Regulation Hub Update - March 2022
08 Mar 2022
This article is written by Steve Sullivan, the Deputy Chair of the Contact Centre Council.
This month’s regulation and compliance news from the DMA Contact Centre Council’s Regulation Hub
ICO Fines
2021 was a bumper year for the ICO, with 36 fines levied on organisations for breaking the data protection rules, all but 3 of which were marketing related.
Since the last Update the ICO has fined 7 firms for marketing failings, many of which directly involved contact centre activities.
IFA firm EB Associates has been fined £140,000 for breaking the PECR ban on pension calling imposed at the start of 2019.
Over 100,000 calls were made on EB's behalf by two (unnamed) lead generating firms which took prospect names from (again, unidentified) lead generation websites which didn't clearly explain that brands like EB Associates would contact consumers. EB's attempted defence was weakened by not being able to evidence any due diligence of its lead suppliers or having contracts with them.
What’s not clear is why the ICO didn’t name the lead generators and their contact centres, like Honda, Morrisons and FlyBe (remember them?)
In the past, Virgin Media's been hit by a £50,000 ICO fine for sending what the ICO deemed to be marketing emails to customers who had opted out of marketing, trying to persuade them to opt in to marketing offers. The details of the story are a bit involved, but simply put, Virgin emailed over 420,000 customers trying to get them to opt back in - and 6,539 did so. That's 1.6%, not too bad a response. But one recipient complained to the ICO (0.0002% response rate) - and the ICO agreed with their objection, which wasn't so good.
So, yet again, the ICO sticks rigidly to its view that if you communicate with opted out members of your customer base (even a specific, targeted sub-set of that group) to try and persuade them to opt in to marketing then you're marketing without consent. Thus breaking the law.
Northern Gas & Power don't seem like the typical firm fined for illegal telemarketing activities by the ICO. Northern's a subsidiary of the equally professional looking and otherwise impressive Global Procurement Group and its founder won Britain’s Most Ambitious Business Leader in 2020. But the ICO fined it £75,000 in December. Why?
Well, firstly - as is often the case - the ICO's enforcement write-up makes it clear that how Northern went about its sales and marketing was far from an example of best practice, planning or execution, which will have contributed to the complaints that triggered the ICO's investigation. But what's of real interest and relevance is that Northern - an energy brokerage - solely operated in the business-to-business market. Traditionally, if you want to avoid the ICO delving into your marketing and data management then the best advice is to avoid consumers and stick to B2B. But the ICO's Enforcement Notice (a fascinating read - honestly!) makes it clear that Northern's biggest mistake - amongst many - was not screening its prospect data against the TPS (Telephone Preference Service) and the CTPS (Corporate TPS - the B2B equivalent of the TPS).
A lot of small and micro businesses' phone numbers are in effect personal numbers, so may well be registered with the TPS and - even though few people will even have heard of it - the CTPS needs to be respected if you intend to market to business numbers.
A good, professional data management provider should guide brands like Northern through the required processes, but brands might not always be able to tell the good from the bad. Which is why if you’re running a professional contact centre operation it pays to read this Regulation Hub Update!
Welsh loft insulation firm Home2Sense made over 600,000 calls to Telephone Preference Service (TPS) registered numbers and has been hit with a £200,000 fine.
The following factors didn’t help Home2Sense’s cause in this case:
- use of multiple CLIs (calling numbers) and trading names
- using dubious 3rd party data from an untraceable source
- being unable to demonstrate any compliance awareness, training guides or procedures
- failing to co-operate with the ICO after initially denying it even made outbound calls
- and arguing that phone calls aren't covered by the PECR rules (they are!)
Energy Suite is another energy saving firm fined for illegally making telemarketing calls to TPS registered numbers. However, in contrast its fine was an unprecedentedly low £2,000 - just 1% of Home2Sense's fine.
Energy Suite operates at a far smaller scale than Home2Sense or most other firms fined for calling TPS numbers, making a few thousand manually-dialled calls per month. It's apparent from the ICO Enforcement Notice that Energy Suite was ill-informed about how to go about its consumer marketing - but at least made efforts to set things right once the ICO intervened.
