American Express’s £90k fine: Not the wisdom of crowds, the stupidity of group-think
According to a quick LinkedIn search, there are between several hundred and a few thousand people employed at American Express claiming expertise in compliance, risk or regulation. I know that most won’t be focused on the UK market or customer comms and marketing, but I’m sure that those that are would (virtually) fill more than a big room with considerable cleverness and costs of employment.
In which case it’s reasonable to ask why American Express has just been found guilty of sending over 4 million illegal marketing emails by the Information Commissioner’s Office and fined £90,000 for doing so?
Amex’s error was rooted in its disregard of the Privacy and Electronic Communications Regulations (PECR) rules. Specifically, it broke the – pretty fundamental – bar on sending emails with marketing messages to customers who had opted out of marketing communications. Views and interpretations of what constitutes marketing can, of course, vary widely – but (whether you, I or Amex like it or not) the ICO has a very a clear definition. Direct communications are either Service comms or Marketing comms and Marketing means any kind of promotion or marketing of goods or services.
American Express argued that it included information on offers, promotions, loyalty bonuses and its member app in its emails because “Card Members would be at a disadvantage if they were not aware of these campaigns and promotional periods” and even that the emails provided “…benefits reinforcement, rather than marketing materials”. This smacks of wishful thinking, at best. And data privacy compliance has little scope for wishful thinking. Worse, it’s evidence of group-think (the inept, incurious sibling of the wisdom of crowds).
Companies can and should look at data privacy challenges creatively, by using different perspectives or techniques – which is just what the innovators in the emerging world of privacy tech are doing. But wishful thinking and group-think just won’t cut it and will create potentially unmanageable compliance and customer experience risks.
The world’s full of organisations that are either wilfully or naively ignorant of the laws and regulations that govern marketing and customer engagement in order to maintain customers’ rights and protect their data privacy. Amex shouldn’t be one of them.
Sometimes it pays to get an independent perspective, free from wishful thinking and organisational group-think.
If you think your organisation could do with that, then drop me a line hello@channeldoctors.co.uk
154% Increase in Direct Mail. Back to the 1980s?
This week’s fascinating stat is from James Flashman & Olivia Cairns at Selectabase.
In the past year they have seen a 154% increase in new clients looking to use their direct mail services.
Is it ‘back to the 1980s’ time, then?
No. Of course not.
But – along with other posts we’ve recently shared about the success of traditional channels – it just goes to show how we all need to better manage and integrate the growing variety of digital and analogue channels available to acquire and interact with customers
What’s 46% contemptible, 45% inept and 9% clueless? The ICO’s fined felons
ICO fines increase by over 400%
The Information Commissioner’s Office (ICO) is in the midst of a flurry of activity. So far this year it has fined 11 firms for transgressions in their marketing efforts – just one fewer than the total for the whole of 2020. So, is the ICO challenging the murky practices of the adtech players, the widespread ignoring of the cookie rules or delving into marketers’ use of opaque machine learning algorithms for making offer and pricing decisions? Well, it may be, but they’re not what’s prompted the ICO’s £1.2m of fines in the space of 10 weeks.
The ICO’s time warp dance
The General Data Protection Regulation (GDPR) is approaching 3 years old, along with its legal implementation in the UK, the 2018 Data Protection Act (DPA) – but that’s not what might be causing sales, marketing and customer experience professionals sleepless nights. No, all of this year’s fines have been levied under the auspices of the aged Privacy and Electronic Communications Regulations (PECR), a set of rules which date back to 2003 – before most social media, messaging apps or smart phones.
Delving into the ICO’s lengthy Penalty Notices for each of the 11 fines throws up some interesting insight.
The first piece of insight from our analysis is, to be fair, undeniably very subjective. Looking at the companies involved, the way they set about doing business, the explanations they gave the ICO when under investigation and whether they are still in business, all allow some judgements to be made. This isn’t a scientific judgement and because I don’t want to be sued for libel, I’m not saying which specific companies fall into which category, but I’ve grouped them into three groups:
The Contemptibles
Organisations that almost certainly knew the PECR rules very well, but just decided to ignore them
The Clueless
Companies whose attempts at direct marketing were so devoid of forethought and planning that a fine (even a tokenistically small one) seems almost cruel
The Inept
The most interesting group. Companies – including ones turning over ten, even hundreds of million pounds – on this list of 11 which seem to be woefully ignorant of some real basic activities, like:
- Ensuring online checkout journeys include clear information and customer control over future email marketing contacts
- Screening outbound calling numbers against the TPS
- Completing proper due diligence when sourcing third party prospect data
- Including an opt facility on marketing text messages
Channel choices
Perhaps surprisingly – 20 years after the demise of telemarketing was first predicted – it’s live phone calls that are the most commonly used communication channel in these cases.
