Regulation Hub Update - February 2019
13 Feb 2019
- Renewable energy firm sanctioned – but not fined – by the ICO for making 800,000 unconsented calls to consumers on the TPS
- Accident claims contact centre fined £80,000 for calling TPS numbers
- Two rogue marketing firms’ directors banned for 6 & 4 years by the Insolvency Service
The closure of TPS’s TPS Protect app has been confirmed. Whether its lack of take-up is reflective of what some people see as a general decline in public concern about ‘nuisance calls’ – helped by the networks’ blocking of suspected rogue calling numbers - or simply that the proposition didn’t appeal to enough consumers is hard to say.
Ofcom’s quarterly complaints figures have been published.
Virgin Media still have the most complaints for Mobile and Pay TV.
Vodafone’s market shares for Broadband and Landline services have now reached the 1.5% threshold level that triggers companies’ inclusion in Ofcom’s analysis. Unfortunately for Vodafone, it tops the tables with the highest complaint levels for both!
As previously noted, we’re keen to understand how the Payment Cards Industry (PCI) Security Standards Council’s updated Guidance for Phone-Based Card Payments is having an impact on real-world customers and contact centres. www.pcisecuritystandards.org/documents/Protecting_Telephone_Based_Payment_Card_Data_v3-0_nov_2018.pdf
If you have any insight, please do let us know!
This month, the PSA has taken further action against two service providers which had previously been sanctioned, but failed to pay fines or engage with the Authority.
Global Awareness Limited, an adult video services provider, has been fined £200,000 and banned from providing premium paid services for 5 years. Global Awareness is no longer trading.
Halak Online operated www.helplinecontactnumber.co.uk - a customer care number look-up facility, which charges a premium for calls made (similar to Tobaji’s www.customerservicecontactnumber.uk which we wrote about in October 2018 October Update) - has been fined £250,000 and also barred for 5 years. The website still appears to be live, though…
Nothing of note from the Fundraising Regulator, this month.
(Although they have produced an infographic on the Fundraising Preference Service's rather underwhelming take-up rate, which we covered in the last update January Update )
The DMA’s data protection conference, Data Protection 2019, is being held on 1st March
DMA’s Privacy Working Group (the new name for the Privacy Taskforce)’s most recent meeting was dominated by a discussion about Brexit planning and the DMA’s interactions with government https://dma.org.uk/uploads/misc/brexit-toolkit.pdf - as well as a presentation from Tapmydata (www.tapmydata.com - see the final page of this Update)
This month the ICO has been busy reiterating its advice about how to prepare for various Brexit scenarios www.ico.org.uk/for-organisations/data-protection-and-brexit/
Meanwhile, in Brussels there’s still no clarity as to the shape and release data of the proposed new ePrivacy Regulation.
ICO Regulatory Sandbox
Sadly, we’ve had no Christmas Competition entries suggesting what the ICO’s Regulatory Sandbox might be, so we’ve had to find out ourselves.
Apparently it’s a proposed new service from the ICO which will support organisations with innovative propositions involving personal data to test their compliance before they are brought to market
Here’s a brief video from a nice man at the ICO to explain.
ICO Enforcement Actions
NWR, a renewable energy firm based in Kent, has been ordered to cease illegal marketing calls to numbers registered with the TPS.
An ICO investigation which was triggered after a total of 138 complaints – to both TPS and the ICO directly - established that:
- NWR routinely called TPS numbers – over 860,000 from May 2016 to May 2018 – when making unsolicited marketing calls
- NWR’s contact centre agents were using false, generic company names (including ‘Energy Care’ and ‘Energy UK’) when calling consumers
Again, the ICO used Third Party Information Notices to both a CLI provider and a non-geographic number re-seller to track down NWR.
It’s not clear why NWR hasn’t been fined in this case; fines are normally imposed at the same time as other Enforcement Notices are issued. The ICO’s full report is here.
Alistar Green Legal Services
Alistar Green, based in Liverpool, makes outbound calls to generate road traffic accident claims. From March to July 2017 213 complaints were made to the ICO and TPS from consumers registered with the TPS who had received calls from Alistar Green.
When investigated Alistar Green confirmed that they used third party-supplied calling data, but said that the data was both TPS-screened when supplied to them and then TPS screened internally before dialling. However, Alistar Green claimed that a newly-employed Dialler Manager must have been responsible for not following the correct processes and not notifying management of complaints received.
