Culture, Media and Spam

Most of the news and comment I heard about the Queen’s Speech suggested that it was a hole in the air, with the Government wanting to avoid doing anything of any consequence before the resolution of the EU vote in June. It was a surprise, therefore, to see provisions in the proposed Digital Economy Bill that will change the face of direct marketing.

At the moment, the rules for direct marketing are a mixture of Data Protection (for postal marketing) and PECR (for email & texts, live calls, automated calls and fax). PECR breaks down into subsets, with some forms of marketing requiring consent (email & text, automated calls, fax) and some done without consent and with opt-out (live calls, with the ability to opt-out of all calls via the Telephone Preference Service).

But consider this line from the full version of the Queen’s Speech:

Protection for consumers from spam email and nuisance calls by ensuring consent is obtained for direct marketing, and that the Information Commissioner is empowered to impose fines on those who break the rules.

My first reaction to this was that the Department for Culture, Media and Sport were incompetent: PECR already requires consent for email, and the Information Commissioner already has the power to impose fines for breaches of consent. Whatever else, this is still true, and DCMS should explain why they are announcing things that have been in place since 2003 (consent for email) and 2011 (fines) respectively. Nevertheless, it’s impossible to interpret this sentence as meaning anything other than a change in the rules for live calls. It’s not earth-shattering: it’s only lawful to cold-call people who aren’t on TPS and who haven’t directly opted out, which is probably a minority of the overall population. But nevertheless, the proposal as written abolishes the need for the Telephone Preference Service and inverts current practice.

It certainly has the merit of neatness: PECR would make more sense if all electronic direct marketing had to be opt-in. However, it will have consequences far and wide. There are plenty of lead generators and telemarketing companies who still make cold-calls, and they would be dead in the water. I would shed no tears over this (I think the lead generation and list broking industry is fundamentally unlawful, and most of the folk in the call centres would just end up in hopefully less rancid call centres). However, killing off the telemarketing industry is bold.

It will also create an even more stark contrast with the Fundraising Preference Service, which in its current form allows someone to stop all contact with all charities. It’s not even clear whether a person will technically be able to opt-in to individual charities that they do want to hear from if they’re on the FPS. It would be moronic if this situation wasn’t clarified, but people who do moronic things tend to be good at maintaining their standards. Given that the Digital Economy Bill apparently puts all* electronic marketing on an opt-in basis, charities might legitimately argue that the FPS is unnecessary, and they would have a point.

There are other issues. If all email marketing has to be done on the basis of consent, this also presumably kills off the ‘soft opt-in’. The ‘soft opt-in’ allows a company to send email marketing on an opt-out basis, as long as the email address in question has been obtained in the course of a sale, and as long as the products being marketed are their own, and are similar to the one that was originally purchased. Requiring all email marketing to be done on the basis of consent would remove this option (NB: if you think the absence of an opt-out can be interpreted as consent, you are a moron).

Finally, the proposal doesn’t mention texts, hence my * above. Texts are as much of a nuisance for people as live calls or emails, and have been the subject of routine enforcement action by the Information Commissioner since 2011. PECR treats email and text as the same, so it’s entirely possible that the Government are treating them so. It’s equally possible that this is a back of a fag packet proposal to bulk out a weak bill in a thin speech. One indicator that this might be the case is that the Information Commissioner, explicitly mentioned in the proposal, has not reacted to it in any way. There is no press release, and not a single tweet, despite a run of tweets this week about nuisance calls and other PECR related action. One could be forgiven for thinking that they didn’t know about it (I will be doing an FOI to find out).

You might think that spinning 833 words out of a single sentence is overkill, but on the face of it, the proposed change will have a considerable impact. Like me, I hope you will be watching the progress of the Digital Economy Bill with interest.

Age of Consent

Ever since the Daily Mail first started to report on the nefarious fundraising activities of certain large charities, confusion and contradiction have reigned supreme. We have had fundraising codes of practice confused with the law, constant claims that the ICO has changed the law (which is something they haven’t done, and couldn’t do anyway), and the bizarre spectacle of undertakings being signed publicly by organisations who, according to Wilmslow, haven’t done anything wrong.

One might hope that the General Data Protection Regulation, designed as it is to clarify the mess of DP across the European continent, would come to our aid. But no, sadly and inevitably, people are just as determined to misunderstand the GDPR as they are the Data Protection Act.

