
Confused.com fails to clarify privacy policy status

I'm just trying to determine whether Confused.com's privacy policy constitutes a standard form civil contract or not. It's proving difficult.

After obtaining a quote for car insurance in May, Confused.com started sending me electronic marketing. I wasn't happy about this because I am of the opinion that Confused had not clearly advised me that they would use my e-mail address to send me electronic marketing. In other words, I believe that they failed to obtain an "informed" indication of my consent. So I asked Confused to clarify the point at which they obtained my consent to send me electronic marketing. Confused.com replied on the 13 May as follows:

'As customers are required to indicate that they have read and agreed to our website Terms and Conditions and our Privacy Policy during the quotation process (on the first 'About You') page, you have actually agreed to be contacted for marketing purposes. I appreciate that not all customers will read the full Terms and Conditions and Privacy Policy before indicating that they have, but it is important to read these documents before entering your personal information, especially when your acceptance is required on a website. As you indicated your agreement to be contacted by us, and as we have not received any previous communication from yourself requesting to unsubscribe, I'm afraid I am unable to uphold your complaint'.

Okay, well Confused.com appear to be of the opinion that I agreed to be contacted for marketing purposes because I read and agreed to their privacy policy. I disagree for two reasons:

Reason 1: I do not accept that I agreed to their privacy policy when I ticked the box. I'll accept that I entered into a legally binding contract when I ticked the box and agreed to Confused.com's terms and conditions, but I very much doubt that Confused.com's privacy policy constitutes a standard form civil contract. And if it does, then I don't believe that they've made this clear to me. The thing is, most people know that by accepting an organisation's terms and conditions they are likely entering into a legally binding contractual relationship. But a privacy policy is meant to be an information only page so I find that misleading.

Reason 2: A data controller has an obligation to clearly advise individuals if they intend to use their information to send them electronic marketing. And as I never visited Confused.com's privacy policy page, I fail to see how they made me clearly aware that I would receive electronic marketing. All I did was tick a box - there was no consent statement associated with that box. Had the tick box stated: 'By ticking this box you agree to our terms and conditions and agree to receive electronic marketing as outlined in our privacy policy', then I wouldn't have a problem; because this consent statement clearly advises me. So even if I am contractually bound by Confused.com's privacy policy I fail to see how they've obtained my consent - because consent needs to be clearly advised and I don't believe I was.

Anyway, I told Confused.com that I never visited their privacy policy page and asked them for further clarification about my acceptance of their privacy policy. On the 20 May they said:

'I appreciate that you have advised that you did not read our website Terms and Conditions and Privacy Policy even though you ticked the box to indicate that you had read and agreed to the information provided in these documents. However, this is where we explain to customers how their data will be used after it is submitted on our website. As you indicated that you had read and agreed to our Terms and Conditions and Privacy Policy, including the 'Information about our services' section which explains what contact our customers will receive from us, I'm afraid we are unable to uphold your complaint regarding the emails you received from us after you had completed your car insurance quotation'.

Still no clarification about whether or not their privacy policy constitutes a standard form civil contract. So I contacted them again and on the 3 July Confused.com told me:

'Customers are required to tick a box to indicate that they have read and agreed to both the Terms and Conditions and Privacy Policy before they are able to proceed with their quote. If customers tick to confirm they agree to how we will use their data, they are able to click 'next' to complete the quote process and view returned prices from our panel of insurance providers. If customers do not agree to how their data will be used, they have the option to not tick the box and leave the quote process at that point, ensuring that their data is not saved in our systems and not sent on to our panel of insurance providers'.

And on the 10 July Confused.com told me:

'We require customers to tick a box to indicate that they have read and agreed to the information given in both the Terms and Conditions and Privacy Policy before they are able to proceed with their quote. If customers tick to confirm they agree to how we will use their data, they are able to click 'next' to complete the quote process and view returned prices from our panel of insurance providers. If customers do not agree to how their data will be used, they have the option to not tick the box and leave the quote process at that point, ensuring that their data is not saved in our systems and not sent on to our panel of insurance providers'.

