Regulation Hub Update - July 2019

This article is written by Steve Sullivan who is the Deputy Chair of the Contact Centre Council.

ICO

This month’s biggest news is the ICO’s notices issued on Monday announcing its intention to fine two global brands unprecedentedly large amounts for their respective data breaches.

• British Airways - £183m fine for its 2018 data breach, affecting 500,000 customers
• Marriott - £99m fine for Starwood (which Marriott subsequently purchased)’s 2016 data breach of over 300m individuals data (30m of whom were EU residents), also notified to the regulators in 2018

Both cases mark the ICO’s first ‘GDPR era’ enforcements (excluding an earlier Cambridge Analytica-related case). As yet, it’s hard to work out what these headline-grabbing cases tell us. The BA fine – if carried out – equates to 1.5% of parent company IAG’s global turnover – versus the theoretical maximum 4% that GDPR would allow for this sort of infringement. Marriott’s would be a far lower relative proportion of turnover.

In the normal run of PECR-based enforcement, the ICO has fined another massive corporate – EE – and a much smaller transgressor:

EE has been fined £100,000 for sending marketing text Messages to 2.5m customers without gaining their consent. The texts were promoting EE’s new app, which EE considered to be informative service communications, but the ICO deemed to be marketing.

Smart Home Protection of Staffordshire was behind 118,000 unlawful marketing calls made between January 2017 and September 2018 to people registered with the TPS. Smart HP has been fined £90,000.

Key factors: In 2017 Smart Home Protection had invested in an (unnamed) cloud-based predictive dialler. The dialler had a feature that would screen out numbers which were TPS-registered. However, that feature had to be enabled and this had not been done. Furthermore, although Smart HP assumed that its data provider screened its third party data for TPS registration, Smart didn’t undertake any due diligence or even have a contract with the data provider.

Finally, the ICO has caused widespread confusion by overhauling its guidance on the use of website cookies. It says that all cookies will require “GDPR level” consent, which will create considerable disruption to online journeys (to see an example, go to the ICO’s own website), but has also said that enforcing the new rules will be a low priority…

Payments

According to a paper commissioned by payments firm Stripe – who aren’t what you would call a disinterested observer, to be fair – the new requirements for Strong Customer Authentication (SCA), stemming from the EU’s Second Payment Services Directive (PSD2), may reduce EU-wide e-commerce revenues by 10% or €57bn annually due to an increase in declined online card purchases:

SCA broadly means that consumers will have to verify their identity more often when making online payments. SCA will be mandatory from September, but (unsurprisingly) according to 451 most people have never heard of it- and nor have a lot of merchants selling online.

So, SCA could have a significant impact on all organisations selling online (but not by phone – phone payments are out of scope). However, just in the past couple of weeks, the EBA (European Banking Authority) has announced, in effect, some wiggle room for national regulators like the FCA to not enforce the new rules in September, as originally planned. Watch this space…

PSA
Madlenka Limited has been fined £250,000 by the PSA for running an online number look-up service which directed callers to a 0345 contact number for big brands 9am-5pm but out of those hours re-directed to a message telling customers to call a 118 service charged £6.98 at for the call and £3.49 per minute thereafter.

Ofcom

Ofcom’s latest move to lower the barriers to consumer switching is a new service allowing customers to change mobile providers via a text message (‘Text to Switch’).

Elsewhere it’s been an uneventful month for TPS and the Fundraising Regulator.