Age of Consent

Ever since the Daily Mail first started to report on the nefarious fundraising activities of certain large charities, confusion and contradiction have reigned supreme. We have had fundraising codes of practice confused with the law, constant claims that the ICO has changed the law (which is something they haven’t done, and couldn’t do anyway), and the bizarre spectacle of undertakings being signed publicly by organisations who, according to Wilmslow, haven’t done anything wrong.

One might hope that the General Data Protection Regulation, designed as it is to clarify the mess of DP across the European continent would come to our aid. But no, sadly and inevitably, people are just as determined to misunderstand the GDPR as they are the Data Protection Act.

John Mitchison, head of preference services, compliance and legal at the Direct Marketing Association was speaking at a fundraising event organised by Third Sector magazine, and he passed comment on the apparent confusion over opt-in and opt-out rules on marketing. I don’t know exactly what he said because I wasn’t there. However, he is reported as saying that charities would not need consent for postal and phone marketing, unless a person was on the telephone preference service. The GDPR requirement for unambiguous consent did not change this position. Mr Mitchison also apparently said that he didn’t understand where all the confusion in the charity sector was coming from.

I think I can tell him. Enter Daniel Fluskey, head of Policy and Research at the Institute of Fundraising (yes, the organisation responsible for much of the confusion with their diabolical fundraising code). He wrote an article on the UK Fundraising website following up on Mitchison’s comments, including this statement.

“Our understanding is the same as the DMA’s and what we’ve heard from solicitors – that ‘unambiguous consent’ does not mean there has to be an ‘opt in’ tick box. Consent will be able to be given ‘unambiguously’ through an ‘opt out’ mechanism. So, statements that ‘opt in’ is coming in through law seem likely to be misleading – what’s coming in is a requirement that the consent is ‘unambiguous’

Fluskey then invents his own test for unambiguous consent:

To me, ‘unambiguous’ consent seems like a three-stage test:

  1. Did someone give their information freely?
  2. Were they presented with straightforward information so that they had a clear understanding of what marketing/fundraising communications they could expect to receive?
  3. Did they have a clear and easy ability to choose to accept this, or to object if they didn’t want to receive future marketing?
    If the outcome of the engagement leads to these three questions being able to be answered with a ‘yes’ then it would seem very likely that the donor has given ‘unambiguous’ consent. That seems very much like achieving the spirit and ethos of ‘opting in’ even if there isn’t necessarily a tick box.”

This is all – to use a technical term – bollocks.

Mitchison is correct – consent is not necessary for postal marketing and phone-calls to those not on TPS. However, this has nothing to do with the nature of unambiguous consent. The explanation is reasonably straightforward. To use any personal data, you need to meet a condition under the DPA – this is the position now and it remains so under the GDPR. Consent is one of the conditions but not the only one. If an alternative condition can be found, you can forget consent and use the other one instead. The GDPR recognises that the legitimate interests condition can be used to justify marketing, and so this can apply to postal marketing. You don’t need consent because you can use legitimate interests. The opt-out bit is a red herring in this context – the marketer offers an opt-out because  it’s good practice and the subject has an automatic right to opt-out of any marketing anyway. It would be nice if such opt-outs were respected instantly and permanently, but that’s an issue for another time.

Electronic forms of marketing are not just covered by Data Protection. They are also covered by the e-Privacy Directive, implemented in the UK as PECR. PECR adds a layer of rules, and in some cases insists that only consent applies. You can’t rely on legitimate interests for automated calls, email or text marketing, because PECR says that only consent will do.

Live calls straddle both conditions. You can rely on legitimate interests for cold calls to people who are not on TPS, but you need consent for those people who are. Again, this is nothing to do with DP, this is an extra rule laid on by PECR. I hold no brief for Mr Mitchison, but the DMA are usually robust about the effect of marketing law, so my guess is that this is the point he was making.

I haven’t explained completely why I think Mr Fluskey’s comments are bollocks. Permit me to do so now. I suspect he hasn’t even read the Regulation, despite the fact that he is issuing clear (if bogus) advice about it to a sector that has wallowed in ignorance for far too long.

The definition of consent in Article 4 is plain for all to see: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” – indication means active, given means active, clear affirmative action means active. Everything about the definition of consent means that the subject has to do something to consent. It’s obvious that Fluskey hasn’t read the regulation because he happily takes ‘freely given’ out of its context as part of the definition of consent and pretends that it relates to the provision of information. If there was any doubt (there isn’t, but we’re here now), Recital 32 helpfully addresses any possible uncertainty:

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

Once again, just in case you missed it: “Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”  Compare that to what Mr Fluskey says: “‘unambiguous consent’ does not mean there has to be an ‘opt in’ tick box”. They saw him coming. That’s exactly what it does mean, that’s what it says. Consent has to be active, and it has to be demonstrable. Silence or inaction does not mean consent, but that’s exactly what an opt-out model represents – assuming consent from silence or inaction. Under the GDPR, opt-out consent is dead. There’s an argument that this is the case under the current DP as well, but leave that to one side. Nobody who has read the full Regulation can think that opt-out is a valid way to get consent, and only those who have read it should be giving advice to others.

