Earlier this year, I received SMS Spam from Paddy Power. I went into full-on Taken mode! I have a very particular set of skills, skills I have acquired over a very long career. Skills that make me a nightmare for spammers like them ☺
It culminated with barrage of complaints and an interview on BBC Radio 4.
A few months on, it's time to see what my complaining has achieved. First up, a pretty good response from the Direct Marketing Commission.
May I thank you for raising your concerns about the supply of your mobile data which led to your receipt of an unwanted text message from Paddy Power.
The DMC has looked into this matter and we have liaised with each of the members involved in the supply chain leading to your receipt of the unwanted text. Our investigation has highlighted specific areas where we could see a concern around direct marketing practice which led to your receipt of the SMS message. Whilst you may have opted-in to have your data shared, the companies involved relied on a tolerance that is not in place today, to retain and use data long after consent was given. Additionally, a sub-contractor made errors when placing names onto the marketing list which meant you were not suppressed from further marketing.
GoldSixty7 (DataTrada) was responsible for the suppression of your data. They supplied your data to Datatonomy and received your data from DBS Data. They have confirmed that you were not suppressed as you should have been, and apologise to you for the error. We have reminded the company of their obligation under the rules of the DMA Code which asks that members operate and maintain a suppression system. Whilst they did have a system in place, an error meant that the feed of data which contained your record was not updated. The data in question was used only once and the error has been rectified but it should not have happened.
DBS Data had sourced your data from USM Digital in 2012. This we understood to have been ‘opted-in’ in 2007. We were concerned about the consents people have given to the use of their data and how long data is held and we questioned the due diligence undertaken by DBS Data. Changes to guidance in late 2013 had encouraged DBS to review their policies and procedures in relation to compliance and consents, and part of this was a review of opt-in and consent statements and ensuring that consents remained current and compliant. Additionally, DBS have further reviewed their due diligence and made other changes since the case was made known. We have reminded DBS of their obligations under the Code to ensure that data is properly sourced, permissioned and cleaned; that any personal data collected should be adequate, relevant and not excessive for the purpose for which it has been collected; and that they accept that in the context of the DMA Code that they are normally responsible for any action (including the content of commercial communications) taken on their behalf by their staff, sales agents, agencies, one-to-one marketing suppliers and others.
The issue with data journeys is a recurring one. We have flagged this with the DMA who are looking strategically at the safeguards that might be possible after data and general or very limited consent for its use is given, when it is checked or cleansed and when and how it can be shared with or sold to others for marketing purposes.
May I thank you again for your efforts to highlight a problem in the industry.
Ok, so they didn't rain down fire from above - but it looks like they did a thorough job of investigating. Hopefully it will have put the fear into the responsible companies.
Next up, the Advertising Standards Authority.
I’m sorry to tell you that we are unable to deal with your complaint directly on this occasion because text messages from Paddy Power are sent from their Head Office which is based and registered in Ireland. Our Codes can only be applied to advertisers based in the UK or using a UK platform to advertise; unfortunately, advertisers who are based abroad are under no obligation to act in accordance with the UK Codes of Advertising that we administer.
However, you may be interested to know that we have an agreement with a European-wide (and beyond) alliance of advertising regulators, EASA, and will therefore refer the matter to our counterparts in Ireland for consideration.
Ah, national regulators always seem to have a problem with international businesses! Well, let's see what the ASA Ireland have to say...
The function of the Advertising Standards Authority for Ireland is to ensure that advertisers comply with the requirements of the Code of Standards for Advertising, Promotional and Direct Marketing in Ireland and to investigate complaints concerning advertisements that may be considered to be in breach of the Code.
We have reviewed your complaint referred to us by the ASA in the UK. The Code applies to advertisements carried in the media (e.g. press, radio, television, cinema, brochures, direct mail, etc.) and to promotions and promotional material. Our Code does not cover data protection issues. These issues are covered by the Data Protection Commissioner in Ireland. The Data Protection Commissioner has responsibility for enforcing legislation which deals with unsolicited marketing. If you wish we can refer your complaint to them directly ...
Ok... being passed from pillar to post here. Nevertheless, I've asked them to refer the complain to the DPC in Ireland.
In the meantime, let's see what the UK's Information Commissioners Office has to say...
I fully appreciate your concern regarding this, especially that you are still receiving the spam after two years.
The emails that you are receiving are covered by regulation 22 of Privacy and Electronic Communications Regulations 2003(PECR). In regulation 22 of PECR, an organisation cannot transmit, or instigate the transmission of, unsolicited marketing material by electronic mail to an individual subscriber unless they have previously notified them, the sender, that they consent, for the time being, to receiving such communications.
The data protection act 1998(DPA) gives rights to individuals. One of the rights is that an individual can request an organisation to stop using their details for direct marketing, this is covered by section 11 of the DPA. This is known as a section 11 notice. To exercise this right an individual needs to write to an organisation to advise under the DPA they wish for their personal data not to be used for direct marketing. We expect that in normal circumstances electronic communications should stop within 28 days of receiving the notice. If, after a reasonable time, the email do not stop, you are able to enforce your right via a Court of Law, on your own behalf. You can also ask this office to look into the matter.
If an individual wishes to report a concern to the Information Commissioners Office(ICO), the individual must bring the concern to the ICO within 3 months of receiving the final response from the organisation the concern is about.
For us to consider a concern we would need a completed report a concern form, a copy of your letter to the organisation, and their response, (if they have responded), and a copy of any other supporting evidence in relation to the issues you have raised.
*sigh* OK, time to fill in yet another form!
I hope you appreciate all this hard work, dear reader - I do these things so you don't have to ?