They're not giving much away are they? Aren't data controllers supposed to be open and transparent about their data processing? Why won't they just clarify whether or not their privacy policy constitutes a standard form civil contract?

Confused.com keep telling me that I've accepted their privacy policy but unless they're able to qualify their claim with some legal framework, then I am of the opinion that their view is both unfounded and misleading - it's just their word against mine. They say I've agreed... I say I have not. They say I've agreed... I say fuck you! Tell me what legal framework you're relying on to support your view? Civil law, statutory law, regulatory law, code of practice, crossed fingers? Why are you so reluctant to tell me... I'm confused by your silence Confused.com.

In contrast, the other week I noticed that the BBC were requiring me to tick a box to accept their privacy policy on the Top Gear website so I decided to see what they had to say about it. One of the BBC's data protection people replied as follows:

'As you rightly note, the purpose of a privacy notice is to set out our data handling practices and ensure that persons providing their data to us are fully aware of the purposes for which it will be processed. It is not necessary to ‘agree’ to it in the contractual sense as consent to the processing is implied through the act of submitting the form. It is not our intention that our privacy policy constitutes a form of civil contract but we acknowledge that this particular statement is not worded well and the form in question is due to be updated with more appropriate wording'.

A superb response from the BBC.

Earlier in the year I received a coupon from Amazon.co.uk for a Free Graze box from Graze.co.uk so I decided to check Graze's privacy policy. I noticed that they had an opening statement in their privacy policy stating that individuals were 'accepting and consenting to practices described within'. So I asked them to clarify the nature of that acceptance. They consulted with legal professionals and they've now removed that opening statement. I assume that they realised that such a statement was unfounded and misleading - as I had suggested.

I've now reported Confused.com to Trading Standards and I'm going to report them to the FCA at the weekend. What about the ICO you might ask. Well, they've just blown em!

In a recent case review, the ICO were of the opinion that I am indeed bound by Confused's privacy policy. So I'm bound am I... so if a data controller has a clause in their privacy policy stating that I have to pay £500 to submit a subject access request I have to pay that do I? I don't think so! And when I questioned this response and pointed the case reviewer to the ICO's own guidance on privacy policies, I was told:

'It is the individual's responsibility to take the appropriate steps to ensure they read the terms and conditions. Whilst Confused.com cannot force the individual to read the terms and conditions; they have equipped the individual with all the information they need to know about how an individual’s data is handled. The fact that you have not read the privacy policy/ terms and conditions is a matter of choice and as such Confused.com could not be held responsible for your actions'.

This is unfounded nonsense. The ICO's job is to consistently ensure compliance of data protection laws and regulations; it's not their job to preach unfounded nonsense. What next, are they going to tell me not to drop litter, or not to walk on the grass? You don't see the Inland Revenue telling people that they need to spend their tax rebate wisely do you? I mean, c'mon WTF! My contractual relationship with a commercial organisation has fuck-all to do with the ICO - unless the organisation is attempting to negate my rights as a data subject. Indeed, every view given by the ICO to justify the actions of a data controller should be based on law or policy because if it's not, then it's just unfounded drivel that has no place in a formal response. If I wanted unfounded drivel then I could go down the pub and get it. Why am I as a tax-payer paying these chumps to tell me stuff like this?

This is the thing about the ICO though; it's so badly managed that instead of getting the view of the Information Commissioner as consistently interpreted by his staff - based on law, regulations and established policy, I often get unfounded and subjective views like the one given above. Plus, the lack of consistency is dreadful, it's likely that you'll get a different answer depending on who deals with your complaint. So I've now got to submit a complaint to the Parliamentary and Health Service Ombudsman (PHSO). I'm kind of looking forward to it though as I'm going to accuse the ICO of making a mockery of the case review process.

The Information Commissioner is partially to blame though because his privacy notice code of practice document advises data controllers to avoid making the wording of a privacy policy legalistic. What he should have done though is point out the implications of making a privacy policy legally binding - of which there are likely to be many. Perhaps this is why Confused.com don't want to admit to anything. They are going to give me a response though - I can guarantee that! I'm also confident that by this time next year they won't be relying on acceptance of their privacy policy to obtain consent. I submitted a similar complaint about Comparethemarket.com a few years ago and look at them now - a row of tick-boxes on their quote form to obtain an informed indication of consent. Superb! Well done them!

