Direct Marketing Commission - Enforcing Higher Industry Standards

This investigation related to a complaint regarding a consumer who, despite being registered on the Telephone Preference Service, was contacted by a legal services company seeking to sell its services.  This call was made after the person called had been identified as someone who had consented to future marketing during a lifestyle survey call made by an offshore call centre which was contacting consumers for lead generation purposes. The call centre was acting on behalf of various clients. In this case the legal services lead generation was commissioned by PDV (part of Data Locator Group), a broker of data and marketing leads.

In the survey call there was a specific question related to legal services. The call script did not then go on to ask the person called if she or he wanted a follow up call from the legal services business who sponsored the call and question. The offshore suppliers’ call script listed the legal services client name in a recorded message at the end of the call along with other entities who had sponsored the survey and the questions in it. It did so in a way that did not make any link between a question on legal services and which would have allowed the consumer to make an informed choice as to whether or not a future call was welcome.  The Commission took the view that recordings at the end of a call give listeners no assured or straightforward mechanism for deciding who the call recipient does or does not want to hear from.

The Commission did not think the process described, by virtue of the structure of the call, the speed with which ways of opting out of marketing as a result of the survey call or the actual processes for opting-out, could be thought to have secured specific and informed consent for the legal company to over-ride the TPS registration in place and call the consumer.  In conclusion, the Commission did not think that PDV, as the broker between the off-shore supplier and the end client, had satisfied itself adequately as to the mechanics for securing informed consent.

For these reasons we upheld breaches of:

3.11 When buying or renting personal data, members must satisfy themselves that the data has been properly sourced, permissioned and cleaned.

4.3 Members must accept that in the context of this Code they are normally responsible for any action (including the content of commercial communications) taken on their behalf by their staff, sales agents, agencies, one-to-one marketing suppliers and others.

The Commission also noted that the off-shore supplier used a number of different trading names when making survey calls to generate marketing leads.  It was concerned that there was no evident  link between trading names introduced at the start of the call in question and trading names that were used previously or subsequently during other ‘surveys’ .  This could only serve to confuse a consumer and might invalidate any consents given to follow-up calls.   The Commission has encouraged PDV to seek advice on this point.

The Commission fully recognises that the industry has now moved into a new era under GDPR rules which require a higher standard and the Commission was told that PDV were embracing this and making necessary amendments to its processes, including the provision of named opt-ins at the point of sponsored questions rather than relying on a list in an end of call recording.

The Commission strongly reminded PDV of its obligations under the DMA Code.

The case is subject to any appeal.

click for more information

The Commission welcomes new GDPR rules which came into force on 25^th May, and which put the consumer firmly in the driving seat.  With the new law in place, individuals have more control over how their data is used, shared and stored and businesses must be accountable and transparent in the way they handle data.   The principles of the DMA’s Industry Code to put your customer first, respect privacy, to be fair and transparent, exercise diligence and to take responsibility are very much reflected in the new legislation. It will be business as usual for the Commission’s investigations, which are set against those principles in the Code, with the advantage that they are now supported by a higher legal standard.  Further details on GDPR can be found on the DMA website at www.dma.org.uk/gdpr.

George Kidd, Chief Commissioner said:

“Its eye-opening how many different organisations are contacting us about the continued use of personal data: eye-opening in terms of how often and, perhaps, how casually we share data, consciously or otherwise.

I hope this new awareness – and who’d ever have thought data privacy would be a hot topic of conversation – is great news. It makes businesses, charities and data professionals think hard and creatively about how to explain the consents they seek to take and use data and about how this might benefit us as we get these requests. 

GDPR should not be about bringing the shutters down on use of data but opening the blinds to let us see when and how this can happen and how it can benefit us as customers, and citizens.”

click for more information

click for more information

This investigation related to complaints received from two individuals whose TPS registered numbers were contacted by DLG to undertake a survey for lead generation purposes.  DLG had obtained the details from two off-shore call centres who were themselves carrying out lead generation surveys for a number of clients including DLG.

These call centres were, in turn, using data provided by other third parties. DLG could not provide the Commission with evidence that they had satisfied themselves that their call-centre partners had the consents necessary to be calling people registered with the TPS.

In this case these seemingly improper calls did result in some of the people called taking part in surveys conducted by the call-centres and giving some form of consent to marketing or survey/lead-generation calls from DLG and others. DLG took the view this last act gave them clearance to call TPS registrants on the basis they had a consent to do so. Calling TPS registrants when consent has not been given is wrong.

In the cases investigated, the offshore suppliers’ call scripts listed sponsor names at the end of the calls – in one case the list was within a pre-recorded message.  Recordings at the end of the call gave listeners no assured or straightforward mechanism for deciding who the call-recipient did or did not want to hear from. The Commission rejected the idea that a willingness to take lifestyle survey calls ending with a recording of all those sponsoring the survey in search of prospective business could, in effect, be taken as consent to any and all  sponsors.  On this interpretation, we thought that the consent mechanism for DLG to make subsequent calls to these TPS registrants was inadequate.

The Commission thought there was a greater risk that UK rules may not be followed when using off-shore suppliers and that this greater risk should be a consideration when purchasing data from different sources.  The Commission did not think the member had satisfied itself adequately as to the source of the data and the mechanics for securing consent and that if they could not satisfy themselves, the Commission thought they should have applied a TPS filter on the basis that they could not be confident that this had been done by others.

The Commission was also concerned that the suppliers’ consent mechanisms were vague, with one call centre using different brand names to call the complainant and the supplier scripts in both cases listing DLG as one of the sponsors of the survey call under one trading name (surveys.co.uk) but DLG subsequently calling under another trading name (Consumer Lifestyles). The Commission thought this was confusing to consumers.  The Commission found breaches of the following provisions of the DMA Code:

3.11 When buying or renting personal data, members must satisfy themselves that the data has been properly sourced, permissioned and cleaned.

4.3 Members must accept that in the context of this Code they are normally responsible for any action (including the content of commercial communications) taken on their behalf by their staff, sales agents, agencies, one-to-one marketing suppliers and others.

