Contemptible, Clueless or Inept?
ICO fines increase by over 400%
The Information Commissioner’s Office (ICO) is in the midst of a flurry of activity. So far this year it has fined 11 firms for transgressions in their marketing efforts – just one fewer than the total for the whole of 2020. So, is the ICO challenging the murky practices of the adtech players, the widespread ignoring of the cookie rules or delving into marketers’ use of opaque machine learning algorithms for making offer and pricing decisions? Well, it may be, but they’re not what’s prompted the ICO’s £1.2m of fines in the space of 10 weeks.
The ICO’s time warp dance
The General Data Protection Regulation (GDPR) is approaching 3 years old, along with its legal implementation in the UK, the 2018 Data Protection Act (DPA) – but that’s not what might be causing sales, marketing and customer experience professionals sleepless nights. No, all of this year’s fines have been levied under the auspices of the aged Privacy and Electronic Communications Regulations (PECR), a set of rules which date back to 2003 – before most social media, messaging apps or smart phones.
Delving into the ICO’s lengthy Penalty Notices for each of the 11 fines throws up some interesting insight.
The first piece of insight from our analysis is, to be fair, undeniably very subjective. Looking at the companies involved, the way they set about doing business, the explanations they gave the ICO when under investigation and whether they are still in business, all allow some judgements to be made. This isn’t a scientific judgement and because I don’t want to be sued for libel, I’m not saying which specific companies fall into which category, but I’ve grouped them into three groups:
- Organisations that almost certainly knew the PECR rules very well, but just decided to ignore them
- Companies whose attempts at direct marketing were so devoid of forethought and planning that a fine (even a tokenistically small one) seems almost cruel
- The most interesting group. Companies – including ones turning over tens, even hundreds, of millions of pounds – on this list of 11 which seem to be woefully ignorant of some really basic activities, like:
  - Ensuring online checkout journeys include clear information and customer control over future email marketing contacts
  - Screening outbound calling numbers against the TPS
  - Completing proper due diligence when sourcing third party prospect data
  - Including an opt-out facility on marketing text messages
Perhaps surprisingly – 20 years after the demise of telemarketing was first predicted – it’s live phone calls that are the most commonly used communication channel in these cases.
What do they do?
As you can see, it’s a mixed bag of businesses. The lure of trying to sell face masks without stopping to think about the regulatory requirements has added a couple of ecommerce sites to the naughty step, but the biggest group is lead generators. These are businesses that really should – and almost certainly did – know better than to cut the corners that resulted in their fines.
The ICO was explicit from the first lockdown a year ago that it intended to target firms which were breaking the direct marketing rules in order to exploit consumers through the pandemic. To some extent it has done this, with a number of opportunistic hand sanitiser and face mask sellers having been fined. However, in its communications the ICO can (ironically enough) over-sell the extent to which some dodgy marketing practices are Covid-related. It seems to be a stretch to claim that non-compliant marketing is Covid-related just because it’s been carried out during the pandemic. But then, deep down, the ICO seems to be instinctively uncomfortable about a lot of marketing per se.
So, after a quiet 2 years since the implementation of the GDPR and new Data Protection Act the ICO has been coming down hard on firms that disregard personal data protections when acquiring and engaging with customers. It just hasn’t – thus far – been making use of the new rules to do so.
Which makes it even less forgivable when companies fall foul of the old PECR rules, which give specific guidance around how electronic and voice communication channels are used. Like all things in the world of data protection, the rules can be complex in certain situations, but the basics are pretty clear. And should be second nature to competent sales, marketing and customer experience professionals.
Back in the darker days of the pandemic a soft furnishings brand was faced with having to tell customers that their orders would be delayed, by up to a month. People can get very worked up about soft furnishings at the best of times – let alone when they’re stuck at home, surrounded by unloved curtains and cushions! The brand decided to experiment with proactively contacting its customers to let them know about the delay and ask for their forbearance, rather than accepting a refund.
The results were quite spectacular, with over 87% of customers contacted by phone agreeing to retain their orders and wait a few weeks longer.
This is a compelling example of the enduring power of direct, one-to-one communications in building and reinforcing customer relationships.