So I'm on a mission now to outlaw the ticking of a box to accept a privacy policy. I suspect that the PHSO will tear the ICO a new one when they see the response given in the case review. Once that happens I'm going to bombard the ICO with complaints about ticking a box to accept a privacy policy for as long as it takes for companies to realise that a privacy policy is for information only.

Confused.com is a trading name of Inspop.com Ltd.

Update 29/08/2013

Confused.com have now confirmed that their privacy policy is not a contractual document.

They went on to say:

However, the Privacy Policy does need to be read in conjunction with the Terms and Conditions (as set out in the 'Our agreement with you' section of the T&Cs) as the document does contain important information about our services in the context of how we will communicate with customers about our products and services. This is in accordance with what the ICO recommend we should do, and they confirmed that this approach was compliant when you recently raised your complaint with them. As we advise customers about the contact they can expect from us in our Privacy Policy, and the ICO have confirmed that this approach is compliant, we remain unable to uphold your original complaint regarding the email you received following your comparison of car insurance quotes on our website.

Now that Confused.com have admitted that I am not contractually bound by their privacy policy, why are they still asking me to agree to the terms of their privacy policy in their terms and conditions? A privacy policy does not contain terms; it contains statements of processing. This is still confusing and in light of this response, I've submitted a further complaint to Trading Standards.

According to the OFT, and the Unfair Terms in Consumer Contracts Regulations 1999, a term is unfair if:

'Contrary to the requirement of good faith it causes a significant imbalance in the parties' rights and obligations under the contract, to the detriment of consumers. 'Good faith' means that you must deal fairly and openly with consumers. Standard terms may be drafted to protect commercial needs but must also take account of the interests and rights of consumers by going no further than is necessary to protect those legitimate commercial interests'.

In my view, there is no legitimate commercial need for any company to require an individual to agree to the statements contained within their privacy policy. This is because a data controller is judged by his actions - not by what he says he's going to do in a privacy policy. A privacy policy is for information only. A privacy policy can contain bullshit processing statements that deny an individual of their rights under law but the ICO cannot act upon the wording of a privacy policy. As consumers and data subjects we should not have to accept bullshit statements of processing.

I'll give you a really good example. I've just had a quick look through the Confused.com privacy policy - that I've apparently agreed to, and noticed that they require me to follow a set procedure for submitting a subject access request. Can they require me to follow a set procedure though? No they cannot! They can ask me to follow their procedure but as a data subject I am under no obligation whatsoever to write a letter to their data controller. Nor do I have to submit the payment or ID up front; I can wait for them to request this information.

What do we have here... a bullshit statement in the Confused.com privacy policy? They cannot require me to submit a Subject Access Request by post.

It's misleading! To submit a Subject Access Request, all I need is a working e-mail address - any working e-mail address for Confused.com. With O2 earlier this week I simply found an old e-mail address for their customer services and sent my Subject Access Request to that address. As long as I can show that I sent my Subject Access Request to a valid e-mail address the ICO will conclude that I have submitted it. Indeed, the ICO has just concluded (RFA0491854) that it is unlikely that Tesco has complied with the requirements of the DPA with regard to my Subject Access Request. Tesco said that they never received my Subject Access Request but the ICO had a copy of the e-mail that I sent to Tesco and they can see the valid e-mail address. I'll add this as an article over the weekend. With O2, they wrote back to me and asked me to follow their procedure so I've submitted a complaint to the ICO. This information can be found in the ICO's online guidance.

If it's information only then, although it's still misleading, it's information only! But according to Confused.com's terms and conditions, I've agreed to the terms of their privacy policy so I've apparently agreed to write a letter when submitting a Subject Access Request. This is a prime example of why no data subject should agree to or accept a privacy policy - because these smug bastards don't seem to understand the rights of their data subjects. Why doesn't Confused.com's Compliance Team know the rules about submitting a Subject Access Request? Or is it that they do know but they just want to abuse the rights of their data subjects?