John Mitchison, head of preference services, compliance and legal at the Direct Marketing Association, was speaking at a fundraising event organised by Third Sector magazine, and he passed comment on the apparent confusion over opt-in and opt-out rules on marketing. I don’t know exactly what he said because I wasn’t there. However, he is reported as saying that charities would not need consent for postal and phone marketing, unless a person was on the telephone preference service. The GDPR requirement for unambiguous consent did not change this position. Mr Mitchison also apparently said that he didn’t understand where all the confusion in the charity sector was coming from.

I think I can tell him. Enter Daniel Fluskey, head of Policy and Research at the Institute of Fundraising (yes, the organisation responsible for much of the confusion with their diabolical fundraising code). He wrote an article on the UK Fundraising website following up on Mitchison’s comments, including this statement.

“Our understanding is the same as the DMA’s and what we’ve heard from solicitors – that ‘unambiguous consent’ does not mean there has to be an ‘opt in’ tick box. Consent will be able to be given ‘unambiguously’ through an ‘opt out’ mechanism. So, statements that ‘opt in’ is coming in through law seem likely to be misleading – what’s coming in is a requirement that the consent is ‘unambiguous’

Fluskey then invents his own test for unambiguous consent:

To me, ‘unambiguous’ consent seems like a three-stage test:

  1. Did someone give their information freely?
  2. Were they presented with straightforward information so that they had a clear understanding of what marketing/fundraising communications they could expect to receive?
  3. Did they have a clear and easy ability to choose to accept this, or to object if they didn’t want to receive future marketing?
If the outcome of the engagement leads to these three questions being able to be answered with a ‘yes’ then it would seem very likely that the donor has given ‘unambiguous’ consent. That seems very much like achieving the spirit and ethos of ‘opting in’ even if there isn’t necessarily a tick box.”

This is all – to use a technical term – bollocks.

Mitchison is correct – consent is not necessary for postal marketing and phone-calls to those not on TPS. However, this has nothing to do with the nature of unambiguous consent. The explanation is reasonably straightforward. To use any personal data, you need to meet a condition under the DPA – this is the position now and it remains so under the GDPR. Consent is one of the conditions but not the only one. If an alternative condition can be found, you can forget consent and use the other one instead. The GDPR recognises that the legitimate interests condition can be used to justify marketing, and so this can apply to postal marketing. You don’t need consent because you can use legitimate interests. The opt-out bit is a red herring in this context – the marketer offers an opt-out because it’s good practice and the subject has an automatic right to opt-out of any marketing anyway. It would be nice if such opt-outs were respected instantly and permanently, but that’s an issue for another time.

Electronic forms of marketing are not just covered by Data Protection. They are also covered by the e-Privacy Directive, implemented in the UK as PECR. PECR adds a layer of rules, and in some cases insists that only consent applies. You can’t rely on legitimate interests for automated calls, email or text marketing, because PECR says that only consent will do.

Live calls straddle both conditions. You can rely on legitimate interests for cold calls to people who are not on TPS, but you need consent for those people who are. Again, this is nothing to do with DP, this is an extra rule laid on by PECR. I hold no brief for Mr Mitchison, but the DMA are usually robust about the effect of marketing law, so my guess is that this is the point he was making.

I haven’t explained completely why I think Mr Fluskey’s comments are bollocks. Permit me to do so now. I suspect he hasn’t even read the Regulation, despite the fact that he is issuing clear (if bogus) advice about it to a sector that has wallowed in ignorance for far too long.

The definition of consent in Article 4 is plain for all to see: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” – indication means active, given means active, clear affirmative action means active. Everything about the definition of consent means that the subject has to do something to consent. It’s obvious that Fluskey hasn’t read the regulation because he happily takes ‘freely given’ out of its context as part of the definition of consent and pretends that it relates to the provision of information. If there was any doubt (there isn’t, but we’re here now), Recital 32 helpfully addresses any possible uncertainty:

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

Once again, just in case you missed it: “Silence, pre-ticked boxes or inactivity should not therefore constitute consent.” Compare that to what Mr Fluskey says: “‘unambiguous consent’ does not mean there has to be an ‘opt in’ tick box”. They saw him coming. That’s exactly what it does mean, that’s what it says. Consent has to be active, and it has to be demonstrable. Silence or inaction does not mean consent, but that’s exactly what an opt-out model represents – assuming consent from silence or inaction. Under the GDPR, opt-out consent is dead. There’s an argument that this is the case under the current DP as well, but leave that to one side. Nobody who has read the full Regulation can think that opt-out is a valid way to get consent, and only those who have read it should be giving advice to others.

