Data Protection News for Digital Marketers - April 2015
13 Apr 2015
Data protection may not be sexy, but it's undoubtedly a hot topic. There’s so much happening at the moment it's difficult to remember what happened just 2 weeks ago. So I've gone through the data protection news from the past few weeks, brought it all together and briefly summarised:
Firms, directors and senior managers at higher risk of fines for breaches of advertising and data laws
As of March 12th 2015, magistrates now have the power to impose unlimited fines for breaches of key "public laws".
Previously, companies and individuals found guilty of committing an offence under the Data Protection Act in the Magistrates Court could only receive a fine of up to £5,000.
Now companies and individuals who act in senior decision-making roles (who can be shown to have been neglectful or consented to the offence) are at risk of unlimited fines.
Ref:
http://www.marketinglaw.co.uk/advertising-regulation/now-the-sky-s-the-limit-for-magistrates-fines-for-ad,-sales-and-data-law-breaches?cat_id=1
http://www.legislation.gov.uk/uksi/2015/504/pdfs/uksi_20150504_en.pdf
------------------------------------------------
"Substantial damage or distress" thresholds scrapped, making it easier to fine companies who break the law
Coming out of the Nuisance Calls and Texts task force, the ICO now no longer have to prove substantial damage or distress in order to issue fines of up to £500,000 against telephone, text and email marketers who break the Privacy and Electronic Communications Regulations (PECR).
Previously it was only viable for the regulators to pursue the very worst offenders in the industry. Ordinary marketing firms must realise that fines are now a very real risk if they fail to comply with ICO guidelines, although minor breaches and technicalities will not be the ICO's focus.
------------------------------------------------
6 month cap on permission for third party data
Also coming out of the Nuisance Calls and Texts task force, it was stated that marketers who rely on third party data must take steps to ensure that they can show that the consent was not obtained from the consumer more than six months beforehand. Firms are also told to view ICO guidance on direct marketing using third-party data and make sure they are compliant.
------------------------------------------------
Third party data chain unsubscribe process
Another massive statement to come out of the Nuisance Calls and Texts task force:
When a consumer wants to opt out of all marketing, if the marketing list came from a third-party vendor, all of the companies in the “data chain” (a phrase to acknowledge that data vendors often buy, sell and swap data between each other) must be informed of and adhere to this unsubscribe request.
This has been ICO guidance for some time, but often ignored by marketers and data vendors alike. With this new focus on consumers and third-party data abuse, it should be a priority of all marketers who currently use, or are planning to obtain third party data, to ensure their vendors allow a means of unsubscribing not just from their list, but from the underlying list controlled by their vendor and the other companies in the “data chain”.
------------------------------------------------
More responsibility and accountability for board members
My last point coming from the Nuisance Calls and Texts task force findings:
Businesses should treat compliance with the law on consumer consent to direct marketing as a board-level issue. The point being made here is that, on occasion, it may be the decision-makers who need to be directly held to account. ICO powers are being assessed to determine whether they need additional powers to target those managers and directors (or those who act in that capacity) who deliberately choose to ignore the law.
------------------------------------------------
ICO £80,000 fine for nuisance calls
The ICO didn’t wait for their increased powers on the 6th April! Direct Assist Ltd, a "personal injuries claims management" company, has been issued with a monetary penalty by the ICO for making personal injury claims calls to people without consent and for refusing to remove people from dialling lists. Read more here: https://ico.org.uk/media/action-weve-taken/mpns/1043639/direct-assist-ltd-mpn.pdf
------------------------------------------------
Daily Mail exposé of the data industry used by marketing firms
If you have somehow missed this, I suggest you pause what you are doing and read this and watch the videos:
The response to this has been immediate and dramatic with an ICO investigation and police involvement. I strongly suspect that this will just be the beginning of a complete and much-needed shake-up of the data industry and a wake-up call to those marketing companies who blithely and blindly use data which is clearly in breach of the Data Protection Act and PECR.
------------------------------------------------
ICO actively hunting firms who supply personal data to the third party data industry
The ICO’s Enforcement Group have launched an operation to identify those companies supplying and using consumer data in breach of the PECR. They will be performing a “mystery shopping” exercise, which I can imagine will include signing up to those websites and firms suspected of illegally supplying the data industry with personal information.