The problem with the Institute of Fundraising is that their code of practice has created a fog of uncertainty about what is law and what is practice or industry standard. And here they are, doing it again: “That seems very much like achieving the spirit and ethos of ‘opting in’ even if there isn’t necessarily a tick box.” Complying with the regulation isn’t about trying to capture some phantom ethos – it’s clear, and unambiguous. No opt-outs, never again.

Don’t get me wrong. Fundraising companies have a problem. For many years, they have built profitable businesses, employed lots of people, and made lots of money, some of it even for the charities who hire them. The GDPR makes clear what was not clear, emphasises what has been underplayed, and gives new rights to subjects that will directly challenge the business model of some fundraisers. Consent has to be clear and it has to be opt-in. Profiling has be to explained to subjects, and they have significant rights to challenge and object to it. Data sharing cannot be justified on tiny, badly-explained clauses buried in interminable terms and conditions. I can understand that the more they delve into the GDPR, the more fundraising companies may despair.

But denial and confusion is not the answer, and this nonsense must end. The Institute of Fundraising has to stop issuing inaccurate and confusing guidance which, let’s assume coincidentally, has the effect of maximising the number of calls, texts and emails that can be made and sent. Charities have been battered for a while now, some with more justification than others. But they have no hope of emerging from the mess and getting back to where they should be if this endless stream of misinformation continues to be sprayed at them. The problem for some fundraisers is not that the GDPR is confusing. It is that it is not.

Raising hell

One of the irritating things about the introduction of the EU Data Protection Regulation, the timing and final shape of which is still up in the air, is the way in which marketing companies are buzzing around, fearful of what the changes might mean. Most of them fret about the perceived emphasis on unambiguous consent, and what irritates me is that none of these idiots seem to be aware that active consent has been needed for email and text marketing since 2003 (under the Privacy and Electronic Communications Regulations, or PECR). The big change they are worried about happened more than ten years ago.

A slightly different take on the problem is doing the rounds in the charity fundraising sector. An article on the Civil Society News website encapsulates it with a suitably hysterical headline: “EU data protection proposals would kill fundraisers’ mailing lists, says report“. If the regulation contained provisions to ban marketing in general or marketing by charities in particular, this would be true and terrible. Stephen Pidgeon, a “fundraising consultant” and trustee of the Institute for Fundraising is quoted:

“if the EU introduce compulsory ‘opt-ins’ for direct mail then the cold mailing lists that still drive minor donor fundraising will disappear and, with them, millions of pounds”

Full marks for the euphemism ‘cold mailing list’ there, when what Mr Pidgeon means is ‘junk mail’. The author of a report into this nefarious proposal, Andy Taylor, a consultant at a charity marketing agency called ‘The Desired Effect’, is equally scathing:

“There is a balance to be struck between the donor’s right to privacy and our ability to fundraise, and the current draft of the proposals doesn’t get this right.” 

The factual content of the article is awful – it asserts that charities can make marketing calls unless told not to, ignoring the existence of the Telephone Preference Service which applies to charities as it does to everyone else. It also claims that charities can use the ‘soft opt-in’ for email marketing, which allows an organisation to operate a tight opt-out system when marketing similar products to existing customers. PECR clearly refers to the soft opt-in being engaged during a ‘sale’, and the Information Commissioner’s guidance is unambiguous about what that means:

“the ‘soft opt-in’ exception can only apply to commercial marketing of products and services… [not for profit organisations] will not be able to send campaigning texts or emails without specific consent, even to existing supporters” (page 12)

The Civil Society article also complains about the possibility that the Regulation may interfere with a charity’s ability to profile potential donors. What this means is made more explicit in a recent piece published by Fundraising UK, which complained:

“charities would no longer be able to target direct marketing campaigns at specific donor profiles and would severely hamper the ability to build up prospect donor information”

I think some charities’ good works can be diluted by a sense of entitlement (I’ve blogged about the human embodiment of this in the past), and their fund-raising methods can be awful. Few commercial organisations would expect to get away with the antics of chuggers, but charities expect a free pass when hassling unwilling citizens in the street and paying a cut of donations to the companies they employ to do so. The attitude on display by Fundraising UK is even worse – would you be happy if a charity assembled information about you without your consent and then sent unsolicited marketing to you? I’d be fascinated to know if charities that profile ‘prospect donors’ comply with the first Data Protection principle by informing the ‘prospect’ that they were doing so – regardless of consent, there is no exemption from fair processing available.

I hope that those fundraisers agitating against explicit consent for marketing fail. Expecting an organisation to have permission before sending marketing isn’t just a legitimate way of setting up privacy law, it’s basic courtesy. There are already a lot of circumstances where our data is used without consent – many justified, some not. But where there is not some legal or security requirement that makes consent inappropriate, it should be the default for everyone, regardless of the effect on profit, innovation or donation. One vital aspect of privacy is having a right to be left alone, to be able to close your door and not be bothered by anyone else. The position of these fundraisers and consultants is that charities should be able to override that to get their cash. The headline of the Civil Society article is nonsense because explicit consent doesn’t kill charity mailing lists, it just makes them fair. It ensures that those people who are on the lists want to be on the lists. If fundraisers are concerned about the effect of Data Protection on their income, perhaps they should approach their targets with more respect.