Category Archives: Permission

Comments surrounding the recent court ruling against John Lewis

As the comments surrounding the recent court ruling against John Lewis fly around fast and furious, I am concerned that everybody is weighing in without being in full possession of the facts.  I know that I don’t know what happened but what I do know is that the two scenarios that I have seen in the press are very different and therefore my opinion of the outcome equally different. I should point out that I am not a lawyer and am speaking from a best practice perspective. In most cases best practice exceeds the standards set forth in the law so by following best practice a marketer should never have to worry about running afoul of the law.

The Drum and Sky Scenario

The story as first reported indicated that Mr Mansfield had registered on the John Lewis website and then proceeded to browse the site. John Lewis then used the soft opt-in principle as the basis for sending marketing communications. The soft opt-in principle is that a business can mail a customer about “similar goods and services” and it defines a customer as anyone who has “entered into a negotiation” for goods or services. John Lewis relied on the ICO guidance that a negotiation starts when a consumer asks about the price of a specific product. Since prices are included on the John Lewis website I can see their point but I personally think this is a very aggressive strategy as in this case the website is really nothing more than a digital catalogue. If an item had been placed in a shopping basket however, I think you could clearly argue that a negotiation had started but this does not appear to be the case here.

The Register Scenario

The details that appeared in the Register are very different. In The Register version, Mr. Mansfield wanted to check on the cost of delivery from Waitrose and was forced to register on the site to get this information. He then received marketing emails from John Lewis. Even if you could argue that a negotiation has begun with Waitrose (which I don’t think you can), John Lewis is another brand and does not sell similar goods and services. Unless it was very clearly stated in the Waitrose email capture form that the details would be shared with John Lewis, there is not a situation where sending emails from John Lewis would be alright. The first thing a marketer has to ask themselves is would a consumer expect to get this email given the information they provided. If I have given my details to Waitrose, I would not expect to get an email from John Lewis. It does not matter that John Lewis owns Waitrose.

The Information Commissioner has recently revised its guidance and has said that a pre-ticked box would not be acceptable in most cases and I think most legitimate email marketers are taking steps to change their current data capture processes but as we know these things take time within big organisations. Interestingly, I did a quick check of some of the sites where the story has appeared as well as the Waitrose and John Lewis websites. The Drum and The Register use a pre-checked box and Sky uses a check this box if you do not want to receive anything. The Waitrose registration however, requires the user to check a box to get information about the John Lewis Partnership and specifies which brands that includes while the John Lewis registration requires the user to check a box to get information on John Lewis. Maybe this case has pushed the guys at John Lewis along and hopefully coverage of this case will push other legitimate email marketers along as well.

 

The Curious Case of Roddy the Spam Troll – Sky News Producer casting stones from his employer’s glass house

Sky News Producer and Data Directive litigation Troll Roddy Mansfield has apparently won his 3rd “victory” against a brand – in this case John Lewis, who (soft) opted-him-in for marketing by using a pre-ticked consent box after he had registered his details with John Lewis’ website.

This was breathlessly reported on Sky News as “Spammer To Pay Damages After Court Victory”. Roddy, the spam troll, argued that “an opportunity to opt-out that is not taken is simply that. It does not convert to automatic consent.” Well, he would know that! Given his track record, one would think he, more than anyone else in the UK, would know what that pre-checked box meant.

The irony of it all is that Sky, his own employers, operate an enforced opt-in policy, which means anyone who registers for a Sky ID is automatically put on their mailing list whether they want it or not, and the only way to prevent that happening is to tick a box and actively opt-out. Interestingly, they do it the opposite way to John Lewis and most brands, as you can see below, and their approach is as good an example of psychological sleight of hand as you are likely to see. To add insult to injury, Sky would seem to be opting you into receiving 3rd party offers from brands you may not actually ever want to hear from, something John Lewis do not.

  

One of the challenges with the 2003 EU Directive is that it is open to interpretation and as such many Experts, Brands and even Countries apply it in different ways. I have no doubt that Sky’s lawyers are pretty certain that their interpretation stands muster, but I know many brands and commentators who would not feel uncomfortable with their approach and might argue that consent for 3rd party mailings should not or cannot be via opt-out. Most websites require registrants to explicitly opt-in to receive 3rd party mailings.

So what does this mean to those of you out there who are concerned by this ruling? My understanding is that County Courts have no power to set legal precedent and as such you are free to use a pre-checked box, particularly as it is one of the most widely accepted interpretations of the Directive. My guess is that John Lewis could have appealed and most likely succeeded, but decided it would be cheaper to pay up and move on. Which is precisely why it is so difficult to stop litigation trolls using the small claims courts as a handy way to top up their holiday fund by suing large employers and brands.

So if there are any other people like Roddy out there go register with Sky and fill your boots!

A Privacy Policy that Wins Business

Business is built on trust and trust is built on transparency. Both the DMA and ICO have long urged companies to be clear with their customers as to what data is collected and why.

As soon as you act in a way that a customer doesn’t expect or makes them feel abused, then any hard work previously done building trust immediately evaporates.

Simply put, nobody will do business with a brand they don’t trust.

According to the Customer Acquisition Barometer 2014, 85% of consumers will only share their information if it’s made clear that it will be used only by the company that collects it, and 32% say they expect a clearly worded privacy policy before they share information.

And there is such concern about data and privacy that the EU Parliament is busy voting for much tighter rules on data use and protection.

Whilst the privacy policy is the cornerstone of ensuring compliance it’s no secret that few people read the privacy policy. Do you?

So it was refreshing to see a totally different approach to a privacy policy from Lookout. A visual approach that gives consumers the big picture about the key issues at a glance.

It’s even a responsive design so it looks beautiful on mobile as well as desktop, view it online here. To top it all it’s built on open source and brands can pinch the code to create their own consumer friendly privacy policy.

It’s responsive too; this is how it looks on a mobile device:

This must be the most consumer friendly privacy policy – ever.

 

Yahoo! Changes will Impact More than just Email Marketers

Not to be outdone by its rivals caught up in the PRISM ‘scandal’, Yahoo! has decided the best way to deal with lapsed users is to give their private details to the first person that asks for it. Okay, well it isn’t really that bad but their recent announcement that they will start recycling dormant email accounts on August 15th will have significant repercussions for both the ecommerce and the email industry.

About two years ago my iTunes account was hacked using a well known Apple scam.  The hackers just need your account ID, which they use to download apps. How can they download apps without the password you may ask? They can’t, but when you unlock your password those apps are downloaded to your device and they get the cash because it was their app that was being downloaded. The whole ordeal around getting this sorted is another post for a different blog, but the important thing here was the remedy I used to fix it, which was to create a Yahoo! account using a random password generator to create the bit before the ‘@’. So far so good, no dictionary attack has cracked this email account.

The problem is, that I don’t ever log into the account (clearly I will have to add this to the list of monthly tasks like cleaning out the washing machine filter and checking the smoke detector). What would happen if I missed this announcement from Yahoo!? Come the middle of August somebody could take this email address from me and suddenly have access to my iTunes account.  The password reset would go to the address that they control and away they go.  If I was like many people including Mat Honan of Wired Magazine, this email address would also be used for other things and I would have lost control of all of them.

This will also clearly have implications for me as an email marketer.  Loads has been written over the past few years about removing data that has not opened or clicked in more than twelve months from your list. The thinking is that inactive addresses are being used as spam traps, although there has been a lot of disagreement on this by email experts such as Dela Quist. Regardless of which side of the fence you fall on this topic, you need a plan in place to be executed between the 15th of July and the 15th of August because if you email a recycled address – you will have spammed them.

Yahoo! will hard bounce all of the addresses that are to be recycled during this thirty day period, so you need to take this opportunity to tidy up your Yahoo! addresses.

There are well over 3 Billion email addresses in the world. It is not surprising that the email application providers want to start recycling them. Let’s face it, jimsmith@yahoo is a lot better than jimsmith345@yahoo. This is going to become a regular part of our world, so we better develop some strategies to address it.
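
One way to carry out the clean-up described in this post, as an added example that is not part of the original post: it collects Yahoo! addresses that hard bounce inside the 15 July to 15 August window, drops them from a mailing list, and refuses e-mail-only password resets to them. The log layout, the domain list, the function names and the year in the sample are assumptions made for illustration.

```python
import csv
import io
from datetime import date, datetime

# Assumption: domains treated as Yahoo! mailboxes; extend to match your own list.
YAHOO_DOMAINS = {"yahoo.com", "yahoo.co.uk", "ymail.com", "rocketmail.com"}

# Constructed bounce log (not real data): timestamp, recipient, SMTP reply code.
# The post gives only day and month; the year used here is an assumption.
SAMPLE_BOUNCES = """\
2013-07-10T09:00:00,old.user@yahoo.com,550
2013-07-20T09:00:00,Dormant.User@Yahoo.com,550
2013-07-21T09:00:00,busy.inbox@yahoo.co.uk,452
2013-08-01T09:00:00,gone@example.org,550
2013-08-14T09:00:00,k7q2xw9z@ymail.com,554
"""


def is_yahoo(address):
    """True when the domain part of the address is in YAHOO_DOMAINS."""
    return address.rsplit("@", 1)[-1].strip().lower() in YAHOO_DOMAINS


def recycled_candidates(bounce_csv, start, end):
    """Yahoo! addresses that hard bounced (5xx reply) from start to end inclusive.

    4xx replies are temporary failures and are ignored, as are bounces
    outside the window and bounces from other mailbox providers.
    """
    hits = set()
    for timestamp, recipient, code in csv.reader(io.StringIO(bounce_csv)):
        day = datetime.fromisoformat(timestamp).date()
        if start <= day <= end and code.startswith("5") and is_yahoo(recipient):
            hits.add(recipient.strip().lower())
    return hits


def clean_list(subscribers, suppressed):
    """Mailing list with every suppressed address removed, order preserved."""
    return [s for s in subscribers if s.strip().lower() not in suppressed]


def reset_allowed(recovery_email, suppressed):
    """Refuse an e-mail-only password reset to an address that may have a new owner."""
    return recovery_email.strip().lower() not in suppressed


if __name__ == "__main__":
    window = (date(2013, 7, 15), date(2013, 8, 15))
    suppressed = recycled_candidates(SAMPLE_BOUNCES, *window)
    mailing_list = ["Dormant.User@Yahoo.com", "alice@example.org",
                    "busy.inbox@yahoo.co.uk"]
    print("suppress:", sorted(suppressed))
    print("send to: ", clean_list(mailing_list, suppressed))
    print("reset ok:", reset_allowed("k7q2xw9z@ymail.com", suppressed))
```

The same suppression set serves both sides of the problem in the post: the marketer stops mailing an address that may belong to someone new, and a site that keeps the address as a recovery contact asks for another proof of identity before sending a reset link to it.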

The Draft EU Data Protection Regulations and the Other Compliance Obligations

As our series of blogs on the proposed EU Data Protection Regulation is almost at an end, I think it’s fair to say that they made for very informative reading. I hope you would agree with me that many marketers can learn something from them. A lot of the main topics within the proposal have been covered. But what are the changes to the compliance obligations which organisations need to consider in their day to day activities if the proposal was to be passed in its current version?

Data processing is featured heavily in the proposed Regulation. One of the changes is around notifying the relevant national data protection authority, in the case of the UK the Information Commissioner’s Office (ICO), of your organisation’s data processing activities. Currently, providing such notification to the ICO has been a matter of course, whereas the proposal states that full records of data processing activities must be kept by the organisation and only supplied to the relevant national data protection authority on request.

The use of data in many organisations is crucial for marketing purposes, as well as general interaction with customers. If you work client-side, just think of the number of email campaigns your organisation sends out to your customers, whether the customers are active, prospective, lapsed or otherwise. Your data would have had to be processed in some way before emailing, whether it’s cleaning or segmenting for a targeted campaign; therefore keeping a record each time the data is processed with specific information would add another compliance burden to the activity. The obligation to keep records of processing activities is also extended to agencies where dealing with data is an integral part of running of the organisation, such as list rental and lead generation activities. With this in mind, if you think of your own organisation’s activities as well as the number of organisations involved in a typical data processing chain, then the number of data processing activities that will need to be recorded is overwhelming. The ICO is concerned that there is a danger that organisations will focus on the ‘paperwork’ rather than on actual data protection compliance. The removal of the notification fee, which organisations currently pay to the ICO when they complete the notification form, does raise questions as to how the ICO will be adequately funded to carry out its data protection work effectively.

Another change in the proposal which will have a big impact is the requirement for organisations with 250 or more staff to have a designated independent data protection officer. Even though data is crucial to a lot of organisations, the size, reasons for its use and frequency the data is handled and processed amongst organisations varies. The ICO believes that “a simple head-count criterion for the designation of a data protection officer is not the best approach.” Some low head count organisations may process a large amount of information about a lot of people and are therefore high risk. On the other hand, large head count organisations may carry out relatively small-scale and low risk processing. Read the ICO’s report on the draft regulations here.

The additional bureaucratic requirements relating to these proposed new compliance obligations will certainly create extra administrative costs, particularly for smaller organisations. As well as the increased documentation of all data processing activities, consider the revision and issue of new terms and conditions, and the amount of employee guidance and training around these changes.

These new compliance obligations, as well as implementing the right to be forgotten, and explicit consent for data processing will mean that all organisations will have to review their day to day activities.

Opt-In & Opt-Out – Definitions of Consent according to the draft EU Data Protection Regulations

As a consumer, I am always in favour of legislation which seeks to protect individual freedoms, and reduce ambiguity in what organisations can and cannot do with my personal information. As a marketer too, it is important that the availability and use of a consumer’s personal information be governed by clear guidelines, and ends in a mutually beneficial result – at the bare bones of it; providing a customer with timely, relevant communications based on the data they have provided, at the same time as (hopefully) making a profit for the organisation I am working for.

The real worry is that the current draft of the European Union Data Protection Regulation, does the opposite by introducing more complexity and ambiguity than already exists, and potentially creates further issues which would not have surfaced if the status quo were maintained.

The verbatim definition of consent within the Regulation is as follows:

“…’the data subject’s consent’ means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed…”
[http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0011:FIN:EN:PDF Article 4 (8)]

Furthermore, the “Conditions for Consent” are laid out as follows:
1. “The controller shall bear the burden of proof for the data subject’s consent to the processing of their personal data for specified purposes.

2. If the data subject’s consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.”

[http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0011:FIN:EN:PDF Article 7]

In the above, I have highlighted the key elements here – the Regulation is essentially saying that organisations need to obtain a clear and explicit statement/action by which a data subject provides consent. From an email permission-marketing best practice perspective, this is fine – however the Regulation does not address whether or not this would need to be retrospective for existing databases, and whether or not organisations would be able to contact customers with whom they have had previous interactions (as is currently permissible under the existing Privacy and Electronic Communications Directive – and, the majority of the time, expected by consumers).

This is completely disregarding whether or not those consumers actually want to be contacted, and if the “burden of proof” detailed above is an enforceable requirement (in a worst-case scenario) – then the Regulation is effectively saying organisations must delete said data if they cannot prove consent has been given explicitly! Then there’s the possibility of dispute over the meaning of “informed & explicit”… well, you can see where this is heading to – more ambiguity and less clarity.

Furthermore, there is an argument out there that this Regulation does not take into consideration the low risk use of Business-To-Business (B2B) data for marketing purposes – where, more often than not, an organisation would hold and process information on another organisation or group of members of staff, with perhaps multiple key decision makers – not an individual.

In summary, the intention is good but the detail is lacking – I strongly urge the legislators in Brussels to revise and alter the Regulation so that it can sit with the existing Privacy and Electronic Communications Directive. They also need to focus on what the effect of the changes in the draft Regulation will be for both consumers and organisations.
To find out more about the consequences of this legislation passing unaltered, and the potential impact on your own business, take a look at http://dma.org.uk/eu-data-protection This site also provides information on how to take immediate action, by lobbying your regional MEPs.

LinkedIn: No greater email marketing #fail than over-writing your customers preferences

I just got this email from LinkedIn, subject line “A change to your DMA: Direct Marketing Association (UK) Limited digests” – the 3rd such email I have had this week about a group I belong to.
In it they tell me that they are going to ignore my mailing preferences and unsubscribe me from the group digests, of which I get 1 a week, a frequency selected by ME! I have now been forced to go and re-subscribe to the weekly digests of groups that I want to hear from 3 times this week. Do LinkedIn really think that is a good use of my time?

Just in case anyone was wondering, while I am not really a FB kind of person I definitely am an UBER LinkedIn user.

- I am a paid subscriber and highly active – I post, place jobs, recommend, stay in touch, connect etc.
- I have several thousand connections
- I check my page multiple times a day and use it as my primary vehicle for maintaining my business network. I have my preferences set exactly the way I want them for some groups – no email, others weekly and some daily
- I get 10 or more emails a day from LinkedIn and open about 1 in 3 on my desktop and 80% of them on my mobile
- I click on at least one a day and some days 3 or more
- I save all my emails; I currently have 2900 in my LinkedIn folder, of which less than half (1427) are “unread”
- I regularly search for old messages or invites and click on them

So how on earth can a bunch of engineers and/or too clever by half marketers come to the conclusion that they know what I want better than me?
The irony is by stopping the DMA group weekly digest, they are going to reduce the chances of me ever visiting again! I wonder how the DMA and other group managers feel about that.

I can’t understand why, having gone to the trouble of asking me to set my preferences, LinkedIn should choose to expressly ignore the stated preference from a highly engaged – dare I say knowledgeable – paying subscriber. Surely that is as bad as spamming? After all, what is so different about these 2 scenarios?

1) I use LI preference centre choose to receive 1 email a week – after 3 months LI decide to unsubscribe me for not visiting the group.
2) I use LI preference centre and choose to receive 1 email a week – after 3 months LI decide to send me daily digests or 3rd party emails from partners they think I should hear from

LinkedIn are insulting their members’ intelligence; one would think that someone like me would know how to either unsubscribe or hit the spam button. So if I haven’t done either of those things, it’s probably because…I DON’T WANT TO!