
Consent: UK data controllers and their plausible deniability

How can it be that it's 2014 yet so many well known companies do not appear to understand their need to obtain consent before targeting their data subjects with electronic marketing?

According to section 53 of the ICO's direct marketing guidance, for consent to be valid, it must be freely given – the individual must have a genuine choice over whether or not to consent to marketing. Organisations should not coerce or unduly incentivise people to consent, or penalise anyone who refuses. Consent cannot be a condition of subscribing to a service or completing a transaction.

The solicitors Bond Dickinson have summarised the guidance in an easy-to-read fact sheet.

What this means in layman's terms is that you cannot obtain consent by burying a consent statement in your privacy policy or terms and conditions because that consent will be a condition of subscribing to a service. Unless the individual is given a clear choice to withdraw their consent before receiving electronic marketing, then, according to the ICO, you will not have obtained their consent. The easy way to give a choice, of course, is to have clear tick-boxes on your form so that the user can opt-out. The data controller also needs to identify the type of marketing (by phone, by e-mail etc.), and for third party marketing to be valid (indirect consent), the data controller will need to identify those companies or the category of business that will make use of the data subject's indirect consent (section 79).

I've come to the conclusion that many well known companies must simply be ignoring the issue of consent in the hope that they can continue to abuse and exploit the rights of their data subjects for financial gain. In other words - plausible deniability. Actually, isn't that potentially fraudulent? Deliberately misleading someone for financial gain? I've decided therefore to start contacting these companies to see what they have to say. I'm going to refer them to this page and I'll make a note of their response. Will they come clean or will they simply ignore me? If they ignore me then I'll keep contacting them and make a note of the number of times I've done this. I'll start with a few first.

The aim of this page then, is to see how well known UK companies will respond to a direct question about consent and whether or not their consent has been obtained by giving their customers a choice to refuse. Will they admit that they are failing to obtain consent and put this right, will they attempt to placate me, or will they ignore the question and carry on regardless? Do these companies put financial gain above the statutory rights of their customers?

What does this say about the ICO who stated on the BBC's Panorama programme that they're clamping down on the abuse of electronic marketing? It's likely that some of these companies are abusing the rights of millions of customers - what's the ICO doing about it?

Millets

Struggling to get a straight answer from them

Date: 17.04.2014. Millets replied via Twitter saying:

'Hi David, I can assure you that our emails are only sent out to those who opt in to receive them'.

It's this response that made me start this page. I am confident that the person who submitted this reply is not in a position to make such an assurance.

Date: 19.04.2014. I've sent an e-mail to customercare AT millets.co.uk. Ref: SA491976X.

Date: 25.04.2014. I've sent an e-mail to customercare AT millets.co.uk. Ref: SA497443X.

Date: 28.04.2014. Contacted them by Twitter to get a response to my two enquiries.

Date: 29.04.2014. Millets replied via Twitter saying:

I can confirm though that we have amended our check-out process to only display one opt-in tick box.

What this means is that they've removed the duplicate opt-out for their newsletter - which is a step in the right direction but what about the other marketing... when do they give me a choice for that?

Date: 11.05.2014. Still waiting for a response.

Date: 14.05.2014. Have contacted them again for a response to my question.

Compare the Market

They do appear to give a choice

I submitted a complaint to the ICO a few years ago about Compare the Market sending me electronic marketing without obtaining my consent. The ICO concluded that they had not obtained my consent and advised them how to become compliant. They've clearly taken the ICO's advice on board as they now have clear opt-outs for all types of marketing on their registration form. It just goes to show that some companies actually value their customers rather than treating them as a commodity.

I can vouch for Compare the Market as they're now my preferred comparison website and a company that I'm happy doing business with.

Argos

They do appear to give a choice

Date: 19.04.2014. I've contacted their customer services via their web form. Received auto-responder but no reference number.

Date: 27.04.2014. Tweeted Argos about the enquiry that I submitted. It seems that it will take longer to get a response from their data protection person.

Date: 02.06.2014. Argos contacted me to confirm the following:

I can confirm that before completing a reservation or a home delivery order on our website you are presented with the option to select two boxes to opt out of receiving marketing emails from Argos or, selected companies outside Home Retail Group

Super! Well done Argos!

