Wednesday, February 28, 2007

Sometimes Permission Marketing is too sneaky

I use "Snap", those cute little preview windows for links from snap.com. I like them, you may hate them.

Snap emailed all its users today to offer us a prize if we can design a better mousetrap for them. In return they are capturing more data about us which they will use for marketing purposes. Ok, I like snap, so I gave them my idea.

Then I found that I can only win a prize if I am in the USA, even if they love my idea to bits.

A lot of other people have found the same thing, and it's turned several off snap totally.

The message? Well, apart from "The USA is not the centre of the universe"?

It's simple:

Know your database and know where they are. That way you don't make inappropriate offers to them.

Monday, February 26, 2007

Ease of complaining

I have been comparing the Telephone Preference Service, the Advertising Standards Authority, and the UK Information Commissioner. In fact I was asked by a magazine to write a pan EEA Good Complaint Guide a year or more ago. I must dust that off!

Anyway it's dead easy to complain to the TPS and the ASA. Enter some data online and it's done. So please, Mr Thomas, could you make your own form easier to submit? OK, it's come a long way from the old PDF that you had to mail in, but please could we have an online form to submit that goes right into your ticketing system?

Friday, February 23, 2007

"Good afternoon Mr Trent, we're conducting market research"

I had this call at 3:20 this afternoon. I'd have blogged sooner, but I was reporting the caller to the Information Commissioner and the Telephone Preference Service. My number is registered and I always report.

It wasn't a market research call. Before the call started I asked who they were and where they had my data record from. They said that I could find out by writing to

DPS
Imperium House
Ford Lane
West Sussex
BN17 0DF


The phone number the call came from was 08702 402611, according to caller ID.

The call was to introduce a large number of companies to me and to pass my name to them if I expressed an interest. In short it was another darned lifestyles questionnaire. I haven't had my chocolates from the last one.

Google has a reasonable number of hits for Imperium House, one of which is very familiar. Satellite Direct - famous for hard selling and a company I have already reported once to the UK Information Commissioner. I wonder if they could be the same company up to new tricks?

The telesales agent was very sweet and tried sweetly to argue with me when I explained that she had committed an unlawful act under UK law. It seems that DPS are under the misapprehension that market research means that you can ask "Are you in the market for this stuff?"

Will the UKIC act? Well, who can say. But their lack of prosecution of B4U seems to set a precedent of no action.

Permissions are all very well, but Murphy strikes hard

As you know I edit Compliance and Privacy, a task not without headaches. We have a fully permissioned list, all the correct opt outs, everything wonderfully simple. We use an email outsourcer to send emails. And I sent a newsletter this morning.

Three minutes later the site was inaccessible. This comes under the heading of "things that are sub-optimal", so I called my ISP. They're a reactive bunch, and their support team's name is Dan. I didn't even need Dan.

"We have a problem, Pipex are down. And all we're getting is a recorded message, so we are not pleased," was the immediate answer on the phone at reception.

You can be as permission compliant as you like, and then technology lets you down.

The newsletter is designed to drive people to the site, and the site is designed to get them to download dull but worthy reports in order to get them to register. Kind of hard to do that when the site is inaccessible.

Tuesday, February 20, 2007

Does the Google Toolbar break EEA Data Protection Law?

This one is being discussed on the Data Protection Discussion List (registration is required). A local authority customer service centre uses the spellcheck function in the toolbar to pre-check text fields in forms.

The toolbar uses servers outside the EEA to spellcheck the words. So is that data being exported unlawfully from the EEA? After all, it does send all the words to a Google server to check the spelling. Google is a self-certified Safe Harbor member, of course. Does that make any difference? Where are the spellcheck servers?

Toothless Information Commissioner has FSA as Jaws crossed with a Rottweiler

Where the UK Information Commissioner's powers are hugely lacking, the FSA can go in and levy huge fines, enormous fines.

I picked up these two articles, today:

UK FSA fines Nationwide GBP980,000 over security failures

The UK Financial Services Authority has fined Nationwide Building Society GBP980,000 for failing to have effective systems and controls to manage its information security risks. According to the watchdog, these failings came to light when a laptop was stolen from a Nationwide employee's house in August 2006.

The Financial Services Authority (FSA) commented that, during its investigation, it found that Nationwide did not have adequate information security procedures and controls in place, potentially exposing its customers to an increased risk of financial crime. It added that it had taken swift enforcement action to send a clear message to all firms about the importance of information security.

According to the FSA, Nationwide worryingly did not realize that the laptop contained confidential customer information or start an investigation until three weeks after the theft. According to the BBC, the computer has still not been recovered.

Margaret Cole, FSA director of enforcement, said: "Nationwide is the UK's largest building society and holds confidential information for over 11 million customers. Nationwide's customers were entitled to rely upon it to take reasonable steps to make sure their personal information was secure."

And then:

Nationwide customers pay £1m fine

The customers, not the directors, of Britain's biggest building society will pay a £980,000 fine for lapses in data security.

Nationwide was fined on Wednesday after a laptop was stolen from an employee's home in August.

It took three weeks before the society realised the extent and sensitivity of the customer details on the computer.

But Nationwide has told the BBC that it "would not be fair" if the directors paid the fine.

As a building society, Nationwide is owned by its members - the 11m customers - so any penalty, in effect, comes from their money.

Many are not happy that they will have to pay the penalty for their data being compromised.

Jill called BBC Radio 4's Money Box programme to say: "Because it's a mutual society, any fine will have to be picked up by the members, because there are no shareholders.

"It's a double whammy. It's bad enough to think your details may have been spread across the globe unnecessarily. But to be told as a member of a mutual society you are going to be fined, that seems a little unfortunate."


Both of these are highlighted in the news digest at Compliance and Privacy. They make you think. First, why on earth doesn't the UKIC have better powers? Second, what of your laptop??? Is it safe?

Saturday, February 17, 2007

Oh Experian, what DO you think of us? Are we REALLY that stupid?

I just got back from shopping. Inside my front door was a little paper bag. It offered me Thorntons Chocolates. I like Thorntons Chocolates. So I looked at the bag, wondering if it came from Thorntons, and the bag gave me not a clue. Our Thorntons closed down, you see, and I thought they might be going to throw good money after bad by giving me and my neighbours a 125gm pack of exciting chocolatey deliciousness.

It mentioned a survey.

My brain said "Another damned lifestyle survey from Experian", and, sure enough, it was another damned lifestyle survey from Experian.

Before I have just the teensiest rant, does anyone actually tell the truth in these things? After all, look at the questions:

  • Please may we sell you OUR life insurance?
  • May we pester you with Pet insurance?
  • When do you expect to die? May we sell you funeral expenses cover?
  • Are you fat? Maybe you need a diabetes check?
  • Short sighted? That's ok, just scribble on the form, no-one will mind.
You know what I mean. No right minded person would answer any of this rubbish with the truth. Ah, that may be it. Perhaps my neighbours are not right minded people.

So, Experian want me to fill out this three sides, small font, close packed form with my date of birth, marital status, insurance expiry dates, make and model of car, do they? And they will give me chocolate in exchange.

"Mmmmmm. Chocolate......."

Ah, sorry, a Homer Simpson moment just took me by surprise.

Ok, I can fill this out in exchange for chocolate. Now click the picture of the bag. Read bullet point 2.

Yes, I am to leave this data, some of which is probably sensitive data, in a bag, outside my front door, for my neighbours to giggle over and the local chavs to come and abuse.

Well, I think not.

But I want chocolate.

I have filled out the survey. I am the Reverend Fred Fernackapan, and I live with Herr Albrecht Lion (Albert and the lion, anyone?) and have a load of random ticks all over the form in random places.

On the permissions front I just love the way they try to get permission to email me and to SMS me. How do they know that I will give my real email address and my real mobile number? For all they know I just gave someone else's.

I also love the front of the form:

"your answers will be made available to responsible companies and organisations for research, marketing and analysis purposes. These companies may wish to contact you or your partner by post, telephone or email with relevant information or special offers according to your answers"
My last contact with Experian said that they sold this stuff to anyone with money to pay the invoice. I don't recall being screened for suitability.

Seriously, you have to be barking mad to tell the truth on these forms. All they do is open you up to being cold canvassed. They drive a coach and horses through any Telephone Preference Service prohibition and they strip away your rights under the PECR.

I don't expect they'll read the form to see if I deserve my chocolates, though! May Fred and Albrecht both become plump on them.

But Oh Experian, you are encouraging Identity Theft. How insane do you really think we all are?

Friday, February 16, 2007

Zero budget website promotion

How do you launch a new website when your budget is precisely zero? That is a problem facing many small businesses. Zero means zero. This means that Google Adwords are out, even a few pennies a day.

The answer comes down to rational, sensible promotion and also a very different style of Permission Based Marketing.

The sensible promotions include:

  • Submission to search engines. Beware the paid for services, just submit, manually, and wait the 4-6 weeks it takes
  • Submission to dmoz.org. Frankly I'm not even going to link to it. This service was once viewed as essential, but nowadays Google is all, so just choose a category and submit without expecting a result. It's edited manually, and one site of mine in a popular category took 9 months to be included
  • Sensible optimisation of the web site itself. Every link leads somewhere, no links lead to errors, and no obsolete pages lead to the dreaded "Error 404". Novice webmasters need to learn and understand the 301 Redirect.
  • Make sure the site is W3C standards compliant. Spidering happens better if the bot is not confused
  • Create Press Releases and submit to the free press release sites. We did this for Train Spotting World (launched on 14 February 2007) on the same day. Today is the 16th, and Google already picks us up with 24 results. Come back in a day or two and there will be more, and some but not all link to the site.
  • Create an RSS or Atom newsfeed, and submit it to the feed directories. This is slower than press releases, but provides better overall inbound links and publicity long term
  • Create a Google Site Map (see its "Webmaster Tools") and submit it. Google loves sitemaps and indexes you better (but not faster) if you have one.
And then you work on publicity, and this is the hard part, and where permission comes in. I mean real publicity where word of mouth will spread your business message, not the fake publicity of those press release sites.
  • Find relevant forums and ask the moderator if you may describe your site there. If you fail to ask they will abuse you roundly. Google will pick up the abuse before it picks up your promotional message. Life is fair that way.
  • Find relevant email groups and find a good reason to use what you are doing as an example, and ask if you may post. If you don't ask then either all your effort is wasted, or you get labelled as a spammer. And Google will pick up the label before it picks up your message
  • Use your blog! You can be as direct as you like, but stay on topic within the confines of your own blog
  • Consider carefully whether to use a big place like Wikipedia. If you're a wiki-virgin do not even consider it. This is a site to be "in the light with the wise virgins". Do not create a wikipage about your site or business. It's new, so it certainly will not be notable, and they'll delete it and say very direct things about your business. Instead you should consider where you might add value and propose a link in that area.
You can't use an existing email list to say "this is my new venture/site/thing" because that list was not permissioned for this new use (0.9 probability), and people will accuse you of spamming. But you can send your existing newsletter to that list and include a small item on your new site, and, of course, a link. You have permission to do that!

Wednesday, February 14, 2007

Slightly off topic, but still marketing and privacy

A long time in the planning, my business partner and I have just switched on a new website. Like all such things, it's a gamble, but today's business environment requires a lot of good ideas, some of which turn into winners.

We've created a business that needs

  • No landing pages, so no complex Fair Processing Notices
  • No databases with people's personal details - we don't even need their real names - so no need to notify the UK Information Commissioner. I've never found an exempt business before, but the UKIC confirms that this is one
  • No online purchases from us, so no scope for credit card fraud
All we need is ordinary, sometimes not so ordinary, people to pursue their hobby. And we make it possible for them to do that easier, better and to communicate with other like minded souls worldwide.

Of course you could accuse us of being suddenly affiliated with Spam, but it's the Hormel Foods variety in sandwiches, not the internet variety in your mailbox, and that is very unfair. After all, show me a small boy who has not wanted, at some point, to be an engine driver, of steam engines, of course! Well, ok, a few wanted to be firemen - with hoses, not with stokers' shovels, and I suppose a few always wanted to be chartered accountants, but trains claimed so much attention it's a darned shame that we can't say we like them without being accused of being an anorak, or worse a foamer (blame the USA for that one).

The business is Train Spotting World, which is the first of a series of fandoms. I, we, are excited about it, so I thought I'd share the press release with you:

It says:

St Valentine's Day, Wednesday, 14th February 2007. Train Spotting World is the first of a family of special interest "Fandoms". It runs on the same software as Wikipedia, from the Wikimedia Foundation, and allows members and non members alike to create articles and reports about the global phenomenon of train spotting and love of railways.

The early articles are drawn from public domain sources around the globe. Spotting World's founders, Bernd Heller and Tim Trent, have spent long hours making careful selections of the initial set of articles, and there will be several thousand already present by the end of Valentine’s week.

Asked "why Train Spotting?", Heller said "A huge number of people have this interest worldwide, but there is nothing that caters for them in this way. Spotting World is designed to give the enthusiast a place to share that enthusiasm with others, and also to provide a wealth of information for anyone who drops in. It's a community, run by the community."

Everything on Spotting World is, just like Wikipedia, released freely under the terms of the GNU Free Documentation License, a true collaborative effort. But does the Wikipedia look and feel worry the founders? Trent says not. "Spotting World is not an encyclopaedia," Trent said. "Obviously we respect copyrights and decent behaviour, but we don't have the bureaucracy of an encyclopaedia, nor the need for rigorous citations and proofs. Spotting World articles have no particular need of a formal, encyclopaedic tone, no need of neutrality, and may be wholly 'Original Research'. What we’re providing is a virtual place for enthusiasts to share enthusiasm. Of course there is a serious side, but we expect it to be fun and light, too."

As the site says:

"It's not an encyclopaedia. There are no heavy rules or processes except to respect copyrights owned by others and to behave to others as you wish others to behave to you."

"It's what you make it to be. If you want to write reports of a great day at Grand Central Station or at Clapham Junction, great. If you want to upload your pictures of the Flying Scotsman, Mallard or the Golden Arrow great."

http://train.spottingworld.com

We're using normal marketing techniques to launch the business and drive traffic to the site, and at that point the community takes off. And, if they like what they see, the site is funded entirely by advertising.

There's another part to this story, too. I have never met Bernd in person. I've spoken to him twice on the phone, and those two conversations were about something else entirely. We've designed a business before using instant messenger and email, and we've designed this one the same way. It means long hours after we each finish our day jobs, bed doesn't happen before at least midnight, but we can create complex concepts much easier than if we were in the same room or were on the phone.

Tuesday, February 13, 2007

Landing Pages and SSL

With identity theft showing up as a major consumer concern all over the place in surveys, how much does the user who arrives on your landing page worry about the security of their data while it's being transmitted to you?

We know that most website owners don't care. Look at this survey, held over the past few weeks about SSL certificates:

The scary thing is the number of people who have no idea what they are! And this is on the webmastering end, not the user end. But as a webmaster or website owner, can you afford not to know?

At present the answer is a qualified "Yes". At present people will give ordinary contact details willingly enough to pretty much any website. It's only when asked to part with cash that they start to think about little padlocks.

So, today, the marketing landing page is fine without SSL. How long that will last, especially in view of IE7's ability to make the browser address bar go green for a supervalidated site, I'm not sure.

Monday, February 12, 2007

The Fair Processing Notice - do we really need it?

For several years I have been helping my clients ensure that the people who sign up for their mailing lists, or to be sent things, know precisely what will and will not happen to their data. We've worked together to build carefully worded, slim, plain English notices that we display at the point of collection. When you sign up you are in no doubt at all about what will happen, where your data will be passed, or not, and all other relevant things.

Even the most complex requirements can be met with care and attention to detail. Looking at the web one finds good and one finds bad. This is an excellent example from the Telegraph, who have a very simple view about data. If it is not permission based they simply do not want it. And they make sure you have seen the link to their privacy policy because it's above the submit button.

This notice is scrupulous about the data it collects and what the company will do with it. It has to be. The paper has a very strong brand, and is a paper that is trusted by its loyal readership. Permission Based Marketing is as much about brand protection as it is about getting a strong return on investment from the data you use for marketing purposes. Lose trust and you lose loyalty. In the newspaper world advertising revenue is based upon circulation, which is based on loyalty.

I had thought that the Fair Processing Notice would be universal. After all it's mandated by the Data Protection Act 1998 (Data shall be processed fairly and in accordance with the data subject's rights [I paraphrase]). It makes great sense, has a positive impact on the expectations of the individual who gives up their personal data and is an excellent marketing tool.

My thoughts are not echoed by the UK Information Commissioner, though. On his site you may request publications. On that page, however hard you look, there is no Fair Processing Notice at all. To the right is the foot of the page. It's clear, simple, has the relevant information needed to deliver a postal package, and also asks for the email address as a mandatory field.

I don't care who's collecting the data, when email address is mandatory, or collected at all, my antennae go on abuse alert. I want to know precisely what will happen with my email address. I've never trusted governments, and I see no reason to start to do so just because this is the site of the regulator of data matters. Caesar's wife should be above suspicion, and I see Richard Thomas's department very much as Caesar's wife. So I asked them why there was no FPN, and to explain their rationale.

They replied:

I understand that you have emailed to enquire why there is no fair processing notice on the ICO web page where the public can request an ICO publication. This is because the information is used to send out the publication. The information is retained only for a number of days to allow this to take place. We have never taken the view that an organisation has to explain what would be the obvious purpose for supplying their information. The statement on that page also links to the Commissioner’s privacy policy that explains the use that is made of cookies, how the information will be used and how to decline cookies and remove any that already exist.
It's a good reply. It makes sense. The reply shows that the processing complies with the law. But it also says in the reply what I believe it should say on the site, where there is plenty of space to say it. That is a marketing no-no.

It goes on to say "We have never taken the view that an organisation has to explain what would be the obvious purpose for supplying their information." Well, why not? The obvious purpose that you read into a page is not the obvious purpose that I read into it. And why the email address?

And it says "The statement on that page also links to the Commissioner’s privacy policy that explains the use that is made of cookies, how the information will be used and how to decline cookies and remove any that already exist."

Yes, it does. And it does it below the "Submit" button, which is a major problem. Web pages are served, generally, top to bottom. People also only scroll down as far as they need. Anything below the submit button can be dismissed as "not having been seen". When you submit your data you enter into a contract, but some of those terms have not been presented to you. Many lawyers will argue that this makes the contract an unfair contract.

So I replied:
I suppose the interpretation of what is obvious is important here. I had always taken the view that the public never understands what is obvious and should probably be told things with precision and explicitness.
and was happy to receive a reply:
it is difficult to get the balance right. However so many organisations have a difficult time with a lot to explain. Research does seem to show that brevity does increase the likelihood that a fair processing will be read and aids understanding. You will probably know that we are concerned at the relatively low level of awareness that the public have of how their information will be used (despite the fact that fair processing notices have been given for years). This is one of the reasons the Commissioner has promoted layered notices and is keen that they take on a visual format that is easily recognisable.
So the public has a low level of awareness, and yet the regulator's own site does nothing to increase that specific awareness at the point of data collection despite being concerned about it.

Well, I know I'm pedantic here. But isn't this a huge missed opportunity and a whole weird example of how not to collect data?

So, do we really need a Fair Processing Notice?

I think we do. I think the UKIC is giving himself bad advice for his own site. Everyone has the right to know, explicitly, what will be done with their data. Without that knowledge there is no contract, no brand protection, no increased Return on Marketing Investment, no competitive advantage.

Saturday, February 10, 2007

Testing a new service

My opinion is that it's a retrograde step. After all, a blog has an RSS or Atom feed. So "Surely all those who want to read it will just subscribe to the feed?"

But this blog is about Permission Based Marketing and I've just been shown a new service by Zookoda that takes a blog feed and wraps it in a regular email to those who subscribe their email addresses. So I'm trying it out.

It's confirmed opt in. The only field I'm taking is the email address. I'm struggling to find where the Fair Processing Notice should go, but that will come, and, of course, there are no subscribers as I post this!

I've added the signup form to the left margin; the system won't let me post it in the blog text. But I can post the number of subscribers here!

Friday, February 09, 2007

So what is spam? And why do people think my marketing message is spam?

I looked for a definition. We all know what it is, we just can't always say what it is. So I found Spam Defined in a link from the SPEWS site.

Internet spam is one or more unsolicited messages, sent or posted as part of a larger collection of messages, all having substantially identical content.

Looks good. Except if you read it. One message can't be part of a larger collection of messages without being more than one message. This reminds me of Danny Kaye in The Court Jester with the famous Chalice from The Palace dialogue. My brain starts to hurt.

So, let's get it right.

Ignore the law. Let's decide that email spam is a message that I did not expect, from a source I never expected, offering me something that I may or may not find I want, for money.

This looks ok. We have unsolicited because I didn't expect it. We have commercial because it's an offer of something in return for cash. So we have an Unsolicited Commercial Electronic Communication.

Nothing about more than one message. Nothing about whether it's B2B or B2C, absolutely nothing about 'individual subscribers' or 'sole traders', just a plain, simple definition.

There is a supplementary definition, though. It's spam if it arrives in my inbox and feels like spam. So the duck test applies too.

There's no answer to why people think your marketing message is spam (if they do think so), but the highest scoring guess has to be "Because you never got permission from the recipient," so it doesn't just look like spam it clearly is spam.

Which is why, if you've been following this blog, you want to make darned sure that your email is outsourced. But outsourcers will kick you off very fast indeed if you're dishonest, unless, of course, they are, too. Look at Constant Contact's declaration for every data file you upload to them. Well you have to click the thumbnail to read it, obviously.

If you lie and they get spam reports they "review" your account by stopping you from using their service. That's fair, decent and honourable. It protects them, it protects their other customers and it protects the recipients in as careful a manner as it is possible to. They can't stop you from lying, but they can provide consequences that stop you from doing it again.

Thursday, February 08, 2007

Web bugs, email tracking, permissions and the law

All commercial bulk email has some form of tracking system associated with it. It doesn't matter whether it's the newsletter you signed up for or the body parts enhancement spam that you wonder why you're getting. Everyone tracks their email to you somehow. Well, probably with the exception of the imbeciles who send out the Nigerian 419 scam stuff; they don't care whether you read it or not!

The major tracking mechanism is bounces. Forget the old adage "never open or reply to unrecognised email because it validates your email address", that doesn't matter at all. If a bulk spammer sees that your email address does not bounce, then they have you as a valid recipient. You're going to get spammed to hell and back. All you can do is to filter it and get over it.

Do bulk spammers care about tracking open rates? I doubt it. All they care about is the 0.01% response rate and maintaining it. So they'll remove bounces (after they have bounced about a dozen times to be sure), and just get on with spamming you.

We've lumped in legitimate commercial email messages with spammers. That's the problem. A legitimate bulk email attempts to track:

  • Delivery Rate
  • Open Rate
  • Click Thru Rate
  • Conversion rate of Click Thrus
Delivery Rate is done by measuring "Sends" against bounces. Very simple, non intrusive, and ruined nowadays by good anti-spam software which may or may not report a bounce.

Open Rate is measured by seeing how many people open an HTML email in a browser-like email client, such as Outlook, and thus who download certain uniquely keyed graphics from the email despatch service's server if their client is set to open graphics. It is calculated as a percentage of those emails delivered.

As a statistic, Open rate is flawed. People who do not open the graphics but read the email are not counted. It's also a pointless statistic. Who cares if an email has been opened? Come to that, while I realise that some people care passionately about this, if you care, please use the comments on this blog to say why you care and what, precisely, you care about.

Click Thru Rate is something we do care about. It's the first figure that lets the sender see if the message was successful. If my email interested you enough for you to click the link then it must have caught your attention. And Click Thrus are via encoded urls that let me see precisely who has clicked which link.

Unless you choose to decode the link and remove the tracking information, when you click it I know you've clicked it. It has nothing to do with graphics, nor with not accepting HTML emails. It's there, in your face, and your choice to click. You can see the link, even if masked with HTML.
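The two mechanisms described above, keyed graphics for opens and encoded URLs for clicks, seen from the recipient's side. This is an added example, not code from the original post or from any email despatch service; the token heuristic, the sample message, its hostnames and the `r` and `u` parameters are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Heuristic (assumption): a per-recipient key is a long opaque run of
# hex/base64url characters that contains at least one digit.
TOKEN = re.compile(r"^[A-Za-z0-9_-]{16,}$")


def is_token(value):
    return bool(TOKEN.match(value)) and any(c.isdigit() for c in value)


def keyed_parts(url):
    """List the query parameters and path segments that look like recipient keys."""
    parts = urlsplit(url)
    found = [f"query:{k}" for k, v in parse_qsl(parts.query) if is_token(v)]
    found += [f"path:{seg}" for seg in parts.path.split("/") if is_token(seg)]
    return found


def real_destination(url):
    """If the link is a redirector carrying the target URL in a parameter, return it."""
    for _, value in parse_qsl(urlsplit(url).query):
        if value.startswith(("http://", "https://")):
            return value
    return None


def strip_tracking(url):
    """Decode a redirector link and drop keyed query parameters.
    Keyed path segments are reported by keyed_parts() but left in place,
    because removing them would usually break the link."""
    url = real_destination(url) or url
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if not is_token(v)]
    return urlunsplit(parts._replace(query=urlencode(kept)))


class TrackerScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.web_bugs = []
        self.tracked_links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            src = a.get("src") or ""
            if not src.startswith(("http://", "https://")):
                return  # embedded/inline images cannot report an open
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            keys = keyed_parts(src)
            if tiny or keys:
                self.web_bugs.append({"src": src, "tiny": tiny, "keys": keys})
        elif tag == "a":
            href = a.get("href") or ""
            keys = keyed_parts(href)
            if keys or real_destination(href):
                self.tracked_links.append(
                    {"href": href, "keys": keys, "clean": strip_tracking(href)}
                )


def scan_email(html):
    """Return the remote keyed graphics and keyed links found in an HTML body."""
    scanner = TrackerScan()
    scanner.feed(html)
    scanner.close()
    return {"web_bugs": scanner.web_bugs, "tracked_links": scanner.tracked_links}


# Constructed sample message; every hostname and key is made up.
SAMPLE = """
<html><body>
<p>Our new report on widgets is out.</p>
<img src="https://mail.example.com/logo.png" width="200" height="60">
<img src="https://mail.example.com/o.gif?r=9f3a1c77d2e84b06a5c1" width="1" height="1">
<a href="https://mail.example.com/c?r=9f3a1c77d2e84b06a5c1&amp;u=https%3A%2F%2Fwww.example.org%2Freport%3Fid%3D7">Read the report</a>
<a href="https://www.example.org/unsubscribe">Unsubscribe</a>
</body></html>
"""

if __name__ == "__main__":
    report = scan_email(SAMPLE)
    for bug in report["web_bugs"]:
        print("open-tracking graphic:", bug["src"])
    for link in report["tracked_links"]:
        print("tracked link:", link["href"], "->", link["clean"])
```

The plain logo and the unsubscribe link are not flagged; only the keyed 1x1 graphic and the redirector link are, and the latter is reduced to the destination it would have forwarded to.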

Is this either ethical or lawful?

I'd say it is both ethical and lawful, others argue that it's neither. My view is that nothing is concealed, there is nothing sneaky or underhand, and that it is also an expected outcome of a click.

If I make a sales call to you and say "Hi, I see you downloaded our report on Green left Handed Widgets, pray allow me to sell you one" then I have a simple view: if the Fair Processing Notice (what will happen to your data when you subscribe) says this will happen then that is 100% fine. If not then I would object to receiving such a call myself, and would say that the call was made after unfair use of my data.

Conversion rate of Click Thrus is uncontroversial. It is a simple statistic: having tracked your behaviour on my landing page after you have clicked thru, I determine whether you completed the action I hoped for or abandoned it.

There's no reason for you to agree with me on any of these items. Where you disagree, tell me. Where you agree, tell me. Perception is often reality. If I'm technically correct but everyone perceives me as incorrect then I have to yield to perception because perception makes spam reports, and spam reports kill you, eventually.

UK to Jail Data Thieves

Yes, you heard it. From the nation that has no jail space for paedophiles and that can now jail you for retuning your car radio (Top Gear this week), now we can add data thieves to our overcrowded jails.

The Register carries the article, and Richard Thomas is delighted. And, as The Register says:

"People have a right to have their privacy protected from those who would deliberately misuse it and I believe the introduction of custodial penalties will be an effective deterrent to those who seek to procure or wilfully abuse personal data," said Lord Falconer, Secretary of State for Constitutional Affairs.

But how will this stop the major abuses of data, day in, day out, by large corporations who simply don't care? No-one's going to jail the chief exec of a huge plc, are they? This is just puff and window dressing. And it's hitting soft targets. Isn't it about time Richard Thomas went after a difficult target? What about a FTSE100 target? No-one cares about a scruffy little company stealing data.

Wednesday, February 07, 2007

Do you pass leads to resellers via distributors?

It's a pretty normal activity. You get the enquiry, you sell through distribution and you have a very arms length relationship with your end user facing resellers. You pass the sales lead to your distributor and they then pass it to the reseller.

The question is, what's your Fair Processing Notice like at point of data collection? If it doesn't say you're going to be passing the data to an unspecified third party then, technically, you can't do it! Which is, of course, insane.

Data protection law was never meant to stop people from doing business. They just wrote it to make you jump through hoops if you sell through distribution.

Now, to be fair, no-one will complain to anyone about your passing the lead to the organisation that can fulfil the enquiry, and even if they do, can you really see the UK Information Commissioner acting against you? We'll find Lord Lucan first, probably riding Shergar! But being safe is best.

Have a look at what you say you are going to do with the data you capture, and make sure it tells the individual who is trusting you with their data precisely what will happen.

Tuesday, February 06, 2007

An unrelated rant! Wikimedia software is sucky

There are two faces of Wikimedia:

  1. The kind, friendly, user facing face
  2. The grinning evil fiend that you find when trying to install and manage a wiki

I like the first. I am strange. I relax at times by editing controversial articles on Wikipedia. So I am a truly sad person, like so many other truly sad people. It's a bizarre form of fun and I enjoy the uniquely combative atmosphere there while trying all the while to build and reach consensus for what appear to be simple edits.

The second is...... Evil.

The software is free to use and licensed for free use. And installing it is deceptively easy. My business partner installed it in no time at all. Wisely, he opted for PostgreSQL instead of MySQL (better scalability, "real" SQL, better all round), and equally wisely we set about copying over stuff we needed from Wikipedia (yes, you may do that if you attribute it correctly).

Since then we've been having conversations along the lines of "The developers are crazy". We found "The eclectic musings of a bitter software engineer." I first read it as "electric musings", but that's just me.

This thing is a mess! How Wikipedia works at all is beyond us, especially if it uses MySQL. Wikimedia says it uses PostgreSQL, but its management tasks seem hardwired to MySQL; we almost reverted to MySQL - something that is a big no-no. If you want to do something simple and logical, you can't. The amount of time it takes to do something that really ought to be pre-configured is unbelievable!

But it IS "Double Opt In"

It is if you want to be laughed at! And the point is not to be laughed at. The people you negotiate with in order to get un spam-blocked have a very rigid view of what is correct and what is "not".

When we opt in to one of these allegedly "double opt in" email lists we give our details and opt in. We do this once.

The email server sends a token to us. We confirm the intent to subscribe by using the token and taking action.

We have thus "Confirmed our Opting In".

Did you see any "double" there? No, nor did anyone else.

The term is, always was, and always will be "Confirmed Opt In".
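
The flow described above, as an added example (not code from this blog or from any particular list server): one opt-in, a token emailed by the server, and the address joining the list only when that token comes back. The HMAC-signed token, the function names and the one-week expiry are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the list server
TOKEN_TTL = 7 * 24 * 3600             # assumption: one-week confirmation window
pending = {}       # address -> time the sign-up form was submitted
confirmed = set()  # addresses that completed confirmation


def _sign(address, issued):
    """Bind the token to one address and one sign-up time."""
    msg = f"{address.lower()}|{issued}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def request_subscription(address, now=None):
    """The single opt-in: store the request as pending, return the token to email."""
    issued = int(time.time()) if now is None else now
    pending[address.lower()] = issued
    return f"{issued}.{_sign(address, issued)}"


def confirm_subscription(address, token, now=None):
    """The confirmation: list the address only if the emailed token checks out."""
    now = int(time.time()) if now is None else now
    addr = address.lower()
    try:
        issued_text, sig = token.split(".", 1)
        issued = int(issued_text)
    except ValueError:
        return False                      # malformed token
    if pending.get(addr) != issued:
        return False                      # no matching pending request
    if now - issued > TOKEN_TTL:
        return False                      # token expired
    if not hmac.compare_digest(sig.encode(), _sign(addr, issued).encode()):
        return False                      # forged or altered token
    del pending[addr]                     # single use
    confirmed.add(addr)
    return True


if __name__ == "__main__":
    token = request_subscription("reader@example.org")  # constructed address
    print(confirm_subscription("reader@example.org", token))  # True
```

Because the address stays out of `confirmed` until the token returns, the pending table doubles as the evidence of confirmation you would show an ISP or blocklist operator.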

Monday, February 05, 2007

Even Permissioned email marketing can kill your brand

Even the best permission based list that is nurtured with great care and treated with respect can kill you. One bad email campaign can get your corporate website taken off the air by your Internet Service Provider. It takes very few spam complaints about the IP address you use to send the emails, and the spam vigilantes are all over you like a rash.

Remember that people forget. They gave you permission, and they forgot who you are. And your lovingly crafted, subtly worded, painstakingly created, drop dead gorgeous message arrives. And they click "Report as Spam" because:

  • They forgot you
  • They are having a bad day
  • They have a religion of reporting every third email as spam
  • They hit the wrong button
  • Separate from your email you upset them somehow
  • etc
  • etc etc

It's a bit like "Three strikes and you're out". A small but finite repeated number of complaints to the vigilantes and they start to let your ISP know that you are a potential spammer. Well SPEWS doesn't (well, it does, but it works very quickly, so quickly that people often miss or ignore the warning). SPEWS blocks the email address of your outbound email server. At this point you wish with all your heart that you had used an email outsourcer, because, if you had, you'd be home, free!

But you didn't. Against all advice you decided to email from your regular email server. "It'll be fine, our list is fully permissioned!" And now you are finding that your ISP has taken your web site down and is not giving you any access at all, even to take a backup, until you explain yourself.

Why are they doing this?

Because their business is suffering because of spam blocklists and blacklists. It isn't your IP address, it's their IP address, and they want it unblocked. Their other customers are starting to complain and are considering voting with their feet because your action has compromised their email's arrival with their recipients.

"But our list was permissioned!"

Well, was it? People like SPEWS insist on "confirmed opt in" (marketing people often call this "double opt in" and get laughed at a lot). If your list is confirmed opt in you may persuade the ISP to ask the vigilantes very nicely to remove the blockade. Or they may explain to you that you are more trouble than it is worth, and ask you reasonably politely to take your business elsewhere.

And while all this is going on your site is down.

People notice, and they start to put two and two together. A few blogs appear mentioning that your company is spamblocked. Blogs go out in RSS feeds and are picked up surprisingly widely. Google notices, so do Yahoo and the rest. And now you're in trouble.

If I am about to do business with you I look you up online. Long after you've solved the problem the articles are still being picked up by search engines. And your reputation is laid bare for all to see.

Does it matter that your list was permission based and you just hit a few people who forgot? Does it matter that you're ethical?

Not at all. What matters is that you weren't forward thinking enough to separate your email marketing from your website. What matters is that you did not take out this simple insurance by using an outsourcer and making it their problem.

SWIFT roosts on rocks and hard places

SWIFT is in a very difficult position. It's subject to EC directives and laws in EU member states about data privacy and data transfer, and it's subject to the US paranoia about homeland security and the requirement to transfer tranches of private data out of the EEA unlawfully. The way out? None known.

I picked up this article in Compliance and Privacy a while back, and see that they are covering it again today: "Swift data privacy not under our jurisdiction - ECB" is the headline on their financial pages.

So, broadly, as the European Central Bank says: "The request by the European Data Protection Supervisor to bring data protection compliance within the remit of central bank oversight would not be in line with the allocation of legal responsibilities." or "Someone else's problem, thank you very much."

Nice "duck and cover" move, that.

Attitudes to the law

It's not only The UK Information Commissioner's fault. Let's be clear on that. Except for Spain and sometimes Sweden, not one of the European regulators seems to care about data export. And the clients I deal with tend to be global corporations whose data resides somewhere in the world that is not the EEA and is in global systems. And this data is used, among other things, for marketing purposes.

Permission and trust cut both ways. If I can trust you with my data then I can trust you to give me value for my money when I buy from you.

So explain to me why some of the largest IT corporations don't even bother to regularise their overseas data transfer arrangements?

The grapevine whispered to me that a large software company has recently been advised by its senior legal counsel not to bother to go for Safe Harbor (actually I agree, because they are not US Centric), not to bother to go for Model Contracts (again I agree, because they have many, many subsidiaries globally, and Model Contract Terms are unwieldy), and not even to bother with Binding Corporate Rules because "If IBM didn't bother, why should we?".

Now I haven't checked with IBM to see if they bother, but I know they are not going through the BCR process in Europe. The other corporation's defence is to be "Look, go and bother IBM, they're bigger than we are" if the regulator comes calling.

That seems to me to say "We don't care about what we do with your data. When you give it to us we'll abuse any of your rights." Do you want to be marketed to by an organisation who says that?

Well, no, nor do I. And here is where the Information Commissioner and his European counterparts are wholly and comprehensively to blame. A plea to Richard Thomas: "Start to enforce the law, Richard. It's becoming a laughing stock, and your lack of enforcement is to blame. Get a few corporations into court and get them fined. Start to look active and threatening."

Friday, February 02, 2007

Permissions and memory

Today must be "newsletter day". My inbox is filled with the little things, which is odd since it is not yet 8am. So, apart from the fact that there are a load of people who think I'm going to read stuff that's come in overnight and is amongst the client stuff that's come in overnight, I'm also looking at the list and wondering whether I actually subscribed to some of them. I obviously didn't subscribe to the "ill equipped, buy our pills and get better equipment" ones, honest!

That's the challenge with permissions. They lapse in the mind long before they lapse in the database. And that's where regularity comes in.

If I sign up for your newsletter, make sure I get it regularly, and make sure it's interesting. This (altered to protect the innocent) is one in this morning's pile. And this one is what set me thinking:

[Anonymised corporation] is pleased to bring you the January issue of [named newsletter], our newsletter for customers and partners. In this issue, you will find informative articles about the company, our technology and our commitment to customers.

[url to a pdf file]

Highlights include:

· Continued profitable revenue growth for [Anonymised corporation] in Q4

· [Anonymised corporation] will demonstrate our [stuff] at [Some Conference] 2007

· [Some University] relies on [Anonymised corporation] to provide secure network access to thousands of students

· [Anonymised corporation] Service Units debut

· The Extended Leadership Team drives a new corporate culture

· And much more

[url to a pdf file]

Stirring stuff! I've dropped them an email previously, I remember, to mention that this is so dull as to be a waste of the electrons it's transmitted by, but no reply! That's actually the only reason I remember it, and I only subscribed because I edit a news site on compliance and privacy and they have an interesting product line that I want to cover, sometimes.

The point is that the newsletter makes them forgettable. I have a peripheral interest in them, but not enough to care, and truly not enough to waste a load of time loading a pdf when they could have sent the payload out in a well constructed email that pulled me to their site. This one pushes.

It pushes me to the site (no, I'm not going coz I don't do "pushed"), and it pushes me to unsubscribe because of that.

The only reason my permission hasn't expired is that they might have something of interest to say. Except this isn't a newsletter. This is trade puffery and self hype.

To keep permissions you have to offer something else. You have to have a view on your industry and show me, in your newsletter, that you understand the industry as a whole, and do not just care about yourself. You actually have to cover in a positive light what your competitors are doing. That makes me want to hear from you. That keeps permissions fresh.

And you have to personalise the newsletter. And then keep it regular. And remember that self promotion is certainly allowed, but that a newsletter has to contain news. If it's just puff then we may not unsubscribe, but we will not read it. Or we'll report it as spam.