The Commission did take into account, however, that DLG had acknowledged the need to make further changes and had moved in January 2017 to arrangements under which it would  carry out TPS screening against any lists supplied by call centres where a DLG brand is named in sponsor lists in end of call recordings.

The Commission strongly reminded DLG of its obligations under the DMA Code and have shared its findings with the DMA to highlight the issues of accountability and control of sub-contractors by members and the issue of ‘end of call’ consents.

click for more information

In a recent letter from George Kidd, the DMC’s Chief Commissioner to the new Information Commissioner, he said he hoped to build on the DMC’s strong relationship with the ICO.  Self-regulation, he said, is in part about driving compliance with national statutory requirements within a sector as well as setting sector standards.  He agrees with the newly appointed Information Commissioner, Elizabeth Denham who, in a recent speech about accountability and GDPR, said that “it’s clear that a lot people feel they’ve lost control of their own data. People feel that keeping control of their most important information used to be simple, but that over the years, their sense of power over their personal data has slipped its moorings.”

The DMC has taken and investigated complaints about marketing and ‘lead generation’ activities and it has set out its concerns over the reliance some businesses put on consents to marketing that are as unclear as they are old.  The DMA are taking up this challenge with testing and audits within their newly revised compliance process.   Given the various live issues around data-sourcing, the nature and clarity of consents and the form and content of marketing in some industries, the DMC’s Annual Report gives some assurance as to the generally high and wide levels of compliance with the new DMA Code.

The DMC’s annual report can be downloaded from http://www.dmcommission.com/wp-content/uploads/2017/01/DMC-Annual-Report-15-16.pdf

click for more information

The Direct Marketing Commission warmly welcomes the announcement by BT of new customer services that prevent spam calls.

In 2014 in our Annual Report and in evidence to an All Party political group we argued the case for action at the network level alongside regulation, co-regulation and work to inform and empower people.  It has been a long-time coming but it is good that this is now happening. We would look to all fixed and mobile carriers to look at how this protection can be assured for all.

For our part the DMC has taken and investigated complaints about marketing and so-called “lead generation” activities. We have set out our concerns over the reliance some businesses put on consents to marketing that are as unclear as they are old. The Direct Marketing Association are taking up this challenge with testing and audits. It is important these are set against clear and challenging requirements.

This is part of the “jigsaw solution” that looks necessary here as in other fields of consumer protection. Smart use of technology and meaningful industry expectations sit alongside action to educate and empower users and regulation. For our part regulators must learn from our past experiences.

Treating every sector and every service the same makes no sense when the commercial drivers and the nature of the customer relationship vary dramatically. Anyone looking at how the incentives, personal injury and PPI businesses had to reach out and capture clients should not have been surprised at how some of them went about their business. Sudden shifts in circumstances can stimulate rapid and sometimes unacceptable responses from those who want to get high benefit from the changes.

As soon as the Government suggested a far more liberal regime from taking funds from pension funds the DMC flagged the risk both of rogue activity but also of high volume and aggressive marketing to the millions who might be tempted to take advantage of the changes. Our worry, learning from past events, was that some stampede to win this business would outweigh any duty to respect TPS registrations and regulations on e-mail and other digital marketing. This ability to identify terms and risks is something self-regulation should be good at – and it’s something statutory regulators need to learn if they are to do more than sweep up the damage after it has occurred.

click for more information

Two problems continue to bother consumers in 2016: clarity of consent; and how far that consent extends to third parties according to the Direct Marketing Commission’s annual report for 2015/16.

Complex supply chains and confusion over consent represented the biggest concerns to consumers in 2016 according to the annual report of the Direct Marketing Commission, the independent body which investigates complaints made about DMA Members.

In 2016 the Direct Marketing Commission recorded 230 complaints between 1 July 2015 and 30 June 2016.  Those unrelated to DMA Members were passed to the relevant authority where possible. The DM Commission tackled 48 separate cases in total: 40 consumer complaints and eight business complaints.

During the year in question, the Commission Board formally investigated six businesses, four of which were found, following a complete adjudication process, to be in breach of the DMA Code.

Of the 48 cases, 35 (73%) related to data, privacy and quality. These cases often related to complex supply chains where insufficient due diligence meant the original consent or lack of consent had been overlooked, in breach of the DMA Code.

DM Commissioner George Kidd said, “In almost every case the Commission considered we found ourselves looking at lengthy supply chains that resulted in messages and calls to people who had made clear they did not want these and had not agreed to them,” he said.

Kidd is keen to remind DMA Members that failure to conduct sufficient due diligence could result in reputational damage for the supplier, agency and brand. “It’s simply not good enough just to say ‘I didn’t know’, ‘I work on a basis of trust’, ‘my suppliers filled in a form saying they would behave’ and ‘it’s not my fault; someone let me down’,” he said.

He said that consistent complaints about, “These issues with sub-contractors, call centres and ill-managed data supply chains prompted the Commission to raise matters with the DMA.

“We are delighted the Association has started a process of audit and review of data broker and lead generation businesses to ensure they have the processes and the practices in place to ensure the consents they secure and the data they supply are clear,” he said.

The DMC Annual Report can be downloaded here at dmc-annual-report-15-16

click for more information

The data we collect on our customers and the data they give us is at the heart of everything we do as marketers. Of all of this data, the most important is how and when they gave (or renewed) consent to receive communication from your business.

The collection of this consent is something covered in the GDPR as needing to be ‘explicit’ and ‘unambiguous’. This means brand businesses will no longer be able to use pre-ticked boxes and justify consent through inactivity or silence.

But what happens once you have that consent? The law says that consent is given ‘for the time being’, but with the ICO adding that ‘consent decays over time’ what is the lifespan of consent? Unfortunately, this is where the laws and guidance become less specific.

The ICO has made a recommendation for third party data that consent should be considered invalid after 6 months. In essence, this means that marketers would have six months from the initial collection for first use.

