Plans to extend marketing ‘soft opt-in’ to charities

June 2022

Exemption to consent could be extended to not-for-profits

In a move welcomed by the Institute of Fundraising, the Government has confirmed it intends to extend the use of the ‘soft opt-in’ for electronic marketing to charities under UK data reform plans.

So, what is the ‘soft opt-in’, how does it currently work, and how might it work for charities?

What’s the ‘soft opt-in’?

The laws governing electronic marketing are covered in the UK’s Privacy and Electronic Communications Regulations (PECR) which cover email, SMS and telemarketing.

Under PECR you need to have consent to send electronic marketing messages (e.g. email or SMS) to what are termed ‘individual subscribers’. These are people who personally subscribe to their email/SMS service provider (often referred to as B2C marketing).

But you don’t always legally need consent…

There’s an exemption under PECR for electronic marketing to existing customers. This is commonly known as the ‘soft opt-in’. An ambiguous term, as what it actually permits is the use of an ‘opt-out’!

Currently only available to commercial businesses, there are specific rules you need to follow when relying on this exemption:

  • Contact details are collected during the course of a sale, or negotiations for a sale, of a product or service;
  • An opportunity to refuse or opt-out of the marketing is given at the point of collection, and in every subsequent communication;
  • You only send marketing about your own similar products and services; AND
  • You provide the ability to opt-out in every communication

For more information see PECR Regulation 22 and the ICO’s Guide to PECR.

Charities’ use of the soft opt-in

The devil will be in the detail of how this might be applied in practice for charities. Daniel Fluskey, Director of Policy and Communications at the Institute of Fundraising, points out:

“Charitable donations don’t normally count as a sale or transaction in law as it’s a one-way transfer of money with nothing bought or expected in return. So, if what we get is a narrow application of this, then making a donation on a charity website wouldn’t count for the soft opt-in. But a supporter buying something (a ticket for a concert, a product bought through an online charity shop, or someone buying a charitable service, etc) would be contactable via soft opt-in to offer them that similar product in the future.

Perhaps though, if a wide application is applied then donations could be counted for the soft opt-in to work. This would of course be a bit more of a game-changer and is one of the areas that we’ll have to see the wording of the legislation and accompanying guidance to see where it lands.”

It’s worth noting the rules on consent and the ‘soft opt-in’ under PECR do not apply to ‘corporate subscribers’. A corporate subscriber is where the organisation (as opposed to the individual) has subscribed to the email/SMS service. (Commonly referred to as B2B marketing).

To quote the ICO on this, here’s an extract from the draft Direct Marketing Code of Practice:

“The PECR rules on marketing by electronic mail (e.g. email and text messages) do not apply to corporate subscribers. This means you can send B2B direct marketing emails or texts to any corporate body. However, you must still say who you are and give a valid address for the recipients to unsubscribe from your emails.”

You do, however, need to be mindful that sole traders and some partnerships fall under the definition of ‘individual subscribers’, so would fall under the consent / soft opt-in rules for B2C marketing.

Are changes also on the cards for political campaigning?

In another potential change to marketing rules, the Government says it will be considering whether political communications should remain within the scope of PECR’s direct marketing rules (or be excluded).

It also intends to extend the soft opt-in to political parties and elected representatives. This could allow for contact with individuals who have previously shown an interest in the activities of the party without their explicit consent.

The examples given in the Government response to the data reform consultation include – ‘attending a conference’ or ‘making a donation’. Is this a possible sign charities will also be able to use the ‘soft opt-in’ when individuals make donations?

To find out more detail about the data reform plans, we’ve published key highlights: UK data reform plans revealed.

Nothing is certain yet. As the legislation progresses it will be subject to parliamentary scrutiny and possible changes.

Consumers increasingly comfortable sharing data

March 2022

Trust and transparency remain fundamental drivers

In the modern data-driven economy, businesses need people to share their data. Marketers need to understand what makes their audience tick and what makes them willing to share.

But how important is trust in the data exchange? How do attitudes to data sharing differ across international borders and between age groups?

New research shows people increasingly understand the benefits of sharing their data; a clear value-exchange has never been more important. Younger people are shown to have fewer privacy concerns than older generations.

These are just some of the findings of the ‘Global Data Privacy: What the Consumer Really Thinks 2022’ research report. The report represents 28 marketing associations whose reach stretches to more than half the world’s population – including the UK Data & Marketing Association (DMA). The latest findings build on previous studies, giving us useful trends over the past decade.

Here are some key points from the global and UK-specific reports.

Rise of the ‘unconcerned’

The research categorises people into three groups:

  • Data unconcerned – people who have little or no concerns about their data privacy. The UK report shows a notable rise in this group, almost doubling over the past decade from 16% in 2012 to 31% in the latest study. So nearly a third of consumers are not unduly concerned about their privacy.
  • Data pragmatists – people who are happy to share data with businesses as long as there’s a “clear benefit in doing so”. This group still makes up the largest group of consumers, but has declined in the past decade from 53% to 46%.
  • Data fundamentalists – people who are unwilling or highly cautious about sharing their personal information. This group is in decline, reducing in the past decade from 31% to 23%.

The chart below illustrates UK trends over the last 10 years:

[Chart: Data unconcerned – UK trend over the last 10 years]

Younger people are most comfortable sharing their data

Growing numbers of consumers claim to feel more comfortable with the idea of exchanging personal information with companies, although there’s a significant variation across age groups.

Younger people (18-44) are most likely to feel comfortable sharing data. However, those aged 55+ have actually become less comfortable sharing data.

Trust and transparency remain fundamental

Trust in an organisation remains the most important factor driving consumer willingness to share personal information. This comes significantly above factors such as product/service benefits, price and value perceptions.

The chart below shows UK trends for the factors driving consumers to share their data:

[Chart: Trust remains vital – factors driving UK consumers to share their data]

Consumers continue to seek transparency. Today, 77% of global consumers claim that transparency around how their data is collected and used is important to them.

Industry is still seen to benefit more than consumers from the data economy

The majority of consumers globally see data exchange as essential for the running of society. Over half (53%) of consumers across all markets agreed ‘the exchange of personal information is essential for the smooth running of modern society’.

However, consumers globally continue to believe that industry benefits more than they do from data sharing, despite a small shift towards greater value being perceived by consumers. On average (across the 10 trended markets) 71% of consumers believe that ‘industry benefits more from data sharing’. In general, younger people tend to be more likely to understand and recognise the benefits from sharing their data.

This suggests we still have a long way to go to truly enable consumers to fully realise the benefits from sharing their data, or they could see this as an unfair trade.

Importance of the data exchange

The findings once again illustrate the importance of the data exchange – the moment when businesses request or otherwise collect personal data from individuals. Whilst increasingly many consumers understand the intrinsic value of their data, they want easy access to clear information about how their data will be used and need to understand what product, service or value benefits they’ll get from sharing it.

The age profile of your customers is crucial here. It’s clear businesses need to work hard to win trust and provide clear information for older age groups.

Alex Hazell, Head of Privacy and Legal at Acxiom (the DMA’s UK research partner), says:

‘We must drive home the value exchange between brands and people – in other words, strive harder to help people understand what they receive in return for sharing their data. For marketers, we must continue to make that value clear, whether it’s in more straightforward scenarios like relevant discounts and offers, or in more complex processing such as cross domain personalised experiences that surprise and delight.’

Concerns about online privacy remain, although reduced

As the digital economy has expanded and matured, more and more consumers are engaging with online data exchange. The proportion of UK consumers who claim to have ‘high levels of concerns’ about online privacy has fallen to 69%.

Younger consumers want to support smaller businesses

The role data sharing can play in driving more competitive economies is a compelling reason for many UK consumers to share personal information. 52% of UK consumers stated they would be more likely to exchange personal data to provide a competitive advantage to smaller companies. This sentiment was most pronounced for the under 45s.

DMA Chief Executive, Chris Combemale, gave a summary of the UK findings:

“Overall, concern with data privacy is in decline, while the levels of happiness with the amount of data shared and comfort with the notion of data exchange are on the rise. In addition, public awareness and understanding of the role that data exchange plays in the modern digital economy has increased dramatically since 2012.”

“As the UK’s digital economy, alongside digital markets around the world, continue to advance and mature, there has been an increase in public ease and engagement with data sharing and the digital world. Younger people are digital natives – this is reflected in both their willingness to share data and acceptance of its importance to modern society.”

The times they are a changin’

The research highlights some interesting trends. You can read more detail in the Global report or UK report.

While consumers may be increasingly comfortable with sharing their data, it’s clear they’re most likely to do this with brands they trust, who’ve been upfront and honest about how they handle personal information and clearly demonstrate the benefits of the data exchange.

Google’s FLoCs are dead, long live Topics (for now)

February 2022

How does the introduction of Topics change advertising targeting?

The story so far

Google has been working on a solution to replace third-party cookies for advertising for some time. Although other browsers such as Mozilla Firefox and Safari deprecated the use of third-party cookies a while ago, Google only made its announcement in 2019.

Meanwhile, and with some fanfare, they came up with the idea of FLoCs – Federated Learning of Cohorts. Available details on what this involved were limited, but in essence Google was going to use algorithms to categorise data about individual users’ browsing patterns to create a range of interest-based groups which could be used for targeting.

What happened next? 

Things did not progress as rapidly as expected. There were a series of delays and hold-ups with many speculating about the cause: 

  1. Many parties including major publishers were concerned about the conflict of interest and the fact that Google was still harvesting vast quantities of data. 
  2. Various anti-trust bodies including the Competition and Markets Authority in the UK got involved and determined that FLoCs were potentially anti-competitive.
  3. The Data Protection community in many territories expressed concern about FLoCs for being too intrusive and non-compliant. 

In Summer 2021, Google announced a delay to the launch of FLoCs. Not only did this cast doubt over its future but it also provided a stay of execution for those who were still reliant on third-party cookies for their targeting. There ensued a period of silence for 6 months.

Parallel technology developments for advertisers

Over the last few years, a number of alternative solutions have emerged which take advantage of recent technology to allow personal data to stay on your device rather than be collected centrally. 

In parallel, contextual advertising solutions are being adopted that are focussed on context and interest. A notable, but not only, example is Permutive which uses context to create advertising target audiences and has been introduced by a series of major publishers. 

The advent of Topics by Google

Eventually, in January 2022, Google announced Topics, and guess what? It’s using edge computing techniques as well as focusing targeting efforts on context. 

Does this mean that Google is just catching up with some of the more innovative organisations? Have Google decided that they wish to be more respectful of privacy concerns? Have they decided to walk away from the face-off with anti-competition bodies across the USA and Europe?

What does Topics do?

To quote Google extensively:

“With Topics, your browser determines a handful of topics, like “Fitness” or “Travel & Transportation,” that represent your top interests for that week based on your browsing history. 

Topics are kept for only three weeks and old topics are deleted. Topics are selected entirely on your device without involving any external servers, including Google servers. When you visit a participating site, Topics picks just three topics, one topic from each of the past three weeks, to share with the site and its advertising partners. 

Topics enables browsers to give you meaningful transparency and control over this data, and in Chrome, we’re building user controls that let you see the topics, remove any you don’t like or disable the feature completely.”

How does this differ from FLoCs?

Superficially it appears that Topics allows for meaningful transparency and control of personal data whilst serving ads that are based on your browsing interests: 

  1. Topics shares far less data about the user – it simply shares an interest in topics
  2. No data is stored centrally – the targeting occurs in the browser when you visit sites 
  3. The user can curate the topics that are used for targeting 
  4. Topics provide the user with more clarity over how their data is being used through the browser settings
  5. Data is deleted after 3 weeks rather than retained 
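As an added illustration (this is not Google’s code and not part of the original post), the following JavaScript models the selection rules quoted above and the five differences just listed: topics are computed on the device from each week’s browsing history, only the last three weeks are retained, a participating site receives at most one topic from each of those weeks, and the user can remove topics they don’t like. The site-to-topic table, the five-topics-per-week figure, the week numbers and the browsing history are all constructed for illustration; the real browser classifier and taxonomy are not modelled.

```javascript
// Added example, not Google's code: a toy model of the Topics selection
// rules quoted in the post. Everything below is constructed.

// Constructed stand-in for the browser's on-device classifier (the real
// one maps hostnames to a fixed taxonomy without any server round-trip).
const SITE_TOPICS = {
  "running-shoes.example": "Fitness",
  "gym-routines.example": "Fitness",
  "cheap-flights.example": "Travel & Transportation",
  "train-times.example": "Travel & Transportation",
  "recipes.example": "Food & Drink",
  "news.example": "News",
};

const RETAINED_WEEKS = 3;  // "topics are kept for only three weeks"
const TOPICS_PER_WEEK = 5; // "a handful" of top topics per week (assumed value)

// Count topic hits for one week of visits and keep the top N, with ties
// broken alphabetically so the result is deterministic.
function computeWeeklyTopics(visits, topicsPerWeek = TOPICS_PER_WEEK) {
  const counts = new Map();
  for (const host of visits) {
    const topic = SITE_TOPICS[host];
    if (topic === undefined) continue; // unclassified sites contribute nothing
    counts.set(topic, (counts.get(topic) || 0) + 1);
  }
  return [...counts.entries()]
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
    .slice(0, topicsPerWeek)
    .map(([topic]) => topic);
}

// The on-device store: week number -> that week's topics. Recording a
// week also deletes anything older than the last RETAINED_WEEKS weeks.
function recordWeek(store, week, visits) {
  store.set(week, computeWeeklyTopics(visits));
  for (const w of [...store.keys()]) {
    if (w <= week - RETAINED_WEEKS) store.delete(w);
  }
  return store;
}

const randomPick = (arr) => arr[Math.floor(Math.random() * arr.length)];

// What a participating site receives when visited in `currentWeek`: one
// topic from each of the past three weeks, skipping topics the user has
// removed. `pick` chooses one topic from a week's list (random by
// default; a deterministic chooser can be injected).
function topicsForSite(store, currentWeek, blocked = new Set(), pick = randomPick) {
  const shared = [];
  for (let w = currentWeek - 1; w >= currentWeek - RETAINED_WEEKS; w--) {
    const candidates = (store.get(w) || []).filter((t) => !blocked.has(t));
    if (candidates.length > 0) shared.push(pick(candidates));
  }
  return shared;
}

// Constructed browsing history: week number -> hostnames visited.
const SAMPLE_HISTORY = {
  1: ["news.example", "news.example"],
  2: ["running-shoes.example", "gym-routines.example", "cheap-flights.example"],
  3: ["train-times.example", "recipes.example", "recipes.example", "unknown.example"],
  4: ["running-shoes.example"],
};

// Replay four weeks of history, then show what a site visited in week 5
// would receive, with and without the user removing "Fitness".
function demo(pick = randomPick) {
  const store = new Map();
  for (const [week, visits] of Object.entries(SAMPLE_HISTORY)) {
    recordWeek(store, Number(week), visits);
  }
  return {
    retainedWeeks: [...store.keys()],
    sharedOnVisit: topicsForSite(store, 5, new Set(), pick),
    sharedWithFitnessRemoved: topicsForSite(store, 5, new Set(["Fitness"]), pick),
  };
}
```

Running `demo()` shows the data-minimisation point: week 1 has already been deleted by the time week 4 is recorded, and the site learns three coarse topic labels rather than the browsing history that produced them.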

What does it mean for advertisers? 

If Topics does see the light of day, this is a major change in the way that Google is approaching the targeting of advertising with a significant shift towards a privacy-friendly solution with a continuing focus on interests. If no investigations have been carried out by advertisers into using context as a basis for targeting, now seems like a good time to get started. 

Practically, the deadline for deprecating third-party cookies on Chrome is late 2023. This deadline may or may not move. Google will need the time to ensure that this alternative is well tested and is successful for targeting. 

Successfully leveraging contextual advertising? 

Successful contextual advertising relies on using your compliantly collected first-party data to create segments and profiles. These can then be used to target new prospects using context as the basis for targeting rather than behaviour. Such solutions often rely on data remaining on an individual’s device until the point when they start to consume relevant content – known as edge computing. Back to the future for some of us old enough to remember media buying without any technology!

The Golden Rules of Telemarketing

February 2022

How legitimate businesses avoid being ‘nuisance’ callers

My 83-year-old mum was recently called by someone trying to sell her a panic alarm. I’ve urged her to hang up on calls from anyone she doesn’t know, but she hails from a politer generation than mine.

He said, at her age and living on her own, she was at risk. I suspect the salesman elicited these details from her during the call. He urged her to have a panic alarm installed so she could alert family or a neighbour if she needed to.

Luckily, she told him she wasn’t quite ready to make a decision. Then she asked for his company name and phone number, so she could call back when she was.

You’re probably ahead of me here… of course he declined to give her this information.

It’s an all too familiar tale.

The call was, in my view, a disgrace. It shouldn’t have happened. I registered mum’s number with the Telephone Preference Service (TPS) years ago. However, predators (and there are plenty of them) will always target the potentially vulnerable.

While nuisance calls are a key priority for the Information Commissioner’s Office (ICO), with frequent fines issued, it’s a game of whack-a-mole. Take out one chancer, and two more pop up somewhere else. And being potentially tarred with the same brush isn’t, as the kids say nowadays, a good look.

What do legitimate businesses need to do to avoid falling foul of the rules?

The rules aren’t complicated. There’s really no excuse! Here’s a quick 5-point guide:

1. Live marketing calls to individuals

The Don’ts
    • Don’t call anyone who’s told you they don’t want to hear from you
    • Don’t call anyone registered with the Telephone Preference Service unless you’ve obtained their consent to do so (And yes, that will be UK GDPR level ‘specific, informed and unambiguous’ consent)
The Do’s
    • Say who’s calling – be transparent
    • Always display your number (or an alternative contact number) to the recipient of your call
    • Provide an address or freephone contact number if asked
    • Keep a list of those who tell you not to call them and screen numbers against it before you make calls
    • Screen your lists against the TPS (unless you genuinely have consent)
    • Keep records of consent (if you rely on it)
    • Carry out a Legitimate Interests Assessment (if not relying on consent)
    • Make it easy to opt-out / withdraw consent. Make sure call handlers know how to respond when someone wants to opt-out.

2. Remember sector specific rules

There are stricter rules if you are making calls about claims management or pension schemes.

  • Claims management services: you must have consent
  • Pension schemes: you must have consent unless:
    • you are a trustee/manager of a pension scheme; or
    • a firm authorised by the Financial Conduct Authority; or
    • your relationship with the individual meets strict criteria.

3. Automated calls

For calls made by automated dialling systems which play a recorded message the rules are also stricter. You must:

  • Have specific consent from individuals indicating they’re okay to receive automated calls
  • Include your organisation’s name and contact address or freephone number in the call
  • Display your number (or an alternative contact number)

4. Marketing/sales calls to business numbers

The rules are the same for calling businesses as they are for individuals. (See the do’s and don’ts above).

Just remember, if you don’t have consent, you should screen your list against the TPS and the CTPS (Corporate Telephone Preference Service). This is because some businesses (sole traders and some partnerships) may be registered with the TPS.
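The screening steps in points 1 and 4 above, as an added example in JavaScript (not the page’s or the ICO’s code): every number is normalised to one format first, so that the same line written three different ways still matches; the internal do-not-call list is checked before anything else, because an objection cannot be overridden by consent; and the TPS and CTPS are checked unless a consent record exists for that number. The registers, consent records and call list are constructed for illustration (the numbers are from Ofcom’s reserved drama ranges) and the function names are assumptions.

```javascript
// Added example, not the page's or the ICO's code: pre-dial screening of a
// call list against an internal do-not-call list, the TPS and the CTPS.

// Normalise a UK number to E.164 (+44...) so "0161 496 0123",
// "+44 161 496 0123" and "00441614960123" all compare equal.
function normaliseUkNumber(raw) {
  let digits = String(raw).replace(/[^\d+]/g, "");
  if (digits.startsWith("00")) digits = "+" + digits.slice(2);
  if (digits.startsWith("0")) digits = "+44" + digits.slice(1);
  if (digits.startsWith("44")) digits = "+" + digits;
  return digits;
}

// Decide, for each contact, whether it may be dialled and why.
// registers: { doNotCall: Set, tps: Set, ctps: Set, consent: Map } keyed
// by normalised number; consent values are the evidence you keep.
function screenCallList(contacts, registers) {
  const { doNotCall, tps, ctps, consent } = registers;
  return contacts.map((contact) => {
    const number = normaliseUkNumber(contact.number);
    // An objection always wins: "don't call me" is not undone by earlier consent.
    if (doNotCall.has(number)) {
      return { number, allowed: false, reason: "on internal do-not-call list" };
    }
    const hasConsent = consent.has(number);
    if (tps.has(number) && !hasConsent) {
      return { number, allowed: false, reason: "TPS registered, no consent recorded" };
    }
    if (ctps.has(number) && !hasConsent) {
      return { number, allowed: false, reason: "CTPS registered, no consent recorded" };
    }
    return {
      number,
      allowed: true,
      reason: hasConsent
        ? "consent recorded"
        : "not on any register (legitimate interests assessment still required)",
    };
  });
}

// Constructed registers. Real TPS/CTPS screening would use the licensed
// register files; these sets stand in for them.
const REGISTERS = {
  doNotCall: new Set(["+447700900999"]),
  tps: new Set(["+441614960123", "+447700900123", "+447700900999"]),
  ctps: new Set(["+442079460000"]),
  consent: new Map([
    ["+447700900123", { date: "2021-11-02", purpose: "telemarketing", source: "web form" }],
    ["+447700900999", { date: "2021-06-15", purpose: "telemarketing", source: "web form" }],
  ]),
};

// Constructed call list, deliberately written in mixed formats.
const CALL_LIST = [
  { number: "0161 496 0123" },    // TPS, no consent -> blocked
  { number: "+44 7700 900123" },  // TPS, consent recorded -> allowed
  { number: "07700 900999" },     // consent exists but told us not to call -> blocked
  { number: "00442079460000" },   // CTPS -> blocked
  { number: "0113 496 0000" },    // on no register -> allowed, LIA needed
];

function screenSampleList() {
  return screenCallList(CALL_LIST, REGISTERS);
}
```

Keeping the decision and its reason together gives you the record the ICO will ask for if a complaint is made: which register blocked the number, or which consent record you relied on.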

5. Understand the difference between ‘service’ and ‘marketing’ calls

The definition of direct marketing covers any advertising or promotional material directed at particular individuals. Telemarketing is absolutely in scope.

Routine customer service messages don’t count as direct marketing, but if you are treating it as a service call you need to be careful the script (or what your call handlers say in practice) doesn’t stray into the realms of trying to get customers to buy extra products, services or to upgrade or renew contracts.

It’s worth noting a Trade Union was recently fined £45k. Telephone numbers hadn’t been screened against the TPS because the union didn’t believe its calls were direct marketing. The ICO disagreed. Just because you believe you’re acting in good faith doesn’t mean you are. How did a Trade Union fall foul of the marketing rules?

What are the applicable laws?

The rules governing telemarketing calls in the UK can be found in the Privacy and Electronic Communications Regulations (PECR) and are covered in ICO Telemarketing Guidance. As well as complying with PECR you should consider UK GDPR for your handling of personal data.

The rules can differ outside the UK, so if relevant it’s worth checking local laws. Many countries have a ‘do not call’ register similar to the Telephone Preference Service. The UK rules are covered in the .

Google Analytics Processing Data in US – is this a problem?

January 2022

Austrian DPA has found that continuous use of Google Analytics violates GDPR

Once again, Google is under fire from a regulator in Europe. This time in Austria. 

The Centre for Digital Rights (noyb), which is based in Austria and led by Max Schrems, filed 101 model complaints following the Schrems II decision in 2020. 

Following the complaint about Google Analytics, the Austrian regulator has determined that the continuous use of Google Analytics violates GDPR: 

“The Austrian Data Protection Authority (DSB) has decided on a model case by noyb that the continuous use of Google Analytics violates the GDPR. This is the first decision on the 101 model complaints filed by noyb in the wake of the so-called “Schrems II” decision. In 2020, the Court of Justice (CJEU) decided that the use of US providers violates the GDPR, as US surveillance laws require US providers like Google or Facebook to provide personal details to US authorities. Similar decisions are expected in other EU member states, as regulators have cooperated on these cases in an EDPB “task force”. It seems the Austrian DSB decision is the first to be issued.” Source: noyb

What does Google Analytics do?

Google Analytics operates by using cookies to capture information about website visitors. Google Analytics is free to use and it’s ideal for businesses who want to know more about:

  • Who visits their website
  • How their website is used
  • What’s popular on their website, and what’s not
  • Whether visitors return to their website

What information does Google capture?

You are likely to see a range of Google cookies that do different jobs. Here’s a short list showing some possible cookies that might be used:

  • _ga: Used to distinguish users and retained for 2 years
  • _gid: Used to distinguish users and retained for 24 hours
  • _gat: Used to throttle request rate and retained for 1 minute
  • AMP_TOKEN: Contains a token that can be used to retrieve a Client ID from AMP Client ID service and retained from 30 seconds to 1 year
  • _gac_<property-id>: Contains campaign related data for the user. This is used when Google Analytics and Google Ads are connected and retained for 90 days

These cookies range from simple identification to remarketing and advertising cookies which allow you to track and remarket individuals through Google Ads. The more one strays into using this data for remarketing, the more intrusive the data capture becomes.

What does this mean in reality?

Since the advent of GDPR, the burden to demonstrate that consent has been freely given has become greater. 

In the UK, when the ICO published their cookie (and other technologies) guidance in 2019, many large websites became instantly non-compliant. The requirement to demonstrate that consent had been freely given had become stronger. 

The ICO also clearly highlighted that Performance Cookies (such as Google Analytics) required consent to be used. 

Since 2019, companies have used a variety of methods to notify users about the existence of Google Analytics cookies. Some compliant, some less so. 

It is also clear that many have taken a risk-based approach to what they should do. The ICO’s own guidance provides a level of ambiguity on the topic:

“The ICO cannot exclude the possibility of formal action in any area. However, it is unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals. The ICO will consider whether you can demonstrate that you have done everything you can to clearly inform users about the cookies in question and to provide them with clear details of how to make choices.” Source: ICO

What are the issues?

  1. Google is a data processor unless you enable data sharing with Google Ads at which point you become a shared controller – ensuring that your privacy policies reflect these differing relationships is important. 
  2. Google stores most data in the USA – since Privacy Shield was invalidated this has presented some problems. Google is relying on SCCs, but the main concern is that the US has surveillance laws that require companies such as Google to provide US intelligence agencies with access to their data.
  3. Google does use data to improve their services. For a user, this can sometimes seem creepy. 

What could Google or US government do?

A rather obvious solution would be for Google to move the processing of EU data outside the US to server centres in Europe where the US government cannot exercise the same surveillance rights as in the US. 

Alternatively, the US government could introduce better protection for private citizens. Although this was unthinkable under the previous presidential regime, it may be conceivable under Biden/Harris. It still feels like a long shot. 

In practice, it’s quicker and more realistic for the Googles of this world to set up data centres in Europe. SaaS providers such as Salesforce addressed this issue years ago and it feels like it’s about time Google and Facebook did too.

What should you do? 

  1. Make sure you have correctly set up your cookie banner on your website. Technically, visitors should opt-in to Google Analytics and this permission should be captured before any processing takes place
  2. Provide a clear explanation of what data you are collecting and what that data is used for in an accessible cookie notice supported by a coherent privacy policy. 
  3. Make sure you describe all the Google cookies you are using – from simple tracking through to remarketing and advertising. Ideally each cookie would be included including the technical details, duration and purpose.
  4. If you use Google Analytics a number of settings have been introduced that help protect privacy:
    • Turn on the IP anonymising tool. It removes the last three characters of the IP address and renders the address meaningless. 
    • Make use of the data deletion tool – this is a bulk delete tool and can’t be used for one user
    • Introduce data retention policies – there is a default setting of 26 months before data is deleted but maybe you can delete data sooner. 
    • Consider the use of alternative tracking tools that do not rely on the use of cookies or transferring data overseas. A quick search resulted in a non-exhaustive list of analytics tools that don’t rely on cookies. There will be other suppliers: 
      • Fathom
      • Plausible
      • Simple Analytics
      • Insights
      • Matomo
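Points 1 and 4 above in code, as an added example that is not Google’s snippet and not part of the original post: the Universal Analytics gtag.js loader (the one that sets the _ga and _gid cookies listed earlier) is only injected once the visitor has explicitly opted in, so no cookies are written and no data leaves the browser before consent, and the `anonymize_ip` parameter is passed in the config. The consent cookie name `analytics_consent`, the placeholder measurement ID and the function names are assumptions; `anonymize_ip` is a real Universal Analytics parameter, which Google documents as zeroing the last octet of an IPv4 address before storage.

```javascript
// Added example, not Google's snippet and not the post's code: a consent
// gate in front of Google Analytics (Universal Analytics gtag.js).

const MEASUREMENT_ID = "UA-XXXXXXXX-X"; // placeholder, not a real property ID
const CONSENT_COOKIE = "analytics_consent"; // assumed name, written by your banner
const GTAG_LOADER = "https://www.googletagmanager.com/gtag/js?id=";

// Parse a document.cookie string and report whether the visitor has
// explicitly opted in. A missing cookie, or any value other than
// "granted", counts as no consent (opt-in, never opt-out by default).
function hasAnalyticsConsent(cookieString) {
  const prefix = CONSENT_COOKIE + "=";
  const entry = String(cookieString || "")
    .split(";")
    .map((part) => part.trim())
    .find((part) => part.startsWith(prefix));
  return entry !== undefined && entry.slice(prefix.length) === "granted";
}

// Parameters passed to gtag('config', ...) once consent exists.
// anonymize_ip is the setting the post calls the IP anonymising tool.
function analyticsConfig() {
  return { anonymize_ip: true };
}

// The gtag commands that would be queued. An empty list means "load
// nothing", which is the state before consent.
function buildGtagCommands(cookieString) {
  if (!hasAnalyticsConsent(cookieString)) return [];
  return [
    ["js", new Date()],
    ["config", MEASUREMENT_ID, analyticsConfig()],
  ];
}

// Queue the commands and inject the loader script. `doc` is the document
// (passed in so the logic can be exercised outside a browser). Returns
// true when analytics was loaded, false when consent was absent.
function loadAnalyticsIfConsented(doc) {
  const commands = buildGtagCommands(doc.cookie);
  if (commands.length === 0) return false;
  const win = doc.defaultView;
  win.dataLayer = win.dataLayer || [];
  function gtag() { win.dataLayer.push(arguments); }
  for (const cmd of commands) gtag(...cmd);
  const script = doc.createElement("script");
  script.async = true;
  script.src = GTAG_LOADER + encodeURIComponent(MEASUREMENT_ID);
  doc.head.appendChild(script);
  return true;
}

// In a browser: run on page load, and call again after the banner records consent.
if (typeof document !== "undefined") loadAnalyticsIfConsented(document);
```

The check to make on your own site is the same one a regulator would: clear cookies, load the page without touching the banner, and confirm in the browser’s storage inspector that no _ga or _gid cookie exists until you opt in.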

In conclusion

  • At the moment, this finding by Austrian DPA does not apply in the UK. However it’s possible other DPAs may follow suit. 
  • Having said that, there are plenty of lessons to learn about how to work with Google Analytics and other US-based companies who insist on holding data in the US
  • It’s essential that your cookie notice and privacy policy clearly set out what tools are being used and what data is being processed. This is particularly important if you are linking Google Analytics to Google Ads for remarketing. 
  • Given that the world is slowly turning against cookies, maybe now is the time to start looking at less intrusive performance tracking solutions. 


ICO Opinion on Ad Tech – Old wine in a new bottle?

December 2021

Does the ICO Opinion piece tell us anything new?

The ICO has published an “Opinion” which can be interpreted as a shot across the bows for any Ad Tech company who is planning to launch their new targeting solutions for the post-third-party cookie world. 

If these companies thought new targeting solutions would get waved through because they don’t involve third-party cookies, it’s clear that Google’s difficulties with their Sandbox solution say otherwise. 

Google is currently knee-deep in discussions with both the Competition and Markets Authority (CMA) and the ICO to come up with a targeting solution that is fair to consumers whilst also avoiding the accusation of being anti-competitive.

In the ICO’s opinion piece they set out the clear parameters for developing these solutions in a privacy-friendly manner. You won’t be too surprised to hear all the usual concerns being re-heated in this discussion. To quote the ICO:

  1. Engineer data protection requirements by default into the design of the initiative
  2. Offer users the choice of receiving adverts without tracking, profiling, or targeting based on personal data. 
  3. Be transparent about how and why personal data is processed across the ecosystem and who is responsible for that processing
  4. Articulate the specific purposes for processing personal data and demonstrate how this is fair, lawful, and transparent
  5. Address existing privacy risks and mitigate any new privacy risks that the proposals introduce

This opinion piece is the latest publication from the ICO in a relatively long-running piece of work on the use of cookies and similar technologies for the processing of personal data in online advertising. In their original report in 2019, the ICO reported a wide range of concerns with the following which needed to be rectified:

  • Legal requirements on cookie use;
  • Lawfulness, fairness, and transparency;
  • Security;
  • Controllership arrangements;
  • Data retention;
  • Risk assessments; and
  • Application of data protection by design principles. 

You can read the back story here

The state of play in 2021

Since the ICO started its investigations in 2019, the market has continued to develop new ways of targeting advertising that do not rely on third-party cookies. The net result is that the world has moved to a less intrusive way of tracking, which has been welcomed by the ICO. Some examples include:

  • With Google Chrome’s announcement re: cookies, there is an expectation that third-party cookies will be phased out by end of 2022. 
  • There have been increases in the transparency of online tracking – notably Apple’s “App Tracking Transparency” ATT
  • There are new mechanisms being developed to help individuals indicate their privacy preferences simply and effectively
  • Browser developers are introducing tracking prevention in their software. A notable example is the Google Privacy Sandbox which will enable targeting with alternative technologies.

How should we interpret this opinion piece?

A lot of what has been included is information from the 2019 reports. In effect, it’s a summary of previous activities plus additional material to bring you up to date. Although it is a rather long piece, it gives some clear guidance on the way forward for developers of new solutions.

Furthermore, it is bluntly warning technology firms that they are in the ICO’s sights: 

“In general, the Commissioner’s view is that these developments are not yet sufficiently mature to assess in detail. They have not shown how they demonstrate participants’ compliance with the law, or how they result in better data protection outcomes compared to the existing ecosystem” Source: ICO

Data protection by design is paramount – no excuses for non-compliance this time

The ICO opinion clearly flags to developers that it will accept no excuses for developing non-compliant solutions. In the past, there have been difficulties because Ad Tech solutions had been in place for some time, with data protection guidance being retrofitted to an existing ecosystem.

With the demise of third-party cookies and the advent of a variety of new solutions, there can be no excuse for failing to engineer privacy into the design of those solutions.

It explicitly highlights the need to respect the interests, rights, and freedoms of individuals. Developers need to evidence that these considerations have been taken into account.  

Users must be given a real choice

In the first instance, users must be given the ability to receive adverts without tracking, profiling, or targeting based on personal data. There must be meaningful control, and developers must demonstrate that user choice exists throughout the data lifecycle.

Accountability – show your homework

There is an expectation that there will be transparency around how and why personal data is processed and who is responsible for that processing. In the current ecosystem this is largely impossible to achieve, as there is no transparency across the supply chain.

Articulate the purpose of processing data

Each new solution should describe the purpose of processing personal data and demonstrate how this is fair, lawful, and transparent. Can suppliers assess the necessity and proportionality of this processing? The 2019 report highlighted that the processing appeared excessive relative to the outcomes achieved. How will processors change their ways? 

Addressing risk and reducing harm

As a start, it’s important to articulate the privacy risks, most likely through a DPIA, and also to explain how those risks will be mitigated. The previous ICO reports expressed disappointment with the low volume of DPIAs produced by Ad Tech providers. This needs to change.

To conclude with a useful developer checklist

The ICO provides a checklist of how to apply these principles in practice. You can probably jump to this section if you really want to know what is expected: 

  1. Demonstrate and explain the design choices.
  2. Be fair and transparent about the benefits.
  3. Minimise data collection and further processing.
  4. Protect users and give them meaningful control.
  5. Embed the principle of necessity and proportionality.
  6. Maintain lawfulness, risk assessments, and information rights.
  7. Consider the use of special category data.

The ICO is very clear that the industry must change. There is no appetite to approve solutions that fundamentally adopt the same flawed ways of working. There is also a clear acknowledgment that some solutions are potentially anti-competitive, so the partnership with the CMA will continue. You have been warned!

How did a trade union fall foul of the marketing rules?

November 2021

Unite the Union has been fined £45K over its telemarketing practices

The Information Commissioner’s Office (‘ICO’) has issued a fine to Unite the Union for what it describes as a ‘serious contravention’ of the Privacy and Electronic Communications Regulations 2003 (commonly known as ‘PECR’).

This action follows 27 complaints from individuals who had registered with the Telephone Preference Service (TPS) but received calls from Unite regarding life insurance – services provided to Unite members by a third-party insurer.

Unite believed these calls did not fall within the scope of the direct marketing rules.

What is the Telephone Preference Service?

The Telephone Preference Service (TPS) is the UK’s official ‘Do Not Call’ register for landlines and mobile telephone numbers. It allows individuals and businesses to opt out of receiving unsolicited live sales and marketing calls.

There is also a register for business telephone numbers, called the Corporate Telephone Preference Service (CTPS).

What does PECR require?

Regulation 21 of PECR requires an organisation to have obtained prior consent before making unsolicited telemarketing calls promoting a product or service to phone numbers registered with the Telephone Preference Service Ltd (TPS).

Therefore any telemarketing call to a TPS-registered number made without valid consent will contravene PECR.

The ICO’s findings

The ICO asked Unite to provide evidence of consent for these marketing calls. But Unite argued these were not marketing calls and were made to let members know about services and benefits they were entitled to.

In their view the calls were made in accordance with their internal ‘Rule Book’. This required Unite to “notify members of the services and benefits that fall within their union membership and any changes to those terms.”

The ICO rejected this and found Unite had contravened PECR on the basis that Unite’s own rules cannot override the statutory protection provided under PECR.

In conclusion, the ICO found that in the 12 months to 11th March 2020, Unite had used a public telecommunications service to make 57,665 unsolicited telemarketing calls to people whose telephone number was registered on TPS.

Whilst individuals were told how to opt-out, they were not provided with the option to give opt-in consent to specific means of communication (such as telemarketing calls) relating to specific types of services or benefits. The ICO also noted the insurance services promoted in the calls were provided by a third-party insurer.

The ICO found that the consent Unite relied on was insufficient, as it provided broad information to data subjects rather than the specific detail required under Regulation 21 of PECR. It highlighted multiple violations of Regulation 21 over the 12-month period, which resulted in 27 complaints.

Not deliberate

The ICO took the view that Unite had not deliberately set out to contravene PECR. However, the ICO’s notice states Unite was ‘negligent’ and failed to take reasonable steps to prevent the contravention.

The ICO also concluded Unite had access to sufficient financial resources to pay the fine without causing undue financial hardship, and that its findings were not affected by the current COVID-19 pandemic.

What can we learn from this?

Controllers who conduct telemarketing, either in-house or via a third-party service provider (as Unite did), should remember that consent is required for any calls made to numbers registered on the TPS.

I would add that consent may not necessarily be required for telemarketing calls to individuals who have NOT registered for TPS or CTPS. Legitimate Interests may be used as an alternative lawful basis, provided the relevant conditions can be met. DPN would advise controllers who wish to consider this lawful basis to conduct a Legitimate Interest Assessment (LIA).

Membership organisations should recognise that they cannot override the requirements of PECR (or any other data protection law, for that matter) by adopting membership rules which conflict with the protections the law provides to individuals.

Like any marketing activity involving personal data, care is required to make sure the relevant legal obligations and requirements are satisfied.

If you would like help to ensure your marketing is compliant, please Contact Us.

How risky are your bulk email communications?

November 2021

HIV charity fined for exposing personal data via email

The Information Commissioner’s Office has fined HIV Scotland £10,000 for failing to protect personal data, in a case that could raise alarm bells in other organisations.

What went wrong?

The penalty came about after an email was sent by HIV Scotland to 105 members of HIV Scotland’s Community Action Network (CAN). Email addresses were visible to all recipients in the ‘CC’ field. In fact, 65 of the addresses identified people by name.

HIV Scotland notified the Commissioner about the breach on 3 February 2020: it contacted the Commissioner’s Helpline about the incident and completed the necessary notification within two hours of the incident occurring.

Although the email addresses themselves may be considered fairly innocuous, due to the nature of the email, the charity had inadvertently disclosed special category data. The ICO commented that assumptions could be made about individuals’ HIV status or risk from the data disclosed.

ICO findings

An investigation by the ICO found a number of shortcomings in the charity’s email procedures, including:

  • inadequate staff training
  • an inadequate data protection policy
  • an inappropriate method of sending bulk emails, namely relying on the ‘BCC’ (blind carbon copy) field.

During its investigation the ICO discovered HIV Scotland had procured a new system back in July 2019 to enable bulk emails to be sent securely. However, at the time of the breach seven months later, the charity had failed to migrate the CAN email list over to the new system and was still using the ‘BCC’ method of emailing the CAN list.

The BCC method of bulk email is open to human error: the confidentiality of the whole list depends on one person putting the addresses in the right field every time. In this instance, the recipients’ email addresses were mistakenly placed in the CC field instead of the BCC field.

The ICO’s Monetary Penalty Notice states HIV Scotland ‘failed to implement an appropriate level of organisational and technical security to its internal email systems’ which resulted in the breach of special category data.

Email breaches have happened before

The ICO noted that it had previously taken action against organisations for similar breaches. The risks of this kind of disclosure, and the potential harm to data subjects, are matters that had been reported in both mainstream and trade media.

The Charity’s Interim Chief Executive, Alastair Hudson, apologised unreservedly to anyone who had been affected by the data breach and said a new team and board of trustees had taken “robust steps” to improve information security.

The ICO recognised that HIV Scotland has completed procurement of the MailChimp email solution and implemented a training portal with mandatory UK GDPR training refreshed every year. It also took steps to mitigate the risk by asking all recipients to delete the email on the same day it was sent, and added a message to its website.

ICO warns organisations about bulk emails

As a result of this case the ICO has issued a warning urging organisations to revisit their bulk email practices. This case should act as a reminder to organisations which handle special category or other sensitive data that their procedures, practices and technical measures need to be reviewed regularly to ensure they are fully up to scratch and don’t put people at risk from data being exposed.

What actions can we take?

Organisations which send bulk emails might wish to make sure:

  • staff who handle email communications have received sufficient training
  • you have appropriate and robust email procedures in place which staff should follow
  • you regularly remind staff of the correct procedures

Clearly there is a risk that, if you use the BCC method, email addresses could accidentally end up in the CC field rather than the BCC field, resulting in disclosure of personal data. The ICO is indicating this method of sending should be avoided. If you regularly send emails using the BCC method, you should look to implement a dedicated bulk email solution to remove the risk of disclosing personal data to others.
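Training and procedures reduce the chance of the CC/BCC mistake, but a technical control removes the dependency on a human getting it right every time. The following is an added example, not code from the original page, from HIV Scotland or from the ICO: a sender-side check that refuses to send any message which would expose more than one address in the visible To/Cc headers, and a helper that builds one message per recipient so that a list of addresses never leaves the sender at all. The addresses and list name are constructed for illustration; the script assumes the mail path honours the Bcc header in the usual way (Python’s smtplib strips it before transmission).

```python
"""Sender-side guard against the CC/BCC disclosure described above.

Added example (not from the page, HIV Scotland or the ICO). Two controls:
  1. check_bulk_message(): refuse to send when recipient addresses would be
     visible to other recipients in the To/Cc headers.
  2. split_per_recipient(): send one message per person instead of a list,
     so there is no address list to put in the wrong field.
"""
from email.message import EmailMessage
from email.utils import getaddresses


class RecipientExposureError(ValueError):
    """Raised when a bulk message would reveal recipients to each other."""


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address that other recipients will see (To and Cc).

    Bcc is deliberately excluded: a compliant mail client or smtplib drops
    the Bcc header before the message is transmitted.
    """
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def check_bulk_message(msg: EmailMessage, max_visible: int = 1) -> int:
    """Gate a message before it reaches the SMTP client.

    Allows at most `max_visible` visible addresses (the default of 1 permits
    the common pattern of putting the sender's own address in To). Returns
    the visible count when the check passes; raises otherwise so the caller
    cannot fall through to send.
    """
    exposed = visible_recipients(msg)
    if len(exposed) > max_visible:
        raise RecipientExposureError(
            f"{len(exposed)} recipient addresses would be visible in To/Cc; "
            "move them to Bcc or send one message per recipient"
        )
    return len(exposed)


def split_per_recipient(template: EmailMessage, recipients: list[str]) -> list[EmailMessage]:
    """Build an individual copy of `template` for each recipient.

    Each copy carries exactly one address in To and no Cc/Bcc, so the
    CC/BCC mistake cannot happen regardless of how it is sent.
    """
    copies = []
    for rcpt in recipients:
        m = EmailMessage()
        m["From"] = template["From"]
        m["Subject"] = template["Subject"]
        m["To"] = rcpt
        m.set_content(template.get_content())
        copies.append(m)
    return copies


# Constructed sample data standing in for a community network mailing list.
SENDER = "comms@example.org"
NETWORK_LIST = [
    "member.one@example.org",
    "member.two@example.org",
    "member.three@example.org",
]
BODY = "Hello, here is this month's community network update."


def _base_message() -> EmailMessage:
    m = EmailMessage()
    m["From"] = SENDER
    m["To"] = SENDER
    m["Subject"] = "Community network update (constructed example)"
    m.set_content(BODY)
    return m


# The mistake: the whole list lands in Cc and every recipient sees it.
MISTAKEN = _base_message()
MISTAKEN["Cc"] = ", ".join(NETWORK_LIST)

# The intended form: the list in Bcc, only the sender's own address visible.
INTENDED = _base_message()
INTENDED["Bcc"] = ", ".join(NETWORK_LIST)


if __name__ == "__main__":
    try:
        check_bulk_message(MISTAKEN)
    except RecipientExposureError as exc:
        print("blocked:", exc)
    print("intended message passes, visible addresses:", check_bulk_message(INTENDED))
    for m in split_per_recipient(INTENDED, NETWORK_LIST):
        print("individual copy to", m["To"], "visible:", visible_recipients(m))
```

Wire `check_bulk_message()` in immediately before the `smtplib` call (or as a rule in an outbound mail gateway) so that a send cannot proceed when the check raises; `split_per_recipient()` is the safer default for anything sent to a list of people whose membership is itself sensitive, because there is then no list to misplace.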