

The idea is that members of the public would be able to simply and easily add their names to a “suppression list” so they would not be contacted by fundraisers. Rather than rely on charities using the existing mail and Telephone Preference Services, the FPS would allow you to put a stop to all contact with charities.

The TPS already allows you to put a stop to all contact with charities by phone, along with everyone else. Charities are not unfairly discriminated against by the TPS, any more than any other sector might be. The TPS is a blunt instrument, but it is a fair one. The fact that charities see the FPS as being a problem suggests to me that they either don’t understand the TPS (they believe the donation = consent nonsense), or they think they can ignore it. Civil Society reported at the end of October that the Institute of Fundraising (which represents, remember, organisations that make money out of fundraising, rather than charities themselves) was changing its guidance in line with the expectations of the Information Commissioner’s Office. The IoF nevertheless claims that this change (i.e. complying with PECR) “unduly” restricts the ability of charities to “maintain relationships with their supporters“.

Donation = consent isn’t the only myth that has been propagated. Civil Society’s David Ainsworth claimed a few weeks ago that all the blame lies at the door of the ICO (and that’s often a valid argument). The problem is, the story isn’t true. Ainsworth said “In 2010 David Evans, a senior data protection manager at the ICO, explicitly told charities they were allowed to call people registered on the TPS, so long as they received no complaints. Just in case there was any doubt, this was followed up with official guidance which effectively said that the ICO did not intend to apply the law to charities.” I asked Ainsworth on Twitter if he could provide evidence that this is what the ICO said. All he could provide was a note written by the Institute of Fundraising, who are hardly objective. But even that note contradicts Ainsworth’s article, stating the TPS position clearly, with only a little bit of nuance.

TPS regulations ‐ any person registered on the telephone preference service (TPS) cannot be called unless they have advised the calling party that they are happy to receive calls. In practice, a charity might judge that, given the nature of the relationship between them and the supporter, they might be able to make a marketing call to that subscriber despite TPS registration.

In truth, what Evans said is a line I have heard many times from different ICO people – if a data controller thinks it has consent, acts on that consent, and crucially, the ICO doesn’t receive any complaints, then they probably had consent. In other words, the ICO won’t act on complaints it hasn’t received. The ICO did not give charities an exception. Should any charity have bothered to investigate, they would have found that ICO has no power to do so. The problem was, as Christopher Graham told Parliament last month, there were thousands of complaints about charity direct marketing, but they were all going to the Fundraising Standards Board, a self regulatory body that regulates the Institute for Fundraising’s code. The FRSB did not pass any of the complaints on to the Information Commissioner.

**UPDATE: originally, this blog said that the Fundraising Standards Board was ‘run by‘ the Institute for Fundraising, which was poorly worded shorthand, treating the IoF as if they are the embodiment of fundraisers and charities. The FRSB is a membership body, paid for by its members (who are charities and fundraisers), and its role is to act as a self-regulator for the Code of Fundraising Practice drawn up by the IoF. I don’t believe that the FRSB is properly independent of the Institute for Fundraising not least because they ‘enforce’ a code written by the IoF, and which was legally inadequate. I’m not the only person who thinks this: post-Etherington, the FRSB is being abolished, and responsibility for the Fundraising Code is being transferred to a new regulator. The IoF’s Chief Executive welcomed the new regulator’s creation (tacitly welcoming the abolition of the FRSB), and recognised that moving the Code from the IoF to the new regulator was necessary to avoid the perception of a ‘conflict of interest‘.**

The biggest barrier to charities accepting legal reality – either by complying with the TPS, or with some workable version of the FPS if such a thing is possible – may be the fact that some in the sector don’t really believe in consent at all. Matthew Sherrington, a consultant writing in Third Sector this week, wasn’t exactly subtle: “The awkward truth, which is difficult for charities to argue publicly, is that the generous public (the UK is the most generous in Europe, as it happens) do not give off their own bat, but need to be asked” (my emphasis). The same argument was made by Ian MacQuillin, blogging on behalf of Rogare, a fundraising think tank: “Everyone knows that most people give because they are asked to do so” and later on “I suspect that the FPS would be used not just by people who really are on the receiving end of such a deluge of fundraising material that it was making their lives a misery; but more by people who want to spare themselves the difficult choice of deciding how to respond to a donation request, and the guilt and cognitive dissonance that results when they say no“. The thinking that runs through both articles, and others, is that fundraisers must be able to ask, that the potential donor / prospect / target (which is what we all are to the fundraiser) should not be allowed to opt-out of being asked. We should have to listen to the pitch, and should be forced into the awkward, embarrassing (or in MacQuillin’s word) guilt-ridden option of saying no. There is, in this world, something inappropriate, even immoral in having a choice about whether to be approached in the first place.