On the topics of postal and all first party marketing data, however, there are no timeframes offered in the ICO’s guidance to date. That’s why the DMA’s Responsible marketing committee is launching a new consultation process open to all members to ask for your thoughts on how long you believe consent should last and how we should go about setting this as a standard for our industry. This may vary depending on the sector, vertical, channel and any number of other factors, but as responsible marketers we should be able to agree on a minimum standard.

The link below will take you through to a brief survey where you can offer your thoughts anonymously, unless you’d like to leave us your email address to continue the conversation further. The survey will run until 17^th October and if you have any further questions or thoughts you would like to share with the committee, please contact Rosie Atherfold on councils@dma.or.uk or on 020 7291 3300.

By Skip Fidura, Chair of the DMA’s Responsible marketing committee

Tell us what you think

click for more information

The DMA has announced the introduction of an additional compliance audit for all companies that buy and sell data. In line with the DMA’s drive for the highest standards and a responsible approach to data-driven marketing, the audit has been introduced to provide additional assurance to brands and reinforce the importance of only working with DMA member companies.

DMA member businesses that buy or sell data will be asked to go through an external audit that has been designed by the DMA, and will be conducted by an independent third party. At launch, the DMA has partnered with DQM GRC to conduct these audits.

Rachel Aldighieri, MD at the DMA, comments: “In an increasingly connected world, data forms the backbone of many businesses. Customers need to be able to trust that any data a company has on them will be treated in the correct way and that any business is being transparent about how they want to use that information. The updated compliance process ensures that DMA members continue to work to the highest standards and that membership remains a badge of accreditation that can be trusted in a data-driven world. Using an independent third party brings specialist knowledge in this area and ensures objective scrutiny so that the audit process is as stringent as it needs to be.”

Fedelma Good, Director, Information policy & business controls at Barclays, added: “In today’s digital era, every interaction has the potential to create new data on existing or prospective customers. It’s crucial that everyone – whether brand, marketing agency or supplier – embraces fully the objectives of transparency and trust when it comes to the gathering and use of this data so that confidence in digital and direct marketing is consistently reinforced. The DMA’s extension of its compliance process means that when we’re working with another member, we can be sure we’re working with a likeminded business that is accountable and acts responsibly.”

The updated process for those companies buying and selling data who wish to join the DMA will be implemented immediately. Existing members of the DMA that fall into this business category will be made aware of the need for an external audit a minimum of three months before their scheduled renewal date in 2017.

click for more information

Hollywood Marketing has resigned its DMA membership by agreement between it and the DMA following an incomplete adjudication process. The DMA will be making no further comment publicly or privately on the case.

click for more information

Please note that the Commission investigates complaints against DMA members involving breaches of the DMA Code. Any adjudication is based solely on compliance with the DMA Code and it does not, and cannot make comment on the lawfulness or not of the members’ actions.

This case centred on the supply of data of over 2 million consumer records to be used for an SMS marketing campaign.  The texts sent promoted an opportunity to place bets with a gambling company.  The complainant had received two unwanted text messages to this effect over the Xmas period.  The complainant was certain that he had not consented to receive the messages and had uncovered a lengthy supply chain over which his data was passed and which involved three DMA members. The messages the complainant received were mis-matched to an incorrect Christian name.

In considering cases where there is some form of value chain and where the member is using suppliers for a service to provide opted-in data to an explicit channel and sector, the Commission looks for assurance that sufficient due diligence is undertaken to show that supplier arrangements are compliant.  Given the high volume of records required for this order, the ‘sensitive’ nature of gambling and the requirements for the provision of clearly opted-in data, each member in the supply chain had a responsibility to undertake adequate controls and checks.

Verso Group had sourced the data from Evolution DM and sent it on to Digitonic which was to broadcast the data for the text campaign.

The Commission did not believe that Verso managed these contracts responsibly. During the time of the data order, Verso had come to the conclusion that it was not equipped to meet the data requirements from its own telephone survey and chose to out-source the data procurement. Verso could not produce any evidence to satisfy the Commission that it communicated the changed circumstance to its client, Digitonic.  It is not evident that Verso undertook the due diligence necessary to satisfy itself that its data supplier had the necessary consents for the data provided. The Commission also saw evidence of operational failings in the preparation and supply of the data, specifically a failure to correctly align names to the mobile numbers used in the campaign.

The Commission was not satisfied by the responses from Verso to its enquiries and the breaches raised and they saw a lack of willingness to accept corporate responsibility for events.

The Commission welcomed the assurance that Verso are to undertake remedial actions in terms of training staff to ensure there is a member of staff available to make these checks in future, but believed there was a need to test the adequacy of arrangements

Outcome

The Commission found Verso to be in breach of Rules 3.11, 4.1 and 4.3 below.

The Commission formally strongly reminded Verso of its obligations under the DMA Code.

The Commission has shared its findings with the DMA and asked it to use planned new audit arrangements with member companies to satisfy itself that Verso have the processes and sampling and other checks necessary to act as a data broker and lead generation provider. 

3.11 When buying or renting personal data, members must satisfy themselves that the data has been properly sourced, permissioned and cleaned. 

4.1 Members must act decently, fairly and reasonably, fulfilling their contractual obligations at all times. 

4.3 Members must accept that in the context of this Code they are normally responsible for any action (including the content of commercial communications) taken on their behalf by their staff, sales agents, agencies, one-to-one marketing suppliers and others.

Following adjudication, Verso lodged an Appeal. The Independent Appeals Commissioner upheld the DMC’s decisions.

click for more information

Please note that the Commission investigates complaints against DMA members involving breaches of the DMA Code. Any adjudication is based solely on compliance with the DMA Code and it does not, and cannot make comment on the lawfulness or not of the members’ actions.

This case centred on the supply of data of over 2 million consumer records to be used for an SMS marketing campaign.  The texts sent promoted an opportunity to place bets with a gambling company.  The complainant had received two unwanted text messages to this effect over the Xmas period.  The complainant was certain that he had not consented to receive the messages and had uncovered a lengthy supply chain over which his data was passed and which involved three DMA members. The messages the complainant received were mis-matched to an incorrect Christian name.

