Category Archives: Legislation

Comments surrounding the recent court ruling against John Lewis

As the comments surrounding the recent court ruling against John Lewis fly around fast and furious, I am concerned that everybody is weighing in without being in full possession of the facts. I know that I don’t know what happened, but what I do know is that the two scenarios I have seen in the press are very different, and therefore my opinion of the outcome is equally different. I should point out that I am not a lawyer and am speaking from a best practice perspective. In most cases best practice exceeds the standards set forth in the law, so by following best practice a marketer should never have to worry about running afoul of the law.

The Drum and Sky Scenario

The story as first reported indicated that Mr Mansfield had registered on the John Lewis website and then proceeded to browse the site. John Lewis then used the soft opt-in principle as the basis for sending marketing communications. The soft opt-in principle is that a business can mail a customer about “similar goods and services”, and it defines a customer as anyone who has “entered into a negotiation” for goods or services. John Lewis relied on the ICO guidance that a negotiation starts when a consumer asks about the price of a specific product. Since prices are included on the John Lewis website I can see their point, but I personally think this is a very aggressive strategy, as in this case the website is really nothing more than a digital catalogue. If an item had been placed in a shopping basket, however, I think you could clearly argue that a negotiation had started, but this does not appear to be the case here.

The Register Scenario

The details that appeared in the Register are very different. In The Register version, Mr. Mansfield wanted to check on the cost of delivery from Waitrose and was forced to register on the site to get this information. He then received marketing emails from John Lewis. Even if you could argue that a negotiation has begun with Waitrose (which I don’t think you can), John Lewis is another brand and does not sell similar goods and services. Unless it was very clearly stated in the Waitrose email capture form that the details would be shared with John Lewis, there is not a situation where sending emails from John Lewis would be alright. The first thing a marketer has to ask themselves is would a consumer expect to get this email given the information they provided. If I have given my details to Waitrose, I would not expect to get an email from John Lewis. It does not matter that John Lewis owns Waitrose.

The Information Commissioner has recently revised its guidance and has said that a pre-ticked box would not be acceptable in most cases. I think most legitimate email marketers are taking steps to change their current data capture processes, but as we know these things take time within big organisations. Interestingly, I did a quick check of some of the sites where the story has appeared, as well as the Waitrose and John Lewis websites. The Drum and The Register use a pre-checked box, and Sky uses a “check this box if you do not want to receive anything” approach. The Waitrose registration, however, requires the user to check a box to get information about the John Lewis Partnership and specifies which brands that includes, while the John Lewis registration requires the user to check a box to get information on John Lewis. Maybe this case has pushed the guys at John Lewis along, and hopefully coverage of this case will push other legitimate email marketers along as well.

The Curious Case of Roddy the Spam Troll – Sky News Producer casting stones from his employer’s glass house

Sky News Producer and Data Directive litigation Troll Roddy Mansfield has apparently won his 3rd “victory” against a brand – in this case John Lewis, who (soft) opted-him-in for marketing by using a pre-ticked consent box after he had registered his details with John Lewis’ website.

This was breathlessly reported on Sky News as “Spammer To Pay Damages After Court Victory.” Roddy, the spam troll, argued that “an opportunity to opt-out that is not taken is simply that. It does not convert to automatic consent.” Well, he would know that! Given his track record one would think he, more than anyone else in the UK, would know what that pre-checked box meant.

The irony of it all is that Sky, his own employers, operate an enforced opt-in policy, which means anyone who registers for a Sky ID is automatically put on their mailing list whether they want it or not, and the only way to prevent that happening is to tick a box and actively opt out. Interestingly, they do it the opposite way to John Lewis and most brands, as you can see below, and their approach is as good an example of psychological sleight of hand as you are likely to see. To add insult to injury, Sky would seem to be opting you into receiving 3rd party offers from brands you may not actually ever want to hear from, something John Lewis do not.

One of the challenges with the 2003 EU Directive is that it is open to interpretation, and as such many experts, brands and even countries apply it in different ways. I have no doubt that Sky’s lawyers are pretty certain that their interpretation passes muster, but I know many brands and commentators who would feel uncomfortable with their approach and might argue that consent for 3rd party mailings should not or cannot be via opt-out. Most websites require registrants to explicitly opt in to receive 3rd party mailings.

So what does this mean to those of you out there who are concerned by this ruling? My understanding is that County Courts have no power to set legal precedent, and as such you are free to use a pre-checked box, particularly as it is one of the most widely accepted interpretations of the Directive. My guess is that John Lewis could have appealed and most likely succeeded, but decided it would be cheaper to pay up and move on. Which is precisely why it is so difficult to stop litigation trolls using the small claims courts as a handy way to top up their holiday fund by suing large employers and brands.

So if there are any other people like Roddy out there go register with Sky and fill your boots!

A Privacy Policy that Wins Business

Business is built on trust and trust is built on transparency. Both the DMA and ICO have long urged companies to be clear with their customers as to what data is collected and why.

As soon as you act in a way that a customer doesn’t expect or makes them feel abused, then any hard work previously done building trust immediately evaporates.

Simply put, nobody will do business with a brand they don’t trust.

According to the Customer Acquisition Barometer 2014, 85% of consumers will only share their information if it’s made clear that it will be used only by the company that collects it, and 32% say they expect a clearly worded privacy policy before they share information.

And there is such concern about data and privacy that the EU Parliament is busy voting for much tighter rules on data use and protection.

Whilst the privacy policy is the cornerstone of ensuring compliance, it’s no secret that few people read the privacy policy. Do you?

So it was refreshing to see a totally different approach to a privacy policy from Lookout. A visual approach that gives consumers the big picture about the key issues at a glance.

It’s even a responsive design so it looks beautiful on mobile as well as desktop, view it online here. To top it all it’s built on open source and brands can pinch the code to create their own consumer friendly privacy policy.

[Image: LookoutPrivacyDesktop]

It’s responsive too; this is how it looks on a mobile device:

[Image: LookoutPrivacyMobile]

This must be the most consumer friendly privacy policy – ever.

Data protection self-defence

If you hadn’t noticed, domestic and international data protection laws are changing, consumers are getting greater protection and some of the proposals are causing concern in some industries.

The European Commission’s draft proposals for modernisation of the 1995 data protection rules are designed to improve trust between consumers and businesses in order to improve trade by building “a new gold standard of data protection” which the Commission hopes will become the international benchmark for data protection.

The draft regulations include:

  • Cross-border (international) spam enforcement
  • Simplification of rules, bringing together privacy and data-protection
  • Greater choice, privacy and protection for consumers
  • Strengthening of rules, closing loopholes which have been abused
  • Stronger enforcement with easier access to compensation claims

Why you need an international view of consent, privacy and data protection

Every email campaign is a multinational campaign
Many recipients use global ISPs, companies have international offices and hosting centres and email recipients travel. As a result almost every email campaign is a multinational campaign which could be subject to international regulations.

Rules are changing fast across the world
Even if you could map out every regulation for every country you knew you were going to hit, rules and regulations are currently in a state of flux, with changes somewhere every few months.

Look beyond the UK
New international regulations, dedicated enforcement teams and increased cross-border co-operation mean that marketers need to look beyond what is needed to work with the soft-touch enforcement in the UK and look at how to work with some of the more strict international regulations.

Why you need a defensive view of consent, privacy and data protection

Proposed EU regulations in the next couple of years are going to clarify, simplify and consolidate existing rules; but will also introduce a requirement for stronger enforcement AND a means of cross-border enforcement.

In the UK we have a largely self-regulating, laissez faire industry, but this is changing: earlier this year the ICO fined spammers £500,000 and a recent letter from the Information Commissioner to the Secretary of State warns of mandatory fines and suggests that more funding and stronger sanctions are necessary for enforcement.

However, I see the biggest potential risk to most companies as professional or opportunistic claimants seeking out sites whose sign-up and marketing processes are unclear or inadequate.

We need to change our data protection and privacy approach. Beyond making sure consumers’ rights are fulfilled, we need to be in a position to easily prove that consent has been obtained, so that opportunistic claims can be quashed immediately.

Simple Guidelines for Data Protection and Privacy Compliance

This is where things become simple! Focus on privacy, data protection, choice and transparency for your customers and subscribers and you will be adhering to the principles behind almost all international legislation.

Forget for a moment the legal standards and specific wording and look at these simple, small steps.

  • Review your own processes (or get an audit) to see what data you collect, how you collect and store it. Consider whether it is both appropriate and necessary and whether it fits with what your customers would expect.
  • Inform customers about what you do and why. Where possible, give them choices.

To review or audit your data collection and storage processes, here are some starter questions:

When you collect data:

  • What data do you collect, where, when and how?
  • Is personal data collected which could be deemed excessive in relation to the purpose for which it was collected?
  • Is any personal data kept longer than necessary for the purpose for which it was collected?
  • Are your answers consistent with your customers’ expectations?

Once you understand your own data consider the following:

  • In your privacy policy include detail of what data you collect, how it is stored, how it is used to benefit your customers and what their options are for deleting their data.
  • When you create an account or someone signs up make it clear at that time why you collect information and explain clearly why it benefits them, providing a link to the detailed section in the privacy policy.
  • Allow people to purchase without creating an account – but give your customers compelling reasons to create an account by telling them the benefits they will get from having an account with you.
  • Provide customers with ‘the right to be forgotten’ by allowing customers to delete/obfuscate (replace their customer details with dummy data) their account history – but give them reasons NOT to do this.
  • Give your customers a choice to NOT be tracked, recorded and profiled. But give them compelling reasons why trusting you with their data is a good thing.

Be defensive by design:

  • Keep wording and processes simple and unambiguous
  • Collect basic audit information which shows what consent was provided and when
  • Where possible and appropriate, start collecting explicit consent where you currently rely on implied consent
  • Keep privacy policies up to date, making it easy for customers to see if anything has changed
  • Make sure you are in a position to easily prove that consent has been obtained
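The last two lists describe an audit trail: a record of what consent was given, when, by what mechanism and against which wording, kept in a form that lets you prove it later, plus a way to honour a deletion request without destroying that proof. The following is an added example written for this post; it is not code from the blog, the DMA or the ICO. The purpose name, the consent wording, the subscribers and LEDGER_KEY are all constructed, and treating an unticked checkbox as explicit consent while rejecting a pre-ticked or opt-out box is this example’s own assumption about how the “clear affirmative action” wording would be applied.

```python
"""Consent audit ledger: added example, not code from the blog, the DMA or the ICO.
Sealed records carry the digest and version of the wording the subscriber saw, the
mechanism used and a UTC timestamp, so consent on a given date can be proved later.
Subscribers, wording, purpose names and LEDGER_KEY are constructed."""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone

LEDGER_KEY = b"constructed-demo-key-rotate-in-production"  # hypothetical server-side secret
# Assumption: only a clear affirmative action counts as explicit consent.
EXPLICIT_MECHANISMS = {"unticked_checkbox", "double_opt_in_link"}


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str      # internal id; the ledger never stores the address itself
    email_hash: str      # sha256 of the normalised address, for matching only
    purpose: str         # e.g. "retailer_marketing" (constructed)
    granted: bool        # True = consent given, False = withdrawn or erased
    mechanism: str       # how the choice was expressed on the form
    policy_version: str
    policy_hash: str     # sha256 of the consent wording shown at that moment
    timestamp: str       # ISO-8601, UTC, second precision
    seal: str = ""       # HMAC over every other field


def digest(text: str) -> str:
    return hashlib.sha256(text.strip().lower().encode("utf-8")).hexdigest()


def iso_utc(when: datetime) -> str:
    return when.astimezone(timezone.utc).isoformat(timespec="seconds")


def seal_for(rec: ConsentRecord) -> str:
    body = {k: v for k, v in asdict(rec).items() if k != "seal"}
    return hmac.new(LEDGER_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self.records: list[ConsentRecord] = []
        self.customers: dict[str, dict] = {}   # subject_id -> personal details

    def record(self, subject_id, email, purpose, granted, mechanism,
               policy_version, wording, when: datetime) -> ConsentRecord:
        rec = ConsentRecord(subject_id, digest(email), purpose, granted, mechanism,
                            policy_version, digest(wording), iso_utc(when))
        rec = replace(rec, seal=seal_for(rec))
        self.records.append(rec)
        return rec

    def verify(self, rec: ConsentRecord) -> bool:
        return hmac.compare_digest(rec.seal, seal_for(rec))

    def consent_in_force_at(self, subject_id, purpose, at: datetime):
        """Latest record as of `at`; a later withdrawal does not alter an earlier send's position."""
        cutoff = iso_utc(at)
        matching = [r for r in self.records if r.subject_id == subject_id
                    and r.purpose == purpose and r.timestamp <= cutoff]
        return max(matching, key=lambda r: r.timestamp, default=None)

    def evidence(self, subject_id, purpose, at: datetime) -> dict | None:
        """Proof producible for a send at `at`; None means consent is not provable."""
        rec = self.consent_in_force_at(subject_id, purpose, at)
        if rec is None or not rec.granted or not self.verify(rec):
            return None
        if rec.mechanism not in EXPLICIT_MECHANISMS:
            return None   # a pre-ticked or opt-out box is not a clear affirmative action
        return {"when": rec.timestamp, "mechanism": rec.mechanism,
                "policy_version": rec.policy_version, "policy_hash": rec.policy_hash}

    def forget(self, subject_id, when: datetime) -> None:
        """Right to be forgotten: dummy out the details but keep the audit trail."""
        email = self.customers.get(subject_id, {}).get("email", "")
        for purpose in {r.purpose for r in self.records if r.subject_id == subject_id}:
            self.record(subject_id, email, purpose, False, "erasure_request", "n/a",
                        "erased on request", when)
        self.customers[subject_id] = {"email": f"erased-{subject_id}@invalid", "name": "ERASED"}


def demo() -> dict:
    """Constructed walk-through: an explicit opt-in, a pre-ticked box and an erasure."""
    utc, ledger = timezone.utc, ConsentLedger()
    ledger.customers["s1"] = {"email": "alice@example.com", "name": "Alice"}
    wording = "Tick this box to receive offers from ExampleRetail by email."
    ledger.record("s1", "alice@example.com", "retailer_marketing", True,
                  "unticked_checkbox", "v1", wording, datetime(2013, 3, 1, 10, tzinfo=utc))
    ledger.record("s2", "bob@example.com", "retailer_marketing", True,
                  "preticked_checkbox", "v1", wording, datetime(2013, 3, 1, 11, tzinfo=utc))
    april, june = datetime(2013, 4, 1, 9, tzinfo=utc), datetime(2013, 6, 1, 9, tzinfo=utc)
    ledger.forget("s1", datetime(2013, 5, 1, 12, tzinfo=utc))   # Alice asks to be forgotten
    tampered = replace(ledger.records[1], mechanism="unticked_checkbox")  # edited after the fact
    return {
        "alice_april_provable": ledger.evidence("s1", "retailer_marketing", april) is not None,
        "bob_april_provable": ledger.evidence("s2", "retailer_marketing", april) is not None,
        "alice_june_provable": ledger.evidence("s1", "retailer_marketing", june) is not None,
        "tampered_record_verifies": ledger.verify(tampered),
        "alice_name_on_file": ledger.customers["s1"]["name"],
    }
```

Three design choices do the work here. The ledger stores a hash of the address rather than the address, so erasing a customer’s details leaves the consent history intact and still matchable. Each record is sealed with an HMAC, so a record quietly edited after a complaint no longer verifies. And a lookup is always made “as of” a send date, so a subscriber who withdraws in May cannot turn an April send into an unlawful one, while a pre-ticked box never yields provable consent at all.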

Links

European Commission data protection proposals 25th Jan 2012

European Commission Working Party update 27th Feb 2013

DMA – How the EU Data Protection Regulation could affect you and your business 30th Jan 2013

ICO Comment on EU data protection reforms 8th Apr 2013

The Draft EU Data Protection Regulations and the Other Compliance Obligations

As our series of blogs on the proposed EU Data Protection Regulation is almost at an end, I think it’s fair to say that they made for very informative reading. I hope you would agree with me that many marketers can learn something from them. A lot of the main topics within the proposal have been covered. But what are the changes to the compliance obligations which organisations need to consider in their day to day activities if the proposal was to be passed in its current version?

Data processing is featured heavily in the proposed Regulation. One of the changes is around notifying the relevant national data protection authority, in the case of the UK the Information Commissioner’s Office (ICO), of your organisation’s data processing activities. Currently, providing such notification to the ICO has been a matter of course, whereas the proposal states that full records of data processing activities must be kept by the organisation and only supplied to the relevant national data protection authority on request.

The use of data in many organisations is crucial for marketing purposes, as well as general interaction with customers. If you work client-side, just think of the number of email campaigns your organisation sends out to your customers, whether the customers are active, prospective, lapsed or otherwise. Your data would have had to be processed in some way before emailing, whether it’s cleaning or segmenting for a targeted campaign; therefore keeping a record each time the data is processed with specific information would add another compliance burden to the activity. The obligation to keep records of processing activities is also extended to agencies where dealing with data is an integral part of running of the organisation, such as list rental and lead generation activities. With this in mind, if you think of your own organisation’s activities as well as the number of organisations involved in a typical data processing chain, then the number of data processing activities that will need to be recorded is overwhelming. The ICO is concerned that there is a danger that organisations will focus on the ‘paperwork’ rather than on actual data protection compliance. The removal of the notification fee, which organisations currently pay to the ICO when they complete the notification form, does raise questions as to how the ICO will be adequately funded to carry out its data protection work effectively.

Another change in the proposal which will have a big impact is the requirement for organisations with 250 or more staff to have a designated independent data protection officer. Even though data is crucial to a lot of organisations, the size of the organisation, the reasons for its use of data and the frequency with which data is handled and processed all vary. The ICO believes that “a simple head-count criterion for the designation of a data protection officer is not the best approach.” Some low head count organisations may process a large amount of information about a lot of people and are therefore high risk. On the other hand, large head count organisations may carry out relatively small-scale and low risk processing. Read the ICO’s report on the draft regulations here.

The additional bureaucratic requirements relating to these proposed new compliance obligations will certainly create extra administrative costs, particularly for smaller organisations. As well as the increased documentation of all data processing activities, consider the revision and issue of new terms and conditions, and the amount of employee guidance and training around these changes.

These new compliance obligations, as well as implementing the right to be forgotten and explicit consent for data processing, will mean that all organisations will have to review their day to day activities.

Changes to the EU Data Protection Regulation: What are the penalties?

When the European Commission’s updated Draft Data Protection legislation was announced last year, a lot was made of the sweeping changes to the fundamental data principles. Many of these have already been covered in other blog posts, but what I want to delve into here are the changes in the financial penalties for failure to comply with the rules. There are two separate provisions which could hit your corporate wallet: the first allows the regulators to levy a fine for breaches, while the other gives individuals the right to be awarded compensation for breaches.

Fines from Regulators

The original proposal gave regulators the power to levy a full €1m, or up to 2% of a business’s global turnover for breaches of the regulations. On the 20th of February, the Industry Committee of the European Parliament voted against mandatory fines and to give the power to set the size of the fine to the national regulators, which is in line with the current regulations. While many consumer and privacy advocates have said this will water down the new regulations, I for one applaud this move as it will allow fines to be in-line with local attitudes about data privacy and economic conditions.

Do not think that because the power to set mandatory fines has been taken away from Brussels and granted to the UK Information Commissioner that companies dealing in personal data will have an easy ride here in the UK. The ICO continues to lobby for greater enforcement powers and, more importantly, greater budget to dedicate towards enforcement. The ICO has also been using its current ability to assess financial penalties more over recent years, with a twofold increase in the number of fines issued in 2012 over 2011 and a fourfold increase in the monetary penalty over the same period. The trend is clear: the ICO is issuing more penalties and the fines are getting bigger.

Individuals Right to Compensation

The other potential hit to your corporate wallet is the new proposal giving individuals the right to compensation for breaches in the data protection regulations. This is worrying for a number of reasons. First, there are no guidelines around how a court or regulator would determine when personal compensation is warranted, how the compensation should be calculated or limits to the compensation award. A second concern is that this proposal will drive the EU to be more litigious.

The third and greatest worry for us as an industry is that this personal compensation can be sought from both the data owner and the data processor. Making data processors responsible for the actions of the data controllers is a new and very troubling concept which will significantly impact the email marketing industry.

Up till now, data processors primarily in the form of ESPs acted only on the instruction of the data controller and therefore were not required to ensure that the behaviour of the data controller was in fact legal. There is already an extra burden on our industry because as we all know we deal with the “second regulator” in the form of ISPs deciding whether to accept our email transmissions or not. Should this new provision go through, ESPs will not only have to ensure that their clients are following the best practices to optimise deliverability but they also have to get right under the skin of the client’s business to ensure that they are legally compliant with data protection regulations. This will be an intrusion that many client companies will not want, it is a process which ESPs are not currently structured to handle and one that will have to be funded in the form of higher send costs.

Should I Worry?

At the end of the day it is email marketing 101 type stuff. Any email marketing professional worth their salt, or any member of the DMA should be following the basics of best practice closely enough to not be doing anything wrong and should therefore have nothing to generally worry about. The worry comes as a result of simple human error which can cause a file to be corrupted, or a laptop left on a train or a password that is too easy to crack. These “simple human errors” could get to be very costly.

Take action now!

If you haven’t already, take time to read the DMA’s assessment of the impact of the new regulations. Think about how this could hurt your business and then reach out to your MEP and make your voice heard.

Opt-In & Opt-Out – Definitions of Consent according to the draft EU Data Protection Regulations

As a consumer, I am always in favour of legislation which seeks to protect individual freedoms, and reduce ambiguity in what organisations can and cannot do with my personal information. As a marketer too, it is important that the availability and use of a consumer’s personal information be governed by clear guidelines, and ends in a mutually beneficial result – at the bare bones of it; providing a customer with timely, relevant communications based on the data they have provided, at the same time as (hopefully) making a profit for the organisation I am working for.

The real worry is that the current draft of the European Union Data Protection Regulation, does the opposite by introducing more complexity and ambiguity than already exists, and potentially creates further issues which would not have surfaced if the status quo were maintained.

The verbatim definition of consent within the Regulation is as follows:

“…’the data subject’s consent’ means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed…”
[http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0011:FIN:EN:PDF Article 4 (8)]

Furthermore, the “Conditions for Consent” are laid out as follows:
1. “The controller shall bear the burden of proof for the data subject’s consent to the processing of their personal data for specified purposes.

2. If the data subject’s consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.”

[http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0011:FIN:EN:PDF Article 7]

In the above, I have highlighted the key elements here – the Regulation is essentially saying that organisations need to obtain a clear and explicit statement/action by which a data subject provides consent. From an email permission-marketing best practice perspective, this is fine – however the Regulation does not address whether or not this would need to be retrospective for existing databases, and whether or not organisations would be able to contact customers with whom they have had previous interactions (as is currently permissible under the existing Privacy and Electronic Communications Directive – and, the majority of the time, expected by consumers).

This is completely disregarding whether or not those consumers actually want to be contacted, and if the “burden of proof” detailed above is an enforceable requirement (in a worst-case scenario), then the Regulation is effectively saying organisations must delete said data if they cannot prove consent has been given explicitly! Then there’s the possibility of dispute over the meaning of “informed & explicit”… well, you can see where this is heading: more ambiguity and less clarity.

Furthermore, there is an argument out there that this Regulation does not take into consideration the low risk use of Business-To-Business (B2B) data for marketing purposes, where, more often than not, an organisation would hold and process information on another organisation or group of members of staff, with perhaps multiple key decision makers, rather than on an individual.

In summary, the intention is good but the detail is lacking. I strongly urge the legislators in Brussels to revise and alter the Regulation so that it can sit with the existing Privacy and Electronic Communications Directive. They also need to focus on what the effect of the changes in the draft Regulation will be for both consumers and organisations.
To find out more about the consequences of this legislation passing unaltered, and the potential impact on your own business, take a look at http://dma.org.uk/eu-data-protection. This site also provides information on how to take immediate action by lobbying your regional MEPs.