The problem with the Institute of Fundraising is that their code of practice has created a fog of uncertainty about what is law and what is practice or industry standard. And here they are, doing it again: “That seems very much like achieving the spirit and ethos of ‘opting in’ even if there isn’t necessarily a tick box.” Complying with the regulation isn’t about trying to capture some phantom ethos – it’s clear, and unambiguous. No opt-outs, never again.

Don’t get me wrong. Fundraising companies have a problem. For many years, they have built profitable businesses, employed lots of people, and made lots of money, some of it even for the charities who hire them. The GDPR makes clear what was not clear, emphasises what has been underplayed, and gives new rights to subjects that will directly challenge the business model of some fundraisers. Consent has to be clear and it has to be opt-in. Profiling has to be explained to subjects, and they have significant rights to challenge and object to it. Data sharing cannot be justified on tiny, badly-explained clauses buried in interminable terms and conditions. I can understand that the more they delve into the GDPR, the more fundraising companies may despair.

But denial and confusion is not the answer, and this nonsense must end. The Institute of Fundraising has to stop issuing inaccurate and confusing guidance which, let’s assume coincidentally, has the effect of maximising the number of calls, texts and emails that can be made and sent. Charities have been battered for a while now, some with more justification than others. But they have no hope of emerging from the mess and getting back to where they should be if this endless stream of misinformation continues to be sprayed at them. The problem for some fundraisers is not that the GDPR is confusing. It is that it is not.

National insecurity

In all the furore over the announcement of the Government’s draft Investigatory Powers Bill, one detail caught my eye. The Daily Telegraph published an article by Peter Wanless, Chief Executive of the NSPCC. Mr Wanless was keen that whatever else, we did not forget about the children:

We have heard plenty from groups extolling privacy principles and spies unveiling foiled terrorist threats, but let’s also hear the voices of thousands of children placed in jeopardy while the trade in abusive images continues to flourish

I don’t doubt Mr Wanless’ sincerity in combating the menace of child abuse and exploitation, but I found this a bit odd. How exactly does an article like this come into being? Did Wanless contact the Telegraph, keen to offer his support for the proposed legislation? Was it the other way around, with the Telegraph searching for an appropriately unimpeachable source to back up Theresa May’s plans? Or was it box number three: is it the Home Office who brought the article about, contacting Wanless and asking him to contribute?

You may disagree, but I find the idea of the Home Office persuading charity bosses to back Government policy in the press – especially without acknowledging it in the article – a deeply unattractive proposition. To find out whether this was the explanation, I made an FOI request four weeks ago to the Home Office, asking for correspondence between the Home Office and Wanless on the subject of the new bill.

A day before the deadline, I received an interesting email from the Home Office’s FOI team:

Although the Act carries a presumption in favour of disclosure, it provides exemptions which may be used to withhold information in specified circumstances. Some of these exemptions, referred to as ‘qualified exemptions’, are subject to a public interest test. This test is used to balance the public interest in disclosure against the public interest in favour of withholding the information. The Act allows us to exceed the 20 working day response target where we need to consider the public interest test fully.

So far, so not much of a problem: this is an entirely legal move. The deadline can be extended for this reason. The one mistake that organisations often make at this point is not quoting an exemption, as if the public interest test floats free. But this is not what they did:

The information which you have requested is being considered under the exemption in section 23 (1) of the Act, which relates to information supplied by, or relating to, the bodies dealing with security matters.

The first thing to say is that this response appears to confirm that the Home Office has been in correspondence with Mr Wanless about the bill, which is interesting enough in itself (no correspondence, no need for an exemption). However, there are two more interesting elements. On the one hand, the response suggests that the correspondence contains information provided by the security services. Given that Wanless’ article is effectively a PR exercise, this is remarkable, if not scandalous and appalling. On the other hand, Section 23 is not a qualified exemption; it is an absolute exemption and has no public interest test. Either the Home Office don’t understand FOI properly, or they are just spouting legally inaccurate bollocks to avoid responding to my request on time.

Ever keen to help, I emailed the Home Office to point out that Section 23 is an absolute exemption and to enquire whether they in fact meant Section 24 (which applies to national security issues more widely, and does have a public interest test). With remarkable speed, the Home Office replied. I was invited to disregard the original email, and provided with the following explanation:

We apologise for the delay in sending you a substantive response. We always aim to respond to requests within the statutory period under the Freedom of Information Act (FOIA). Unfortunately, due to pressing business and other Ministerial priorities, it is not always possible to do so, and in this instance, we regret that we have not been able to respond within the statutory period.

What to make of it? Is it still reasonable to assume that the Home Office did put Mr Wanless up to it? Am I the first person to receive the phoney Section 23 letter? If they are going to delay replying, doesn’t the Home Office care enough to at least pick an exemption with a PI test, or just go for the old Dransfield Vexatious routine? At the very least, I think it is reasonable to assume that the Home Office is not really considering the use of an exemption, and is merely stalling on what might be an embarrassing answer. If there was a genuine exemption at play, they would have corrected their mistake in the follow-up. If they really did think Section 23 applied, I would have got a refusal.

Whatever happens next, reader, I have a feeling it will be worth looking out for.

Charity letters

I have written a lot recently about the issue of charities and marketing, and especially as I have another post on the boil concerning the same issues, I had intended to keep my head down for a few weeks and talk about something else (or even, as a friend suggested to me today, nothing at all).

However, I have a short update before the next onslaught. A lot has been made about the idea that after the death of Olive Cooke, the Information Commissioner suddenly woke up to the problem of charity marketing, and in the opinion of one charity journalist “moved the goalposts” by requiring charities to change their approach to the TPS in particular, and the Privacy and Electronic Communications Regulations in general. It is to this topic that I intend to return.

Nevertheless, the Information Commissioner, Chris Graham, told the Public Administration and Constitutional Affairs Committee in October that his office had in fact written to 8 major charities, drawing their attention to issues related to PECR and marketing. At least one charity chief executive (Mark Wood of the NSPCC) denied that his charity was among them, but he has now been obliged to reveal that the NSPCC was in fact one of the eight.

At the time, I made an FOI request to the ICO, asking for a copy of the letter and the names of the eight charities. I was intending to sit on the response for another purpose, but the information is clearly destined for the public domain anyway.

The eight charities were: Barnardos, the British Heart Foundation, British Red Cross, Christian Aid, Great Ormond St, Macmillan Cancer, the NSPCC, and Oxfam.

The letter is very straightforward – it does not refer to specific complaints, as complaints were being funnelled towards the Fundraising Standards Board at the time (the same FRSB which now faces abolition). However, the letter clearly draws each charity’s attention to the Information Commissioner’s guidance on Direct Marketing. That guidance is clear, robust, and written in plain English, with none of the hesitancy or fence-sitting that ICO guidance sometimes demonstrates. It is very strong on the need for clear, unambiguous consent. It is explicit that charities’ promotion activities are direct marketing. And one paragraph leaps out at me:

Organisations can make live unsolicited marketing calls, but must not call any number registered with the TPS unless the subscriber (ie the person who gets the telephone bill) has specifically told them that they do not object to their calls. In effect, TPS registration acts as a general opt-out of receiving any marketing calls

If the charities contacted by the Commissioner acted responsibly, they would have immediately sought out the guidance to which the ICO letter referred. It would be remarkable if they did not. If they did, and then did not recognise that the full force of the law did indeed apply to them, it is hard to imagine how. Mr Wood has put his head above the parapet. Oxfam denied receiving the letter when in front of the Committee (my FOI response confirms that they did). It would be good to hear from the others.

FPS FFS

Following some fine investigative work, the Daily Mail was today content to declare “VICTORY” in its battle against rogue fundraisers and their equally shameless charity employers. The Mail’s apparent triumph is the publication of a government approved review by the National Council for Voluntary Organisations and chaired by Sir Stuart Etherington, the NCVO’s Chief Executive. There are a variety of recommendations about the regulation of charities, but as I am not an expert, I don’t know whether they improve matters. One eye-catching notion is very much on my territory, and if I wanted to be unkind, I would suggest that it was an outrageously opportunistic stitch-up.

The review suggests the creation of a Fundraising Preference Service, which would allow participants to “reset” their relationship with all charities. Anyone signed up to the ‘FPS’ could not be contacted by charities, thus finally lancing the boil of charity pestering. The report observes “At the moment there is no way to ‘opt-out’ of being approached by fundraisers other than contacting the organisation concerned directly and relying on their good will to unsubscribe an individual.” This statement is so wilfully incorrect, one might almost call it a lie.

The Telephone Preference Service applies to any organisation – including charities – who wants to call any person for marketing purposes. Exactly the same model proposed for the Fundraising Preference Service already applies to the TPS – nobody can call you unless you specifically tell them that they can. Some large charities routinely ignore the TPS, but there is the possibility of a civil monetary penalty under the Privacy and Electronic Communications Regulations (PECR) for breaching the TPS requirements. Moreover, no opt-out is required for email or text, because marketing can only happen by those methods on an opt-in basis.