In considering cases where there is some form of value chain and where the member is using suppliers for a service to provide opted-in data to an explicit channel and sector, the Commission looks for assurance that sufficient due diligence is undertaken to show that supplier arrangements are compliant.  Given the high volume of records required for this order, the ‘sensitive’ nature of gambling and the requirements for the provision of clearly opted-in data, each member in the supply chain had a responsibility to undertake adequate controls and checks.

As of 1^st May this year, Green Button became a separate legal entity to Evolution Direct Marketing Ltd – the Commission’s adjudication was based on its status and relationship with Evolution at the time of this investigation.

Evolution (trading as Green Button) sought to source data in order to send this over to Verso which in turn sent the data to Digitonic, the text broadcaster. The supplier was known to Evolution (Green Button), but only through a partnership delivering an unrelated campaign. In the absence of any documented materials, the Commission could not see how Evolution (Green Button) assured itself that the data was owned and controlled by the supplier as claimed and felt able to forward it to Verso. As part of the investigation Evolution (Green Button) confirmed the data the sourced and supplied to Verso was not generated and owned by its supplier, and that the original provenance of the data could not be ascertained.

The Commission concluded that there was insufficient due diligence undertaken, and did not think that Evolution’s (Green Button) awareness of the issues and risk in procuring this type of data was reflected in its arrangements.

The Commission accepted that Evolution (Green Button) had undertaken remedial actions and produced revised due diligence materials and that there was no intent to supply data of this nature again. The Commission also noted the declaration that in future data would not be accepted from amalgamated sources and record samples would be obtained to include screen shots of opt-ins and corresponding dates.

Outcome

The Commission found Evolution to be in breach of Rules 3.11 and 4.1 below.

The Commission strongly reminded Evolution of their obligations under the DMA Code. 

3.11 When buying or renting personal data, members must satisfy themselves that the data has been properly sourced, permissioned and cleaned. 

4.1 Members must act decently, fairly and reasonably, fulfilling their contractual obligations at all times.

click for more information

Please note that the Commission investigates complaints against DMA members involving breaches of the DMA Code. Any adjudication is based solely on compliance with the DMA Code and it does not, and cannot make comment on the lawfulness or not of the members’ actions.

This case centred on the supply of data of over 2 million consumer records to be used for an SMS marketing campaign.  The texts sent promoted an opportunity to place bets with a gambling company.  The complainant had received two unwanted text messages to this effect over the Xmas period.  The complainant was certain that he had not consented to receive the messages and had uncovered a lengthy supply chain over which his data was passed and which involved three DMA members. The messages the complainant received were mis-matched to an incorrect Christian name.

In considering cases where there is some form of value chain and where the member is using suppliers for a service to provide opted-in data to an explicit channel and sector, the Commission looks for assurance that sufficient due diligence is undertaken to show that supplier arrangements are compliant.  Given the high volume of records required for this order, the ‘sensitive’ nature of gambling and the requirements for the provision of clearly opted-in data, each member in the supply chain had a responsibility to undertake adequate controls and checks.

Digitonic were contracted by the gambling company to undertake the text marketing campaign on its behalf, and had sourced data from Verso Group. Digitonic had received paperwork indicating that the data would be supplied from Verso’s own telephone survey, which was opted-in to texts from the gambling sector. It later transpired that Verso did not provide data from its own telephone survey, and the data supplied was incorrectly formatted with the result that some texts were sent mis-matching mobile numbers with incorrect Christian names.

The Commission concluded that Digitonic had processes in place of a good standard, that were transparent and that demonstrated an intent to comply.

Outcome

The Commission did not find Digitonic in breach of the DMA Code, but asked Digitonic to look at whether sampling or other tests should be used to underpin their documented processes to validate the data they procure.  The Commission was reassured that this was an area to which consideration is being given.

click for more information

In 2015 the actions of data brokers came under tremendous media scrutiny. The work of the Direct Marketing Commission (DMC) over 2014 to 2015 has reflected these developments while investigating those DMA members that have been the subject of complaints.

Between 1 July 2014 and 30 June 2015, the DMC received 262 complaints direct from the public. Of these, 60 related to DMA members and the remainder were referred to the appropriate statutory or self-regulatory body. There were five formal investigations and most of these involved issues that had affected many of the general public and had been the cause of hundreds of complaints to other bodies or media criticism.

In two cases the Commission upheld breaches of the DMA Code. In three cases the Commission set out where it thought reforms were need to ensure compliance with the DMA Code. In all cases the changes were agreed. In each case the Commission shares its findings with the DMA and it has been an active contributor to initiatives by the Association to ensure DMA membership is seen as proof of a commitment to standards and trust in the market place.

Complaints have typically been around consent to marketing calls and messages, how and when it was given, and how the data was then used.

“The DMA Code says members are responsible for the proper sourcing, consents and cleansing of the data they trade and that members are responsible for the actions of their suppliers. The DMC wants to make sure that these rules are applied.  We see it as a problem if things go wrong and members tell us they relied on the assurances of others that consent has been given for the use of data but did nothing to check that this was true. 

“It’s simply not good enough for people to buy and sell data if they have no means of satisfying themselves that the people involved have given consent for the information to be shared in the way proposed. 

“Consent is something people give, not something that is taken,” said DMC Chief Commissioner George Kidd.

From 1^st January 2016, the DMC has appointed two new Industry Commissioners to help in its work – Fuel CEO Charles Ping and Fedelma Good, Director of Information Policy and Strategy at Barclays, who replaces retiring Commissioners David Coupe and Danny Meadows-Klue. We thank David and Danny for their hard work and commitment to the DMC.

Both Charles and Fedelma are data specialists. Fedelma Good began her career in banking in Dublin, gaining her MSc in computer science, and then moving to London where she further built her career with Deloitte, Equifax, Acxiom and running her own consultancy before going back to banking, this time with Barclays as Director of Information Policy and Strategy.

Charles has more than 25 years’ experience as a client, a supplier and running an agency. He is also a former chair of the Direct Marketing Association, and for the past 10 years has been a non-executive director of the Advertising Standards Board of Finance, which regulates non-broadcast advertising.