What do they do?
As you can see, it’s a mixed bag of businesses. The lure of trying to sell face masks without stopping to think about the regulatory requirements has added a couple of ecommerce sites to the naughty step, but the biggest group is lead generators. These are businesses that really should – and almost certainly – did know better than to cut the corners that resulted in their fines.
Covid exploitation?
The ICO was explicit from the first lockdown a year ago that it intended to target firms which were breaking the direct marketing rules in order to exploit consumers through the pandemic. To some extent it has done this, with a number of opportunistic hand sanitiser and face mask sellers having been fined. However, in its communications the ICO can (ironically enough) over-sell the extent to which some dodgy marketing practises are Covid-related. It seems to be a stretch to claim that non-compliant marketing is Covid-related just because it’s been carried out during the pandemic. But then, deep down, the ICO seems to be instinctively uncomfortable about a lot of marketing per se.
So, after a quiet 2 years since the implementation of the GDPR and new Data Protection Act the ICO has been coming down hard on firms that disregard personal data protections when acquiring and engaging with customers. It just hasn’t – thus far – been making use of the new rules to do so.
Which makes it even less forgivable when companies fall foul of the old PECR rules, which give specific guidance around how electronic and voice communication channels are used. Like all things in the world of data protection, the rules can be complex in certain situations, but the basics are pretty clear. And should be second nature to competent sales, marketing and customer experience professionals.
If it’s not, drop us a line hello@channeldoctors.co.uk. Or have a read through the ICO’s enforcement notices https://ico.org.uk/action-weve-taken/enforcement/.
And sign up to our monthly newsletter http://eepurl.com/gqxzw5
I want it now! (but I can wait)
Back in the darker days of the pandemic a soft furnishings brand was faced with having to tell customers that their orders would be delayed, by up to a month. People can get very worked up about soft furnishings at the best of times – let alone when they’re stuck at home, surrounded by unloved curtains and cushions! The brand decided to experiment with proactively contacting its customers to let them know about the delay and ask for their forbearance, rather than accepting a refund.
The results were quite spectacular, with over 87% of customers contacted by phone agreeing to retain their orders and wait a few weeks longer.
This is a compelling example of the enduring power of direct, one-to-one communications in building and reinforcing customer relationships.
Thanks to David Freedman of Confero for sharing this with me .
The EU, UK, the Deal, Adequacy, EDPB, Uncle Frank and a Stretched Analogy
So, there was a (sort of) UK-EU trade deal, after all. Reassuringly for those of us without the inclination to read the 1.246 pages of the agreement, other have done the hard work and confirmed that the economically crucial EU decision as to whether to grant the UK’s data protection rules “adequacy” status has been deferred, with another delay of up to 6 months.
So how does that work, you might wonder when we’d all been repeatedly told that 31st December was an immovable deadline? How can there be yet another extension for the data decision when we were supposed to be stood on a cliff edge?
It’s all down to (sensible) rules and bureaucracy trumping politics.
The European Commission is empowered to make a decision about the adequacy of the UK’s data protection regime, but only on the recommendation of the EDPB (European Data Protection Board) – a sort of grand committee of the various EU members’ national data protection regulators. But the EDPB takes its time and wouldn’t work through the night on Christmas week, like the main negotiating teams did.
A bit like if you were having your house extended and – in a rush to get the kitchen functioning in time for Christmas – you got some help from friends or relatives after the builder had downed tools in mid-December. Your mate who’s a plumber would be invaluable and if Uncle Frank could do the electric work that would be great. But if Frank isn’t qualified then he can’t sign off the work, so you won’t be able to safely use the lights or the electric oven until someone qualified does sign it off.
Reassuringly, data isn’t exactly like electricity and we can still safely use the ‘kitchen appliances’ for the time being.
