Culture, Media and Spam

Most of the news and comment I heard about the Queen’s Speech suggested that it was a hole in the air, with the Government wanting to avoid doing anything of any consequence before the resolution of the EU vote in June. It was a surprise, therefore, to see provisions in the proposed Digital Economy Bill that will change the face of direct marketing.

At the moment, the rules for direct marketing are a mixture of Data Protection (for postal marketing) and PECR (for email & texts, live calls, automated calls and fax). PECR breaks down into subsets, with some forms of marketing requiring consent (email & text, automated calls, fax) and some done without consent and with opt-out (live calls, with the ability to opt-out of all calls via the Telephone Preference Service.

But consider this line from the full version of the Queen’s Speech:

Protection for consumers from spam email and nuisance calls by ensuring consent is obtained for direct marketing, and that the Information Commissioner is empowered to impose fines on those who break the rules.

My first reaction to this was that the Department for Culture, Media and Sport were incompetent: PECR already requires consent for email, and the Information Commissioner already has the power to impose fines for breaches of consent. Whatever else, this is still true, and DCMS should explain why they are announcing things that have been in place since 2003 (consent for email) and 2011 (fines) respectively. Nevertheless, it’s impossible to interpret this sentence as meaning anything other than a change in the rules for live calls. It’s not earth-shattering: it’s only lawful to cold-call people who aren’t on TPS and who haven’t directly opted out, which is probably a minority of the overall population. But nevertheless, the proposal as written abolishes the need for the Telephone Preference Service and inverts current practice.

It certainly has the merit of neatness: PECR would make more sense if all electronic direct marketing had to be opt-in. However, it will have consequences far and wide. There are plenty of lead generators and telemarketing companies who still make cold-calls, and they would be dead in the water. I would shed no tears over this (I think the lead generation and list broking industry is fundamentally unlawful, and most of the folk in the call centres would just end up in hopefully less rancid call centres). However, killing off the telemarketing industry is bold.

It will also create an even more stark contrast with the Fundraising Preference Service, which in its current form allows someone to stop all contact with all charities. It’s not even clear whether a person will technically be able to opt-in to individual charities that they do want to hear from if they’re on the FPS. It would be moronic if this situation wasn’t clarified, but people who do moronic things tend to be good at maintaining their standards. Given that the Digital Economy Bill apparently puts all* electronic marketing on an opt-in basis, charities might legitimately argue that the FPS is unnecessary, and they would have a point.

There are other issues. If all email marketing has to be done on the basis on consent, this also presumably kills off the ‘soft opt-in’. The ‘soft opt-in’ allows a company to send email marketing on an opt-out basis, as long as the email address in question has been obtained in the course of a sale, and as long as the products being marketed are their own, and are similar to the one that was originally purchased. Requiring all email marketing to be done on the basis of consent would remove this option (NB: if you think the absence of an opt-out can be interpreted as consent, you are a moron).

Finally, the proposal doesn’t mention texts, hence my * above. Texts are as much of a nuisance for people as live calls or emails, and have been the subject of routine enforcement action by the Information Commissioner since 2011. PECR treats email and text as the same, so it’s entirely possible that the Government are treating them so. It’s equally possible that this is a back of a fag packet proposal to bulk out a weak bill in a thin speech. One indicator that this might be the case is that the Information Commissioner, explicitly mentioned in the proposal, has not reacted to it in any way. There is no press release, and not a single tweet, despite a run of tweets this week about nuisance calls and other PECR related action. One could be forgiven for thinking that they didn’t know about it (I will be doing an FOI to find out).

You might think that spinning 833 words out of a single sentence is overkill, but on the face of it, the proposed change will have a considerable impact. Like me, I hope you will be watching the progress of the Digital Economy Bill with interest.

Charity letters

I have written a lot recently about the issue of charities and marketing, and especially as I have another post on the boil concerning the same issues, I had intended to keep my head down for a few weeks and talk about something else (or even, as a friend suggested to me today, nothing at all).

