Regulation Hub Update - August 2018
17 Aug 2018
Still no sign of the long-delayed new PCI DSS guidelines which will specifically address the contact centre world and consider new telephony and digital based scope reduction technologies (expected to make clear that ‘pause & resume’ will only take the call recorder and call recording storage out of scope of the PCI DSS and won’t take a contact centre out of scope).
There’ll be an update as and when we know more.
The next Linden meeting is due to be in October.
The Fundraising Regulator (FR)
The FR has celebrated its second birthday and launched a new more user-friendly website. The FR now has 3,200 charities registered, including 1,650 levy payers, nearly 1,500 smaller charities and nearly 90 fundraising agencies.
Direct Marketing Commission
No news from the DM Commission this month – and possibly won’t be until next year’s annual report for 2018. www.dmcommission.com/?attachment_id=3507
The Department for Digital, Culture, Media & Sport is expected to publish the results of its consultation about giving the ICO the ability to fine company directors shortly after it ends on 21st August.
As previously noted, the TPS data cleanse (https://dma.org.uk/press-release/dma-and-ico-update-to-tps-system) is half-way through. Around 3m landlines have been cleansed and removed from the register, but the process for mobiles hasn’t yet started.
In mid-July, Ofcom published its latest league tables on the complaints it receives about the UK’s major providers of telecoms and pay-TV services (which average c.300 per day).
The infographic of the Council’s research into contact centres’ perception of the Ofcom Persistent Misuse guidelines was published in July (www.dma.org.uk/uploads/misc/5b4dcd115ebb2-dma-cc-council-ofcom-survey-2018_5b4dcd115eafc.pdf), along with the accompanying blog (https://dma.org.uk/article/contact-centre-confusion-new-research-shows-widespread-confusion-over-ofcoms-outbound-calling-regulations), which received ‘front page’ coverage in Decision Marketing.
Ban on Pensions Calling
The proposed government ban on unsolicited cold calling about pensions is now likely to take effect in the Autumn after a self-imposed target of June 2018 was missed due to ‘technical issues’.
The City of London police have recently said that consumers were victims of £51m of pension fraud in the first 3 months of 2018.
As I understand it, the FCA cannot ban cold calling unless it’s being carried out by FCA-regulated firms and the ICO cannot do so directly as it would be an extension of PECR. Therefore the ban will require primary legislation, sponsored by the Treasury, to be passed by Parliament.
GDPR, the new Data Protection Act and ICO
SAS research shows that 35% of UK adults claim to be planning to or already have removed their data from social media companies and retailers. That sounds like a step change in consumer awareness of their personal data rights post-GDPR and Facebook/Cambridge Analytica - or maybe just wishful thinking & the best intentions…
The ICO has reported the first increase in nuisance call complaints in nearly 12 months:
Contact Centre Council’s Controlled Lead Generation Activity Guide
At the start of August the Contact Centre Council’s Guidelines for Controlled Lead Generation Activity was published. It’s already proved a popular read and would have been impossible without the sterling efforts of Dave Clark.
Both the Guide and the Contact Centre Agent GDPR Training Guide have already racked up over 400 views.
DMA and the Privacy Taskforce
The successor to the DMA’s GDPR Taskforce will be the Privacy Taskforce, with a broader brief, but a similar make-up, reflecting the different Councils. No meeting in August, but I plan to attend the next one on 5th September.
The DMA’s latest (post-GDPR) Data Privacy survey was launched at the start of August:
The latest news from the DMA suggests that the Directive is unlikely to be agreed until next year and not take effect until 2010 (after Br*xit). And it’s all the Bulgarians’ fault!
Westminster News
DCMS Secretary of State Jeremy Wright has been tweeting like crazy since starting his new job. www.computing.co.uk will be relieved…
No summer wind-down for our friends in Wilmslow. The fall-out from the multiple scandals over the use and abuse of personal data for political purposes continues and there have been a couple of fines and enforcement actions in ‘our world’ of direct marketing.
- STS Commercial - Evidence that ‘having form’ with the ICO isn’t a great place to be when a new investigation starts
- AMS Marketing - Another example of the ICO looking to technology providers to provide some clarity when marketers have been less than honest about their actions
STS Commercial, based in Bridgend, is a technology and services provider for the insurance industry. STS has been fined £60,000 for sending over 270,000 unconsented, spam text messages to people offering them low value ‘Pay day’-style loans from a broker, Cash Kitty.