Tempcover sells temporary car and van insurance, has a 5-star 'excellent' rating on Trustpilot and seems to be a professional and wholly legitimate business. Unfortunately, it's just picked up an £85,000 fine for breaking the PECR rules.
Tempcover gathered millions of names from consumers requesting quotes on its website and - after conducting a Legitimate Interests assessment, involving the Head of Customer Operations & Compliance, marketing and Tempcover's Data Protection Officer - decided that it was ok to re-market to consumers, via email and SMS.
Because the online journey made it clear that people looking for quotations would be contacted in future then that may seem fair enough, especially when PECR enshrines the rather woolly "soft opt-in" concept.
However, the website didn't give users the opportunity to opt out from marketing there and then, because future marketing permission was bundled with the request for an insurance quotation, so the ICO says that consent wasn't 'freely given'.
Tempcover clearly aren't scammers or tricksters, but failing to cover the regulatory basics has left them £85k the poorer and with some serious reputational damage.
The ICO has fined loan brokerage The Money Hive £50,000 for sending over three-quarters of a million text messages to consumers without consent.
International Data Transfer Agreements (IDTAs)
IDTAs are the new, post-Brexit legal framework which will be used to allow the safe transfer of personal data between the UK and countries for which there isn't an 'adequacy' agreement. We don't have an 'adequacy' ruling with many other countries apart from the EU/EEA, so this framework is really vital.
IDTAs were included in a new addendum to the Data Protection Act which had its first reading in Parliament in February and is expected to be agreed by the end of March.
DMA members can get further guidance on the role of IDTAs from the DMA Legal Helpdesk.
Data and Marketing Commission (DMC) Annual Report
As DMA Members will already know, the DMC helps ensure that DMA members act in line with the DMA Code.
Its 2020/21 Annual Report has just been published and shows just 84 complaints, only 16 of which were of DMA members. There were no formal DMC adjudications, but one case that they referred to was another example of potential service vs marketing confusion (like the ICO Virgin Media fine described above) - though in this case the DMC was satisfied that the firm didn't have a systemic failure re sending the right type of email to the right customers.
You can read the DMC report here.
In late February Ofcom published its Tackling Scam Calls and Texts paper. In addition to sharing research on the continuing prevalence of fraudulent scam texts and calls, Ofcom have committed to some actions that should help:
- Pushing telco firms to act on number ‘spoofing’. Calling line number ‘spoofing’ is the technique scammers use to make it look like their calls come from a legitimate firm or organisation’s number. Ofcom’s paper makes it clear that although not all spoofing is easy for the telco firms to detect and prevent, most of it is. It seems that while some telcos have made great progress looking for and blocking spoof numbers, not all have been trying as hard.
- Requiring telcos to undertake due diligence before allocating numbers. Ofcom has amended its rules to make sure the right checks are made, including requiring them to carry out ‘know your customer’ checks. Formally these new rules are now subject to consultation, but it seems quite certain that they will be adopted.
- Expanding the ‘Does Not Outbound Call’ (DNO) List. For some years Ofcom has been collaborating with UK Finance to collate a list of legitimate inbound phone numbers which are never used to make outbound calls. Ofcom says that the DNO list has grown and grown as more and more “providers, the devolved administrations, government agencies and other public sector bodies” add their numbers to it. The DNO List is then shared with the telco firms and some call blocking services to help ensure that these legitimate numbers can’t be used by scammers to trick the public through their fraudulent outbound calls.
Although its figures are still above average in all categories – fixed broadband, landline, pay monthly mobile and pay TV – Virgin Media’s relative performance in Ofcom’s quarterly complaints analysis continues. TalkTalk still generates most broadband complaints and EE and Sky continue to top the tables with good service.
In December the PSA fined two dodgy premium rate providers
- Moblix Media Limited - which ran the 'Friday' voucher code service
- Gothamiax Limited - responsible for the similar 'Every Day Saves' service
a total of £1m for misleading consumers. No fines of Premium Rate Providers from the PSA, this time around.
The rate of energy supplier failures has slowed since our last Update, but the impacts of the increased price cap which comes into effect in April remain to be seen.
Content accurate as of 1st March 2022