Regulation Hub Update - April 2019

This article is written by Steve Sullivan who is the Deputy Chair of the Contact Centre Council.

This Month’s Headlines

• Bounty fined £400k for pre-GDPR data protection abuses
• Pensions firmed fined £40k despite getting advice from specialist consultants and lawyers
• Funeral plan firm fined for calling TPS numbers
• Data cleanse leaves TPS file numbers 4m down vs 2018

Ofcom

Ofcom has published its 2019/20 Annual Plan.

Unsurprisingly, given the scope of Ofcom’s responsibilities, contact centre-related issues (including ‘nuisance calls’ ) don’t feature in Ofcom’s 9 priorities.

The Plan’s reference to Nuisance Calls effectively proposes the continuance of ‘business as usual; for Ofcom:

TPS

We have given various updates over the past few months on the TPS’ data cleansing exercise, which resulted in a significant drop in the volume of TPS registered numbers. As you can see, below, now that the bulk Landline and then Mobile data cleanses have been completed, the file size is stable at around 19m – nearly 4 m numbers less than at the total at the start of last year.

PCI

As awareness of the Payment Cards Industry (PCI) Security Standards Council’s updated Guidance for Phone-Based Card Payments percolates through the contact centre industry, we aim to have our survey circulated shortly.

PSA

One tribunal decision from the PSA, this month. Best VIP Games’ owner, Inter Inventory Company Ltd, has been fined £375,000 for running an unregistered gaming subscription service. Best VIP Games generated 161 complaints to the PSA in 2017/18 from consumers who said they hadn’t signed up and/or continued to be billed £4.50/week after they cancelled the service. Best VIP has also been ordered to refund all former customers who request a refund.

1st April marked the start of PSA’s price cap on calls to 118 (Directory Enquiry) numbers, after which date all calls to will be limited to £3.65 per 90 seconds.

The Fundraising Regulator

The FR has published its 2017/18 Complaints Report, which looks at both fundraising complaints made to the Regulator directly and the reported complaints received by the 58 charities spending the most on fundraising.

The biggest cause of complaints was the content of fundraising communications, but the following two reasons are more relevant to the Contact Centre audience:

• Failing to manage supporters’ data properly (and frequently not fulfilling requests to cease contact)
• Poor complaint handling

The FR also shared guidance from the Royal Mail about stamp fraud. Which is a thing, apparently...

The DMA

The DMA’s Privacy Working Group is finalising a checklist for Non Executive Directors, working on guidance around SARs (Subjects Access Requests) and security and next month will meet with IAB Europe (the industry body for online advertising).

ICO

ePrivacy Regulation - Although there’s still a desire in Brussels to get the ePrivacy Regulation text finally agreed before the next round of EU Parliamentary elections in late May, this hasn’t happened yet.

The ICO’s big annual Data Protection Practitioners’ Conference took place in Manchester on 8th April. There were some interesting contributions and discussions .

One specific cause for concern from the ICO was the increase in complaints it is receiving – up 98% in the wake of the GDPR and 2018 Data Protection Act.

As a lot of consumer’s data protection complaints and concerns will start off in contact centres, the ICO’s guidance checklist may help guide data controllers how best to handle data subjects’ complaints.

ICO Enforcement Actions

Three cases in the contact centre and direct marketing world, this month:

Grove Pension Solutions of Sevenoaks, Kent, has been fined £40,000 by the ICO for sending 2 million unsolicited marketing emails from October 2016 to October 2017, in contravention of the PECR regulations.

Some interesting aspects of this case:

• The ICO was initially alerted to Grove’s activities by the FCA
• Grove used a network of affiliate marketers which provided ‘hosted’ email marketing channels and typically acquired consumer records through testing and competition sites (see left)
• The ICO acknowledged that Grove sought the guidance of a specialist data protection consultancy and an independent data protection solicitor. But by implication the ICO thought their professional advice was incorrect

Bounty (UK) has been fined £400,000 under the 1998 Data Protection Act for sharing individuals’ personal data without informing them.

This is the joint second highest fine imposed by the ICO – its recent £0.5m fine of Facebook (which is being appealed) being the highest. The full notice is given here but there are some specific features of the case worth highlighting:

• Bounty – which provides expectant and new parents with support services, including ‘Bounty packs’ of free product samples – came to the ICO’s attention as part of an investigation into the data brokerage market. Bounty used to act as a provider of 3rd party data
• Bounty’s supply of data was on a massive scale. It had a database of 17 million unique records and shared nearly 35million to 39 organisations – including Equifax, Acxiom & Sky – between July 2017 and April 2018
• Although Bounty’s online data capture processes had marketing preference options, the ⅔ of members acquired offline had no way of opting out of Bounty’s (non-specific) data sharing
• Despite Bounty stating that it never shared children’s data with third parties, the ICO judged that sharing babies’ date of birth and gender data would allow third party organisations to append it to other existing data to better identify children
• Overall, Bounty radically changed its business model and approach to personal data in the lead-up to the GDPR, but the ICO’s enforcement focused on the prior period

Avalon Direct Limited (previously trading as Plan My Funeral Avalon), based just down the road from the ICO in Wilmslow, has been fined £80,000 for making unsolicited marketing calls to numbers registered on the TPS.

Avalon made over 2m attempted calls over a period in 2017, 134,000 of which connected. Of these, 52,000 were TPS registered.

• The ICO investigation was triggered by a critical article in the Mail on Sunday in November 2017
• At the time, two of Avalon’s director’s had already been subject to ICO enforcement for a different matter – and as they were also directors of Avalon’s lead supplier the ICO feels that they, at least, should have understood the law…
• As the calls were about funeral planning the ICO considered that the recipients may have been especially vulnerable

The Insolvency Service

There haven’t been any further instances of the government’s Insolvency Service taking action against the directors of companies which have been subject to ICO enforcement action, but haven’t paid the fines. However, it’s probably safe to say there will be more soon.

Direct Marketing Commission

The Direct Marketing Commission (DMC) has announced no further adjudication decisions since its annual report, which we covered in detail last month.

It Can Happen to the Best of Us...

Finally, it would be a shame not to share this article from The Register: