Consumers are about to gain new rights which may lead to complaints about data collection and usage.
With all eyes on Brussels for sign of agreement on the General Data Protection Regulation, many data practitioners have assumed it will be early 2016 before they know what the new framework will look like. But why wait until then when you get into trouble with a regulator from 1st October this year?
The cause? Having data collection practices, privacy statements and data protection policies which could be considered unfair to customers. A new piece of legislation, the Consumer Protection from Unfair Trading Regulations, prohibits misleading actions or omissions and aggressive commercial practices. Many observers (and not a few lawyers) believe this could be applied to data capture techniques which bury privacy notices and opt-outs in the small print.
Introduced to address practices ranging from ticket booking and cancellation fees to barriers to switching suppliers, the new Regulations also impact on “aggressive commercial practices”, such as persistent unsolicited phone calls, faxes or emails. Yet another nail in the coffin of outbound telemarketing, it is entirely possible that digital marketers could also be facing a consumer complaint if they overuse the email channel.
Significantly, it would be down to the company to prove its activities were not misleading or aggressive. Successful claims could see the customer getting a discount of between 25 and 100 per cent of the value of the goods or services, or the right to claim for damages for distress. With the Information Commissioner having already achieved a lowering of the threshold for what constitutes distress, this should serve to put on notice any digital marketers whose activities border on spam.
But it is in the realm of data capture where there is a genuine risk of falling foul of the new law. It has been pointed out that a growing number of brands seek to differentiate themselves on the basis of their data protection practices (think of last year’s focus on privacy by Microsoft, for example). If those companies do not live up to their promises, they could be facing a complaint.
Fairness and transparency are key principles of the Data Protection Act, of course. But with the proposed Regulation moving the basis of the value exchange towards informed consent, this changes the nature of what might be considered fair and whether existing notices really do give full disclosure about how data will be used. It could even be that a challenge gets made on the grounds that individuals are asked for too much unnecessary information just so they can enter into a contract.
Pressure to acknowledge a shift in the data exchange increased in June when Ofcom published a report it had commissioned, “Personal Data and Privacy”. Looking at informed consent, it reached the sorry conclusion that, “consumers rarely read terms and conditions at all.” Online, the vast majority of website visits last less than 15 seconds, and only 0.05 per cent of visitors will ever have looked at the T&Cs, let alone understood them.
The report acknowledges the existence of the “privacy paradox” - consumers state how important data protection is to them, yet few actively do anything about it. But regulators and legislators see it as their job to protect consumers from themselves where necessary. Which increases the possibility of them taking a hardline over whether consent can ever be informed if an individual did not read the small print before ticking an opt-in box.
Given the pressure on the charity sector over its use of personal information (see page 31), conditions are ripe for a media storm or social media backlash against brands hiding their privacy notices where the sun does not shine. It is time to take a long, hard look at your data strategy and consider just how fair it really is.