Culture, Media and Spam

Most of the news and comment I heard about the Queen’s Speech suggested that it was a hole in the air, with the Government wanting to avoid doing anything of any consequence before the resolution of the EU vote in June. It was a surprise, therefore, to see provisions in the proposed Digital Economy Bill that will change the face of direct marketing.

At the moment, the rules for direct marketing are a mixture of Data Protection (for postal marketing) and PECR (for email & texts, live calls, automated calls and fax). PECR breaks down into subsets, with some forms of marketing requiring consent (email & text, automated calls, fax) and some done without consent and with opt-out (live calls, with the ability to opt out of all calls via the Telephone Preference Service).

But consider this line from the full version of the Queen’s Speech:

Protection for consumers from spam email and nuisance calls by ensuring consent is obtained for direct marketing, and that the Information Commissioner is empowered to impose fines on those who break the rules.

My first reaction to this was that the Department for Culture, Media and Sport were incompetent: PECR already requires consent for email, and the Information Commissioner already has the power to impose fines for breaches of consent. Whatever else, this is still true, and DCMS should explain why they are announcing things that have been in place since 2003 (consent for email) and 2011 (fines) respectively. Nevertheless, it’s impossible to interpret this sentence as meaning anything other than a change in the rules for live calls. It’s not earth-shattering: it’s only lawful to cold-call people who aren’t on TPS and who haven’t directly opted out, which is probably a minority of the overall population. But nevertheless, the proposal as written abolishes the need for the Telephone Preference Service and inverts current practice.

It certainly has the merit of neatness: PECR would make more sense if all electronic direct marketing had to be opt-in. However, it will have consequences far and wide. There are plenty of lead generators and telemarketing companies who still make cold-calls, and they would be dead in the water. I would shed no tears over this (I think the lead generation and list broking industry is fundamentally unlawful, and most of the folk in the call centres would just end up in hopefully less rancid call centres). However, killing off the telemarketing industry is bold.

It will also create an even more stark contrast with the Fundraising Preference Service, which in its current form allows someone to stop all contact with all charities. It’s not even clear whether a person will technically be able to opt-in to individual charities that they do want to hear from if they’re on the FPS. It would be moronic if this situation wasn’t clarified, but people who do moronic things tend to be good at maintaining their standards. Given that the Digital Economy Bill apparently puts all* electronic marketing on an opt-in basis, charities might legitimately argue that the FPS is unnecessary, and they would have a point.

There are other issues. If all email marketing has to be done on the basis of consent, this also presumably kills off the ‘soft opt-in’. The ‘soft opt-in’ allows a company to send email marketing on an opt-out basis, as long as the email address in question has been obtained in the course of a sale, and as long as the products being marketed are their own, and are similar to the one that was originally purchased. Requiring all email marketing to be done on the basis of consent would remove this option (NB: if you think the absence of an opt-out can be interpreted as consent, you are a moron).

Finally, the proposal doesn’t mention texts, hence my * above. Texts are as much of a nuisance for people as live calls or emails, and have been the subject of routine enforcement action by the Information Commissioner since 2011. PECR treats email and text as the same, so it’s entirely possible that the Government are treating them so. It’s equally possible that this is a back of a fag packet proposal to bulk out a weak bill in a thin speech. One indicator that this might be the case is that the Information Commissioner, explicitly mentioned in the proposal, has not reacted to it in any way. There is no press release, and not a single tweet, despite a run of tweets this week about nuisance calls and other PECR related action. One could be forgiven for thinking that they didn’t know about it (I will be doing an FOI to find out).

You might think that spinning 833 words out of a single sentence is overkill, but on the face of it, the proposed change will have a considerable impact. Like me, I hope you will be watching the progress of the Digital Economy Bill with interest.

Charity letters

I have written a lot recently about the issue of charities and marketing, and especially as I have another post on the boil concerning the same issues, I had intended to keep my head down for a few weeks and talk about something else (or even, as a friend suggested to me today, nothing at all).

However, I have a short update before the next onslaught. A lot has been made about the idea that after the death of Olive Cooke, the Information Commissioner suddenly woke up to the problem of charity marketing, and in the opinion of one charity journalist “moved the goalposts” by requiring charities to change their approach to the TPS in particular, and the Privacy and Electronic Communications Regulations in general. It is to this topic that I intend to return.

Nevertheless, the Information Commissioner, Chris Graham, told the Public Administration and Constitutional Affairs Committee in October that his office had in fact written to 8 major charities, drawing their attention to issues related to PECR and marketing. At least one charity chief executive (Mark Wood of the NSPCC) denied that his charity was among them, but he has now been obliged to reveal that the NSPCC was in fact one of the eight.

At the time, I made an FOI request to the ICO, asking for a copy of the letter and the names of the eight charities. I was intending to sit on the response for another purpose, but the information is clearly destined for the public domain anyway.

The eight charities were: Barnardos, the British Heart Foundation, British Red Cross, Christian Aid, Great Ormond St, Macmillan Cancer, the NSPCC, and Oxfam.

The letter is very straightforward – it does not refer to specific complaints, as complaints were being funnelled towards the Fundraising Standards Board at the time (the same FRSB which now faces abolition). However, the letter clearly draws each charity’s attention to the Information Commissioner’s guidance on Direct Marketing. That guidance is clear, robust, and written in plain English, with none of the hesitancy or fence-sitting that ICO guidance sometimes demonstrates. It is very strong on the need for clear, unambiguous consent. It is explicit that charities’ promotional activities are direct marketing. And one paragraph leaps out at me:

Organisations can make live unsolicited marketing calls, but must not call any number registered with the TPS unless the subscriber (ie the person who gets the telephone bill) has specifically told them that they do not object to their calls. In effect, TPS registration acts as a general opt-out of receiving any marketing calls.

If the charities contacted by the Commissioner acted responsibly, they would have immediately sought out the guidance to which the ICO letter referred. It would be remarkable if they did not. If they did, and then did not recognise that the full force of the law did indeed apply to them, it is hard to imagine how. Mr Wood has put his head above the parapet. Oxfam denied receiving the letter when in front of the Committee (my FOI response confirms that they did). It would be good to hear from the others.

A very bad call

A few weeks ago, I heard someone on the radio talking about why American bankers are prosecuted and imprisoned (sometimes), whereas British bankers almost invariably are not. The commentator said that American banking regulation is rules-based, whereas British banking regulation has historically been principles-based. Therefore, the American system is more black and white and it’s easier to cuff someone, as compared to a system that requires interpretation and analysis.

The same is true of the difference between Data Protection and the Privacy and Electronic Communications Regulations (PECR). Although Data Protection has some concrete rules (accuracy, the need for clear retention schedules), most of them are subject to interpretation. Imagine the delight of people I train when I tell them that there is often more than one correct answer, and all they need to do is explain why they think what they think. They love it.

PECR is different. PECR is rules. There are some areas for argument (for example, what counts as a ‘similar’ product or service when using PECR’s version of the offside rule, the soft opt-in). But most of the direct marketing section of PECR can be boiled down to rules. Texts and emails are opt-in. Phone is opt-out subject to screening against the TPS. Faxes are don’t be so stupid nobody sends marketing by fax these days. There are a lot of misconceptions around PECR; I read in The Times a few weeks ago that the charity exemption from the TPS was to be removed, even though it has never existed. Trawl the forums and comments of marketing websites, and you will find a widespread belief that customers can be considered to have opted in to marketing automatically, even though this is nonsense. However, because of all this hogwash, the application of the PECR rules can cause panic in the marketing world.

This week, I was sent an email that has been circulated to a variety of charity clients by a marketing company that specialises in making fundraising calls. It was sent after the Fundraising Standards Board (FSB), a self-regulating body for fundraisers, recommended changes to the FSB’s code of practice. Bearing in mind that the FSB code is just an industry standard, it’s not a big issue. The Direct Marketing Association’s Code of Practice is actually stricter than the law, and so is an entirely good thing. The tone is generally depressing. Having mentioned the tragic death of Olive Cooke, the email talks of “the continued focus on the treatment of vulnerable people, all of which can be considered valid points to consider improving”. That’s right: the treatment of vulnerable people is a ‘valid point’ to ‘consider improving’, but that’s not what they’re worried about. There are areas of “extreme concern” that they really want to talk about.

The first issue of extreme concern is a proposed change to the FSB code that states that fundraisers cannot call anyone on the TPS unless they have given clear permission to receive calls. This is because “The Information Commissioner’s Office has confirmed that it is not sufficient to assume that a TPS registered supporter has given consent to receive calls simply due to the fact that they have made a donation.”

The marketing agency says in bold type: “This potential requirement to TPS, prior to calling, is extremely alarming and could have devastating consequences for the future of telephone fundraising”. Bear in mind, it has been a requirement to screen all marketing calls against the TPS since the regulations came into force in 2003. There is no charity exemption, no existing customer or donor exemption; those words or concepts simply do not appear. The email talks a lot about ‘warm calling’, which is a marketing term that refers to contacting people with whom you have a relationship. Warm calling has no relevance to the PECR rules at all. It is a red herring. If I am on the TPS, you can’t call me unless I have given you consent. Consent cannot be inferred from another action – either I have consented or I have not. You can count me as a sceptic on the issue of tick-boxes and whether people have truly consented in many cases, but to bring in the concept of warm calling strongly suggests the absence of any meaningful consent at all.

The marketing agency has two solutions, one ridiculous and one concerning. The first is to lobby the Institute of Fundraising with “extensive evidence of the damage this would do”. In other words, keep unlawful wording in a non-statutory code to create the illusion that warm calling is legal. The lack of understanding of the legal framework they are working in is remarkable. The code is irrelevant – the fact that an industry code is wrong makes no difference to the law.

The second suggestion (again in bold type) is unacceptable: “contact every donor you do not have explicit consent to contact by telephone, whilst we have the opportunity, and get their expressed opt in”. If the charities already have consent to call TPS registered people, they don’t need to call them again. If they don’t already have consent, then calling them to get their consent is in itself a breach of PECR. All of these proposed calls would either be a waste of time or unlawful, and while the agency generously wants to ‘share the cost of these calls’, I doubt that they will be made at a loss.

The second recommendation to cause ‘extreme concern’ to the agency (rather than the misery and inconvenience they might be causing to the people they call) is a recommendation that the industry practice of making three donation requests during the course of a call could constitute ‘pressure’, rather than ‘reasonable persuasion’. The email goes on to set out the success rate of successive asks, with a 50% success rate on the third ask. The idea that the number of times the caller might ask for money during a call might be restricted to just two is anathema: “this would affect the whole of telephone fundraising”. In other words, we’ll lose money if we’re not allowed to pressure people.

The email ends with a touching moment of self-doubt: “We do also appreciate you may believe our email is driven by this agency’s self interests”. That thought didn’t cross my mind. Not even for a second.

There is a legitimate debate to be had about the morality of fundraising tactics, but only within the law. If chuggers are licensed to operate on public streets, then how they act is more about ethics than law. If charities and their agents have consent to call TPS-registered people, or they cold call people who aren’t on the TPS, the techniques that they use are an issue of morality. There is a strain of “end justifies the means” thinking in some charities that, in my opinion, can drag them down to the PPI, accident-that-wasn’t-your-fault level of marketing. How they square this with their charitable aims is a matter for them. I don’t think that charities should pay agencies to use high-pressure sales techniques on vulnerable people, but if it isn’t illegal, that’s just my opinion.

But the law is the law. A charity (and a marketing agency paid by them) cannot call someone registered on the Telephone Preference Service unless they have explicitly said that they (i.e. the specific charity making or instigating the call) can do so. A charity cannot call someone on TPS to obtain consent to call. There is no exemption, no loophole. An industry code of practice is irrelevant to this, whether it is right or wrong. Any charity which goes along with this is not just acting irresponsibly or selfishly: they are breaking the law. Any such calls should be tackled by the Information Commissioner as mercilessly as the spam texts and calls from claims and double-glazing companies that are their usual fodder. Indeed, there is a strong argument that Wilmslow should intervene to prevent any such calls from happening.

Liberal Spamocrats

The Varsity newspaper reports a scandal in academia, as Julian Huppert stands accused of spamming Cambridge’s students with crass emails about revenge porn. As well as reflecting the understandable annoyance of students at the spam and its triggering content, Varsity links Huppert’s spam to a similar incident at Bath University in April. Bath students received unwelcome missives from the outgoing LibDem MP Don Foster (who based on the photo in the Bath Chronicle is presumably stepping down to spend more time running Gringotts Bank).

The question raised by Varsity is whether Huppert, Foster and the LibDems have breached Data Protection and wider privacy law. There is an entirely separate question about election law which I am not qualified to answer, so I won’t. Two pieces of legislation could impinge on the LibDem spam – Data Protection and the Privacy and Electronic Communications Regulations. As the emails are plainly marketing, aimed at encouraging students to take the yellow pill, it’s tempting to assume that the more important law is PECR. This is not the case. PECR does require the sender of marketing emails to have consent from the recipient, but only if that recipient is an ‘individual subscriber’. As long as the spam was sent to a student’s university email address (which appears to be the case in both incidents), they are not individual subscribers. The university is a corporate subscriber, and so the requirements of Regulation 22 (which covers email and text marketing) do not apply. So, game over, but only for PECR.
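The PECR rules set out in ‘A very bad call’ (texts and emails opt-in, the soft opt-in for email, live calls screened against the TPS with consent only counting if given to the specific organisation, and no calling a TPS number to ask for consent) together with the individual/corporate subscriber point above, expressed as a small decision helper. This is an added Python example, not code from the original posts or from the ICO; the Contact fields, the function names and the sample campaign are constructed for illustration, and the verdict covers PECR only, leaving the Data Protection questions (fair obtaining, a processing condition) to one side.

```python
# Added example (not from the original posts or from the ICO): the PECR
# direct-marketing rules as the posts state them, written as a decision helper.
# Field names, function names and the sample cases are constructed.
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Channel(Enum):
    EMAIL = "email"
    TEXT = "text"
    AUTOMATED_CALL = "automated call"
    FAX = "fax"
    LIVE_CALL = "live call"
    POST = "post"  # postal marketing sits under Data Protection, not PECR


# Channels PECR puts on an opt-in (consent) basis.
CONSENT_CHANNELS = {Channel.EMAIL, Channel.TEXT, Channel.AUTOMATED_CALL, Channel.FAX}


@dataclass
class Contact:
    channel: Channel
    purpose: str = "marketing"          # or "obtain consent" for a consent-seeking call
    individual_subscriber: bool = True  # False for a corporate address, e.g. a university account
    consent_to_sender: bool = False     # explicit consent given to THIS organisation
    opted_out_of_sender: bool = False   # told this organisation directly to stop
    tps_registered: bool = False
    made_donation: bool = False         # deliberately never consulted: a donation is not consent
    # soft opt-in inputs (email and text only)
    obtained_in_sale: bool = False
    similar_own_product: bool = False
    opt_out_offered: bool = False


def pecr_verdict(c: Contact) -> tuple[bool, str]:
    """Return (permitted, reason). 'Permitted' means PECR's direct-marketing
    rules do not block the contact; Data Protection duties still apply."""
    if c.channel is Channel.POST:
        return True, "post is outside PECR; Data Protection rules govern it"

    # Regulation 22 (email/text) protects individual subscribers only.
    if c.channel in (Channel.EMAIL, Channel.TEXT) and not c.individual_subscriber:
        return True, "corporate subscriber: Regulation 22 does not apply (Data Protection still does)"

    if c.opted_out_of_sender:
        return False, "recipient has told this organisation directly to stop"

    if c.channel in CONSENT_CHANNELS:
        if c.consent_to_sender:
            return True, f"{c.channel.value}: explicit consent to this sender"
        soft_opt_in = (c.channel in (Channel.EMAIL, Channel.TEXT)
                       and c.obtained_in_sale and c.similar_own_product and c.opt_out_offered)
        if soft_opt_in:
            return True, "soft opt-in: address from a sale, own similar products, opt-out offered"
        return False, f"{c.channel.value} marketing is opt-in and no consent exists"

    # Live calls: opt-out basis, screened against the TPS. Consent must have been
    # given to this specific organisation; a donation or a 'warm' relationship
    # is not a substitute for it.
    if c.consent_to_sender:
        return True, "live call: subscriber told this organisation they do not object"
    if c.tps_registered and c.purpose == "obtain consent":
        return False, "calling a TPS-registered number to ask for consent is itself a breach"
    if c.tps_registered:
        return False, "number is on the TPS and this organisation has no consent"
    return True, "live call: not on the TPS and no direct opt-out"


def screen_campaign(contacts: list[Contact]) -> dict[str, int]:
    """Count how a proposed campaign splits into permitted and blocked contacts."""
    counts = {"permitted": 0, "blocked": 0}
    for c in contacts:
        permitted, _ = pecr_verdict(c)
        counts["permitted" if permitted else "blocked"] += 1
    return counts


# Constructed sample: the agency's proposal from the post (a TPS-registered donor
# called to 'get their expressed opt in') beside lawful contacts.
SAMPLE_CAMPAIGN = [
    Contact(Channel.LIVE_CALL, purpose="obtain consent", tps_registered=True, made_donation=True),
    Contact(Channel.LIVE_CALL, tps_registered=True, made_donation=True),
    Contact(Channel.LIVE_CALL, tps_registered=True, consent_to_sender=True),
    Contact(Channel.LIVE_CALL),
    Contact(Channel.TEXT, made_donation=True),
    Contact(Channel.EMAIL, obtained_in_sale=True, similar_own_product=True, opt_out_offered=True),
    Contact(Channel.EMAIL, individual_subscriber=False),
]

if __name__ == "__main__":
    for c in SAMPLE_CAMPAIGN:
        ok, why = pecr_verdict(c)
        print("OK " if ok else "NO ", why)
    print(screen_campaign(SAMPLE_CAMPAIGN))
```

The `made_donation` field exists only so that the helper can be seen to ignore it: the posts' central point is that a donation, or any other ‘warm’ relationship, is never consent, so nothing in `pecr_verdict` reads it. The corporate-subscriber branch returns ‘permitted’ from PECR's point of view only; as the post says, Data Protection is still in play for those addresses.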

I cannot see a sensible argument that the email addresses that contain a student’s name are not personal data, so even if PECR is off the table, Data Protection is still in play. It’s impossible to tell exactly how the LibDems obtained the addresses in either case, but given that they can’t deny that masses of emails were sent, and there is no suggestion that consent was obtained (which would clear up most of the DP problems at a stroke), I’d be fascinated to hear how Huppert, Foster and their party ensured that the Data Protection requirements were met.

The first Data Protection principle requires that data be obtained fairly, lawfully and according to a set of conditions. If they wanted to harvest the emails for marketing purposes, the LibDems at either university would need to do so fairly. The only hint about how the data was obtained comes in the Bath story, where the LibDems state that the email system was not accessed without university authorisation, and that email addresses were “all in the public domain”. The public domain issue would be irrelevant if the university had provided the emails to the party, so I assume that the emails were harvested by a LibDem-supporting student or staff member from the University address book (any member of the LibDems is welcome to correct me, but only if they’re willing to tell me what did happen). The Information Commissioner recently told the Samaritans that data on Twitter was still personal data even though tweets really are in the public domain, but email addresses held in a University address book or similar source are not in the public domain. They’re available to staff and students, but I’m not a Bath or Cambridge student, so I can’t get them. The universities are the Data Controllers for the email addresses, and while I’m sure that it is true that whoever hoovered them up had legitimate access to the system, their use of the data was problematic. Section 55 of the Data Protection Act states that it is a criminal offence for a person to ‘obtain or disclose’ personal data ‘without the consent of the data controller’. I’d be keen to see evidence that the LibDems had consent from the universities to use the emails, and will happily publish it here if it is provided to me.

To use the email address for political marketing is a new purpose, so the LibDems would either need to tell students that their email addresses were being harvested (which they didn’t), they would need an exemption from fair processing (which they don’t have) or they would need to claim that telling students that their email addresses were being harvested for unsolicited marketing purposes involved disproportionate effort (I believe the technical term for that is ‘bollocks’). Moreover, the LibDems would need a condition for processing the email addresses for marketing. They don’t claim that they had consent, so they must think that the use of the email addresses was necessary for a legitimate interest, and their use of the email addresses did not cause any unwarranted prejudice to the rights and freedoms of the students, which is the only available condition. If that’s their argument, they should say so, and be willing to defend it against an equally legitimate argument that sending unsolicited political messages is a breach of students’ privacy. Of course, what I think really happened was that they snorted up the email addresses without any consideration of the DP implications, which is shameful, especially as Huppert claims to be in favour of privacy.

The sense of entitlement here is overwhelming. Cambridge LibDems limply defended their spam with the following: “We have sent a number of emails to students over the last two years to keep them informed of Julian’s activities. All of these have included the appropriate opt-outs”, while the Bath contingent had already said that they would stop sending emails after a previous incident in February. All the political parties are guilty of the same arrogance (although the LibDems have recently been warned off by the ICO, and were the only political party who outright refused to stop sending me marketing). The rules are simple. You cannot obtain personal data and use it for your own purposes just because the data is available or easy to obtain. You have to tell people that you are obtaining and processing their data unless you have an exemption. You cannot send unsolicited marketing to people and justify it purely on the basis that they can opt-out. The subject does not have to do the work: you have to do the work. The sight of political parties who seek to make the law acting as if it does not apply to them is one of the worst aspects of the election season, and whatever happens after May 7th, at least we might enjoy a period of being left alone.

Whoops!

Yesterday, after at least a year of pondering it, the Information Commissioner asked the Universities and Colleges Admissions Service (UCAS) to sign an undertaking, agreeing to change the way in which they obtain consent to use students’ data. The data is obtained as part of the application process and subsequently used for marketing a variety of products and services, and UCAS has agreed to change its approach. It’s important to note that this is an undertaking, so UCAS has not been ordered to do anything, nor are there any direct consequences if they fail to do what is stated in the undertaking. An undertaking is a voluntary exercise – it is not served, it does not order or require, it simply documents an agreement by a Data Controller to do something.

Aspects of the story concern me. The ICO’s head of enforcement is quoted as saying: “By failing to give these applicants a clear option to avoid marketing, they were being unfairly faced with the default option of having their details used for commercial purposes” but given that the marketing was sent by text and email, the opportunity to “avoid” marketing is not what should have been in place. If UCAS wanted to sell access to university and college applicants, they needed consent – which means opt-in, not opt-out. As the undertaking itself points out, consent is defined in the EU Data Protection Directive as freely given – an opt-out cannot constitute this in my opinion. If you think that an opt-out does constitute consent, try transposing that thinking into any other situation where consent is required, and see how creepy your thinking has suddenly become. Consent should be a free choice, made actively. We should not have to stop commercial companies from texting and emailing us – the onus should be on them to make an attractive offer we want to take up, not on consumers to bat away their unwanted attentions.

It’s entirely possible that the ICO’s position on consent is better expressed in the undertaking itself, but here we have a little problem. At least when it was published yesterday, half of the undertaking was missing. Only the oddly numbered pages were published, so presumably the person who scanned the document had a double-sided original and didn’t notice that they had scanned it single-sided. The published document also included one page of UCAS’ covering letter and the final signed page of the undertaking, which the ICO never normally publishes. This mistake reveals some interesting nuggets that we wouldn’t normally know, from the trivial (the Chief Executive of UCAS signed the undertaking with a fountain pen, something of which I wholeheartedly approve) to the potentially significant (the covering letter sets out when UCAS might divert resources away from complying with the undertaking).

But that’s not the point. The point is that the ICO uploaded the wrong document to the internet, and this is not the first time it has happened. I know this because on a previous occasion, I contacted the ICO to tell them that they had done it, and many people on my training courses have also seen un-redacted enforcement and FOI notices on the ICO website. The data revealed in the UCAS case is not sensitive (although I don’t know how the UCAS Chief would feel about her signature being published on the internet), but that’s not the point either. The ICO has spent the last ten years taking noisy, self-righteous action against a variety of mainly public bodies for security slip-ups, and the past five issuing monetary penalties for the same, including several following the accidental publication of personal data on the internet.

The issue here is simple: does the ICO’s accidental publication of this undertaking constitute a breach of the 7th Data Protection Principle? They know about the risk because they’ve done it before. Have they taken appropriate technical and organisational measures to prevent this from happening? Is there a clear process to ensure that the right documents are published? Are documents checked before they are uploaded? Does someone senior check whether the process is being followed? Is everyone involved in the process properly trained in the handling of personal data, and in the technology required to publish documents onto the web? And even if all of these measures are in place, is action taken when such incidents are identified? If the ICO can give positive answers to all these questions, then it is not a breach. Stuff happens. But if they have not, it is a breach.

There is no possibility, no matter how hilarious it would be, that the ICO will issue a CMP on itself following this incident, although it is technically possible. What should happen is that the ICO should quickly and effectively take steps to prevent this from happening again. However, if the Information Commissioner’s Office does not ask the Information Commissioner Christopher Graham to sign an undertaking, publicly stating what these measures will be, they cannot possibly speak and act with authority the next time they ask someone else to do the same. Whether they redact Mr Graham’s signature is entirely a matter for them.

UPDATE: without acknowledging their mistake, the Information Commissioner’s Office has now changed the undertaking to be the version they clearly intended to publish. One wonders if anything has been done internally, or if they are simply hoping that only smartarses like me noticed in the first place.