This is the first exercise of this type I’ve seen in the UK and is clearly a result of the Nuisance Calls and Texts task force recommendations (which identified the data industry as the source of the nuisance call issue); and the Daily Mail exposé of the third party data industry (which alleges that the data industry is fuelled by data illegally collected and sold by big brand companies and websites used and trusted by consumers).
Also in direct response to the Daily Mail claims, the ICO has already launched an investigation into allegations about firms breaching PECR and illegally sharing sensitive personal data.
------------------------------------------------
Competition and Markets Authority (CMA) Commercial use of Consumer Data
During the Nuisance Calls and Texts task force discussions it became clear very quickly that the cold calls and spam texts were only possible because someone was supplying these companies with data. Instead of making a rash decision the government raised a further consultation, specifically into the legitimate commercial use of consumer data. The information gathered is now being reviewed and the results and findings will be published this summer.
When an industry fails to effectively self-regulate and the government is forced to issue new regulations, that resulting regulation can be excessive, especially when fuelled by consumer opinion and coverage in the popular press.
Because of this I expect the findings and recommendations of this consultation will be much harsher as a result of the Daily Mail investigation.
To help prevent excessive or obstructive legislation I believe that industry bodies and leading organisations must come out and condemn this type of data use and marketing behaviour. If they don't then resulting legislation could be quite damaging.
------------------------------------------------
EU Data Protection reform marches forwards!
There's been so much happening in the UK, it would be easy to have missed the fact the EU Data Protection reforms have taken a couple of huge leaps forwards. The Council of the EU have agreed the most fundamental aspects of the General Data Protection Regulation. Reaching an agreement over the principles of consent and data processing is such an important step that there are now suggestions that the regulations could even be agreed by the end of 2015! Read more here: http://www.communicatorcorp.com/blog/eu-general-data-protection-regulation
------------------------------------------------
And if that’s not all… “The European Privacy Judicial Decision of a Decade”: Google v. Vidal-Hall
Oh yes, how could I forget the European Privacy legal “Decision of a Decade”
There will be international repercussions following this for some time, so I will keep this brief.
1 – Easy for consumers to take companies to court over loss or misuse of their data
UK courts recently decided, on top of everything else, to make it simple for both individuals and regulators to take action against firms suspected of non-compliance with data protection regulations. No longer will an individual have to prove the financial loss of having their credit card details lost or stolen, or have to prove the actual harm in having their personal details surreptitiously collected and used for ad-targeting. Instead “emotional distress” or “moral damage” is enough.
The reason I say that there will be international repercussions over this, not just repercussions limited to the UK, is the weight carried by the simplicity of the ruling: “Since what the Directive purports to protect is privacy rather than economic rights, it would be strange if the Directive could not compensate those individuals whose data privacy had been invaded, so as to cause them emotional distress (but not pecuniary damage)”. Or more simply, if the data protection regulations are there to protect personal data, it should be enough to show that personal data was not protected.
Given the recent change to magistrates court fine limits, expect floodgates to creak open and then burst over this. How ironic would it be if we were to see the birth of a whole new cold-calling and spam industry cropping up and offering “no win no fee: have you ever received a cold call or spam” service?
2 – IP address and device information ARE personal data
An area of debate for some time has seemingly been cleared up: are IP address and device information personal information or “personally identifiable”? We now have a decisive “yes” with the ruling that “the concept of ‘multiple users’ for a device is an outdated one” and that, especially with smartphones and mobile devices, in practice it is “typically possible to equate an individual device user with the device itself”.
What this means for you is that, if you don’t already do so, you need to obtain permission to store and use this sort of information from your website visitors and your email openers and link-clickers.
------------------------------------------------
Summary
If nothing else, the fact that this summary needs its own summary shows how much movement there is at present.
What we have now is the new normal; and that new normal is one of change, a strengthening of the individual’s rights, and increasingly robust and hands-on enforcement.
Regardless of whether you have personally seen the repercussions, the self-regulatory regime that we have grown used to has gone. Firms, company managers and directors and marketers must now understand their responsibilities and liabilities.
Recent focus on the EU data protection reform has not been redundant, but it is pretty clear that the UK government, agencies and regulators understand what is coming, but are not willing to wait and are taking steps now.
Keep watching, one thing is for certain: there is more to come!