**UPDATE: I have had a long Twitter conversation with Matthew Sherrington. He hasn’t put a comment on the blog (which he and anyone is welcome to do) but he thinks I have misrepresented what he said about consent and marketing, and I think that I should mention this. I stand by my comments above, but I’m linking to his article again here so you can read it and make up your own mind about what he says.**

It’s possible that fundraisers and consultants genuinely don’t understand the TPS, don’t understand that it’s already supposed to be possible to opt-out of every marketing phone call, or that texts and emails are opt-in in the first place. Fundraisers see widespread abuse of PECR and Data Protection, so assume that it’s all fine and that daft proposals like the FPS represent unfair singling out of the charity sector. At this point, it is fair to criticise the Information Commissioner for their generally insipid enforcement. I think there is also a sense of entitlement among charities (which is one thing, as most charities have a clear public interest objective), but also among fundraisers (who are, in the main, just private businesses making a profit). There are no exemptions. There is no charity carve-out or defence. The European Data Protection Directive, from which everything in UK DP and PECR law is derived, makes clear that charities are included along with everyone else. It’s in article 30, if you’d like to check.

In amongst all of the anger and self-justification available in the charity press, one article in Civil Society also caught my eye: “Trust in charities is at its lowest point since 2007, with charities now less trusted than supermarkets“, according to a survey carried out by npfSynergy. Some might blame the Daily Mail and Camila Batmanghelidjh, but purely anecdotally, on every training course about direct marketing that I have run in the past five years, the main examples people come up with for poor quality, persistent, sometimes rude marketing calls are either PPI or charities. Fundraisers and charities alike need to ask themselves if they want to be in company with spivs and spammers. Rather than try to rewrite history, or the law, or continue to adopt an approach based on pestering and guilt, perhaps the big charities should look at a business model that is bringing them into disrepute. There is a real question about how they raise funds without marketing calls and other contacts to people who don’t want to receive them but the only solution to this is to get PECR and the DPA amended to remove charities from the marketing requirements, but as this would deprive the public of their existing rights and mean that the UK is in direct breach of EU law, I doubt they’ll get very far. I still think the Fundraising Preference Service is unnecessary in the light of existing provisions, but if it is implemented in some meaningful form, and finally gets the message across to the most unrepentant of charity spammers, maybe I’m wrong.

King Canute famously stood in the waves and ordered back the sea, but only to show that his powers were limited. Some charities and fundraisers are up to their necks in water, but think that they have the ability and the right to turn the tide of history. If they don’t wise up, they will drown.



Following some fine investigative work, the Daily Mail was today content to declare “VICTORY” in its battle against rogue fundraisers and their equally shameless charity employers. The Mail’s apparent triumph is the publication of a government approved review by the National Council for Voluntary Organisations and chaired by Sir Stuart Etherington, the NCVO’s Chief Executive. There are a variety of recommendations about the regulation of charities, but as I am not an expert, I don’t know whether they improve matters. One eye-catching notion is very much on my territory, and if I wanted to be unkind, I would suggest that it was an outrageously opportunistic stitch-up.

The review suggests the creation of a Fundraising Preference Service, which would allow participants to “reset” their relationship with all charities. Anyone signed up to the ‘FPS’ could not be contacted by charities, thus finally lancing the boil of charity pestering. The report observes “At the moment there is no way to ‘opt-out’ of being approached by fundraisers other than contacting the organisation concerned directly and relying on their good will to unsubscribe an individual.” This statement is so wilfully incorrect, one might almost call it a lie.

The Telephone Preference Service applies to any organisation – including charities – who wants to call any person for marketing purposes. Exactly the same model proposed for the Fundraising Preference Service already applies to the TPS – nobody can call you unless you specifically tell them that they can. Some large charities routinely ignore the TPS, but there is the possibility of a civil monetary penalty under the Privacy and Electronic Communications Regulations (PECR) for breaching the TPS requirements. Moreover, no opt-out is required for email or text, because marketing can only happen by those methods on an opt-in basis.