Confused.com also referenced the ICO's recent debacle in their latest response. See what I'm up against! I have numerous past assessments indicating that a data controller cannot obtain consent by burying a consent statement within their terms/privacy policy. However, because some clownshoes at the ICO gave me a totally unfounded view - that I am bound by Confused.com's privacy policy, and refused to explain the contradiction with the past assessments, I'm the one that now has to prove them wrong. The level of incompetence at the ICO is staggering and my complaint to the PHSO will hopefully make this clear.

Next steps - I need to draft my complaint to the PHSO. I've already submitted another complaint to Trading Standards and I'm going to contact the BBC to see if they're interested in this story as it's likely to affect us all. Confused.com will change their ways. Now that they've admitted that it's not contractual it's only a matter of time now before they remove any agreement of their privacy policy.

Update 30/08/2013

I've just submitted a Subject Access Request by e-mail. The way I see it, if I've agreed to their privacy policy and their privacy policy states that I need to submit my Subject Access Request by post, then they should refuse to comply with a request submitted by e-mail. If they wanted to comply with a request submitted by e-mail then they would have made this clear in their privacy policy - right? Let's see if they practice what they preach - will they refuse to comply with my e-mail Subject Access Request because I apparently agreed to submit it by post? :)

I blame the ICO. Their lack of policy and a lack of understanding by their staff allows data controllers to dick around with our rights as data subjects.

Update 01/09/2013

I've asked Confused.com to clarify what process they use to obtain agreement from their data subjects to any future changes to their privacy policy. Their privacy policy was last updated in March 2013 so did their data subjects as of Feb 2013 agree to the March changes or have they still agreed to the previous version of their privacy policy? If so, where is that previous version? If not, does this mean that Confused are processing data differently depending on when they obtained their customers' information? What about the quick quote feature for previous customers... what version of the privacy policy are they agreeing to?

I've also sought clarification on why Confused.com have a reference to English law in their privacy policy and state that 'these terms of trading are subject to English law'? Wouldn't this be an indication that their privacy policy constitutes a standard form civil contract? They've told me that it's not contractual but it looks like it is. I'll wait to hear back from them before submitting a further complaint to Trading Standards.

I also made Confused.com aware a few weeks ago that they are referring to the FSA on their website when the FSA no longer exists - it's now the FCA. They thanked me for making them aware but they continue to display the misleading information.

Update 04/09/2013

Confused.com's Compliance Team has agreed to accept my Subject Access Request by e-mail. They said:

'We are happy to accept your Subject Access Request by email as the requirement is only that the request should be in writing'.

Hang on, but according to their privacy policy that I've apparently agreed to I have to submit it by post. If I can submit it by e-mail then why do they only give me a postal address to write to? It's an excellent demonstration as to why a privacy policy needs to be for information only.

Update 01/03/2014

I've submitted a complaint to the Financial Ombudsman as follows:

1. A reference to English law on their privacy policy page. Why do they have a reference to English law on their privacy policy page when they confirmed (after many attempts) that I am not contractually bound by their privacy policy? If this is the case, then what purpose is served by having a reference to English law, other than to mislead? This might be a breach of ICOBS.

2. They failed to clarify whether they operate as an Insurance Business. A company cannot obtain explicit consent on behalf of others unless it qualifies for exemption. To qualify for that exemption a data controller must be operating as an insurance business - as defined at section 95 of the Insurance Companies Act 1982. Confused failed to clarify whether it was operating its comparison business as an insurance business. Again, the fact that they failed to clarify might be a breach of ICOBS because there's nothing commercially sensitive so why refuse to clarify?

I'm also putting the finishing touches to my complaint to the PHSO. I'm going to submit it as a single complaint that the ICO's Case Review process is seriously flawed. That complaint will be supported by the nine Case Reviews that I have trashed, including the one for Confused.com. I'll write up the other nine once the matter has concluded.

The fact remains that Confused.com cannot obtain my consent to send me electronic marketing by making it a condition of their service - they must give me choice. They can say and do what they want but they are going to use an acceptable method for obtaining consent.

Also see: Why do we need to accept a privacy policy

Added: 04.08.2013. Last updated: 01.03.2014