
Capital One reluctantly complies with section 11

Capital One have finally agreed to comply fully with my section 11 request after insisting that they were entitled to send me promotional information about products that I was already subscribed to. But have they really accepted the ICO's assessment and taken their advice on board or are they simply doing the necessary in order to placate the Information Commissioner?

In response to my section 11 request, Capital One agreed to cease processing my personal data to target me with direct marketing. However, they continued to send me information about balance transfer rates because they were of the opinion that this kind of notification was not direct marketing.

Capital One said:

Unfortunately, I can only re-iterate what they have already said to you. To advise, the mails you are receiving regarding balance transfer offers are advising you of an existing service, rather than marketing a product. Therefore, even if you have opted out of receiving marketing information, you may still receive balance transfer offers. I apologise for any upset this may cause. With regards to the e-mails you are receiving from Visa Extras, this is a benefit for your account which allows you to receive discounts by using your Capital One card; it is not direct marketing. However, you can opt out of receiving these e-mails by following a link at the bottom of the e-mail that is sent to you. Please note, the opt out is only valid for six months.

I submitted a Request For Assessment to the Information Commissioner's Office and they were of the opinion that the balance transfer rates letter did constitute direct marketing (RFA0434845). The ICO wrote to Capital One and advised them on what they needed to do to comply fully with my section 11 request. Capital One then wrote to me to conclude the matter. They said:

'The ICO has written to us as I understand you had contacted them following a Section 11 request you had made to Capital One. I gather you had contacted them as you had received Capital One mailings which you deemed to be direct marketing.

Capital One takes its Data Protection obligations very seriously and strives to put the appropriate processes in place to ensure that customer data is treated and processed in the right way. I'm very sorry that you've felt the need to contact the ICO again as I can see that we had previously received correspondence from them regarding this matter. In response to your initial request, Capital One opted you out of direct marketing. This ensured that you would not receive anything which we would consider to be direct marketing, for example inbound telemarketing, outbound telemarketing, email marketing and direct mail. This opt out however, did not exclude you from receiving customer management material from Capital One, as it is not considered to be direct marketing.

I would like to use this opportunity to provide you with some context about customer management materials. The Capital One credit agreement is set up to have two tiers of interest rates; standard interest rates and promotional interest rates. The standard interest rates apply consistently throughout the term of the agreement, however, under section 12 of our credit agreement, Capital One may also grant to the customer a lower preferential rate for a period of time. Under section 12 we contract with the customer that where such preferential rates apply we will write to them in advance and set out the full details of the preferential interest rate, including, the period for which it applies, the period in which the transaction must be made, and any charges that apply. This allows the customer to be in a position to make an informed decision about the way in which they would like to use their account. Therefore, as this is a term of the original agreement which the customer has entered into with us, and not a new product or service, we would therefore not consider this to be direct marketing'.

Capital One's letter went on to confirm that:

'after the ICO wrote to us in February we took action to ensure that you would not receive any further customer management materials'.

Capital One are now complying fully with my section 11 request - so far.

Analysis

Bearing in mind that this is Capital One's final letter to me and that they now consider the matter closed, I'm confused by the fact that they still appear to be of the opinion that their customer management materials do not constitute direct marketing. The ICO have informed Capital One that, in their opinion, it is direct marketing, and bearing in mind that Capital One have not appealed this decision, shouldn't they now be referring to their customer management materials in the past tense? For example, 'we were of the opinion that our customer management materials constituted direct marketing but we are no longer of that opinion because we have accepted the ICO's assessment'. They're not talking in past tense though, so it appears that Capital One have not accepted the ICO's assessment... for the following reasons:

1. That marketing relating to a service that I already subscribe to is not direct marketing.

The definition of direct marketing given by the DPA is 'the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals'. Notice that the definition does not refer to products that "I already subscribe to". Notice too that the definition does not refer to "new products or services". The definition clearly states ANY advertising or marketing materials. How does an organisation like Capital One with all its legal resources not understand this? Capital One are sending me the balance transfer letters because ideally they want me to transfer more money onto my credit card in the hope that I will ultimately pay them more interest. A reasonable person would have to conclude that this is marketing but if Capital One's legal people believe otherwise, please write to me and quote me the law that supports your point of view; the legal term that negates the definition of direct marketing as given by the DPA.