The water is slightly more murky for postal marketing which is not covered by the stricter rules of PECR, but only if a charity is not a member of the Direct Marketing Association, which requires its members to be members of the Mailing Preference Service. The MPS is imperfect, but it already exists.

A person does not need to rely on the “goodwill” of a fundraiser or charity if they demand an opt-out from marketing. Section 11 of the Data Protection Act gives every person the right to demand that marketing cease or not begin – to ignore such a request is unlawful. Goodwill does not come into it, although Section 11 is not mentioned anywhere in the review.

It gets worse. Rather than the maximum £500,000 civil monetary penalties or enforcement notices backed by the threat of prosecution available under PECR for breaches of the TPS, the Etherington Review press release offers this terrifying alternative “Charities which seriously or persistently breach the rules would be named and shamed and could be forced to halt their fundraising until problems are resolved.” They may even be sent to bed early without any pudding. The review suggests an unnecessary addition to the existing framework, with weaker penalties for transgressors.

No version of the Fundraising Preference Service makes any sense. Assume for a moment that existing laws are left entirely as they are – charities and fundraisers would be obliged to screen against both the TPS and the FPS, as well as the MPS if they are DMA members. I have no problem with this if that’s what they want to do, but in reality, I suspect many of the charities who currently ignore or pay lip-service to the TPS would use the new system as an excuse to forget it altogether.

But what if it was worse? Couldn’t the charities argue that with their brand new preference service, clearly designed to prevent the menace of unwanted charity marketing, these other blunter tools were not required? What would be the point of charities doing double or triple-screening? If the Fundraising Preference Service gets any traction, I guarantee that somewhere along the way, the suggestion will come that charities should be exempted from the TPS and the MPS. Why not cut out the unnecessary bureaucracy? Once charities were exempted, there would be a bonanza, an orgy of calls and contacts to everyone not registered, all perfectly justified, so long as the charities can find a minister daft enough to believe that PECR should be amended to reflect their new system.

*Harry Hill look to camera*

If the FPS is to to exist, I can only think of two ways in which it could work fairly. The first is that everyone who is already registered on the TPS or the MPS should be automatically migrated onto the FPS. If people really don’t want to be contacted by other organisations, but do want to hear from charities, they only need to tell their favourite good cause this good news. Alternatively, the FPS could be an opt-in list of people who actively do want to hear from charities, and everyone else must be left alone. But I don’t think the FPS should exist at all. At best, it is a massively ill-informed gimmick, and at worst, a Trojan Horse for one last delirious orgy of spam. Much simpler alternatives exist within the current law, and I can set out very easily how the problem can be solved.

  1. The rogue charities finally stop pretending that they do not understand the law. They accept that cannot call someone who is on the TPS, even if the person has donated, even if they are regular donors. Charities cannot call them unless they say, explicitly and without any persuasion or prior contact, that they actively want the charity to contact them, and they specify the method by which they want to be contacted by. This opt-in can only be obtained by the charity, and not by any agent or contractor. In the absence of a freely given opt-in, charities never contact anyone on TPS again. They find ways to generate income that do not breach the law.
  2. The Mailing Preference Service – which already exists after all – is made statutory for charities (in fact, it should be made statutory for all organisations).
  3. The Information Commissioner identifies a few high profile charity miscreants. To avoid the outcry that might (only might) result from a monetary penalty that hoovers up charity donations, they use the Enforcement Notice method. Force the chosen few to respect the TPS, or mail opt-outs, or require them to get explicit consent before sending texts. Make it clear that if the notices are breached, as far as possible, Section 61 of the Data Protection Act will be used to prosecute the senior officers of the charities as well as the charities themselves. Alternatively, bite the bullet and issues some CMPs. Let the targets howl, ride the inevitable bleating of the fat cats, then see what happens afterwards. If charities had to explain why their fundraising tactics resulted in large donations to the Treasury, I suspect those tactics would end.