Ebuyer

No response so far

Date: 19.04.2014. I've sent an e-mail to dataremoval AT ebuyer.com.

Date: 14.05.2014. Have contacted them again for a response to my question.

Marks and Spencer

They claim that they're obtaining consent on all channels but it's unlikely

Recommend opting-out under section 11 of the DPA shortly after registering

Although they do obtain consent by giving choice on some occasions, it's clear that it depends on which M&S website you're using. This brings into question the assurance given by the M&S Executive Office and their view that they take the matter very seriously. Best to play safe and opt-out under section 11 of the DPA shortly after registering.

Date: 19.04.2014. I've contacted their customer services via their web form.

Date: 20.04.2014. Marks and Spencer have responded by saying:

'Thank you for contacting us about marketing emails you have been receiving. I am sorry to hear you do not want to receive these emails. I have checked our systems and have been unable to find an online account for you. So I can look into this further for you, please send me the email address you have been receiving the emails to and also what kind of emails you have been receiving. Thanks again for getting in touch. I look forward to hearing from you'.

She's not read the e-mail properly so I've replied seeking an answer.

Date: 22.04.2014. A response from the M&S Executive Office said:

'I can assure you we do ask for marketing consent on all our channels and this is something we take very seriously'.

However, after viewing their web form I've asked for further clarification. This is because the two opt-outs that they have on their registration form refer to "updates". Their consent statement states:

Please tick the boxes below if you do not wish to receive updates from us by email and/or text relating to Marks & Spencer products and services

It's not clear though what they mean by updates. Furthermore, a communication that relates to a product or service can be promotional or non-promotional. A security message about my account for example, relates to a service but is non-promotional. As such, there's nothing specific about this consent statement that informs me that, by ticking the box, I am only opting out of electronic marketing. If I've just placed an order then I still want to receive updates about that order by e-mail; it's the electronic marketing that I don't want to receive.

As far as I'm concerned, unless they specify what they mean by "update" then it's misleading. They need to replace the word "update" with "marketing" in my opinion because then it will be clear that, by ticking the box, I am opting out of direct marketing e-mails only; e-mails that promote a product or service rather than e-mails that relate to a product or service - which may or may not be promotional. There's a huge difference and I'm surprised to see this from M&S; particularly after telling me that they take consent very seriously. I suspect that the lack of clarity will prevent some people from ticking the box because they will be concerned that they are opting out of all e-mails and not just marketing e-mails.

Date: 22.04.2014. Final response from M&S:

I can confirm that M&S is confident that its email marketing practices are entirely lawful including the mechanisms provided to customers to allow them to exercise their right to opt out of direct marketing.
We do not believe that any purpose will be served by engaging with further debate with you, not least because you intend to complain to the ICO and post details of communications from M&S on your website. Accordingly, I will not be responding to further communications from you. We will, of course, cooperate fully with the ICO if and when we hear from it in relation to the matters you have raised.

This response has come from the M&S Executive Office and they're telling me that they obtain consent. I'm going to raise this matter with the ICO but I'm also going to check all the M&S websites to see whether this is the case.

Date: 26.04.2014. In light of the response from M&S, I decided to contact M&S Energy to enquire as to whether they obtain my consent. I received the following response:

There is no area to opt-out of email or post marketing when appling through our website. Once we recieve your application you are then able to decline any/ all marketing.  The avrage time for us to recieve an online application is 72 hours.

Not my spelling mistakes by the way. This suggests to me that they are failing to obtain consent because they're making consent a condition of signing up to the service. This seems to contradict the assurance given to me by the M&S Executive Office.

I've now put M&S into my "S" file so I'll register, opt-out under section 11, submit Subject Access Requests and submit complaints to the ICO at every opportunity.

Confused.com

I advise against giving this company your personal information

This company does not give you any choice when obtaining your consent so you should consider better alternatives such as Compare the Market or MoneySupermarket. If you do need to register with them though, consider opting out under section 11 of the DPA shortly after registering and submit a complaint to the ICO if they continue to send you marketing. Plus, their TV advert is crap.

Date: 19.04.2014. I've sent an e-mail to dataprotection AT confused.com and received an auto-responder with Ref: 00812407.