Thanks to David Freedman of Confero for sharing this with me.
The Great Wilmslow Chocolate Heist & other stories
The one last resolution you can stick to
So, there was a (sort of) UK-EU trade deal, after all. Reassuringly for those of us without the inclination to read the 1,246 pages of the agreement, others have done the hard work and confirmed that the economically crucial EU decision as to whether to grant the UK’s data protection rules “adequacy” status has been deferred, with another delay of up to 6 months.
So how does that work, you might wonder when we’d all been repeatedly told that 31st December was an immovable deadline? How can there be yet another extension for the data decision when we were supposed to be stood on a cliff edge?
It’s all down to (sensible) rules and bureaucracy trumping politics.
The European Commission is empowered to make a decision about the adequacy of the UK’s data protection regime, but only on the recommendation of the EDPB (European Data Protection Board) – a sort of grand committee of the various EU members’ national data protection regulators. But the EDPB takes its time and wouldn’t work through the night on Christmas week, like the main negotiating teams did.
A bit like if you were having your house extended and – in a rush to get the kitchen functioning in time for Christmas – you got some help from friends or relatives after the builder had downed tools in mid-December. Your mate who’s a plumber would be invaluable and if Uncle Frank could do the electric work that would be great. But if Frank isn’t qualified then he can’t sign off the work, so you won’t be able to safely use the lights or the electric oven until someone qualified does sign it off.
Reassuringly, data isn’t exactly like electricity and we can still safely use the ‘kitchen appliances’ for the time being.
Good thing too!
The Quality Street’s all gone. So read this!
Only 2 shopping days till Covid Christmas – and maybe 8 days to get the lawyers in before 2021…
Chatbots are experiencing a rapid growth in take up and adoption. From acting as a simple but effective triage for initial contact handling through to demonstrating real machine learning capabilities, bots are starting to make life easier for consumers and brands alike.
But what about a chatbot that results in a big brand breaking data protection rules and getting a £1.25m fine from the Information Commissioner’s Office (ICO)?
Well, that’s not quite the story, but it seems to be what Ticketmaster tried to tell the ICO after its breach of customer and payment card data which resulted in the fine. The details are hidden away, rather obliquely, in the ICO’s Penalty Notice. It’s clear that the vulnerability that fraudsters exploited to access payment card details (initially highlighted by Monzo – perhaps showing the superiority of #fintech systems and data analytics) was created by Ticketmaster’s use of an Inbenta chatbot. However, it’s also clear that Inbenta specifically warned against using the bot on payment pages of the website for just that reason. The bot wasn’t really to blame; Ticketmaster’s internal risk management regimes and mindset were.
Given Ticketmaster’s business, it’s a safe bet that a lot of their routine customer contacts are to do with checkout and payments, so what better place to put a chatbot? One of the beauties of chatbots, like so many SaaS products, is that you can just paste the code on a page to get started. If you have access to your website then you don’t need to jump through your IT colleagues’ tedious permission hoops and rules.
Is that what happened in the Ticketmaster case? I don’t know, but I do know that misunderstandings and miscommunications resulted in a 7-figure fine, thousands of unhappy customers, a failed chatbot implementation and considerable reputational damage for Ticketmaster.
How do you avoid Ticketmaster’s fate befalling you?
Well, it’s the usual simple-sounding but difficult-to-achieve need to get all your teams (internal & external) – technology, marketing, digital, risk, tech vendors – aligned and cooperating, with a shared understanding of business benefits and risks. Only then can you balance doing the smart thing for your business and customers without exposing both to fraudsters and rule breaking.
It’s the end of the week and – yet again – a last minute post-transition Brexit trade deal is in the balance. This is no time for predictions, but here’s why it’s in everyone’s interests to secure a deal that includes an EU adequacy ruling on UK data protection rules.
According to ‘The Cost of Inadequacy’, a report from New Economics Foundation and UCL European Institute, if the UK’s rules aren’t considered adequate by the EU then a raft of new contractual arrangements using standard contractual clauses (SCCs) will be required.
“The aggregate cost to UK firms would likely be between £1 billion and £1.6 billion.”
Most of which would be spent on commercial lawyers.
And no-one wants that.