The problem of charity marketing would never have become so out of control if the Information Commissioner had ever taken any action to stop it. But nearly all of the ICO’s DPA enforcement is on procedural or security issues – they almost never challenge something that is core to an organisation’s business model. They have done this under PECR, but only for the shady PPI and Cold Call Blocking merchants. PECR enforcement on the charities will cost them money, and I fear that the ICO lacks the nerve. The wayward charities have operated with impunity and their unlawful activities have generated income. The FPS is a self-serving wheeze that is not the answer – any charity that will not voluntarily comply with the existing system will happily flout this new one. Before the Fundraising Preference Service goes any further, the ICO has to act firmly and decisively, or the problem of rogue charity marketing may get worse.

Optical illusion

It’s a horrible week for news, and even if you ignore that, it’s a horrible week for Data Protection news, with charities up to their usual tricks, WHSmith and HMRC spraying their correspondents with other people’s correspondence, and in the middle of it all, the unforgivable mishandling of sensitive personal data at a sexual health clinic. Nevertheless, despite all of this, the First Tier Tribunal has delivered a little bit of good news which should gladden the heart of anyone who cares about Data Protection.

Last year, the Information Commissioner served an Enforcement Notice on Optical Express under the Privacy and Electronic Communications Regulations. Optical Express were ordered to send marketing emails and texts only to those who had directly given consent. As the appeal makes clear, Optical Express were relying on vague permissions obtained years in the past by different companies. They claimed that if a person has ever consented to marketing from anyone, anywhere, any marketing received from Optical Express was solicited and therefore lawful. This is bollocks, although somehow the Tribunal found different words to rebuff the argument. Optical Express lost, and must now appeal or start actually getting consent from real people before hawking their wares.

I’ve been waiting for the decision ever since the appeal was announced. In late Spring, I started to receive unsolicited emails from a variety of dodgy sounding companies – funeral planners, solar panel vendors, claims management companies, the usual parasites. Although my personal data is spread far and wide because I enter a lot of competitions, I’m as pedantic with T&Cs and tick boxes as you would expect me to be. The only spammer that could remotely count as a household name was Optical Express. They caught my eye (BOOM!) because of the Enforcement Notice and appeal, but also because Optical Express were the only ones to send me texts as well.

I contacted Optical Express to ask them where they had obtained my personal data from, as I have never had any dealings with them, nor have I ever consented for my data to be passed to them.

I don’t know whether Optical Express actually hold my email address because they won’t tell me and in any case, they seem to be using an affiliate marketer. The affiliate model is a marriage of convenience between a company who wants to advertise and a spammer or network of spammers with a list of email addresses. The spammers send the spam, but they’re hard to track down. The companies often don’t hold the data, and get plausible deniability when the recipient complains. Under PECR, the advertiser is still the instigator and is legally responsible, but until there is a clear ICO or court case involving affiliates, the spamming will not stop.

My own enquiries have led me to believe that Optical Express are using a Moroccan-based affiliate marketer called Youssef Zarouk, although for many months they have refused to tell me why I received their emails or who sent them, despite many emails to their customer service department and a letter to their Chief Executive. Optical Express are welcome to deny and disprove this if they finally have the good manners to answer my questions about the matter. I emailed Mr Zarouk to ask how he got my email address, after I obtained his address from an outfit called ‘Plan My Funeral’ (who are everything you might imagine them to be). He didn’t reply.

One thing Optical Express were willing to tell me is that they bought my mobile number from a company called Interactive Prospect Targeting, which is surely what a company that harvests personal data for marketing purposes would be called in a cartoon. Perhaps in recognition of how needlessly explicit their company name is, IPT is now called MyOffers, which was previously just the name of the competition website they use to hoover up personal data. Long, long ago, I used to enter competitions on MyOffers website, but I haven’t used the site for many years, and in 2013, I exercised my rights under Section 11 of the Data Protection Act to prevent IPT / MyOffers / Whatever They’re Called from processing my data for marketing purposes. This includes selling my data for marketing purposes.

I contacted MyOffers. After the traditional delay requiring me to contact them a second time which appears to be a list-broking industry standard, MyOffers informed me that I had rejoined their service in December 2014, after I allegedly filled in a survey hosted by another company called EDR, where they claim I opted in to receive calls from nPower and offers from MyOffers. MyOffers do not have any evidence of this, and could only provide me with a sample survey that I had never seen before and had not filled in. Weirdly, despite the claim that I consented to receiving marketing from nPower, they have never been in touch.