Date: 22.04.2014. Confused have confirmed that:

'We refer you to our last response, dated 25th September 2013, in which we advised we are unable to comment further about our privacy policy or enter into general discussion about our business practices. We went on to advise that we will not enter into any further correspondence with you on this subject, and our position remains unchanged.'

Just to clarify then, I currently have a case that I'm submitting to the PHSO because the ICO concluded in an Assessment that it was likely that Confused had obtained my consent. Both the Assessment and subsequent case review were performed by ICO staff who are simply not qualified to do the job and this is the kind of thing that I'm up against. This is because the Commissioner's guidance clearly states that consent cannot be a condition of signing-up to a service. This is one of nine complaints that I'm submitting to the PHSO.

From past correspondence then, Confused are of the opinion that they obtained my consent when I ticked a box to accept their privacy policy and they're sticking to that.

I should be submitting my nine complaints to the PHSO within the next few weeks. I'm actually off work this week to work on them. I've trashed all but one, in that, the views given in the Assessment/Case Review conflict with the DPA, the Commissioner's published guidance or other similar Assessments.

Three

Struggling to get a straight answer from them

Date: 06.05.2014. I've sent an e-mail to DPA.Officer AT three.co.uk.

Date: 13.05.2014. Three responded as follows:

Our privacy policy is a notice to our customers explaining how we use personal data for the purposes of providing Three’s services. As per our policy, when using Three’s services, all customers have the opportunity to select their marketing preferences at any time.

They've avoided answering the question so I've sought clarification.

Sky

Looks like they're avoiding me now

Date: 19.04.2014. I've sent an e-mail to dpoffice AT bskyb.com.

Date: 20.04.2014. Sky responded as follows:

'Thank you for your email and for confirming our response will be published on your website. We can confirm we have added your details to our suppression list'. 

Date: 20.04.2014. I've sought further clarification because they did not answer my question about whether they are giving a choice when obtaining consent. No response.

Date: 06.05.2014. I've sought further clarification but it's looking more like plausible deniability. I've contacted their data protection team so I'm not sure what the problem is. No response.

Date: 12.05.2014. I've sought further clarification. No response.

Date: 13.05.2014. I tweeted Sky and received the following response:

You shouldn't receive any, you can always check on the above link to your My Sky to confirm it is all up to date for you :).

How many millions does this company spend on advertising yet they can't afford a Compliance Officer who can give me a straight answer to my question?

Date: 14.05.2014. I Tweeted again this morning and was advised to contact responsibility AT bskyb.com.

Date: 15.05.2014. I sent an e-mail to the address given above but it was returned undelivered for the following reason:

The recipient's mailbox is full and can't accept messages now. Please try resending this message later, or contact the recipient directly.

Is that a mailbox full of unanswered data protection enquiries I wonder.

Date: 15.05.2014. I tried again when I got home from work and my e-mail was returned undelivered for the same reason - mailbox is full.

Date: 21.05.2014. I Tweeted again about the mailbox being full but received no reply.

Date: 23.05.2014. I Tweeted again about the mailbox being full.

Furniture Village

They are going to review the process but no date given

Date: 20.04.2014. I've sent an e-mail to internet_sales AT furniturevillage.co.uk. This company also requires me to consent to their privacy policy so I've asked them what the nature of this consent is - what exactly am I consenting to, and what happens if I don't read their privacy policy?

Date: 20.04.2014. I also Tweeted Furniture Village and received the following response:

'afaik [as far as I know] yes we do David, I know we have strict regs for everything this team's involved with'. Do you have a specific concern?

What's the point in replying to me without clarifying the facts? And I'm fairly confident that their regs are not strict but let's see. I'll go through their check-out process today to see how much choice I'm given. Are we seeing a trend here where companies that respond via Twitter give a positive response regardless?

Date: 26.04.2014. I received the following response:

I know that we’ve previously spoken about this and as I said at the time we are currently reviewing the Privacy Policy and will be updating this as soon as possible.

We do not target people with electronic marketing without first gaining their consent. You will see an example of this at the link below.
http://www.furniturevillage.co.uk/Customer-Services/Before-you-buy/Request-a-catalogue.aspx#aspnetForm.  
All customers and prospects are given the opportunity to opt-out of marketing communications at any time.