However, I have a short update before the next onslaught. A lot has been made about the idea that after the death of Olive Cooke, the Information Commissioner suddenly woke up to the problem of charity marketing, and in the opinion of one charity journalist “moved the goalposts” by requiring charities to change their approach to the TPS in particular, and the Privacy and Electronic Communications Regulations in general. It is to this topic that I intend to return.

Nevertheless, the Information Commissioner, Chris Graham, told the Public Administration and Constitutional Affairs Committee in October that his office had in fact written to 8 major charities, drawing their attention to issues related to PECR and marketing. At least one charity chief executive (Mark Wood of the NSPCC) denied that his charity was among them, but he has now been obliged to reveal that the NSPCC was in fact one of the eight.

At the time, I made an FOI request to the ICO, asking for a copy of the letter and the names of the eight charities. I was intending to sit on the response for another purpose, but the information is clearly destined for the public domain anyway.

The eight charities were: Barnardos, the British Heart Foundation, British Red Cross, Christian Aid, Great Ormond St, Macmillan Cancer, the NSPCC, and Oxfam.

The letter is very straightforward – it does not refer to specific complaints, as complaints were being funnelled towards the Fundraising Standards Board at the time (the same FRSB which now faces abolition). However, the letter clearly draws each charity’s attention to the Information Commissioner’s guidance on Direct Marketing. That guidance is clear, robust, and written in plain English, with none of the hesitancy or fence-sitting that ICO guidance sometimes demonstrates. It is very strong on the need for clear, unambiguous consent. It is explicit that charity’s promotion activities are direct marketing. And one paragraph leaps out at me:

Organisations can make live unsolicited marketing calls, but must not call any number registered with the TPS unless the subscriber (ie the person who gets the telephone bill) has specifically told them that they do not object to their calls. In effect, TPS registration acts as a general opt-out of receiving any marketing calls

If the charities contacted by the Commissioner acted responsibly, they would have immediately sought out the guidance to which the ICO letter referred. It would be remarkable if they did not. If they did, and then did not recognise that the full force of the law did indeed apply to them, it is hard to imagine how. Mr Wood has put his head above the parapet. Oxfam  denied receiving the letter when in front of the Committee (my FOI response confirms that they did). It would be good to hear from the others.

Consenting adults

Around two months ago, the Etherington Review into charity fundraising and governance published a series of recommendations about the way the sector should be run. The most eye-catching and ridiculous is the Fundraising Preference Service, which I wrote about at the time. The reaction to the FPS from charities has been almost universally negative, with a series of articles appearing in charity publications and on charity websites, all condemning the idea that the public should be able to stop communications from charities.

There is nothing in Data Protection, the Privacy and Electronic Communications Regulations (PECR) in general or the Telephone Preference Service (TPS) provisions in particular that stops a charity from contacting a person who wants to be contacted. The FPS is non-statutory, and so cannot change it. Since 1995, Data Protection law has been built on a requirement that any contact based on consent requires a freely given, specific and informed indication of the subject’s wishes. That’s what the Directive says, so any claim that somehow the upcoming DP Regulation represents a significant shift in how consent works is exaggerated. The problem for some charities is they have ignored this. When I make a donation, that is a freely given, specific and informed indication of my wish to make that donation. If the charity wants to call me, or text me and rely on consent, they need a freely given, specific and informed indication that I want to be called.

The current practice of charity posters that ask for a quick £3 or £5 text donation for a specific cause are a classic example of how this doesn’t work. Yes, there is minuscule small print on the poster that indicates that further calls or texts will be made and I can opt-out, but unless one has carried a magnifying glass onto the Tube or into the toilet cubicle, the text is impossible to read, and easy to overlook. Many charities using the one-off donation technique seem to be doing so to harvest mobile numbers for fundraising calls. In Data Protection terms, this is unfair and does not represent consent (breach of the 1st principle); in PECR terms, if the number is on the TPS, the charity has not obtained consent and any calls made to a TPS registered number harvested in this way will be unlawful.