The DMC’s annual report can be downloaded from http://www.dmcommission.com/wp-content/uploads/2008/08/DMC-Annual-Report-2014-15.pdf

click for more information

This case looked at the concerns raised by a single complainant who had been in receipt of a number of unwanted emails where the sender email addresses had seemingly been created to give the impression the messages were coming from well-known legitimate businesses and the email content was unrelated to those businesses. The complainant had followed a link which led him to believe that AWM were involved. Over the course of the investigation, it became clear that some of those emails had been for marketing campaigns run by AWM.  AWM was using affiliates and sub-affiliates who each had databases of individuals which had allegedly consented to e-mail marketing for certain goods and services.

The complaint led to an investigation where the DMC looked at AWM’s business model and its relationship with its affiliates and sub-affiliates in general and did not restrict itself to only examining the single complaint received.

The adjudication addressed the case with particular reference to Code rule 4.3 which states that “members must accept that in the context of this Code they are normally responsible for any action (including the content of commercial communications) taken on their behalf by their staff, sales agents, agencies, one-to-one marketing suppliers and others.

The DMC recognised that AWM operated largely on the basis of trust in affiliates and in their trust in sub-affiliates and on feed-back from their campaign-clients or direct affiliates if something goes wrong. The DMC also noted however that AWM had made or were in the process of making some changes to their processes to ensure tighter controls and told the DMC that they were open to other reforms to assure compliance.

The DMC has made it clear to the DMA that it sees the need to apply the related provision that members must take responsibility for the data that is traded via the actions of their suppliers and sub-contractors. This message is now of key importance to the DMA and the application of Code rules across its compliance process.

We upheld a breach of rule 4.3 above and formally reminded AWM of its responsibilities under this part of the DMA Code.

click for more information

This case was referred to the Commission from the Direct Marketing Association following a recent investigation undertaken by the Fundraising Standards Board (FRSB) into a complaint from a TPS registered consumer who had received an unwanted call from Insight CCI, a telemarketer fundraising on behalf of Breast Cancer Campaign.

PDV Ltd, acting as a broker, had confirmed that it had supplied the complainant’s number to two selected clients, one of which was Insight CCI, after it had been supplied to them by a company based in India called Dynaxon IT Services. Dynaxon had conducted a telephone survey designed to create ‘opt-in’ leads for a variety of charities and commercial companies.

The Commission concluded that PDV had relied on assurances and documented processes signed with their off-shore supplier to comply with the UK TPS regime. Dynaxon, in turn, used another sub-contractor to provide a database of UK numbers to call and to check this database against the TPS register. PDV knew little of the sub-contract arrangement, had not themselves visited Dynaxon and did not seem at the time to have arrangements in place to test effectively whether the processes thay had set were being followed. At the time PDV did not themselves check the leads supplied by Dynaxon against the TPS register, although once they became aware of the problem, PDV assumed responsibility for this.

PDV’s supplier was a young and offshore business, that itself relied on data from a third party that supposedly had responsibility for compliance actions. PDV accepted the arrangement had not worked properly, that the original TPS complainant had been called wrongly and that this was not likely to be an isolated incident. We were also concerned about the overall vagueness of the information given to those who were called in terms of what consent they were being asked to give in agreeing to receive future marketing calls as a result of answering survey questions.

Given PDV is a data brokerage of some size and with a number of offshore partners the Commission thought PDV would have been more aware of its responsibility to ensure data is properly sourced, cleaned and permissioned and understood it was responsible for the behaviour of these suppliers specifically in terms of how they source data, check to ensure calls are not made to TPS registrants unless they have given prior consent, and that permissible calls are clear in terms of the marketing permissions they secure.

The Commission found four breaches of the DMA Code rules relating to the buying and renting of personal data. The Code says that members must satisfy themselves that data is properly sourced, permissioned and cleaned; they must take responsibility for action taken on their behalf by their suppliers; they must follow all legislation relating to the processing of data and they must act decently, fairly and reasonably.

PDV assured the Commission that changes were now underway to improve its audit process on its suppliers and presented revised processes and checks. The Commission welcomed these changes, and informed PDV that off-shore suppliers should be subject to a robust risk assessment and a high level of scrutiny if PDV and its clients are to be assured that data suppliers are operating to the standards set. The Commission concluded that these changes and assurances were critical to continued DMA membership. It has made this clear to PDV and invited the company to make changes and present these to the DMA. The Commission suggests the DMA review the matter in three months. If the DMA do not see changes during this period that would give an assurance that PDV and suppliers are Code-compliant, the Commission’s advice to the DMA would be to suspend membership until matters are on an acceptable footing.

It is clear that there is a great deal of public concern about the collection of personal data, where it comes from and how it is traded. The Commission appreciated that the issues with managing suppliers and the more specific issues with offshore call centres were not unique to PDV. The Commission will support the DMA in any work needed to reinforce the fundamental message that data companies have responsibility for the data they trade. Data must be properly, sourced, permissioned and cleansed and members will be held responsible the actions of their suppliers and sub-contractors when these duties are passed to others.

Following a review of amendments to PDV’s procedures, the DMA was comfortable that their recommendations had been incorporated and therefore decided to allow PDV to remain in membership.

click for more information

George Kidd, Chief Commissioner has received this year’s Roll of Honour award from the DMA for his services to the direct marketing industry.

George Kidd said: “I was surprised and delighted to be added to the Roll of Honour. I see it as recognition of the work of the Commission as a team and of the ways in which the DMA has focused on the user experience of direct marketing, investing hugely in an amazing new Code that deals with the big picture issues of privacy, honesty, taking responsibility for services and conduct and diligence in managing data. In less than ten pages the Code sets standards we can all understand, that few could debate and that we can all follow. There are lessons here for lawmakers: less is more!

Please here see link to DMA website.

click for more information

A data journey is the path travelled by a consumer’s data throughout its use. We think that visualising the data journey allows us to see how data has moved from one step to another and we can signpost different clauses or possible breaches at each step identifying problems.  Please see here for an explanation of this process and an example of a case that we investigated.