We are also currently reviewing all areas of data capture within the website and will be making some changes in the next couple of weeks to ensure that everything is as transparent as possible.
If you have any specific concerns regarding our use of data, please feel free to contact me directly at this email address.

Okay, the example given is a form to request a catalogue and it does include an opt-out. However, I tried checking-out using PayPal and I'm not convinced that consent was obtained. And I'm not convinced that they're validating the e-mail addresses entered into the £10 voucher pop-up. For example, if I were to enter someone else's e-mail address into that box, then at what point have they obtained that person's consent? They need to be validating those e-mail addresses.

It's encouraging though to see that they're going to review their processes. They could always ask the ICO to conduct a data audit. I'll be checking back.

Dabs

They are going to review the process but no date given

Date: 21.04.2014. I've sent an e-mail to assistance AT businessdirect.bt.com. I received an auto-reply with the following reference: #8744-419715498-1115.

Date: 06.05.2014. I sought further clarification: #8744-422195539-2110 and Dabs replied informing me how they obtain consent. Well, they do have an opt-out for third party electronic marketing on their registration form so it seems that I am given a choice to opt-out of third party marketing at the point my information is collected. However, it's not worded very well - there's no indication of the types of marketing or what companies will be providing it; it just says from carefully selected partners.

For electronic marketing from Dabs themselves, it appears that they do not provide a choice but instead obtain consent for electronic marketing by default - when registering with them. As such, this consent is likely to be invalid. Fair enough, they do make their data subjects aware that they can change their marketing preferences by logging in to a control panel after the event, but this information is buried away in their privacy policy.

However, a privacy policy is a one-way information page; it allows the data controller to fulfil their legal obligation to inform their data subjects about how they intend to process their information. But data subjects are under no obligation whatsoever to even visit a privacy policy page, let alone read it. And any mechanism that requires a data subject to agree to or accept a privacy policy is pointless in my opinion. A privacy policy meets a data controller's obligation - not the data subject's!

The way I see it, unless I am opted out by default and use the control panel to opt-in, or unless the control panel is part of the registration process, or unless Dabs make it absolutely clear that I can opt-out via the control panel - before I receive marketing, it's unlikely that they gave me a choice when obtaining my consent. And, to be fair, making it absolutely clear probably won't work either. If they make it absolutely clear on the registration form then that will constitute a consent statement and they need to provide an opt-out. If they make it absolutely clear by sending me a non-promotional e-mail then what happens if I receive the marketing before reading the e-mail? Sure, the ICO will say that a tick-box is not the only mechanism but I think in practice, it's the only reliable mechanism.

Data controllers should avoid treating their privacy policy as an instrument for binding their data subjects because it's unlikely to stand-up in court. A privacy policy is for information only and a data controller still needs to process my personal data in accordance with the DPA/PECR regardless of what it states in their privacy policy or indeed, whether or not I read it.

I've sought clarification from Dabs.

Date: 09.05.2014. Dabs replied and said:

The account sign-up process is something we’re looking at reviewing. We realise the communication preferences involved in the sign-up are questionable therefore we will look to improving this when we update the account sign-up.

This was from Dave at Dabs so I've sought further clarification about his role and when we can expect that review to be completed.

Date: 12.05.2014. Dabs have confirmed that they will be reviewing the process but they're not sure when.

Moneysupermarket

They do appear to give a choice

Looking good, they give you a clear opportunity to opt-out of receiving electronic marketing at the point of registration.

Date: 21.04.2014. I've sent an e-mail to DPO AT moneysupermarket.com.

In their privacy policy it states that 'any electronic marketing communications we send you will include clear and concise instructions to follow should you wish to unsubscribe at any time'. Fine, but do Moneysupermarket obtain consent by giving a choice prior to sending those electronic marketing communications?

Date: 29.04.2014. Moneysupermarket have confirmed that they do provide a choice when obtaining consent and they provided me with a screen shot of their registration form.

 

Please let me know if you want me to contact a specific company. I'll keep going and eventually add the companies and the feedback to a database and at some point I'll contact a researcher for the BBC. You see, the ICO have told the BBC twice that I'm aware of - once on the News and once on Panorama, that they're getting tough on companies that fail to obtain consent but I suspect that they're doing close to nothing.