An article in Civil Society published shortly after the FPS proposals were first mooted contains this key quote:

The idea is that members of the public would be able to simply and easily add their names to a “suppression list” so they would not be contacted by fundraisers. Rather than rely on charities using the existing mail and Telephone Preference Services, the FPS would allow you to put a stop to all contact with charities.

The TPS already allows you to put a stop to all contact with charities by phone, along with everyone else. Charities are not unfairly discriminated against by the TPS, any more than any other sector might be. The TPS is a blunt instrument, but it is a fair one. The fact that charities see the FPS as being a problem suggests to me that they either don’t understand the TPS (they believe the donation = consent nonsense), or they think they can ignore it. Civil Society reported at the end of October that the Institute of Fundraising (which represents, remember, organisations that make money out of fundraising, rather than charities themselves) was changing its guidance in line with the expectations of the Information Commissioner’s Office. The IoF nevertheless claims that this change (i.e. complying with PECR) “unduly” restricts the ability of charities to “maintain relationships with their supporters“.

Donation = consent isn’t the only myth that has been propagated. Civil Society’s David Ainsworth claimed a few weeks ago that all the blame lies at the door of the ICO (and that’s often a valid argument). The problem is, the story isn’t true. Ainsworth said “In 2010 David Evans, a senior data protection manager at the ICO, explicitly told charities they were allowed to call people registered on the TPS, so long as they received no complaints. Just in case there was any doubt, this was followed up with official guidance which effectively said that the ICO did not intend to apply the law to charities.” I asked Ainsworth on Twitter if he could provide evidence that this is what the ICO said. All he could provide was a note written by the Institute of Fundraising, who are hardly objective. But even that note contradicts Ainsworth’s article, stating the TPS position clearly, with only a little bit of nuance.

TPS regulations ‐ any person registered on the telephone preference service (TPS) cannot be called unless they have advised the calling party that they are happy to receive calls. In practice, a charity might judge that, given the nature of the relationship between them and the supporter, they might be able to make a marketing call to that subscriber despite TPS registration.

In truth, what Evans said is a line I have heard many times from different ICO people – if a data controller thinks it has consent, acts on that consent, and crucially, the ICO doesn’t receive any complaints, then they probably had consent. In other words, the ICO won’t act on complaints it hasn’t received. The ICO did not give charities an exception. Should any charity have bothered to investigate, they would have found that ICO has no power to do so. The problem was, as Christopher Graham told Parliament last month, there were thousands of complaints about charity direct marketing, but they were all going to the Fundraising Standards Board, a self regulatory body that regulates the Institute for Fundraising’s code. The FRSB did not pass any of the complaints on to the Information Commissioner.

**UPDATE: originally, this blog said that the Fundraising Standards Board was ‘run by‘ the Institute for Fundraising, which was poorly worded shorthand, treating the IoF as if they are the embodiment of fundraisers and charities. The FRSB is a membership body, paid for by its members (who are charities and fundraisers), and its role is to act as a self-regulator for the Code of Fundraising Practice drawn up by the IoF. I don’t believe that the FRSB is properly independent of the Institute for Fundraising not least because they ‘enforce’ a code written by the IoF, and which was legally inadequate. I’m not the only person who thinks this: post-Etherington, the FRSB is being abolished, and responsibility for the Fundraising Code is being transferred to a new regulator. The IoF’s Chief Executive welcomed the new regulator’s creation (tacitly welcoming the abolition of the FRSB), and recognised that moving the Code from the IoF to the new regulator was necessary to avoid the perception of a ‘conflict of interest‘.**

