Consumersâ privacy expectations drive data protection changes

One of the key themes at both the Information Commissioner’s Office Privacy Practitioner’s Conference and the DMA's data protection summit earlier this month was consumers’ privacy expectations. Businesses need to prepare for a new world order where consumers are more aware than ever of their privacy/data protection rights.

Christopher Graham, the UK Information Commissioner warned about the dangers of organisations losing consumers' trust and how good privacy practices will increasingly become a means for businesses to attract consumers. He warned how the Edward Snowden revelations and the botched implementation of the new medical records scheme have completely destroyed UK citizens' trust and confidence in the ability of the Government to look after their personal information securely.

The same is true in the private sector, as a result of large scale data security breaches such as the Target case in the USA. Graham went on to say that organisations both in the private and the public sector must be open and upfront about how they are going to use the personal information they have collected from consumers and citizens. This year we have seen Microsoft launch an advertising campaign around privacy.

What are the implications of this new world where consumers are in control?

ICO’s new approach to data protection concerns from 1 April 2014
The ICO will take a much more consumer focused approach to data protection concerns; it will use consumer complaints about an organisation’s data protection policies and procedures to determine whether to review the organisation’s compliance with its data protection obligations.

Christopher Graham stated a similar view when he launched the ICO’s Corporate Plan for 2014-17 which includes this new approach: “These changes are about getting better results, both for consumers and for data controllers. That means learning from the individual cases and concerns brought to our attention, and concentrating on where we spot systematic problems."

The first rule, as David Smith told delegates at the DMA's data protection summit, is don’t annoy your customers. That's because it is unlikely that your organisation will face enforcement action from the ICO if your customers are not complaining to the ICO about your data protection policies and procedures, unless something disastrous goes wrong.

Naming and shaming of organisations: As part of the new approach the ICO will publish details of the number of data protection concerns raised by consumers about a particular organisation. These reports will be similar to the quarterly reports the ICO publishes summarising its enforcement work under the Privacy and Electronic Communications Regulations (PECR).

The ICO also intends to publish a report once a year to coincide with its main annual report identifying the organisations responsible for generating the most data protection concerns brought to its attention during the previous financial year. This report will not differentiate between data protection concerns which went on to result in regulatory action, those which were caused by a breach of the law or those which proved to be misguided.

The organisations will be invited to provide some comment to accompany their entry in the report. They will be able to describe how much personal information they process and what steps they take to ensure compliance with data protection legislation. The ICO will always include a statement explaining that there will be a correlation between the amount of personal information an organisation processes and the level of complaints to the ICO.

(The first enforcement report will be published no earlier than 1 October 2014.)

Nuisance calls and texts
The ICO has taken action against several organisations for sending marketing messages via automated recorded calls, making unsolicited marketing calls to consumers whose numbers are registered on the Telephone Preference Service and sending out marketing SMS messages where consumers have not consented to receive them. However, the ICO cannot issue a monetary penalty notice for breaches of these requirements unless it can prove damage and distress. In the Niebel case before the Information Tribunal Mr Niebel managed to have his monetary penalty notice set aside for various reasons including that an unsolicited SMS message does not normally cause damage and distress. Following the case the ICO has put a proposal into Government that the threshold for issuing a monetary penalty notice should b e reduced from damage and distress to nuisance and irritation. The Government is now considering this specific proposal and is expected to issue a consultation paper soon.

ICO Direct Marketing Guidance
Some of the best practice requirements in the ICO's new guidance published in September 2013 are clearly influenced by consumers' expectations, for example the new rules on indirect third-party consent for email.

Profiling/analytics
Businesses are now collecting vast amounts of information about consumers from mobile phone records, transactional information, profiling, cookies and other trails people leave behind. The temptation is to use the information once it is there for direct marketing purposes. However organisations need to take a step back and think whether or not it is within the consumer’s expectations and whether or not the organisation has the consent of the consumer to process such information.

It is always important to go back to the eight data protection principles in the Data Protection Act and check that you have told the consumer that you are going to use their personal information in that way and for that purpose. The problem is that organisations are not telling consumers what they are doing now with their personal information. Organisations will therefore find it difficult to meet consumers' expectations as to how they are processing such personal information, given the development of new forms of profiling and analytics.

Data-driven businesses that use direct marketing must take account of consumers' privacy expectations and concerns, if they do not then consumers will not trust them and will shop around and give their personal information to an organisation which does meet their privacy expectations’ and concerns.

James Milligan, Solicitor, DMA