Home > News
Mind my data Click to visit the homepage

Dennis Publishing - a law unto themselves

Digital publisher Dennis Publishing, claims to have over a million customers who have agreed to receive indirect electronic marketing from third party companies. It's highly unlikely that the Information Commissioner would agree with this boast.

I'm really disappointed with Dennis Publishing. In 2007 when the ICO concluded that they were failing to obtain my consent for electronic marketing, Dennis asked me not to take the matter to court (see point 5 below) because they were working with external consultants to improve the way in which they processed personal data. Yet I recently did a review of their websites and for me, there are still glaringly obvious failures. I've contacted a number of Dennis Publishing employees about this on three separate occasions to discuss the matter but they've ignored me. I received an out of office for one of them too which suggests that she must have been receiving my e-mails so I've decided to list the issues here. Furthermore, Dennis Publishing were given the opportunity to review this article and correct any inaccuracies before publishing but they didn't respond. They're clearly not interested in discussing the matter with me.

Dennis Publishing UK Ltd, publish a number of popular paper and online magazines: PC Pro, Computer Active, and Men's Fitness to name but a few. I've done a review of their processing and I have the following issues:

1. They use mini registration forms without authenticating the e-mail address

Dennis Publishing make use of mini-registration forms on their websites to allow individuals to sign-up to their newsletters. The problem with these mini-registration forms is that only a small amount of generic information is collected and as such, it's really easy for anyone to fill out one of these forms by entering someone else's information - either maliciously or for a laugh. And there lies the problem. If those forms are used to sign an individual up to electronic marketing, and if Dennis Publishing cannot demonstrate that the person who entered the e-mail address into the form is the owner of that e-mail address, then at what do they obtain consent from the owner of the e-mail address?

For example, if someone else signed-me up to one of their magazine e-mail newsletters, then at what point would Dennis Publishing have obtained my consent to target me with electronic marketing? If I didn't fill out that form then I fail to see how they can possibly have obtained my consent. Furthermore, if someone else is able to register my information on the Dennis Publishing systems, there's a possibility that they may enter that information incorrectly. And of course, the failure to keep information accurate and up to date is a contravention of the fourth data principle. And, let's not forget that any contractual agreement that Dennis Publishing claim to have with an individual who apparently filled out the form will be unreliable if they cannot reasonably demonstrate that the person who filled out the form is the same person that the information relates to.

What they should be doing with these mini registration forms in my view, is using a process of e-mail validation. We've all seen and done it: you register and you receive an e-mail (non-promotional) thanking you for registering and asking you to click the link to finalise the registration process. If you don't click the link you don't activate the registration and you don't give your consent. But if it was you who entered the information then you click the link to validate your registration and everyone's happy. It's easy enough to implement so why don't Dennis Publishing implement an e-mail validation process for their mini registration forms to ensure that they're obtaining consent?

2. At what point do they need to give us the opportunity to refuse consent?

Assuming that I were to sign-up to one of their magazines - I tested the Computer Shopper registration process, the electronic marketing consent statement used by Dennis Publishing states the following:

Your personal information will be used as set out in our Privacy Notice. Submitting your details indicates your consent, until you choose otherwise, that we and our partners may contact you about products and services that will be of relevance to you via, direct mail, phone, e-mail and SMS. You can opt-out at ANY time via the web or email. 

Yet, according to section 53 of the Commissioner's Direct Marketing Code Of Practice, consent for electronic marketing is only valid if it is:

freely given – the individual must have a genuine choice over whether or not to consent to marketing. Organisations should not coerce or unduly incentivise people to consent, or penalise anyone who refuses. Consent cannot be a condition of subscribing to a service or completing a transaction.

specific – in the context of direct marketing, consent must be specific to the type of marketing communication in question (eg automated call or text message) and the organisation sending it. This is discussed further below.

informed – the person must understand what they are consenting to. Organisations must make sure they clearly and prominently explain exactly what the person is agreeing to, if this is not obvious. Including information in a dense privacy policy or hidden in ‘small print’ which is hard to find, difficult to understand, or rarely read will not be enough to establish informed consent.

an indication signifying agreement – consent must be a positive expression of choice. It does not necessarily have to be a proactive declaration of consent – for example, consent might sometimes be given by submitting an online form, if there was a clear and prominent statement that this would be taken as agreement and there was the option to opt out. But organisations cannot assume consent from a failure to opt out unless this is part of a positive step such as signing up to a service or completing a transaction. For example, they cannot assume consent from non-response to an email, as this would not be a positive indication of agreement.