The water is slightly more murky for postal marketing which is not covered by the stricter rules of PECR, but only if a charity is not a member of the Direct Marketing Association, which requires its members to be members of the Mailing Preference Service. The MPS is imperfect, but it already exists.

A person does not need to rely on the “goodwill” of a fundraiser or charity if they demand an opt-out from marketing. Section 11 of the Data Protection Act gives every person the right to demand that marketing cease or not begin – to ignore such a request is unlawful. Goodwill does not come into it, although Section 11 is not mentioned anywhere in the review.

It gets worse. Rather than the maximum £500,000 civil monetary penalties or enforcement notices backed by the threat of prosecution available under PECR for breaches of the TPS, the Etherington Review press release offers this terrifying alternative “Charities which seriously or persistently breach the rules would be named and shamed and could be forced to halt their fundraising until problems are resolved.” They may even be sent to bed early without any pudding. The review suggests an unnecessary addition to the existing framework, with weaker penalties for transgressors.

No version of the Fundraising Preference Service makes any sense. Assume for a moment that existing laws are left entirely as they are – charities and fundraisers would be obliged to screen against both the TPS and the FPS, as well as the MPS if they are DMA members. I have no problem with this if that’s what they want to do, but in reality, I suspect many of the charities who currently ignore or pay lip-service to the TPS would use the new system as an excuse to forget it altogether.

But what if it was worse? Couldn’t the charities argue that with their brand new preference service, clearly designed to prevent the menace of unwanted charity marketing, these other blunter tools were not required? What would be the point of charities doing double or triple-screening? If the Fundraising Preference Service gets any traction, I guarantee that somewhere along the way, the suggestion will come that charities should be exempted from the TPS and the MPS. Why not cut out the unnecessary bureaucracy? Once charities were exempted, there would be a bonanza, an orgy of calls and contacts to everyone not registered, all perfectly justified, so long as the charities can find a minister daft enough to believe that PECR should be amended to reflect their new system.

*Harry Hill look to camera*

If the FPS is to exist, I can only think of two ways in which it could work fairly. The first is that everyone who is already registered on the TPS or the MPS should be automatically migrated onto the FPS. If people really don’t want to be contacted by other organisations, but do want to hear from charities, they only need to tell their favourite good cause this good news. Alternatively, the FPS could be an opt-in list of people who actively do want to hear from charities, and everyone else must be left alone. But I don’t think the FPS should exist at all. At best, it is a massively ill-informed gimmick, and at worst, a Trojan Horse for one last delirious orgy of spam. Much simpler alternatives exist within the current law, and I can set out very easily how the problem can be solved.

  1. The rogue charities finally stop pretending that they do not understand the law. They accept that they cannot call someone who is on the TPS, even if the person has donated, even if they are regular donors. Charities cannot call them unless they say, explicitly and without any persuasion or prior contact, that they actively want the charity to contact them, and they specify the method by which they want to be contacted. This opt-in can only be obtained by the charity, and not by any agent or contractor. In the absence of a freely given opt-in, charities never contact anyone on TPS again. They find ways to generate income that do not breach the law.
  2. The Mailing Preference Service – which already exists after all – is made statutory for charities (in fact, it should be made statutory for all organisations).
  3. The Information Commissioner identifies a few high profile charity miscreants. To avoid the outcry that might (only might) result from a monetary penalty that hoovers up charity donations, they use the Enforcement Notice method. Force the chosen few to respect the TPS, or mail opt-outs, or require them to get explicit consent before sending texts. Make it clear that if the notices are breached, as far as possible, Section 61 of the Data Protection Act will be used to prosecute the senior officers of the charities as well as the charities themselves. Alternatively, bite the bullet and issue some CMPs. Let the targets howl, ride the inevitable bleating of the fat cats, then see what happens afterwards. If charities had to explain why their fundraising tactics resulted in large donations to the Treasury, I suspect those tactics would end.

The problem of charity marketing would never have become so out of control if the Information Commissioner had ever taken any action to stop it. But nearly all of the ICO’s DPA enforcement is on procedural or security issues – they almost never challenge something that is core to an organisation’s business model. They have done this under PECR, but only for the shady PPI and Cold Call Blocking merchants. PECR enforcement on the charities will cost them money, and I fear that the ICO lacks the nerve. The wayward charities have operated with impunity and their unlawful activities have generated income. The FPS is a self-serving wheeze that is not the answer – any charity that will not voluntarily comply with the existing system will happily flout this new one. Before the Fundraising Preference Service goes any further, the ICO has to act firmly and decisively, or the problem of rogue charity marketing may get worse.