What’s 46% contemptible, 45% inept and 9% clueless? The ICO’s fined felons
ICO fines increase by over 400%
The Information Commissioner’s Office (ICO) is in the midst of a flurry of activity. So far this year it has fined 11 firms for transgressions in their marketing efforts – just one fewer than the total for the whole of 2020. So, is the ICO challenging the murky practices of the adtech players, the widespread ignoring of the cookie rules or delving into marketers’ use of opaque machine learning algorithms for making offer and pricing decisions? Well, it may be, but they’re not what’s prompted the ICO’s £1.2m of fines in the space of 10 weeks.
The ICO’s time warp dance
The General Data Protection Regulation (GDPR) is approaching 3 years old, along with its legal implementation in the UK, the 2018 Data Protection Act (DPA) – but that’s not what might be causing sales, marketing and customer experience professionals sleepless nights. No, all of this year’s fines have been levied under the auspices of the aged Privacy and Electronic Communications Regulations (PECR), a set of rules which date back to 2003 – before most social media, messaging apps or smart phones.
Delving into the ICO’s lengthy Penalty Notices for each of the 11 fines throws up some interesting insight.
The first piece of insight from our analysis is, to be fair, undeniably very subjective. Looking at the companies involved, the way they set about doing business, the explanations they gave the ICO when under investigation and whether they are still in business, all allow some judgements to be made. This isn’t a scientific judgement and because I don’t want to be sued for libel, I’m not saying which specific companies fall into which category, but I’ve grouped them into three groups:
Organisations that almost certainly knew the PECR rules very well, but just decided to ignore them
Companies whose attempts at direct marketing were so devoid of forethought and planning that a fine (even a tokenistically small one) seems almost cruel
The most interesting group. Companies – including ones turning over ten, even hundreds of million pounds – on this list of 11 which seem to be woefully ignorant of some real basic activities, like:
- Ensuring online checkout journeys include clear information and customer control over future email marketing contacts
- Screening outbound calling numbers against the TPS
- Completing proper due diligence when sourcing third party prospect data
- Including an opt facility on marketing text messages
Perhaps surprisingly – 20 years after the demise of telemarketing was first predicted – it’s live phone calls that are the most commonly used communication channel in these cases.
What do they do?
As you can see, it’s a mixed bag of businesses. The lure of trying to sell face masks without stopping to think about the regulatory requirements has added a couple of ecommerce sites to the naughty step, but the biggest group is lead generators. These are businesses that really should – and almost certainly – did know better than to cut the corners that resulted in their fines.
The ICO was explicit from the first lockdown a year ago that it intended to target firms which were breaking the direct marketing rules in order to exploit consumers through the pandemic. To some extent it has done this, with a number of opportunistic hand sanitiser and face mask sellers having been fined. However, in its communications the ICO can (ironically enough) over-sell the extent to which some dodgy marketing practises are Covid-related. It seems to be a stretch to claim that non-compliant marketing is Covid-related just because it’s been carried out during the pandemic. But then, deep down, the ICO seems to be instinctively uncomfortable about a lot of marketing per se.
So, after a quiet 2 years since the implementation of the GDPR and new Data Protection Act the ICO has been coming down hard on firms that disregard personal data protections when acquiring and engaging with customers. It just hasn’t – thus far – been making use of the new rules to do so.
Which makes it even less forgivable when companies fall foul of the old PECR rules, which give specific guidance around how electronic and voice communication channels are used. Like all things in the world of data protection, the rules can be complex in certain situations, but the basics are pretty clear. And should be second nature to competent sales, marketing and customer experience professionals.
And sign up to our monthly newsletter http://eepurl.com/gqxzw5