The Commissioner appears to be of the view then that a consent statement on its own is not enough to obtain consent for electronic marketing; the individual has to be given a choice not to give their consent. In other words, according to the Commissioner's guidance, a consent statement might say: 'By submitting this form you consent to receive electronic marketing. Tick this box if you do not wish to receive this marketing'.

'consent might sometimes be given by submitting an online form, if there was a clear and prominent statement that this would be taken as agreement and there was the option to opt out'.

But I didn't see an opt-out mechanism - a tick box for example, on the Computer Shopper registration form where I could refuse to give my consent so I'm not convinced that Dennis Publishing actually obtain consent. Fair enough, they make it clear that we can withdraw our consent at a later time ('until you choose otherwise') by unsubscribing for example, but if they don't give us the option not to give our consent in the first place then one could argue that they're obtaining consent by default - as a condition of subscribing to their service.

Even if Dennis were relying on the soft-opt in to obtain consent, regulation 22 of the PECR still requires them to satisfy all three rules and one of those rules is that the data subject be given a simple mechanism to refuse consent at the point our information is captured. Again, it's all about being given a choice at the point of collecting our information.

Despite the fact that Dennis assured me in 2007 that they were working with consultants to put things right, the Commissioner would likely conclude that they're failing to obtain consent - as they did in 2007.

3. They're failing to identify the partners who will inherit your indirect consent

Assuming that I were to sign-up to one of their magazines, the electronic marketing consent statement used by Dennis Publishing is as follows:

Your personal information will be used as set out in our Privacy Notice. Submitting your details indicates your consent, until you choose otherwise, that we and our partners may contact you about products and services that will be of relevance to you via, direct mail, phone, e-mail and SMS. You can opt-out at ANY time via the web or email. 

However, according to the Commissioner's direct marketing code of practice, indirect consent - consent to receive electronic marketing from third party companies, is only valid if those third party companies or group of companies has been specifically named. For example, if Tesco were a Dennis Publishing partner, then according to the Commissioner, their consent statement should read something like this:

Your personal information will be used as set out in our Privacy Notice. Submitting your details indicates your consent, until you choose otherwise, that we and our partner Tesco may contact you about products and services that will be of relevance to you via, direct mail, phone, e-mail and SMS. You can opt-out at ANY time via the web or email. 

What I'm saying is... the Commissioner expects data controllers to identify the specific company, companies (Virgin Group for example), or the type of companies (marketing from financial services companies for example) in the consent statement. By stating "our partners" in their consent statement it's likely that the Commissioner would conclude that they're failing to obtain consent for indirect electronic marketing - because the individual has no idea what kind of electronic marketing they're going to receive or who they're going to receive it from.

This is outlined at section 76-79 of the Commissioner's Direct Marketing Code Of Practice, as follows:

76. Although there is a well-established trade in third party opt-in lists for traditional forms of marketing, organisations need to be aware that indirect consent might not be enough for texts, emails or automated calls. This is because the rules on electronic marketing are stricter, to reflect the more intrusive nature of electronic messages. PECR specifically requires that the customer has notified the sender that they consent to messages from them: see the definition of consent above. On a strict interpretation, indirect consent would not meet this test – as the customer did not directly notify the sender, they notified someone else. Therefore it is best practice for an organisation to only send marketing texts and emails, or make automated calls to individuals, if it obtained consent directly from that person.

77. However, we do accept that indirect consent might be valid in some circumstances, if it is clear and specific enough. In essence, the customer must have anticipated that their details would be passed to the organisation in question, and that they were consenting to messages from that organisation. This will depend on what exactly they were told when consent was obtained.

78. Clearly, organisations cannot infer consent just because consent was given to a similar organisation, or an organisation in the same group. It must have extended to the organisation actually sending the message as well.

79. Indirect consent may therefore be valid if that organisation was specifically named, or if the consent described a specific category of organisations and it clearly falls within that description. But if the consent was more general – eg to marketing ‘from selected third parties’ – it will be very difficult to demonstrate valid consent to a call, text or email if someone complains.