2. That I agreed to accept the marketing as part of the original agreement that I entered into.

When I accepted Capital One's terms and conditions I did so on the understanding that their terms are fully compatible with my rights as a consumer and a data subject. As far as I'm concerned, any terms that are incompatible with my statutory rights are not only unenforceable in a court of law, but I suspect that the OFT will have something to say about misleading terms. And any civil law terms that relate to marketing must be misleading because a company cannot make it a requirement of a standard form civil contract that their data subjects MUST receive marketing from them - because the data controller of that company MUST process personal data fairly and therefore MUST uphold the statutory right afforded their data subjects by section 11 of the DPA. As such, any and all terms relating to marketing should really be in Capital One's privacy policy as a statement of processing rather than as an unenforceable term in their terms and conditions. There's an easy way to settle the matter... if Capital One truly believe that they have a valid legal argument then they should sue me for breach of contract for failing to accept their marketing terms and set an example. They won't do that though because they know that they do not have a valid legal argument.

Conclusion

It pisses me off when a company starts a letter off by stating that they take their data protection obligations very seriously and then goes on to make unsubstantiated and invalid claims as to why they're entitled to send me marketing against my wishes. If Capital One were taking their data protection obligations seriously then they would either accept the ICO's assessment, apologise for misleading me and review their invalid terms and conditions, or appeal the ICO's assessment. As it is, they appear to be ignoring the ICO.

Capital One informed me that they had contacted the ICO to confirm that my section 11 request has been actioned, and the ICO wrote to me on the 17 July 2012 to clarify that they were satisfied that Capital One had now met its obligations. But I wonder whether Capital One informed the ICO that they are apparently still of the opinion that marketing related to an existing service is not direct marketing? So what, they agree to comply with my section 11 to keep the ICO happy but they intend to continue with their noncompliant ways? What about their data controller's legal obligation to process personal data fairly and in accordance with the rights of their data subjects?

For me, this is a prime example of how (many) data controllers have no intention of complying fully with the DPA. Instead they want to comply with their own modified versions of the law; one that attempts to negate the statutory rights of their data subjects in an effort to increase profits. I see this as one of the major failings of the ICO because according to Part VI, section 51(1) of the DPA98:

‘it shall be the duty of the Commissioner to promote the following of good practice by data controllers and, in particular, so to perform his functions under this Act as to promote the observance of the requirements of this Act by data controllers’.

I believe that the Information Commissioner is failing to promote the observance of the requirements of the DPA because as long as a company complies with the rights of the individual who submitted the complaint, the case is closed and the company can carry on regardless. Don't get me wrong, I'm happy that Capital One have now complied but when you consider the bigger picture, it's a huge waste of a taxpayer's resource that the case gets closed without any commitment from the data controller to review the way in which they process personal data. It's common sense: Capital One must process personal data in accordance with the law, I've spotted something that I believe to be wrong, the ICO is of the opinion that it is wrong, let's make sure that Capital One put it right and while we're at it, let's review the way in which they process personal data - in order to promote the observance of the requirements of the DPA and to minimise future complaints.

What should happen in my opinion is that once the ICO has made its assessment, unless the data controller appeals it, then the ICO should conduct a compulsory data audit with the company to ensure that the data controller fully understands his or her obligations. I would also get them to submit another notification form so that the data controller has to agree to another statement of truth - that these are our data processing purposes, that we understand that we can only process personal data in accordance with the law, and that the information provided is correct; that we're not aware of any terms or conditions that attempt to negate the law. MPs, please take note. As it stands the ICO does not have the power to conduct a compulsory data audit against a commercial organisation.

Update - 28.08.2012

In response to my further complaint, the ICO have again been in contact with Capital One and are currently awaiting a response.

See: Are data controllers 'officially' lying to us?

See: How to put a stop to all direct marketing from a company with section 11

Last updated: 28.08.2012