Marketers beware: ‘irritation’ fines being called for

The Information Commissioner’s Head of Enforcement has published a blog about financial penalties that shines a bright spotlight on the ICO’s thinking around how to deal with nuisance marketing. The backdrop to the story is the Information Tribunal’s overturning of the record Monetary Penalty that the ICO imposed on two company directors who were sending out spam SMS marketing messages on an industrial scale. The basic problem in the case – as far as the Tribunal is concerned – is that the financial penalty regime requires ‘substantial’ harm to be caused by the offending practice before a fine can be imposed. In the Tribunal’s judgment, a spam SMS causes only minor irritation. To get around this problem the ICO argued that the aggregate effect of many thousands of irritating texts amounts to a substantial harm. The Tribunal was having none of this, and the fine was unwound.

So where does this leave the ICO? In a nutshell, the ICO is saying that the financial penalties regime for direct marketing problems has been destroyed by the judgment. In the ICO’s view, the law is now ‘bad’. There is only one thing that can be done to restore the law to a credible state, which is to amend it, to lower the threshold for fines.

I’m not going to tackle the substance of ICO’s arguments here. It’s the insights that the blog gives into the mind of the regulator and the likely impacts for marketers (if the law is amended) that are most interesting to me.

If the ICO’s case for amendment of the law is accepted by Parliament, it will place marketers into an unprecedented zone of legal peril. Nuisance level fines are unprecedented in this country. The triggers to fines will be so low that every business that engages in electronic direct marketing will be at risk if the recipients of their messages complain en masse.

Do people complain en masse? Sure they do. The ICO tells us every year that complaints are increasing. And, of course, it would be easy for pressure groups to drum up significant volumes of complaints. The initiative launched by Max Schrems in his Austrian litigation against Facebook is a good example of this dynamic. There are plenty of others.

And where should the lowering of the threshold end? If it is right to lower it for direct marketing, what about for other data protection matters? Security breaches are more serious than direct marketing problems, aren’t they? Well, that depends on your point of view, but why not impose nuisance fines for them? What about data accuracy? Or how about international data transfers? Aren’t many thousands of people irritated by the transfer of their data to foreign jurisdictions?

The ICO might be right in its case. Or it might be wrong. That’s not the point of this analysis. What is sure, if the ICO is right, is that data protection regulatory risk will increase exponentially. That’s something that data controllers everywhere ought to be aware of. This is part of the ‘Regulatory Bear Market’ that I keep talking about.

Of course, a simple retort to these concerns is that no one acting lawfully will be fined. That’s correct, but the realities of direct marketing, data protection, regulation and enforcement are somewhat different from the purely theoretical aspects. When the totality of the situation is considered, a number of core realities become visible. For instance, there isn’t yet a bright line test to enable people to be sure whether they are acting on the right or wrong side of the law. Consider the recent debates about the meaning of consent for the setting of cookies and you’ll see that an authoritative consensus view hasn’t yet emerged. Also, consider the realities of databases and data acquisition: legacy systems, old data, aged consents, list broking, mergers and acquisitions, joint ventures. How many organisations are certain of their consent profiles for all aspects of marketing? Also, consider the corporate attitudes to monetisation. How many want to ‘push the envelope’, or want to abut the ‘creepy line’? These are just some of the many difficult aspects of data controllership that feed into assessments of lawfulness.

In other words, the organisations that will be vulnerable with a lower threshold for fining will be much more than the deliberate, industrial spammers.