Although not statutorily mandated; this code of practice does reflect the view of the Commissioner and would likely be used by case officers when conducting an assessment or responding to a complaint from the public; providing that you get a case officer who knows what they're doing. A data controller can always contest this view of course and I'd like to see more data controllers contesting the ICO's view. Remember, it's likely that a failure to comply with the PECR will also have an impact on a data controller's need to process personal data fairly in accordance with the DPA.

Based on the Commissioner's code of practice then, it seems that the trade in indirect consent mailing lists for electronic marketing has been well and truly curbed - and not before time.

It's probably the best thing that the ICO has done in the past five years. Anyone who receives unexpected electronic marketing from a genuine UK company should submit a subject access request to find out how they obtained your information. I do it without fail and hardly ever have to pay the fee. It appears though that Dennis Publishing couldn't care less about the Commissioner's guidance because they're clearly ignoring the need to specifically identify the third party or the type of marketing. We can see this on the Dennis Publishing website under the page heading of Email marketing:

Dennis Publishing

I fail to see how Dennis Publishing can make this claim bearing in mind that the Commissioner requires data controllers to specifically name the company, group or type of marketing when seeking indirect consent. And of course, the same rules apply for indirect consent in that it cannot be obtained by subscribing to a service - individuals must be given a choice not to give their consent. According to the Commissioner.

4. They require me to agree to their privacy policy

Assuming that I were to sign-up to one of their magazines, the electronic marketing consent statement used by Dennis Publishing concludes with the following:

.

This is one of my biggest peeves.

A privacy policy is one way in which a data controller can satisfy their need to process personal data fairly. There are other methods though, they don't have to have a privacy policy. The thing is, it's their obligation as a data controller to make us aware who they are and how they intend to process our personal data - it's got nothing to do with us as data subjects. As long as they provide a mechanism for making us aware then they've fulfilled their obligation.

There is no requirement whatsoever for a data subject to visit, read, view, accept, understand, or agree to a privacy policy.

Unless of course Dennis Publishing are of the opinion that their privacy policy constitutes a standard form civil contract. If this is the case then I'd be willing to challenge that in court or with the OFT. It's ironic that they require us to tick a box to state that we understand their privacy policy when the people who actually need to understand are the people that work for Dennis Publishing.

In my view, the only reason why data controllers ask us to agree to their privacy policy is so that they can mislead us about their processing. In other words, it gives rise to the situation where a customer services person might say that you're obliged to receive marketing because you ticked the box to state that you understood their privacy policy when you registered. This is what Confused.com did but they soon backed down when I asked them to confirm whether I was contractually bound by their privacy policy. It's utter bollocks! If anyone tells you that you are obligated because you've accepted or agreed to their privacy policy, submit a complaint to the ICO.

The fact that the ICO don't state anything about this in their privacy notice code of practice is a serious oversight in my opinion. They need to prosecute a few companies so that we can nip this in the bud.

5. What Dennis Publishing said in 2007

Finally, here's a transcript of the letter than Dennis Publishing sent me in 2007 when I was threatening legal action.

I am writing in response to your email of 14th July 2007.

Update of our Internal Compliance Review
Following correspondence from the ICO in November 2006 we take note of their requirement to ‘review our web data capture and assess whether opt in / opt outs are confusing for our customers’. The ICO has suggested simplifying our data capture forms which are now nearing completion. Despite the fact that in their November 2006 letter the ICO states they ‘do not intend to pursue the matter further’, internally we take the matter more seriously and have commissioned legal advice on both the Privacy and Electronic Communications Regulations (PECR) 2003 and the Data Protection Act (DPA) 1998.

As a result of our internal investigation we are proposing to change all our web based data capture to ensure that the data subject provides a positive signifying action to indicate that, for the time being, they consent to receive direct marketing via ‘electronic mail’ from Dennis Publishing Ltd. Please see appendix A.

In recognition of the fact that many data subjects will be providing their information simply for access to web content (and arguably not entering into a sale or negotiation for sale of a product or service) we will not be relying on the soft opt-in remedy available in PECR 2003. Instead we will seek to obtain a ‘hard opt-in’ via the combined action of the data subject reading and acknowledging the information provided in our privacy policy; ensuring that any data subject who clicks the submit button to transmit their personal data will be indicating to us that they consent, for the time being, to receive direct marketing from Dennis Publishing Ltd..

