Wednesday, January 31, 2007

b4usearch.com, the Information Commissioner and the Press

It looks as though the story that the UK Information Commissioner has dropped the case against Birmingham based B4U will run after all. I just had a call from OUT-LAW.COM who broke the enforcement notice story back in July 2006 with their story "Information Commissioner issues first website enforcement order". They'd picked up the news from here about the case being dropped, either from "How does the UK Information Commissioner compare to a Traffic Cop?" where I revealed the dropping of the case, or from "Staggering press apathy regarding lack of prosecution of B4U".

It really is a case of having the law respected. Data Privacy law is good law. It is the lack of enforcement that brings it into disrepute. Lack of enforcement turns good law into bad law.

We have a very simple choice with this law: Enforce it or repeal it.

Since we can't repeal it without leaving the European Union, we have to enforce it.

How do I get a mailing list?

The answer is not just "you go to a list broker." List brokers can only broker (broke?) what is available on the market. They are great for renting or buying lists, single use, multiple use, the lot. But they can't create what is not there: legality.

That's a pretty sweeping statement, so first let's look at where the problems lie: Permission.

In the European Economic Area we rely on permissions, though snail mail has a far less rigorous threshold than any other type of contact.

As a generalisation, snail mail requires no permission except that of opting out. In other words I could fill your paper intray with enough paper to destroy entire forests and be within the law unless and until you tell me to stop. I'm not saying that would be productive, just, generally, lawful.

The phone in the UK, either Business to Business (for which it seems we have to thank the Federation of Small Businesses) or Business to Consumer, is covered by the Telephone Preference Service. Prohibit contact and cold sales contact is prohibited. Existing contact overrides TPS prohibition whatever the apparent pecking order of dates of contact vs date of registration. TPS style prohibition (or Robinson) lists are spreading, but were initially a UK phenomenon.

After those two "traditional" mechanisms of cold contact come the electronic methods. Those include, surprisingly, Voice Mail! Leave an unsolicited, cold calling voicemail and you are outside the law for B2C, and, because of the vagaries of the Privacy and Electronic Communication Regulations (PECR) you are outside the law with some businesses, too.

Fax used to be the bulk marketing mechanism of choice for distributors of components. I worked in the same building as the long defunct Connexe Peripherals, a PC bits and bobs distributor. The sole marketing activity was a daily fax blast to many hundreds of large and small PC resellers with the latest special deal. It was a powerful mechanism, got attention and was hugely cost effective. Today the ROI has plummeted, and many businesses don't even bother to equip themselves with fax machines. Add the PECR prohibitions and the long established Fax Preference Service, and you can see why fax is no longer appropriate except for small, highly customised, personal campaigns.

Which brings us to email. Just reading the PECR makes your head spin. You cannot use cold email blasts to anyone who is an "individual subscriber" without their permission. How easy it would be if it were obvious who is and is not an individual subscriber! How much better if the PECR were framed under Data Protection law instead of telecommunications regulations!

It's easy, honest! An individual subscriber is basically the bloke or blokess who pays the bill. So, at home I am that bloke. By inference so is my wife and my son since each is a private citizen and each lives here, and it's a home. Since I blog as myself and use an email address that is not a corporate one, that address is definitely one of an individual subscriber, too. And then it gets complex. A sole trader, even under a trading name, is an individual subscriber. Yes, I'm one of those, too, so my email address as a sole trader is that of an individual subscriber. A partnership, except in Scotland, is an individual subscriber. So a firm of solicitors is a partnership and is an individual subscriber, as are all its partners and staff, unless it is a Scottish partnership. And what of LLCs and LLPs and stuff?

OK, it may be simple(!) to define, but weeding this individual subscriber stuff from an email list is as near impossible as makes no difference. It is best to treat all email lists as though they are red hot. Use long tongs!

I will make a bet with you: No list vendor who compiles their own email lists is obeying the law. No-one on those lists has given permission in a meaningful and informed manner. And even if they did tick a box suggesting that their email address could be passed to a third party they will still accuse you of spamming them.

Why am I so confident? Because I have asked at many conferences "Have any of you ever said 'yes' to the question 'May we pass your email address to other organisations who will use it for marketing purposes?'" and not one single audience member has said that they have. Well who would? The question means "We would like to make a load of cash from selling your email address to people who will then spam the bejasus out of you." No sane person would do that, would they?

So avoid self compiled email lists, however reputable the list compiler may seem. Instead head for vendors such as Mardev whose email lists are built up from magazine circulation, and who email on your behalf. Use trade association lists because they are compiled with care and due reference to members' permissions, and compile your own, fully permissioned list.




A summary:
  • Avoid email lists that you can buy in unless you can be sure of their pedigree. Use ones with accredited service providers instead
  • Screen against TPS for UK cold phone calls
  • The PECR has pretty much made the FPS obsolete. Screen fax lists for permissions
  • Obey snail mail prohibitions. Otherwise it is wholly valid to buy/rent in any lawful list

Tuesday, January 30, 2007

HBOS makes quite a statement

Even before you get to marketing, and permissions and campaigns, what can you do if you can't trust your bank to get it right?

According to the BBC:

An Aberdeen woman who asked for her bank statement was sent details of 75,000 other customers.

Stephanie McLaughlan, 22, was shocked when Halifax Bank of Scotland (HBOS) sent her the unexpected financial details by mistake.

She received five packages each containing 500 sheets of 30 customers' names, sort codes and account details.

HBOS apologised and said it was carrying out an investigation into the "serious" but "isolated" incident.

Well, of course it was isolated! But, if you can't trust them to send just the one bank statement, what can you trust them with? I certainly do not trust them to respect my permissions for marketing.

Though perhaps I should, now that this error has happened. They'll be a bit more careful, won't they?

As a side issue, do we really need to know Stephanie's age?

Staggering press apathy regarding lack of prosecution of B4U

The decision of the UK Information Commissioner not to prosecute B4U for persisting in holding obsolete and inaccurate personal data on public display on its website b4usearch.com despite having issued an enforcement notice has resulted in a total news silence. A Google search currently shows 100 or so articles covering the original enforcement, and one, this blog, carrying the news that the prosecution has been abandoned.

B4U's business is data. It was possible to get that data removed, but, to do so, you had to give extra data to them in order, they said, to identify yourself accurately and to be removed, data they did not have on file already. And, given their disregard for enforcement notices, where was that data going to end up?

Lack of enforcement followed by prosecution by Richard Thomas's office encourages the collection and retention of data, even obsolete data, on a massive scale. And the temptation when you hold it is to sell it.

And, when it gets sold, it can appear in data lists that you rent and market to, which you acquire in good faith, market to in good faith and lose your reputation in good faith.

Monday, January 29, 2007

Since email is being abused by major UK (and other) corporations, where next?

Email is a low priced medium. But it certainly is not low cost. And bad emails and bad adherence to permissions cause the most appalling ill will from the recipients to the corporation which sends them.

The major problem is that email is perceived as cheap.

If email is cheap then an email campaign is cheap. The costs of printing and dispatch are removed. And, with a large campaign, those costs are considerable, and reducing them turns email into a highly cost effective campaign transmission mechanism. But the major problem is that people think that any fool can write an email that will attract business.

The truth is that every fool can write an email that will destroy business. Good copy writing and good design are not in everyone's grasp, and they are best left to the skilled, or outsourced to the skilled. That's a "whole nother topic".

This has huge relevance to getting and using permissions. And permissions have 100% relevance to stopping email abuses.

The steps are very simple when turning from an email abuser into a welcome guest in my mailbox:

  1. Design and conduct a simple and attractive campaign which offers me something I perceive to be of value, and whose cost to you is proportionate to the value of my permission for you to market to me by email
  2. Execute that campaign, recognising that studies show people to say "Yes" on the 7th time of asking, but have due regard to the laws of diminishing returns as you approach that 7th time
  3. Record the permissions given to you
  4. Act on the permissions, and only on the permissions. "No means no."
  5. Do not even think of using the data for a purpose you have not declared when gathering the permission. Instead you have the ability to ask for further permissions, so ask for them, again in return for an attractive offer
  6. Take the moral high ground. Make PR capital out of your ethical Permission Based Marketing stance
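Steps 3 to 5 above (record the permissions, act only on them, never reuse the data for an undeclared purpose) and the earlier summary's advice to screen UK phone lists against the TPS can be turned into a small piece of privacy engineering. The following is an added example, not code from the blog or from any of the organisations it mentions: a purpose-limited consent ledger that records what each contact granted, where and when, refuses any channel or purpose that was not recorded, honours objections ("No means no"), screens phone numbers against a TPS-style suppression list while letting an existing relationship override it, and writes an audit trail of every decision. The class and function names, the sample contacts and the suppression list are all constructed for illustration; the real TPS is a service you screen against, not a file of numbers.

```python
"""Purpose-limited consent ledger with suppression-list screening.

Added example, not from the original post. All identifiers, the sample
contacts and the TPS-style number list below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Permission:
    channel: str                # "email", "fax", "voicemail", "phone", "post"
    purposes: FrozenSet[str]    # purposes declared when the consent was gathered
    granted_at: datetime
    source: str                 # where the consent was captured (form, campaign id)


@dataclass
class Contact:
    contact_id: str
    email: Optional[str] = None
    phone: Optional[str] = None
    existing_customer: bool = False          # prior relationship, relevant to TPS
    permissions: List[Permission] = field(default_factory=list)
    objections: Set[str] = field(default_factory=set)   # channels the person said "no" to


class ConsentLedger:
    # Channels that need recorded opt-in before any cold contact (PECR, individual subscribers).
    OPT_IN_CHANNELS = {"email", "fax", "voicemail"}

    def __init__(self, tps_numbers: Set[str]):
        self._contacts: Dict[str, Contact] = {}
        self._tps = tps_numbers               # constructed TPS-style suppression list
        self.audit: List[Tuple[str, str, str, bool, str]] = []

    def add_contact(self, contact: Contact) -> None:
        self._contacts[contact.contact_id] = contact

    def record_permission(self, contact_id: str, channel: str, purposes, source: str) -> None:
        """Step 3: record exactly what was granted, for which purposes, when and from where."""
        perm = Permission(channel, frozenset(purposes), datetime.now(timezone.utc), source)
        self._contacts[contact_id].permissions.append(perm)

    def record_objection(self, contact_id: str, channel: str) -> None:
        """Step 4: a refusal is recorded too, so that "no" stays "no"."""
        self._contacts[contact_id].objections.add(channel)

    def may_contact(self, contact_id: str, channel: str, purpose: str) -> Tuple[bool, str]:
        """Steps 4 and 5: act only on a recorded permission, and only for a declared purpose."""
        contact = self._contacts.get(contact_id)
        if contact is None:
            return self._decide(contact_id, channel, purpose, False, "unknown contact")
        if channel in contact.objections:
            return self._decide(contact_id, channel, purpose, False, "objection recorded (no means no)")
        if channel == "phone":
            # Live calls are opt-out via TPS; an existing relationship overrides the listing.
            if contact.phone in self._tps and not contact.existing_customer:
                return self._decide(contact_id, channel, purpose, False, "number on TPS, no existing relationship")
            return self._decide(contact_id, channel, purpose, True, "TPS screen passed")
        if channel not in self.OPT_IN_CHANNELS:
            return self._decide(contact_id, channel, purpose, True, "opt-out channel, no objection recorded")
        for perm in contact.permissions:
            if perm.channel == channel and purpose in perm.purposes:
                return self._decide(contact_id, channel, purpose, True, f"permission from {perm.source}")
        if any(p.channel == channel for p in contact.permissions):
            return self._decide(contact_id, channel, purpose, False, "purpose not declared when permission was gathered")
        return self._decide(contact_id, channel, purpose, False, "no permission for channel")

    def _decide(self, contact_id, channel, purpose, allowed, reason) -> Tuple[bool, str]:
        self.audit.append((contact_id, channel, purpose, allowed, reason))   # every decision is logged
        return allowed, reason

    def screen_campaign(self, channel: str, purpose: str) -> Tuple[List[str], List[Tuple[str, str]]]:
        """Split the whole database into contactable ids and (id, reason) suppressions."""
        ok: List[str] = []
        suppressed: List[Tuple[str, str]] = []
        for cid in self._contacts:
            allowed, reason = self.may_contact(cid, channel, purpose)
            (ok if allowed else suppressed).append(cid if allowed else (cid, reason))
        return ok, suppressed


def build_demo_ledger() -> ConsentLedger:
    """Constructed sample data: fictitious people and a fictitious TPS-style list."""
    ledger = ConsentLedger(tps_numbers={"+44 121 496 0000"})
    ledger.add_contact(Contact("c1", email="alice@example.com", phone="+44 121 496 0000"))
    ledger.add_contact(Contact("c2", email="bob@example.com", phone="+44 121 496 0001"))
    ledger.add_contact(Contact("c3", phone="+44 121 496 0000", existing_customer=True))
    ledger.record_permission("c1", "email", {"newsletter"}, "web-form-2007-01")
    ledger.record_permission("c2", "email", {"newsletter", "offers"}, "web-form-2007-01")
    return ledger


if __name__ == "__main__":
    demo = build_demo_ledger()
    print(demo.screen_campaign("email", "offers"))   # c1 suppressed: "offers" was never declared
    print(demo.screen_campaign("phone", "offers"))   # c1 suppressed by TPS, c3 passes as a customer
```

The point of the design is that the campaign code never sees raw addresses and a purpose string together without going through `may_contact`, so an undeclared purpose is refused at the only place contact can happen, and the audit list gives the Privacy Officer the evidence of permission that a complaint to the Commissioner would call for.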
Of course, you'll get a couple of reactions:
  • Chief Marketing Officer: "My database will shrink. Those people who don't give permission will still buy from us in the future. I simply cannot afford to lose them"

    Well, yes you can. Hell will freeze over before people who do not let you market to them will buy from you. Of course there are exceptions. So what? It costs you more to keep shoving stuff down these people's throats than any return you'll receive. And a database of rubbish costs more to administer than a clean, accurate database.
  • Sales Director: "The quality of sales leads from Marketing has gone up. The quantity is down, but my sales team is starting to get a much higher return on the time they invest in following them up. There is still some trash, of course there is, but we're enjoying following the leads up and we're making more money."

    Hardly surprising, because, when you push against an open door it tends to open. People who have given permission for marketing tend not to give sales teams a hard time. They know what they want and ask for it clearly.
The topics here are ones I'll develop over time, and I'll be including examples. Nothing confidential, of course. A few simple things that have been released into the public domain. These will also include results achieved by a major corporation or two.

Email is a low priced medium? Absolutely, but get it wrong and it has a huge and appalling cost, not least of which is your job.

Saturday, January 27, 2007

Privacy is a paradox

There are almost too many issues to consider with data and privacy. All of the issues come together at so many places, and marketing is but one of the points of convergence. But it's all too easy to get distracted with all sorts of other channels, just like browsing through an encyclopaedia.

Marketing people have an overriding need: to create a sales pipeline in order to allow the sales teams to work more cost effectively. As a marketing consultant my role is to help my clients to understand how to work within, but not how to circumvent, data privacy laws.

Governments have a different view, it seems. Coloured very little by party politics, governments appear to want to have as much data on their citizens as possible. They have the best of motives, naturally. And "those with nothing to hide have nothing to fear", as we are assured so often in letters to the editor by "Outraged of Cheltenham" in support of yet another restriction of our liberty.

I find that the work I do in helping clients gather permissions for Permission Based Marketing raises my hackles more and more against government abuses of our rights. After all, we go to great lengths to protect people's rights about being marketed to or not, needing to opt in or opt out, and presenting a consistent face. And this infinite trouble and care runs wholly against my instincts when we get, for example, the huge data sharing liberties that SWIFT has been criticised for in Europe, and yet is compelled to do by the US Government in some sort of drive against terrorism, and also the rather banal "Are you now or have you ever plotted to overthrow the government of the United States of America" questions we are now expected to answer when travelling to the USA.

This all makes me feel quite torn. Data privacy legislation was introduced in Europe as a measure to assist international trade. Quite reasonably the governments who introduced it are themselves subject to that legislation. So when they appear to break it, or give themselves excuses to break it, my hackles rise. Not just my "citizen's hackles", but my marketer's hackles, too. After all, if I have to show clients how to stay within the law, how can I sit idly by when a government breaks it?

All this was prompted by my search for the Big Brother Awards. I've been reporting under the pen name "Peter Andrews" for Compliance and Privacy some of the activities of Privacy International, notably their reporting of SWIFT for alleged breaches of data privacy law, so I look at their site from time to time. And my eye was drawn to their article "PI and ACLU call for repeal of EU-US agreement on data transfers", which seems to me to be highly relevant, not just to my citizen's but also to my marketer's hackles.

After all, if US corporations need Safe Harbor self certification in order to pass their data from the EEA to the USA, then why are governments allowed carte blanche to transfer this data?

And yet, surely I support these measures, since they are stated to assist in the defeat of terrorism?

What has happened to Privacy International's "Big Brother Awards"?

It's pretty unlikely that they've been muzzled, after all, especially since they are highly active in trying very hard to protect the rights of the private individual when faced with overwhelming government intrusion, globally.

As you can see, the award is prestigious, and would grace any foyer! Their website says:

Each year, the national members and affiliated organizations of Privacy International present the "Big Brother" awards to the government and private sector organisations which have done the most to threaten personal privacy in their countries. Since 1998, over forty ceremonies have been held in sixteen countries and have given out hundreds of awards to some of the most powerful government agencies, individuals and corporations in those countries.

However, it also only shows a shortlist for the UK 2005 awards with a big label saying "the awards are delayed". Emails to the organisers on the topic have gone unanswered. So, if anyone reading this knows, please add a comment and let us know what is going on.

Friday, January 26, 2007

Email marketing abuse is rife among top UK companies

That is the startling headline from OUT-LAW News. This is not good news for their prospective customers and ultimately is bad news for the continuing prosperity of the perpetrators.

The study was of 200 companies across 13 sectors, including banking, general insurance, retail and mobile telecoms, and the results show a cavalier disregard for the Privacy and Electronic Communication Regulations, and for their own reputations.

According to CDMS (the organisation who performed the study), 69% of companies studied are compliant with the legislation, a modest improvement of three percentage points since its last survey in 2005.

Ian Hubbard of CDMS said: "Companies who have not complied are putting their carefully built brands at risk, by putting out the message to consumers that they apparently don't care about legislation designed to protect their prospective customers' privacy."

That means that a staggering 31% are not complying with the law. And the managers need to understand that it is the criminal law they are breaking.

It really is not hard to get permission. It's often pushing against an open door. All you have to do is look at your marketing operation subtly differently. But 31% have not even bothered to try.

Whitelists are not just about email

I passed this blog to a group of colleagues because I wanted to show them the item on B4Usearch.com. It seemed much more time efficient than either writing it out again, or even copying and pasting.

I had an email from one that saddened me. She said "I can't get blogs on my network (they get filtered out)".

But a blog is truly not a frivolous thing. Ok, some are frivolous as they come, but that isn't what I mean. I can see why you would consider filtering non work related blogs, I suppose. Though people do need a few moments in their day to relax! But why don't the world's Chief Information Officers make it simple and not sinful to ask for a particular domain to be whitelisted? It's pretty obvious when it's about business.

Pictures and Sensitive Data

This one has long perplexed me. Sensitive data includes ethnicity and health. And a picture shows pretty much one's ethnicity and one's health.

Sensitive data is about things like ethnicity, health, sexual life, trade union membership and a good few other things. So, as examples, I have posted a couple of pictures. There are no copyright or legal issues, I've licensed them commercially for this use.

One is a young couple whose ethnicity is clearly displayed. Actually, both are couples whose ethnicity is displayed! One is a couple who appear to be in some sort of pre-erotic situation leading to the implication that they are probably lesbian. So both of these pictures display sensitive data. They also display, by implication the health. All four people look healthy.

Ok, we have no idea of their names, but the law says that a picture is capable of identifying a living individual, either by itself or in combination with data already in the hands of or likely to come into the hands of the onlooker. Well, broadly, anyway.

Now, if the law is convinced that a picture is personal data (capable of identifying..... etc), then why isn't it sensitive data?

I know I'm anally retentive, but I truly do not see the logic there, and Richard Thomas's office has not convinced me.

How does the UK Information Commissioner compare to a Traffic Cop?

Not a question that gets asked much, that one. But let's look at the way he prosecutes people. Or, in fact, at the way he hardly ever seems to do it. He's a very nice man indeed. Being investigated by him must be a bit like being told off by a favourite uncle.

Take the Birmingham based B4U corporation. As the opening paragraph I wrote for Marketing Improvement says:

Web business b4usearch.com has fallen foul of the wrath of Richard Thomas, the United Kingdom Information Commissioner over the processing of personal data on their website. The Information Commissioner's Office (ICO) has ordered the website b4usearch.com to stop using personal information from electoral registers published before 2002, after finding the site in breach of the Data Protection Act.

B4U ignored the enforcement notice, or rather, they stated that it had not arrived. And they went way past the enforcement notice's date of 1 August. I checked my own data in August, and, because it was still there, I added my own complaint to the pile.

After a while I had a call from a very nice investigating officer from the Information Commissioner's office, and duly gave a witness statement. I like the idea very much of enforcement having teeth. In Ms France's day as Data Protection Registrar it was like being gummed to death!

The investigator was very gung ho about the intended prosecution, even though, at that point, B4U had started to take its obsolete data offline. "It's an offence, and they need to be prosecuted for it," he said.

Today my mail brought a note. "Prosecution will not happen," it said. "B4U have taken their data offline, so we will not be prosecuting them."

Which is all very well, but the offence had been committed. The enforcement notice had been ignored. Richard Thomas has now proved that he can be ignored with impunity, hasn't he?

Now compare him with a traffic cop. Drive, if you can, round the M25 at 120mph, and notice (except in that nasty camera section, when you have just lost your licence) a blue flashing light in your mirror. Bring your car smoothly to a halt on the hard shoulder, turn the hazard flashers on and get peacefully out of the car to stand on the side away from the traffic. And imagine the following conversation:

"Well done, sir. You stopped extremely well, though you were driving way above the speed where you would normally lose your licence automatically. But since you showed such good sense in stopping and since you drive so well, I think you should be on your way without a stain on your character."

"Thank you, officer."

"Just promise me, sir, that you won't let me catch you again."

Just how likely is that to happen, do you think?

Exactly. Not likely at all. Yet the Information Commissioner does it every time. The traffic cop does it never. We don't respect speed limits either, but we're much more likely to respect them than a badly enforced law.

Why, oh why, call it Data Protection?

It's just a bleat, really. But it's data privacy that we care about. Technical teams handle data protection.

Data protection is a small part of data privacy, a very small part. It literally protects the data from destruction and unauthorised access. And, oddly, it deals with the precise mechanisms for the true destruction of data whose shelf life has expired.

So why, why, why, did the UK call it the Data Protection Act? We have the Privacy and Electronic Communication Regulations, so why not the Data Privacy Act?

Customer Service and Data Protection

Recently the Data Protection discussion list held a survey of its members. The question asked was "Customer Service Agents often quote data protection law as a rationale for doing or not doing something. In your experience are they...."


Not wholly surprising, really. They use the name of the law to prevent anything else from happening - just like the double glazing company would not let me talk to satisfied customers. They will not be getting my business, by the way.

There were some interesting expansions in the free text, too. I've extracted a few:

  • This is a missed opportunity for improving customer service and the 'bottom line'. DP is certainly about treating the customer properly.
  • It reflects more on the levels of training and awareness they are given by their companies than it does on the individuals.
  • Staff are often told by their management that the reason for not doing something the customer wants is "because of the Data Protection Act". I suspect that the management often do not even know if this is the case. They just assume that the customer will take that at face value and stop asking. In this day and age, it is insulting, annoying and very damaging to the relationship with your customers to assume this. What I find amazing is when you challenge them on this, they often insist on sticking to their script and even terminate the call, rather than deal with the issue.

This all points back to removing the words "Data Protection" from the corporate vocabulary. The only people who should be concerned with the name of the law and sections of the law are the Privacy Officer and the legal counsel. Everyone else should be conducting business, not playing lawyers.

Data Transfer out of the EEA - Almost everyone does it. Unlawfully

One of the main things I get asked to do for my clients is to help them regularise their data transfers out of the European Economic Area. That really isn't as hard as it sounds. OK, the Data Protection Directive 95/46/EC says you can't do it unless loads of conditions are met, but it isn't hard to meet those conditions. It just means work and attention to detail.

If you want to look at the various options, I set them out in a detailed discussion. The options are straightforward and simple:

  • Ignore the law
  • Just Get Permission
  • Safe Harbor
  • Model Contract Terms
  • Binding Corporate Rules
That probably is not the point. The real point is that we do it all the time, and we have to consider it.

For example, I'm working with a new business right now - indirectchannel.com - to set it up, and to make sure that it runs lawfully. Even without a business footprint we've had to do two things in order to make sure it trades within data privacy law:
  1. Register it with the UK Information Commissioner (why do they use the term "Notify"?) so it is correctly on the Register of Data Controllers
  2. Create a correct, simple, easy to read Privacy Policy for the website
Of course the register lags a few weeks behind the notification, and any changes in notification take those few weeks to catch up, but the important thing is that that piece of paper - the registration form - is in the departmental in tray in Wilmslow, because failing to notify is a strict liability offence (a bit like going too fast past a Gatso camera, except that the UKIC warns you a few times before issuing a speeding ticket).

The thing is, we often forget that we transfer data overseas. So the question is: "Where is your web server?"

If you collect no data online, none of this matters. But collect a single item of data "capable of identifying a living individual", and do this via a web server located outside the EEA, and you are, in all innocence, in breach of the law unless you state it clearly, and state it at the point of data collection.

How many businesses, especially small and startup businesses, have any real idea where their web server is located? It isn't always (often?) at the same location where the organisation they rent it from is based. I used to rent one from a corporation in Belgium. After a while we realised that they owned no servers at all, but provided support from Russia for servers that they rented in low cost data centres globally. Or did they rent them? Maybe they just resold space on them? Whatever they did, we were transferring personal data pretty much anywhere in the world without knowing where ourselves!

Thursday, January 25, 2007

Hiding behind Data Protection

I hate it when some half knowledgeable soul decides that the Data Protection Act 1998 prevents them from meeting my needs!

At home we are having the double glazing people round to measure up and quote. Always a strange exercise, allowing someone into your home who is going to sell you something. I asked this evening's planned lot for references. After all, if they can't provide them I don't want to buy from them.

"I'm sorry, sir, that would break the Data Protection Act."

Well, no. It most assuredly would not. What it would do is show whether they had done good work or not, so I now distrust them prior to the visit. You know what it is with double glazing companies!

What can they do in order to solve this?

  1. Easiest is to ask each customer if they are happy to act as a reference, even if only for a small number of calls.
  2. Failing that, give me an address where I can knock on a door, not knowing the name of the people.
In neither case is the law broken. But number 1 shows attention to the needs of their prospects and their customers.

I have an abiding loathing of customer facing staff who hide behind a supposed knowledge of the law when all they mean is "no". So does the Vodafone UK data protection guru. She has outlawed the words "Data Protection" from use in the organisation.

Why?

Because it turns all who think they know something into mini lawyers. What a business needs is business aware people to go out and conduct good, clean, ethical business.

I'll probably return to that topic.

More regulation, as if by magic

How we are supposed to keep up with the welter of legislation is beyond me. Before Christmas my ISP, of all people, notified me that the Marketing Improvement website needed to show its official registered company number, and its VAT registration number, together with its address.

Apparently this is to enable people to contact business properly and avoid scams on websites.

That is not going to work, though, is it? People don't bother to check SSL certificates to see if they are valid, so why on earth would they bother to check the other details? Do people even know they can look companies up by number on the Companies House website? And, what's more, do they care?

All this is wholly distracting from the business at hand, which is to sell goods and services for a fair price to those who wish to buy them. There is not one single piece of added value in stuff like this. All it does is give yet another stick to beat the trader with.

And the worst thing about this?

I had to hear it from my internet service provider, not from any other route.

OK, I found out about it properly and in detail afterwards, but who really knew about it and the fact that it had to happen from 1 January 2007?

Wednesday, January 24, 2007

Why have I started this blog?

Looking at pretty much every blog, that question comes to the foreground. It just gets pushed to the background. But why would anyone blog? And, even if there is a valid reason, why on earth (a) would I blog and (b) anyone else care?

The answer is that no-one cares, and people only read it if it has something to say. That's kind of scary. I know I have a lot to say, some of it even on Permission Based Marketing, more on Data Protection from a marketing perspective. But who cares enough to read it?

In fact, unless the United Kingdom Information Commissioner gets his enforcement act together and starts to use a big stick, something I know he is starting to do, then there is no point in Permission Based Marketing and the UK Data Protection Act 1998 together with the Privacy and Electronic Communication Regulations might just as well be repealed.

Why?

Simple.

However good the intention of the legislators, however well drafted the law, unless it is enforced no-one respects it. In the UK it isn't enforced thoroughly. When enforced it's enforced well, but it isn't done thoroughly. It's not so much a coach and horses you can drive through it and get away with it, you can get the entire King's Troop of the Royal Horse Artillery through it and no-one will notice.

That will be a recurring theme, I think!

Will I blog often? No idea. Nor do I know if it will be regular. But when I have something to say, then I'll say it.