George Kidd, Chief Commissioner said: “There is a need in this day and age to look beyond the behaviour of one party that is complained about and understand the whole process. With food it might be how produce gets from the field to the plate. In our case, it is a data journey. Only by understanding how someone’s data is obtained, what they understand of that and then how the data is added to, bundled and sold on, can we understand why and when we get calls, e-mails and other marketing messages from unexpected sources.”

click for more information

The Commission recently conducted adjudications on two companies which were the subject of extensive coverage in the Daily Mail earlier this year. The allegations in the newspaper were serious and the Commission looked carefully at the conduct of the two businesses which were allegedly sharing sensitive data inappropriately and without adequate consent.

George Kidd, Chief Commissioner said: “These key investigations highlighted the importance of transparency when buying and selling data, in particular, data which is perceived to be sensitive. Businesses need to do their due diligence to assure themselves that the data they are buying is properly sourced and permissioned before they pass it on to other parties. When data is bought and sold across an extended supply chain and it is not clear as to the source or origin of that data, this will result in the public frustrations which we have seen from consumers and which have been highlighted in recent press coverage”.

Please see here for links to our two adjudication summaries – B2C Data and Data Bubble.

click for more information

The Direct Marketing Association had asked the Commission to consider the circumstances around the buying and selling of alleged sensitive financial data by B2C Data Ltd.  This followed articles in The Daily Mail which alleged that B2C Data Ltd was selling data on the pension and financial details of thousands of people without knowing the source of data the company was sourcing from third parties and without checking on the identity or plans of those to whom data was sold.

The investigation looked at B2C Data Ltd’s arrangements, how they source and gather their data, and how they ensure any data supplied is in line with regulations and collected with the appropriate consents.  It also looked at the arrangements that the member had in place for selling the data to third parties and any due diligence that is undertaken.

B2C Data Ltd co-operated with the DMC investigation. They were however unable or unwilling to disclose the sources of the data supplied to them to the Commission and though they provided a number of sample consent forms from their suppliers, many of these were found to be vague and not compliant with recent guidance from the Information Commissioner’s Office.

In some cases the suppliers were running web based services where anyone using the service had, in effect, to give consent to their data being shared with third parties simply and automatically by virtue of being on the site.  Additionally, there was insufficient evidence to substantiate the B2C Data claim that they did screen their data every 28 days against the Telephone Preference Service as claimed and as required in the DMA Code. Commissioners therefore upheld a breach of the Code rule 3.11 which states when buying or renting personal data, members must satisfy themselves that the data has been properly sourced, permissioned and cleaned. In this case the member company breached parallel requirements: failing to ensure their data suppliers provided adequate consent and for not substantiating that they had checked this data against the TPS before offering it to third parties.

The Commissioners also found a breach of the Code rule 4.4 which states that members        acting as an agency or supplier for a non-member’s one-to-one marketing activity must advise the non-member to act within the Code. The Commission found no evidence that this was included in correspondence or contract terms.

The Commission believe companies should be more aware of the types of data they are trading and when these might be perceived as ‘sensitive’ by consumers. They see a risk to the public and to public trust if data with this “potential” is sold without the suppliers having any knowledge of the purchasers or the purposes for which the data would be used.

Whilst there was no evidence to show that the data in this case constituted details of a highly personal nature or sensitive personal data as defined by the ICO there was a concern that the member had not been alert to the potential issues of data with quite apparent sensitivities.  The agreement and contract did not reflect any limited uses and or any unacceptable uses or purposes for the data.  Had this been in place, the Commission would have been more assured as to the member’s due diligence on its buyers.

This company however, has now ceased trading following an insolvency action and the issue is therefore closed.  However, should B2C Data Ltd have remained in DMA membership, given the seriousness of the Commission’s findings, the decisions are likely to have resulted in calls for significant change and evidence of change for their membership to continue.

This case again highlighted broader issues for the industry where businesses are unwilling or unable to provide information on the sources of data and the nature of the consents given by individuals to the use of their data. The use of non disclosure or confidentiality agreements is a barrier to buyers and sellers satisfying themselves that the data is safe to use. Alongside this, the selling and buying of data of a ‘sensitive’ nature and permission statements which may not reflect industry guidance can have serious effect when they are used across an extended value chain and result in the public frustrations we are seeing with increasing frequency. The DMC will be exploring these issues with the Direct Marketing Association.

click for more information

The Direct Marketing Association had asked the Commission to consider the circumstances around the buying and selling of alleged ‘financial and medical’ data by Data Bubble.  This followed articles in The Daily Mail which alleged that Data Bubble was selling or renting data on the pension and medical details of thousands of people without knowing the source of data the company was sourcing from third parties and without checking on the identity or plans of those to whom data was sold.

The investigation looked at Data Bubble’s data arrangements, how they source and gather their data, and how they ensure any data supplied is in line with regulations and collected with the appropriate consents.  It also looked at the arrangements that the member had in place for selling the data to third parties and any due diligence that is undertaken.

Data Bubble co-operated fully with the DMC investigation explaining where they source data and their due diligence arrangements in relation to their customers. This included information on the company who supplied the data they were marketing as a broker and how that data was sourced. The company provided information making clear they did not seek or offer information that might be described as “medical records”.

From the responses given, and in the absence of any further materials, the Commission did not find evidence that Data Bubble’s actions and processes had breached rules of the DMA Code in relation to their responsibility for data supplied to them or for their contract for its use. The investigation did, however, highlight some issues around Data Bubble’s relationship with their data suppliers and lessons in terms of how best to deal with data that might be considered sensitive from a consumer’s point of view.

The Commission was concerned that confidentiality agreements between the broker and its suppliers meant that they could not reveal or may not know the actual source of the data they bought. Whilst Data Bubble seemingly used reliable and trusted suppliers and undertook due diligence on the data they bought and sold, in an extended value chain this was a worry as it meant there was a limit as to the assurances that could be given to buyers on the data’s provenance. This was reflected to an extent in initial uncertainty over the source of data on “ailments” that might be relevant to a business offering pension services and the extent to which Data bubble were reconciled to not getting answers on sources from their principal suppliers.