Having gained consent, we recognise that the data subject should always be afforded the right not to have their personal data used for the purpose of direct marketing i.e. to change their mind. To this end we will ensure that our current member profile page remains as a simple means by which all data subjects can exercise their section 11 rights (DPA 1998) to opt-out of direct marketing. Access to this profile page is made readily available in the very first ‘welcome’ e-mail we send to all data subjects.. Please see appendix B.

Timeframe
We recognise reaching this point  has taken longer than it should have and are mindful that the ICO may in future enforce us to make these changes. As this is of no benefit we intend to make these changes by 31st October 2007. This will allow us time to integrate these changes in to our wider data strategy which includes bringing together a number of disparate data pools. As you will no doubt be aware achieving the single view of a customer will greatly improve our ability to comply with information law and privacy requirements.

With regard to your desire to take this matter to court, we would like to dissuade you for a number of reasons. We do take the matter seriously and are investing time and resources to make the changes outlined above. Having to attend court will only extend the time it takes us to make the changes you have suggested which would be in neither party’s interest. Can we suggest to you that if you feel our proposed actions and timescales do not satisfy your requirements, you contact the ICO who alone have the power in the UK to enforce compliance with both DPA and PECR. We will comply fully with any enforcement action issued by the ICO.

We trust this demonstrates our steps to comply with the law and, as you state, ‘get it sorted’.

Regards

[Name withheld]
Direct Marketing Manager


Bearing in mind that Dennis Publishing have been advised about their obligations by the ICO in the past, wouldn't you expect this organisation to have a Compliance Officer to ensure that they're doing things right? Many well known companies do make mistakes but some just make a mockery of the rights afforded us by the DPA and the PECR.

Conclusion.

If Dennis Publishing operated in accordance with the Commissioner's guidance then here's how I see it working.

In the consent statement they should make it clear that Dennis Publishing would like to send us electronic marketing and they should also name any third party company, group or type of marketing . They would need to give us genuine choice over whether or not to consent to marketing too! A tick box to opt-out is the obvious choice. Furthermore, it would appear that Dennis will need to a new consent-based mailing list because the current million plus mailing list is likely to be unreliable for electronic marketing.

I've since contacted the ICO about this and gave them a link to this article. They responded as follows

In your email you explain that you have discovered that Dennis Publishing are failing to give individuals a choice not to give consent to certain processing. Furthermore, you state that the publisher are failing to obtain indirect consent from individuals because they’re not specifying those third party companies or group of companies that will provide the marketing.

I confirm that I have passed the contents of your correspondence to our Intelligence Hub who have noted the information that you have provided.  Any decisions as to whether to take formal regulatory action against an organisation are based on our agreed strategy.

In addition, we will consider any complaints received from individuals who believe that they have been directly affected by an organisation's processing of their personal data.  Such complaints are handled on a case by case basis but if there is sufficient evidence to suggest that an organisation is repeatedly ignoring its obligations under the DPA, the matter will be referred to our Enforcement Department for further consideration.

Under the DPA, those who collect and use personal information have to follow rules of good practice for handling information (called the data protection principles).


I've not heard back from the ICO since but I have had a look at their regulatory action policy and I expect the ICO to order Dennis Publishing to adopt the view of the Commissioner - as given in his published guidance, or to give them the opportunity to challenge the Commissioner's view in court. However, if I don't hear back from the ICO then I'll give it a month or so and start subscribing and submitting complaints.

Personally I think the ICO should prosecute Dennis Publishing because of the scale of the abuse and their failure to keep up to date with the views held by the Information Commissioner.

The solicitors Bond Dickinson have summarised the Commissioner's direct marketing code of practice in an easy to read fact sheetNew window.

Update: 12.02.2015

The ICO have informed me that they will not be taking any action. So the next time that you see the ICO's Simon Entwisle, Deputy Chief Executive Officer, on TV telling us that he's trying really hard to put a stop to unwanted direct marketing and blaming us for failing to tick the boxes to opt-out, then bear this article in mind. I'll have to sort this myself.

Added: 22.11.2014 | Updated: 12.02.2015