It’s a horrible week for news, and even if you ignore that, it’s a horrible week for Data Protection news, with charities up to their usual tricks, WHSmith and HMRC spraying their correspondents with other people’s correspondence, and in the middle of it all, the unforgivable mishandling of sensitive personal data at a sexual health clinic. Nevertheless, despite all of this, the First Tier Tribunal has delivered a little bit of good news which should gladden the heart of anyone who cares about Data Protection.
Last year, the Information Commissioner served an Enforcement Notice on Optical Express under the Privacy and Electronic Communications Regulations. Optical Express were ordered to send marketing emails and texts only to those who had directly given consent. As the appeal makes clear, Optical Express were relying on vague permissions obtained years in the past by different companies. They claimed that if a person has ever consented to marketing from anyone, anywhere, any marketing received from Optical Express was solicited and therefore lawful. This is bollocks, although somehow the Tribunal found different words to rebuff the argument. Optical Express lost, and must now appeal or start actually getting consent from real people before hawking their wares.
I’ve been waiting for the decision ever since the appeal was announced. In late Spring, I started to receive unsolicited emails from a variety of dodgy sounding companies – funeral planners, solar panel vendors, claims management companies, the usual parasites. Although my personal data is spread far and wide because I enter a lot of competitions, I’m as pedantic with T&Cs and tick boxes as you would expect me to be. The only spammer that could remotely count as a household name was Optical Express. They caught my eye (BOOM!) because of the Enforcement Notice and appeal, but also because Optical Express were the only ones to send me texts as well.
I contacted Optical Express to ask them where they had obtained my personal data from, as I have never had any dealings with them, nor have I ever consented for my data to be passed to them.
I don’t know whether Optical Express actually hold my email address because they won’t tell me and in any case, they seem to be using an affiliate marketer. The affiliate model is a marriage of convenience between a company who wants to advertise and a spammer or network of spammers with a list of email addresses. The spammers send the spam, but they’re hard to track down. The companies often don’t hold the data, and get plausible deniability when the recipient complains. Under PECR, the advertiser is still the instigator and is legally responsible, but until there is a clear ICO or court case involving affiliates, the spamming will not stop.
My own enquiries have led me to believe that Optical Express are using a Moroccan-based affiliate marketer called Youssef Zarouk, although for many months they have refused to tell me why I received their emails or who sent them, despite many emails to their customer service department and a letter to their Chief Executive. Optical Express are welcome to deny and disprove this if they finally have the good manners to answer my questions about the matter. I emailed Mr Zarouk to ask how he got my email address, after I obtained his address from an outfit called ‘Plan My Funeral’ (who are everything you might imagine them to be). He didn’t reply.
One thing Optical Express were willing to tell me is that they bought my mobile number from a company called Interactive Prospect Targeting, which is surely what a company that harvests personal data for marketing purposes would be called in a cartoon. Perhaps in recognition of how needlessly explicit their company name is, IPT is now called MyOffers, which was previously just the name of the competition website they use to hoover up personal data. Long, long ago, I used to enter competitions on MyOffers website, but I haven’t used the site for many years, and in 2013, I exercised my rights under Section 11 of the Data Protection Act to prevent IPT / MyOffers / Whatever They’re Called from processing my data for marketing purposes. This includes selling my data for marketing purposes.
I contacted MyOffers. After the traditional delay requiring me to contact them a second time which appears to be a list-broking industry standard, MyOffers informed me that I had rejoined their service in December 2014, after I allegedly filled in a survey hosted by another company called EDR, where they claim I opted in to receive calls from nPower and offers from MyOffers. MyOffers do not have any evidence of this, and could only provide me with a sample survey that I had never seen before and had not filled in. Weirdly, despite the claim that I consented to receiving marketing from nPower, they have never been in touch.
Having received the data from EDR (who are now trading as Progressive Digital Media), MyOffers sold my number to Optical Express, the Claims Advisory Group, Experian (of whom more later) and Digitonic, a text marketing company based on Scotland. Both CAG and Digitonic were very helpful when I approached them and keen to reassure me that they would neither use or sell my data on. However, they should look at the quality of data that they are buying, and who from, especially in the light of what Experian told me. Experian is inaccurately described as a credit reference agency; credit checking is only one part of its massive data capture and selling activities, which is why I sent Experian a Section 11 in 2012, and they were happy to tell me that it still stands. Experian told me that MyOffers provided my mobile number appended to a postal address that I moved out of in 2001. How this fits with MyOffers claim on its website that “MyOffers Data Rental is the UK’s leading source of fresh lifestyle data for direct marketing campaigns” is not something I can explain. Retaining and selling personal data for 14 years after it is out of date is clearly a breach of the 4th Data Protection principle, but I will leave that between MyOffers and their customers.
MyOffers did not explain to me why their purchase of my data from a third party negated my Section 11 with them. They did not contact me at the time to ask whether I wanted to withdraw the Section 11 or decide to respect it when they received my data. They simply assumed (on the basis of no evidence) that I had given my consent to a third party and they were entitled to sell my data again. The best MyOffers could offer me is that I am now on their ‘do not contact’ list, which will apparently mean that my data will be genuinely suppressed. They have, despite my asking them, not explained why I was not put on this ‘do not contact’ list in 2013. The compliance officer’s approach to due diligence and consent went no further than the claim that the company had bought 155 surveys from Progressive Digital Media, and nobody else had complained. This is the same compliance officer who signed my Section 11 response in 2013. He’s also a director of the company.
The response I received from DM&R was long but incoherent. Registration on the What’s On TV website includes a very clear section allowing users to sign up to enter competitions but opt out of any marketing either from Time Inc. itself, or from “carefully selected third parties”. It should be opt-in really, but there is no question that the registration form, and the text that appears if you sign up via an individual competition is very clear. I definitely did sign up to the What’s On TV site in 2012 to enter a competition, but not even DM&R claim that I opted in to receive marketing when I registered and when I checked, my marketing permissions are still set to nothing from anyone.
DM&R are the true source of the claim that I (or someone using my details) opted in to receive marketing from MyOffers and nPower. The problem is that I didn’t fill in any nPower survey, not least the one that MyOffers showed me. DM&R’s sole piece of evidence that I consented is an IP address which means nothing to me and doesn’t match the one my Mac currently uses. When I asked them to provide the wording that I had allegedly signed up to or real evidence that I had consented, DM&R said they needed to wait for their Data Protection officer to come back from holiday. I’m still waiting.
This is how Optical Express obtained my mobile number: through a congealed, undignified mess of agents and brokers operating with all the finesse of a dodgy garage welding together smashed up cars. When they claim to be sending solicited marketing, this is what they mean.
Type ‘list broker’ or ‘affiliate marketing’ into your search engine of choice (anyone for Ecosia?) and what you get is a swamp. Data is bought and sold from any and every source. Much of it is obtained unfairly and without consent, and then flogged to anyone willing to pay. The Data Protection Act is routinely flouted in pursuit of the bottom line. I would normally use this as an excuse to attack the Information Commissioner for not tackling the problem, but today, that is the wrong line to take. The ICO has done good work here, and the Commissioner’s statements about consent this week in relation to the scandalous case of Samuel Rae are very welcome. The only thing to say is that I would like to see more of it.