The biggest barrier to charities accepting legal reality – either by complying with the TPS, or with some workable version of the FPS if such a thing is possible – may be the fact that some in the sector don’t really believe in consent at all. Matthew Sherrington, a consultant writing in Third Sector this week, wasn’t exactly subtle: “The awkward truth, which is difficult for charities to argue publicly, is that the generous public (the UK is the most generous in Europe, as it happens) do not give off their own bat, but need to be asked” (my emphasis). The same argument was made by Ian MacQuillin, blogging on behalf of Rogare, a fundraising think tank: “Everyone knows that most people give because they are asked to do so” and later on “I suspect that the FPS would be used not just by people who really are on the receiving end of such a deluge of fundraising material that it was making their lives a misery; but more by people who want to spare themselves the difficult choice of deciding how to respond to a donation request, and the guilt and cognitive dissonance that results when they say no“. The thinking that runs through both articles, and others, is that fundraisers must be able to ask, that the potential donor / prospect / target (which is what we all are to the fundraiser) should not be allowed to opt-out of being asked. We should have to listen to the pitch, and should be forced into the awkward, embarrassing (or in MacQuillin’s word) guilt-ridden option of saying no. There is, in this world, something inappropriate, even immoral in having a choice about whether to be approached in the first place.

**UPDATE: I have had a long Twitter conversation with Matthew Sherrington. He hasn’t put a comment on the blog (which he and anyone is welcome to do) but he thinks I have misrepresented what he said about consent and marketing, and I think that I should mention this. I stand by my comments above, but I’m linking to his article again here so you can read it and make up your own mind about what he says.**

It’s possible that fundraisers and consultants genuinely don’t understand the TPS, don’t understand that it’s already supposed to be possible to opt-out of every marketing phone call, or that texts and emails are opt-in in the first place. Fundraisers see widespread abuse of PECR and Data Protection, so assume that it’s all fine and that daft proposals like the FPS represent unfair singling out of the charity sector. At this point, it is fair to criticise the Information Commissioner for their generally insipid enforcement. I think there is also a sense of entitlement among charities (which is one thing, as most charities have a clear public interest objective), but also among fundraisers (who are, in the main, just private businesses making a profit). There are no exemptions. There is no charity carve-out or defence. The European Data Protection Directive, from which everything in UK DP and PECR law is derived, makes clear that charities are included along with everyone else. It’s in article 30, if you’d like to check.

In amongst all of the anger and self-justification available in the charity press, one article in Civil Society also caught my eye: “Trust in charities is at its lowest point since 2007, with charities now less trusted than supermarkets“, according to a survey carried out by npfSynergy. Some might blame the Daily Mail and Camila Batmanghelidjh, but purely anecdotally, on every training course about direct marketing that I have run in the past five years, the main examples people come up with for poor quality, persistent, sometimes rude marketing calls are either PPI or charities. Fundraisers and charities alike need to ask themselves if they want to be in company with spivs and spammers. Rather than try to rewrite history, or the law, or continue to adopt an approach based on pestering and guilt, perhaps the big charities should look at a business model that is bringing them into disrepute. There is a real question about how they raise funds without marketing calls and other contacts to people who don’t want to receive them but the only solution to this is to get PECR and the DPA amended to remove charities from the marketing requirements, but as this would deprive the public of their existing rights and mean that the UK is in direct breach of EU law, I doubt they’ll get very far. I still think the Fundraising Preference Service is unnecessary in the light of existing provisions, but if it is implemented in some meaningful form, and finally gets the message across to the most unrepentant of charity spammers, maybe I’m wrong.

King Canute famously stood in the waves and ordered back the sea, but only to show that his powers were limited. Some charities and fundraisers are up to their necks in water, but think that they have the ability and the right to turn the tide of history. If they don’t wise up, they will drown.

 

Labour pains

Last month, I registered as a supporter of the Labour Party in order to vote for the leader and deputy leader. I am a lifelong Labour voter, and no, I don’t care what you think about that, and if you tell me what you think about that in the comments, I will let your comment through solely so that I can edit it to replace your drivel with the word “Bellend”. WordPress lets me do this, friends, so choose wisely.