This seemed even more important when the data was deemed ‘sensitive’.  Though no evidence was found that the data in this case was ‘sensitive medical data’ the Commission thought that when selling data that had a ‘heath’ angle, the member would benefit from understanding more about the specific sources of the data in order to assure buyers of its provenance. The Commission found Data Bubble had been clear in its invoice that the data provided was supplied on condition that its use was related to a pension marketing exercise. Rules on the limits applicable to the use of data were also included in the company’s terms and conditions. The Commission did, however, think a broker firm set up to trade in data should have been more alert to the potential issues with data with apparent sensitivities.

The Commission thought the case highlighted broader issues for the sector if players were unable or unwilling to provide information on the sources of data and the natures of the consents given by individuals to the use of their data. If applied as an industry “norm” this practice had serious implications for those trading in data and those using it for marketing to the general public. Public frustration is understandable when those who contact them are unable to say when and how their details were obtained and why the marketing firm believes it has their consent to make a call or send a message.

The use of confidentiality agreements or non-disclosure policies are an obvious barrier to others satisfying themselves that the data is safe to use. While the Commission did not find a compliance issue in the Data Bubble case the exercise highlighted the need to look afresh at how data is traded.

click for more information

The Information Tribunal has awarded Reactiv Media an fine of £75,000, increased from £50,000 during an appeal hearing held in York last week. Reactiv had consistently called consumers registered with the Telephone Preference Service (TPS).

The story begins last year, when Reactiv Media, then a DMA member, was investigated by the Direct Marketing Commission (DMC) for making nuisance calls about spurious PPI claims to consumers registered with the TPS.

The DMC concluded that Reactiv should be expelled from the DMA in April 2014.

George Kidd, chief commissioner of the DMC said, “Other telemarketing companies have worked with us and turned past problems around. Those who use companies like Reactiv Media to generate leads share a responsibility. They should not be encouraging firms to bend or break rules that are there to make sure the public’s wishes are respected when it comes to telemarketing.”

Reactiv Media then came under the scrutiny of the Information Commissioner.

Between 13 November 2012 and 31 December 2013, the TPS received 481 complaints about Reactiv Media, and referred those complaints to the Information Commissioner. The Information Commissioner received a further 120 complaints.

In July 2014, the Information Commissioner issued a fine of £50,000 to Reactiv Media for ‘bombarding people’ with nuisance calls. The full notice is here.

Reactiv Media then appealed this decision.

In the appeal decision, which reported its findings on 13 April, the tribunal concluded that Reactiv Media displayed, “A culture of denial and minimisation of the breach, weak governance of the company and a tendency to blame others rather than accept responsibility. There is little evidence of robust policies and procedures coupled with a culture which properly respects telephone subscribers and their right to privacy.”

In addition, when the Information Commissioner awarded the initial fine, it had limited access to Reactiv Media’s financial records, and was “Hampered in its consideration by the lack of co-operation from the company.”

The appeal hearing gave greater access to the company’s finances, and concluded that not only should the sanction stand, but the fine should be increased by 50% to £75,000.

Assistant manager of the TPS, Arthur Cummins, was a key witness. “Mr Cummings, Assistant Manager of TPS demonstrated the robustness of the procedures used by the TPS to ensure that only eligible complaints were processed. He confirmed that Reactiv had been in the top 20 most complained list for five months in 2013, most recently in October 2013 but had not figured subsequently. He gave clear and convincing evidence which the tribunal accepted.”

By Ed Hall, DMA PR & Content Manager

click for more information

From April, new pensions rules will give hundreds of thousands of those aged 55 and over direct access to their pensions and large sums of cash for the first time.

In the first four months, pensioners will remove an estimated £6 billion of cash from their pensions, which will in turn create many new selling opportunities for brands. However, lessons from PPI and accident claims should serve as a warning.

With this in mind, the DMA has created a toolkit for marketers.

This guide will help ensure your marketing activity meets the expectations of consumers.

We have included helpful at-a-glance information for brands to share with their customers including some to help them understand what to do, should their retirement be disturbed and they receive unwanted one-to-one pensions-related marketing.

Advice for brands to share with customers

Consumers generally object to nuisance calls, which are usually the result of poorly targeted or irrelevant marketing. Such calls are often illegal and in breach of the DMA regulations.

Annoyance is an issue but problems can be worse, particularly for vulnerable consumers. Consumers must be reassured that they can opt-out of future telemarketing calls if they wish.

The DMA runs the Telephone Preference Service (TPS) on behalf of Ofcom. Consumers can register their mobile or home telephone number to the service free of charge and opt-out of future marketing. Consumers can sign up to the service here

If a person continues to receive unwanted nuisance calls in spite of TPS registration then they may complain to the Information Commissioner’s Office (ICO), which is the regulator in charge of enforcement, to report the offending business. The more information a person can provide to the ICO the better, in particular:

• the organisation responsible for the call
• the number the call came from
• the date and time of the call
• the nature of the sales/marketing that occurred during the call

Complaints can be made directly to the ICO by ringing their helpline on 0303 123 1113 or by visiting their website

Financial Scams

Beyond nuisance calls, financial scams are another potential problem. Such calls may start as nuisances, but develop into something else. Such calls are likely to fall outside our remit, and may be more appropriate for the police. However, there are two more sources that can be helpful for consumers:

• The FCA’s Smart Scam Investor for advice on avoiding scams.
• The Pensions Regulator also offers advice on how to avoid pension scams.

Government assistance

The Government will provide free, impartial advice to anyone who wants to know more about the pension changes, to help people make informed choices.

This advice will be available:

• Face to face at the Citizens Advice Bureau
• Online at GOV.UK
• Online at Pension Wise

Lead generation activity and marketing calls

Firms engaged in lead generation work should be up-front about the purpose of calls and be clear about the identities of those parties they intend to share information with. They should not call TPS registered consumers unless they not only have consent to do so, but can also demonstrate they have this consent.