Having received the data from EDR (who are now trading as Progressive Digital Media), MyOffers sold my number to Optical Express, the Claims Advisory Group, Experian (of whom more later) and Digitonic, a text marketing company based on Scotland. Both CAG and Digitonic were very helpful when I approached them and keen to reassure me that they would neither use or sell my data on. However, they should look at the quality of data that they are buying, and who from, especially in the light of what Experian told me. Experian is inaccurately described as a credit reference agency; credit checking is only one part of its massive data capture and selling activities, which is why I sent Experian a Section 11 in 2012, and they were happy to tell me that it still stands. Experian told me that MyOffers provided my mobile number appended to a postal address that I moved out of in 2001. How this fits with MyOffers claim on its website that “MyOffers Data Rental is the UK’s leading source of fresh lifestyle data for direct marketing campaigns” is not something I can explain. Retaining and selling personal data for 14 years after it is out of date is clearly a breach of the 4th Data Protection principle, but I will leave that between MyOffers and their customers.

MyOffers did not explain to me why their purchase of my data from a third party negated my Section 11 with them. They did not contact me at the time to ask whether I wanted to withdraw the Section 11 or decide to respect it when they received my data. They simply assumed (on the basis of no evidence) that I had given my consent to a third party and they were entitled to sell my data again. The best MyOffers could offer me is that I am now on their ‘do not contact’ list, which will apparently mean that my data will be genuinely suppressed. They have, despite my asking them, not explained why I was not put on this ‘do not contact’ list in 2013. The compliance officer’s approach to due diligence and consent went no further than the claim that the company had bought 155 surveys from Progressive Digital Media, and nobody else had complained. This is the same compliance officer who signed my Section 11 response in 2013. He’s also a director of the company.

I contacted Progressive Digital Media. They held some data on me going back to 2007 which appeared to be from a guarantee I had filled out in 2005, but my mobile number had been obtained on their behalf by a company called Data Marketing and Research (DM&R), who apparently ran a survey hosted on the competitions section of the What’s On TV website. What’s On TV is owned by Time Inc, and their privacy policy describes DM&R as “a supplier engaged by Time Inc. (UK) Ltd to provide a selection process for winners in competitions entered on the site and the provision of prizes”. Whether this adequately covers DM&R running surveys on behalf of PDM on behalf of MyOffers so that personal data can then be sold to Optical Express is a question that I will leave for you to answer.

The response I received from DM&R was long but incoherent. Registration on the What’s On TV website includes a very clear section allowing users to sign up to enter competitions but opt out of any marketing either from Time Inc. itself, or from “carefully selected third parties”. It should be opt-in really, but there is no question that the registration form, and the text that appears if you sign up via an individual competition is very clear. I definitely did sign up to the What’s On TV site in 2012 to enter a competition, but not even DM&R claim that I opted in to receive marketing when I registered and when I checked, my marketing permissions are still set to nothing from anyone.

DM&R are the true source of the claim that I (or someone using my details) opted in to receive marketing from MyOffers and nPower.  The problem is that I didn’t fill in any nPower survey, not least the one that MyOffers showed me. DM&R’s sole piece of evidence that I consented is an IP address which means nothing to me and doesn’t match the one my Mac currently uses. When I asked them to provide the wording that I had allegedly signed up to or real evidence that I had consented, DM&R said they needed to wait for their Data Protection officer to come back from holiday. I’m still waiting.

This is how Optical Express obtained my mobile number: through a congealed, undignified mess of agents and brokers operating with all the finesse of a dodgy garage welding together smashed up cars. When they claim to be sending solicited marketing, this is what they mean.

Type ‘list broker’ or ‘affiliate marketing’ into your search engine of choice (anyone for Ecosia?) and what you get is a swamp. Data is bought and sold from any and every source. Much of it is obtained unfairly and without consent, and then flogged to anyone willing to pay. The Data Protection Act is routinely flouted in pursuit of the bottom line. I would normally use this as an excuse to attack the Information Commissioner for not tackling the problem, but today, that is the wrong line to take. The ICO has done good work here, and the Commissioner’s statements about consent this week in relation to the scandalous case of Samuel Rae are very welcome. The only thing to say is that I would like to see more of it.