The choice of candidates for Leader is as tempting as being asked whether you want a smack in the face or a kick up the arse, while the inevitability of Deputy Tom Watson is just horrible. There are few experiences as emetic as opening an envelope to find Watson’s huge smug face staring out at you. If only I had a dartboard. Nevertheless, if the party is going to let me participate in the process of choosing which leader will lose the 2020 election, it seems churlish to pass up the opportunity. I actively want to vote for Stella Creasy, so there is some crumb of meaning in there somewhere, apart from the fact that she’s not going to win.

When I signed up, the Labour Party required me to agree to receive communications from the party. There was no more to it than that, and no terms and conditions for me to consult before signing up. It was a fait accompli – sign up and get the messages or go away and don’t vote. This is a straightforward breach of the Privacy and Electronic Communications Regulations 2003 (PECR). Communications from a political party are marketing. Regulation 22 states that marketing emails can only be sent if the recipient has notified the sender that they have consented to receive them. Consent is the same ‘freely given, specific and informed’ consent that you need for Data Protection. If there is any doubt about what that means for marketing emails, the Information Commissioner’s excellent guidance on Direct Marketing is – by ICO standards – uncharacteristically clear: “Consent cannot be a condition of subscribing to a service or completing a transaction”.

Labour cannot lawfully make the receipt of marketing emails and texts a condition of registering as a supporter. Every email and text sent to a registered supporter who has not actively and separately consented to receiving the emails and texts is a breach of PECR. The breach is particularly serious in my case, because in 2013 I exercised my rights under Section 11 of the Data Protection Act with all of the serious English political parties (and UKIP); this means that none of them can send me marketing, and so even the junk mail that each of the campaigns is sending me by post is unlawful. This is not my view; this is the view clearly expressed in the ICO guidance. The fact that I can opt-out is irrelevant. I should not have to (and anyway, I already have). Labour is arrogantly and cynically ignoring legislation that it passed when in government in order to hassle its most active supporters.

Inevitably, privacy champion Tom Watson has sent me the most emails, and demonstrated the least compliant approach. One of the emails had an option to tell Watson if you were going to vote for him, and so I clicked on the link to say no. I was then presented with a webpage asking me who I was going to vote for, as well as two pre-ticked boxes for ‘Send me email updates’ and ‘Send me text message updates’. A pre-ticked box doesn’t constitute consent (consent has not been ‘given’), but nevertheless, I unticked the boxes, clicked the box for ‘Stella’ and submitted.

Instantly, despite having told Watson’s campaign that I don’t want to vote for him and I don’t want to receive his email updates, I received a further email from Watson telling me how brilliant he is and how I should give him my second preference. There is no chance of this: not only will I never vote for Watson, I have always been fond of Ben Bradshaw, because he is Alan Dransfield‘s MP and he looks like he has skinned Hugh Grant and is wearing his face as a trophy. The second preference email was yesterday, and today, I have already received another email from a Watson supporter who has (no doubt spontaneously) written a paean to Watson that happens to include most of the examples the Watson campaign is using elsewhere. I am absolutely thrilled that the Watson campaign has apparently shared my email address with random strangers.

Needless to say, I have emailed Watson to point out his bad practice (and I didn’t use the word ‘hypocrite’, so see how I have matured) and more importantly, I have written a detailed letter of complaint to Iain McNicol, the party’s General Secretary. This is not my first rodeo with McNicol, so I know that all I will get is a reply stating ‘we’re perfectly entitled to do this and if you don’t like it, then opt out’. This reply is useful solely because the ICO understandably expects me to complain to the offending organisation first before going to them, and complaining to them is the only thing I can apart from write this blog for people who probably already agree with me.

Of course, the most the ICO will probably do is tell Labour to stop emailing me, which makes them (at least in this context) the world’s most convoluted unsubscribe button. But nevertheless, rather like voting for Creasy even though she’s going to lose because I honestly think she is the best candidate, I will complain about Labour’s habitual breaches of PECR because they need to be called out on it, even though no enforcement will follow.