STS has already been investigated by the ICO about similar PECR infringements in 2015, which won’t have helped its case. Nor will some other aggravating features of the case listed by the ICO in its report:
- Lack of due diligence by STS
- The ‘opaque nature’ of STS’ set-up and ‘lack of transparency’ in responding to the ICO’s queries
- The fact that after STS’ network provider had cancelled its contract, STS then used unregistered mobile SIMs to send marketing texts
Also I’ve identified that Cash Kitty is owned by William Sinclair, who is a director of ATS Commercial – which may have contributed to the ICO’s comments about STS being ‘opaque’.
AMS Marketing Ltd of Peacehaven has been fined £100,000 for PECR infringements, namely over 75,000 unsolicited marketing calls to numbers registered on the TPS (about claimed car accident compensation cases) from Autumn 2016 to the end of 2017. AMS confirmed that it had not TPS-screened prospect data purchased from third party data providers, and the ICO judged that it had failed to carry out any appropriate due diligence of the data provided or to have contracts in place with the data suppliers.
The story about AMS in Decision Marketing (www.decisionmarketing.co.uk/news/revealed-the-bungalow-which-spouts-out-nuisance-calls) revealed that AMS is a sole-director firm operating out of a bungalow.
According to AMS’ latest accounts on www.duedil.com it has £17 in cash, so I doubt HM Treasury will see much of the £100,000 fine…
An interesting aspect of the case is that – in an echo of a number of similar cases a few months ago in which 8x8’s customers were identified and fined – the ICO’s route to proving AMS’ illegality was via a technology provider. In this case it was Hostcomm, a contact centre technology, predictive dialler and telecoms vendor, which confirmed that CLIs it provided had been used by AMS – despite AMS’ earlier denials. If you’re looking for a moral here, it’s probably that it’s always best not to lie to the ICO!
Lifecycle Marketing (owner of Emma’s Diary)
The ICO pre-publicised its investigation into Lifecycle Marketing for supplying the personal data of over 1 million households to Experian for use in targeting the Labour party’s direct mailing for the 2017 general election. In early August the ICO announced that the investigation was concluded and fined Lifecycle Marketing £140,000.
Although we don’t usually ‘do’ politics, the issues in this case are directly applicable to direct marketing. Lifecycle Marketing’s transgressions were in the areas of fairness and transparency. The Emma’s Diary sign-up journeys, privacy policies and commercial promotion all failed to explain that personal data shared would be used for political purposes. Subsequent to the start of the ICO’s investigation Emma’s Diary did retrospectively alter its privacy policies to include political purposes, but Lifecycle Marketing has now declared that it will no longer use or sell the data for political purposes.
In July Elizabeth Denham said she was ‘minded’ to fine Facebook £500,000 (the maximum fine under the old Data Protection Act) for its role in the Cambridge Analytica scandal – specifically for failing to protect users’ data and not being transparent about its use. She also said that the ICO was taking action against Lifecycle Marketing (owner of expectant mothers’ marketing brand Emma’s Diary). As you can see above, they’ve now done so, but Facebook are still waiting for the outcome of their case. Many commentators highlighted that this was the first time the ICO had given advance notice of an intention to fine organisations for failing to respect data privacy, which shows the profile of the ICO’s investigations into political use of data.
“Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system.” Elizabeth Denham, July 2018
Next up? Possible Future Data Breach Case
As Ben Lappin highlighted a few days ago, Salesforce has revealed a so-far unquantified data breach by which an API coding error meant that users of its Marketing Cloud Email Studio and Predictive Intelligence products may have had their customer data copied to other users’ data.
Salesforce believe that there has been no malicious use of the data. Here’s hoping.
Finally, in the wake of all that excitable talk about the potential under GDPR for companies to be fined up to 4% of global turnover, it’s a diverting exercise to realise that, back in the real world, Ofcom’s fining Royal Mail £50m (nothing to do with data or GDPR or marketing, of course) and that’s still only 0.5% of Royal Mail’s turnover…