Clearly the ICO was unimpressed by the explanations given and fined Alistar Green £80,000 for its infringements of the PECR rules: www.ico.org.uk/media/action-weve-taken/mpns/2614225/r-alistar-green-mpn.pdf
Eldon Insurance – Go Skippy
Between August 2017 and July 2017 over 1 million emails were sent to Leave.EU subscribers at Eldon Insurance’s instigation. Over 300,000 of these emails were opened. Although the emails were primarily about Brexit and Leave.EU’s campaigning aims, they partially contained Go Skippy (Eldon’s public brand) direct marketing messages in the form of discount offer ‘banners’, for which neither Eldon or Leave.EU had consent.
The ICO has confirmed a fine of £60,000, which it announced its intention to levy on Eldon in November (see last November’s Regulation Hub Update). Aaron Banks is Eldon Insurance’s owner and key backer of Leave.EU – which was fined £60,000 for its role in this case.
Magnacrest is a property developer which, after ignoring a Subject Access Request (SAR) lodged in April 2017 and then failing to respond to an ICO Enforcement Notice ended up at Westminster Magistrates‘ Court this month and was fined £300, with a £30 victim surcharge, and was ordered to pay £1,133.75 towards prosecution costs. The fine was imposed for Magnacrest’s failure to comply with the old, 1998 Data Protection Act, but suggests that the ICO is still more interested in ‘encouraging compliance’ than in having a significant financial impact on organisations that fail to recognise individuals’ personal data rights. www. ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/02/housing-developer-fined-for-ignoring-data-request/
The Insolvency Service
The government’s Insolvency Service is working more closely with the ICO to take action against company directors involved in data protection infringements, when the fines imposed aren’t paid.
Aaron Frederick Stalberg – The Lead Experts
The Lead Experts was fined £70,000 in October 2017 for making automated, recorded message calls without the recipients’ consent. It’s sole director, Aaron Stalberg has now been banned from holding a company directorship for 6 years.
Keith Hancock – Lad Media
Lad Media was fined £50,000 in February 2017 for sending nearly 400,000 spam text messages to consumers whose data was obtained from lead generation data brokers and whose consent was unclear and/or non-specific. Like The Lead Experts, Lad Media had a sole director, Keith Hancock, who has now been banned for 4 years.
The Direct Marketing Commission (DMC) investigates all direct marketing complaints against DMA members where the complaint is within the scope of the DMA Code (www.dma.org.uk/the-dma-code). The DMC explains on its website and annual report that the majority of cases referred to it – both consumer and business-to-business – are resolved informally. However, some cases go to formal investigation. The most recent of those which is relevant to the contact centre community is one involving consumer lifestyle data provider DLG/PDV (www.dlg-pdv.com), in July 2018.
The full text of the DMC ruling is below, but the cases revolved around DLG/PDV’s use of offshore contact centres conducting lifestyle surveys to generate lead data. In this case, the leads were passed to a legal services firm and included a consumer who complained about their call as they were registered with the TPS. The DMC upheld the complaint as it felt that the marketing contact consent obtained was unclear and insufficient to supplant the TPS registration. www.dmcommission.com/adjudications/2018/07/dlg-pdv-ltd-complaints-about-direct-marketing/
The Engergy Sector
Regulation and compliance is, of course, often very business sector-specific. Ofgem’s recent media releases about Economy Energy’s demise helps illustrate how in the energy sector Ofgem not only has considerable powers – unimaginable in unregulated industries - but is prepared to use them:
TapmydataA growing number of contact centres will have come across the Tapmydata app, being used by consumers to lodge Subject Access Requests. We have asked their CEO, Gilbert Hill to explain what it is they do:
“Recent scandals around breaches, Facebook and the 'weaponisation' of personal data have reached a tipping point in the media and public perception: trust has been lost. Tapmydata is a new service aimed at giving back citizens control of their data, one right at a time.
Launched in Oct 2018, Tap consists of a mobile app which enables individuals to find out which companies have information on them, make a SAR (Subject Access Request) and hold their personal data securely in a 'wallet'. Tap gives companies (who are obliged to supply this under GDPR) a web platform to handle these requests securely, and at scale. A record of these data 'transactions' is stored on the public blockchain.
From use of the mobile apps (Apple & Android), Tap's findings are that consumers appreciate companies who respond and trust them more as brands. People correct their own data and even go so far as to praise them via social media. Around 50 organisations are using the platform to handle requests, integrating this with their own websites and processes.
Tapmydata is expanding to cover further GDPR rights in 2019 as part of a strategy to be a well-known consumer privacy brand, and player in the 'data wallet' market. You can learn more about the PrivTech landscape in this Information Age article https://www.information-age.com/digital-self-defense-privacy-tech-killing-ai-123478931/ and at www.tapmydata.com”