An impossible thing before breakfast

The Information Commissioner, Christopher Graham, made one of his occasional appearances on BBC Radio 4’s Today programme this morning. He was there to talk about the Daily Mail’s blistering investigation into the call centres used by charities to raise money over the phone, often with high-pressure sales tactics and abundant breaches of PECR. As regular blog readers will know, I have always been a fan of Mr Graham personally on the basis that he is not his predecessor, but it was painful listening.

There was the obligatory yet pointless literary reference (Alice in Wonderland), some generalities about investigating and getting the bottom of things and, as is often the case with Mr Graham, an attempt to steer the story to something else. The trade in personal data is a massive concern but it is not what he was on the programme to talk about. It wasn’t hard to detect an element of squeamishness about the issue because it involves charities. Even though I would normally defend the ICO’s record on PECR breaches, I am certain that nothing will happen as a result of the Mail’s revelations because the ICO doesn’t have the guts to enforce the law on charities, no matter how badly behaved they might be.

As an FOI request revealed a few years ago, Mr Graham appears to be a stickler for the proper use of language: he went as far as to make his ‘Most Hated’ list available to his staff, although a subsequent FOI response rather confusingly claimed that the information was not held. Whatever his literary standards might be, Graham’s comments about PECR and consent showed that he doesn’t care much for getting the law right.

The worst mistake was when Graham claimed that where an organisation has an “established relationship” with a person, they have a “right” to call them. There is a very widespread misconception across a number of sectors, charities among them, that a customer or donor relationship trumps the TPS requirements. It doesn’t. There is nothing about this in PECR; the text says:

Where a subscriber who has caused a number allocated to a line of his to be listed in the register kept under regulation 26 has notified a caller that he does not, for the time being, object to such calls being made on that line by that caller, such calls may be made by that caller on that line, notwithstanding that the number allocated to that line is listed in the said register

The subscriber (the person being called) has to “notify” the caller that they do not object. You can’t do this by implication, or because you have given a donation. As the Information Commissioner’s Direct Marketing guidance states “This needs to be a positive step to express their wishes”. There is an argument that it doesn’t matter what the Commissioner says on the radio, what matters is what the law says. However, Graham’s words are a gift to every charity and double-glazing company  – we have an “established relationship”, so we can call them. To describe the companies as having a ‘right’ to call people on the TPS because of an “established relationship” is an unforgivably sloppy use of language, and vulnerable people may pay the price for Mr Graham’s inattention to detail.

The other mistake Graham made was almost as serious, although to be fair to him, he made up some ground with subsequent comments. Senior people in the ICO have a habit of talking about consent being obtained through endless terms and conditions. His statement today was “we don’t realise we’re giving consent”. This is a completely false understanding of how consent works. Think of what the Data Protection Directive says: consent should be a freely given, informed and specific indication of the subject’s wishes. Look at what the ICO’s own guidance says (I wonder if Mr Graham has):

the person must understand what they are consenting to… Including information in a dense privacy policy or hidden in ‘small print’ which is hard to find or difficult to understand, or rarely read will not be enough to establish informed consent”.

Mr Graham did go on to question whether such consent was ‘valid’, clearly indicating the possibility that it might not be. But some of the damage was done. Misunderstandings about consent are everywhere, and the uncertainty is ruthlessly exploited. I’ve even seen a Twitter conversation where a high-profile and respected privacy lawyer said “consent can technically be “obtained” even when people are unaware”. This is nonsense, but it is popular nonsense among organisations that want to breach PECR and the DPA.

Data Protection law can be subtle and flexible. Especially if you’re being quizzed by the permanently bewildered self-parody of John Humphrys that presides over the Today programme, it might be tricky to get the detail right. However, PECR is not subtle: it is made up of rules. The ICO has explained clearly in its guidance how those rules work. If there is a point to having a figurehead like the Commissioner, it should be that they can confidently and accurately explain the law, especially when the office’s position is actually clear. Unlike his predecessor, Christopher Graham will rightly be remembered for taking action at least some of the time. The problem with his comments to day is that he may do more harm than good.