Home > News
Mind my data Click to visit the homepage
The basics
Plausible deniability
Employment agencies
Useful links
Open in a new window/tab
The Information Commissioner
Mailing Preference Service
Telephone Preference Service
Royal Mail junk mail opt-out
Register of data controllers
Analysis
My response to the ICO's tweet about policy
Are data controllers 'officially' lying to us?
Why do we need to accept a Privacy Policy?
Can I opt-out of a renewal quote under section 11 of the DPA?
Who's texting me about PPI?
Marketing corporate employees by e-mail

Are Millets failing to obtain consent?

Millets plan to send me marketing from them, from other companies within the JD Sports Fashion Group and from unknown third parties. Yet the only opt-out on their registration form is an opt-out to their Newsletter. So at what point are they obtaining my consent?

As a keen hill walker - I'm usually out on the hills at least one day over the weekend, and I decided it was time to buy some new baselayer items; as I can wear these as t-shirts in the summer. Millets were selling the Berghaus technical t-shirt for £15 - down from £25 so I ordered a few. As I was writing this article I received confirmation that they items have been despatched so that's quite a good service.

When checking out though on their website, I tried to pay by Pay Pal but it wasn't working for some reason; something to do with the delivery type being updated during the transaction. Having tried on three different occasions at different times, I gave up and decided to check out by registering and paying by credit card. The only opt-out that I saw on the registration form was an opt-out to the Millets Newsletter and it was opted in by default. I opted out and continued to the next page to enter my credit card details and there it was again... an opt-out to the Millets newsletter, opted in by default so that I had to opt-out again.

My first issue then is that, once I have withdrawn my consent, I shouldn't have to withdraw it again.

Apart from their Newsletter though, there were no other opt-outs on the registration form. However, according to Millets' privacy policyNew window , it clearly states that they will:

Also use your data for marketing purposes which may mean that you will receive marketing communications from us, other companies within the JD Sports Fashion Group or carefully selected third parties. However if you do receive marketing communications from other companies, we will endeavour to ensure that the company in question and its products will be as relevant to you as possible.

My second issue then... does this company actually understand their need to obtain consent before sending electronic marketing to individuals?

I think not! Fortunately, the ICO has published guidance that explains all about obtaining consent. According to section 53 of the ICO's direct marketing guidance:

For consent to be valid, it must be freely given – the individual must have a genuine choice over whether or not to consent to marketing. Organisations should not coerce or unduly incentivise people to consent, or penalise anyone who refuses. Consent cannot be a condition of subscribing to a service or completing a transaction.

What this means is that you cannot obtain consent by burying a consent statement in your privacy policy or terms and conditions. If you want to obtain my consent then you need to give me the ability to choose not to give that consent - before you start sending me electronic marketing. The popular way of doing this is to include tick-boxes on the web form. Furthermore, the same guidance requires data controller to identify the third parties who they are passing information to, and they should be identifying the types of marketing - by e-mail, by post etc. It's all there in the ICO's guidance.

I raised the matter of the two Newsletter tick-boxes on Twitter and Millets responded by saying:

Thank you for bringing this to our attention, I have passed it on to our web team who will look into it.

I also raised the matter of consent on Twitter and Millets responded by saying:

I can assure you that our emails are only sent out to those who opt in to receive them.

This response appears to conflict with what is stated in Millets' privacy policy. I am of the opinion therefore that whoever said this is simply going through the motions of managing any negative feedback and does not really understand what their talking about. That's fair enough but if this is the case, then I'm not convinced that individual should be giving me their assurance if they're not sure. I get this time and time again from customer service staff who will often claim - with conviction, that they can do this or do that with my data when they don't have a clue. It's just poor customer service in my opinion that highlights a desire to mislead and plicate rather than investigate and resolve.

I'll wait to hear back from Millets to see what they have to say and what they're prepared to do. Personally I think Millets should issue a one-off, non-promotional apology e-mail to seek consent to electronic marketing from all of their customers. Something like this would suffice:

Dear Customer,

We're so keen to exploit you as our data subject that we've overlooked the fact that we need to obtain your consent before sending you electronic marketing. We have now reset your marketing status and have opted you out of ALL electronic marketing with us. If you wish to opt-in to receiving electronic marketing from us, please tick the box next to the type of marketing you wish to receive:

Our Newsletter by e-mail.
E-mails from us, and other companies within the JD Sports Fashion Group.
Third party marketing by e-mail from the following companies... [Identify the companies].

Again, we apologise that we are more concerned with exploiting your personal data than complying with your rights as our data subject.

Best wishes,

Millets.

That goes for the JD Sports Group too!

I've always been adverse to registering with non-UK data controllers because I expect them to bombard me with marketing. However, what has occurred to me in recent years is that overseas data controllers are actually more likely to comply with my rights regarding electronic marketing than UK data controllers. Amazon as a rule doesn't send me electronic marketing. I signed up with Mozy back-up last year and they don't either. I've opted out of marketing with Twitter and Linked-In and they don't send me marketing. In fact the only marketing that is related to my Linked-In account is when UK data controllers (usually employment agencies) farm my information from Linked-In, create a likely e-mail address for me and contact me at work to see if I can find a job for their candidate. Article coming soon.

I'm just becoming more and more reluctant to register with UK data controllers. They're not happy with the fact that I'm making a purchase - they want to exploit my data as part of the process. It's the first time that I've placed an order with Millets and it'll be the last. I follow-up on any and all unexpected marketing anyway by submitting a Subject Access Request to the company that sent me the marketing to find out how they obtained my information. If any marketing gets traced back to Millets or JD Sports then I will be submitting complaints to the ICO.

If you're obtaining unwanted marketing from Millets or their partners then you might want to submit a complaint to the ICO. The more complaints that the ICO receives the more likely it is that they'll take action.

Added: 18.04.2014