If your firm uses data supplied by third parties (such as lead generation companies) then your marketing activity is not exempt from TPS responsibilities. Your firm could be held responsible for calls made to consumers registered with TPS without named consent. Action could include action by the ICO and dismissal from the DMA if our laws and Codes are wilfully broken.

Responsible marketing

DMA Code – Marketers should use the DMA Code and how-to guides when creating their marketing campaigns, especially when targeting the over-55s. The DMA Code contains five aspirational principles:

1. put the customer first;
2. respect privacy;
3. be honest and fair;
4. protect your customers’ data; and
5. take responsibility for your actions.

Good one-to-one marketing is an exchange between business looking to prosper, and the customer looking to benefit.

Telemarketing guide – The DMA has produced channel-specific guides, and marketers should read these to learn about industry best practice. Telemarketing will come under intense scrutiny once these pension changes come into force. Marketers need to uphold the highest possible standards.

Picking up the phone and having a conversation can be a tremendously powerful way to convert a consumer into a customer. As the experiences around PPI demonstrate, it’s also easy to get it wrong. Getting it right is more important than ever. The Telemarketing Guide will help you get it right.

Vulnerable consumer guidelines – Those aged 55 and over are more likely than the rest of the population to be considered vulnerable, due to age-related illnesses. Marketers should factor this into any campaign aimed at older consumers. This guide is for call centre staff who may come into contact with vulnerable consumers. It includes a step-by-step guide to spot a vulnerable consumer during a telemarketing call, and how to best communicate with that person. The guide includes details for managers on how to ensure their staff behave responsibly in their contact with vulnerable consumers.

Data guide – This guide gives marketers the lowdown on data privacy and the best ways to collect and use customers’ data for one-to-one marketing.

Ad mail guide – Rules and regulations for ad mail and the right ways to target the right letter boxes

Email guide – Email is generally something consumers have opted into, so consumers have already consented to contact, which makes email less of an issue. This guide contains great tips for using this channel effectively.

Mobile guide – Like email, SMS is another opt-in channel, so consumers will expect contact. The mobile guide takes marketers through many of the other communication channels available via mobile and other devices, including proximity marketing, geolocation and more.

click for more information

The Direct Marketing Commission is formally investigating two companies following allegations in the Daily Mail that personal data was shared inappropriately and without the consent of users.

The two companies are:

• B2C Data Ltd, based in Milton Keynes
• Data Bubble, based in Bradford

DMC Chief Commissioner George Kidd said:

“The allegations in the Daily Mail are serious.  People must be able to trust those with whom they share their data.  We will look carefully at the roles and conduct of these two companies and advise the DMA on our findings quickly.”

The DMC will determine whether either company has breached the DMA Code. All companies that are members of the DMA are expected to follow both the spirit and the letter of the DMA Code.

click for more information

Congratulations to the Direct Marketing Foundation for commissioning research into complaints about one-to-one marketing.

I am not saying I buy into all the numbers and every conclusion in the report – particularly the millions of complainants implied when the sample data is extrapolated. But I feel the research tells us a lot.

It shows direct marketing is all but universal – 95+% of those surveyed were getting mail, e-mail and calls. Unfortunately, two-thirds or more of those surveyed had an issue with the marketing received. And only one in four to one in ten “complainants” were satisfied with the outcome of their complaint.

That is an awful lot of hacked-off people. What does the report tell us about why?

It tells us we have little feel for the cumulative effect of all the marketing that is going on. Firms may make no more than 2 repeat calls a day or send e mails only every third day ….but any single individual might be getting 10-20 calls a day and 50 -100 e-mails a week when everyone’s messages are tallied.

It tells us different forms of marketing have different impacts on people and that these differences in tolerance are still there when the volume of marketing goes up or down.

It tells us people place huge value on relationship and relevance: that they are far less likely to complain and far more likely to engage if they have a past relationship with the entity that is marketing and the material is relevant. Unsurprisingly, they also respond best when there is a value-exchange: when there is something for them as well as something for you in the engagement.

It tells the industry it should be more honest in its messaging. I see too many cases at the DMC with invented and transitory trading names to conceal lead generation as the real purpose of a call or mailing to understand. I see why the public are sceptical and cynical. Are you really doing yourself a favour with this sort of badging? It makes business sense for customers to get to know you. If you don’t want them to do that perhaps we or others should be looking at the sense in your business?

It tells the sector that it needs to listen more: 91% of those surveyed said it should be easier for people to opt out of receiving marketing, and 82% said they feel badly towards organisations that send irrelevant material.  Are you pouring money down the drain when you needn’t?

There’s a message here saying preference services need to work. If they do not the complaint levels will be higher than if the service had not been there in the first place.

Reading across the report there are a couple of big-picture messages I took. The first is that “one size does not fit all”. It has been painfully obvious through the PPI personal injury debacle that there are firms in this and perhaps every sector who have no long-term ambitions, little or no brand to promote or protect and whose “business model” is anchored in reckless prospecting or marketing designed to confuse or mislead.

It’s all very well Which? saying every firm should have a director charged with data responsibilities and for Future Foundation to laud O2’s complaint handling. Not everyone is O2. Not every business aspires to be O2.  What works for mobile networks does not work for funeral directors and what works with them does not work with affiliate marketers for pension-miss-selling claim management companies! Regulators need a better understanding of the dynamic of markets and the drivers in them.

This goes to my second thought – we need to look generally and then on specific issues at the best way to put the customer first. Future Foundation seem to want more and more of us to complain in the expectation the Government and its agencies will get tougher and tougher and the world will become a better place. I do not think this old-school approach works.

I believe in a Pre-empt, Prevent, Protect agenda – working to build understanding, compliance and coverage as DMA has with its new Code, doing risk assessment work as we have started to do with possible new cold-call activity and heading problems off through prevention where possible and far faster targeted “protection” work when necessary. In that regard the mechanical way state regulators seemed to respond to the PPI issue could be a case study in how not to do things. Doors are being bolted but many of the horses have gone. Let’s learn a little!

click for more information