Home > News
Mind my data Click to visit the homepage
The basics
Plausible deniability
Employment agencies
Useful links
Open in a new window/tab
The Information Commissioner
Mailing Preference Service
Telephone Preference Service
Royal Mail junk mail opt-out
Register of data controllers
Analysis
My response to the ICO's tweet about policy
Are data controllers 'officially' lying to us?
Why do we need to accept a Privacy Policy?
Can I opt-out of a renewal quote under section 11 of the DPA?
Who's texting me about PPI?
Marketing corporate employees by e-mail

Can I have a Nectar Card without all the marketing?

I was in the process of registering for a Nectar card but decided to stop half way through because I wasn't happy with their privacy notice

I usually shop at Tesco but since Sainsburys opened a store near to me last year I'm finding myself shopping there more often; particularly as I virtually walk past the store on my way home from work each day. I decided that I may was well register for a Nectar card.

I'm not a big fan of these reward points cards because they are often designed in such a way that makes it almost impossible to separate the reward points from the associated marketing. What if I just want to collect the reward points without all the marketing and special offers that goes with it - can I just collect the points? I should be able to because as a data subject I have a statutory right to opt-out of all direct marketing with an organisation - under section 11 of the DPA.

I started filling out the Nectar Card online form but when I reached the privacy policyLightbox window section of the registration process (I've not seen this done before) I paused for thought and then cancelled the registration. What I'm not happy about is the line stating

'you agree to receive these communications in order to enjoy the benefits of participating with Nectar'.

Nectar cannot make me receive direct marketing as a condition of doing business with them because I have a statutory right not to receive direct marketing from them if I so choose. So when I see comments like this shoved in my face it gives me the impression that Nectar think that they can negate my statutory rights with their civil law terms and conditions and that pisses me off. What they should be saying is that they intend to send me marketing for as long as I allow them to.

So I'll be registering with Nectar at some point this year and we'll see what happens. I'll wait first to hear back from the Parliamentary Ombudsman about Tesco's Clubcard.

For further information about Tesco's Clubcard see appalling inconsistences at the ICO. Basically the ICO said that Tesco can send me marketing with my Clubcard because I accepted their terms and conditions. But this is inconsistent with many previous assessments where the ICO were clearly of the opinion that a data controller cannot negate my section 11 rights with their terms and conditions. And further supported by the ICO's response to an FOI enquiry where they confirmed that an organisation cannot negate my DPA rights with their terms and conditions. So I'm confident that the Parliamentary Ombudsman will overrule the assessment and subsequent case review. Oh, and in response the the FOI enquiry the ICO confirmed that they do not have a policy on what impact - if any, civil law has on the DPA. And we wonder why they are so inconsistent.

Conclusion

As far as I'm concerned, based on information provided by the ICO in response to numerous enquiries and assessments, an organisation cannot negate my right not to receive direct marketing from them with their civil law terms and conditions. With this in mind, any business model that requires me to receive marketing by default - without being able to opt-out, is unlikely to be compatible with the DPA. And the thing is, a data controller has an obligation to inform the ICO of any changes to the way they process personal data. So when an organisation agrees to process personal data for the data processing purpose of Advertising, Marketing and Public Relations - they agree to process the data in accordance with the law; which will require them to be fully compliant with section 11. If they have strict terms and conditions that attempt to negate these obligations then they should inform the ICO that they do not wish to comply with section 11. And what will the ICO say... you must process personal data in accordance with the rights of the data subject.

Update 6 Mar 2013

I received a response from Nectar via Twitter. I asked:

Please will you clarify that you support my right to have a Nectar Card without the associated direct marketing?

Nectar replied:

'All collectors automatically receive mailings when registering their card… This is only from Nectar & its partners'.

This does not really answer my question though. I accept that I am opted in to direct marketing when I register but I wish to opt-out of ALL direct marketing from Nectar - which is a right granted to me by section 11 of the DPA. I've therefore asked Nectar to answer the following question:

If I register for a Nectar Card and opt out of all direct marketing under section 11 of the DPA, will I be able to use the card without receiving the marketing. Or are you telling me that I MUST accept the marketing if I wish to use the card?

The impression that I get from reading their privacy notice, particularly the bit in bold, is that I must accept the marketing if I wish to collect Nectar points.

Nectar replied:

'If you register online you can call us on 0844 811 0 811 and we'll opt you out of mailings'.

So I'm happy. I'll register this week and opt-out with a section 11 request as I prefer to have something in writing. Then after a month or so I will expect all electronic marketing to stop and after three months all postal marketing should have stopped. I just want to use the card to collect points to save some money; I'm not interested in anything else.

Well done Nectar! Although you might want to review that bold text on your privacy policy as there's no need for it; you've already obtained consent with a clear notice on the first page of the registration form. At the end of the day, you process personal data because the data subject allows you to do so and this should be reflected in your privacy policy. The ICO has guidance on good practice for privacy notices on their website.

See Appalling inconsistences at the ICO

Added: 04.03.2012