Entries Tagged 'Consumer'

Protecting privacy - why bother?

So many reasons… But companies frequently just want to know what the regulatory sanction will be if they don’t.

And the Information Commissioner’s Office seems keen to show that it intends to keep up momentum when it comes to enforcing the DPA.

The Data Protection Act 1998 has been in force now for some years, and yet I am surprised daily by the number of large businesses who do not have their “data” house in order. Maybe this is partly the fault of the lawyers for not standing their ground when it comes to compliance - it is very easy to dismiss minor breaches of the Act as low risk.

Well, perhaps no more.

Not only has the Ministry of Justice published the draft legislation making breach of s55 an offence which can attract a custodial sentence, the ICO has issued an annual report which promises to make it tougher for those organisations who do not seek to handle personal information well (and easier for those that do).

And putting its money where its mouth is, the ICO has required undertakings from two more organisations.

What is particularly surprising here is the nature of the breaches. Many organisations may currently believe that there will need to be a major leak of personal data or similar issue before complaints will be heard by the ICO, or that a minor breach would need to lead to significant damage to many individuals before it would be escalated above a slap on the wrist.

But no.

No more marketing please

The first breach involved an individual who found it difficult to stop one company sending her marketing communications.

Clearly, “unsubscribe” requests should always be honoured by companies and it is hard to see why this should slip through the net.

However, there is one aspect of dealing with “unsubscribe”s that I’ve found that many clients (and lawyers) struggle with.

When a request to cease sending marketing information to an individual is received, the organisation should not just remove that individual from their marketing database.

Why not? Well, this can cause problems later down the line. For example, what happens if the organisation later purchases (which I wouldn’t necessarily advise…) a marketing database which includes the details of this individual? They will have no way of knowing that that individual had asked not to receive marketing from them in the past.

Instead, the details of that individual should be suppressed - maintained on the database but clearly flagged as “no marketing”.
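The difference between deleting and suppressing, shown as an added example that is not part of the original post. It assumes a hypothetical `contacts` table with a `no_marketing` flag, and all addresses are constructed sample data.

```python
import sqlite3

def normalise(email):
    # Match addresses regardless of case or stray whitespace in an imported list.
    return email.strip().lower()

def open_db():
    # Hypothetical schema: one row per contact, with a suppression flag.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contacts (email TEXT PRIMARY KEY, name TEXT,"
               " no_marketing INTEGER NOT NULL DEFAULT 0)")
    return db

def add_contact(db, email, name):
    # OR IGNORE: an existing row, and its no_marketing flag, is left untouched.
    db.execute("INSERT OR IGNORE INTO contacts (email, name) VALUES (?, ?)",
               (normalise(email), name))

def unsubscribe(db, email, suppress=True):
    key = normalise(email)
    if suppress:
        # Keep the record and flag it, so the request survives later imports.
        db.execute("INSERT OR IGNORE INTO contacts (email) VALUES (?)", (key,))
        db.execute("UPDATE contacts SET no_marketing = 1 WHERE email = ?", (key,))
    else:
        # Plain removal: no trace remains that this person opted out.
        db.execute("DELETE FROM contacts WHERE email = ?", (key,))

def mailing_list(db):
    rows = db.execute("SELECT email FROM contacts WHERE no_marketing = 0"
                      " ORDER BY email")
    return [r[0] for r in rows]

def demo(suppress):
    db = open_db()
    add_contact(db, "alice@example.com", "Alice")   # constructed sample data
    add_contact(db, "bob@example.com", "Bob")
    unsubscribe(db, "alice@example.com", suppress=suppress)
    # Constructed "purchased" list that contains the opted-out person again.
    for email, name in [(" Alice@Example.com ", "A. Smith"),
                        ("carol@example.com", "Carol")]:
        add_contact(db, email, name)
    return mailing_list(db)

if __name__ == "__main__":
    print("delete:  ", demo(suppress=False))
    print("suppress:", demo(suppress=True))
```

With deletion, the purchased list puts the opted-out address back on the mailing list; with suppression, the flagged row blocks the re-import.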

Secure systems

The second breach involved new employees sharing log-in details before they were set up on the IT system. Why does this matter? Because if employees gain access to customer details under a generic or shared log-in, there is no audit trail to follow - no way of telling who has dealt with the personal data at any particular time.

There was no suggestion here that any damage had been caused - but the data controller had not complied with the 7th principle - the obligation to keep personal data secure.

Only the beginning

OK, so being required to give an undertaking to the ICO might not be that severe a sanction; but I think we’re seeing a clear message from our friendly regulator. Where you are a large, consumer facing organisation, the ICO will react to complaints even if damage hasn’t been caused (yet), and even though the breaches may seem trivial. Why? Because these types of breaches could lead to problems in the future, and with the number of customers these organisations have, breaches need to be nipped in the bud.

It is all too easy to disregard data protection compliance, particularly when there is no immediate penalty for doing so. However, consumers are becoming much more aware of their rights, and I can only see the importance of protecting personal data and privacy growing as time goes on.

Unfair terms in consumer contract guidance - Consultation

The OFT is consulting on revisions that it has made to its guidance on the Unfair Terms in Consumer Contracts Regulations 1999.

The guidance makes interesting reading and is a godsend for those of us who deal with consumer contracts. In particular, it contains an annex which sets out examples of clauses which were rejected by the OFT as being in breach of the regulations, and the final clause accepted by the OFT.

Responses are required by 22 May 2007.

The Office of Fair Trading: Unfair contract terms guidance

Spam Spam Spam - ISPA takes action

ISPA have published guidelines to ISPs on how to deal with spam, a growing problem, with 3 key strategies:

  1. Attribution of emails - ISPs should not relay emails for non-verified third parties, and should be able to attribute email generated on their systems to a user.
  2. Abuse management - ISPs should have in place a system for users to report Spam, and to ensure that these reports are dealt with.
  3. Customer information - ISPs should make sure that customers understand what Spam is, what action will be taken if they send it, and then follow up by publicising the action they take against those who abuse the system.

ISPA publishes anti-spam standard - 04/Apr/2007 - ComputerWeekly.com

A consistent approach for EU consumers?

Yesterday, the European Commission published its long awaited “Green Paper on the Review of Consumer Acquis” - the body of rights held by consumers in the European Union.

The review covers the 8 main directives aimed at protecting consumers, including the familiar roll-call of the Unfair Terms in Consumer Contracts Directive, the Consumer Sales and Guarantees Directive, the Distance Selling Directive, the Doorstep Selling Directive and the Package Travel Directive. It draws on a number of surveys which show that despite attempts at harmonisation, trade between member states in consumer goods is not what it could be - many businesses would like to sell to consumers in other member states but are fearful of doing so because of varying regulatory requirements, and many consumers who purchase goods from another member state are running into difficulties when their rights vary state to state.

The main objective of the review is to remove this stumbling block, allowing consumers and businesses within the European Union to trade without concern as to where the other party is based, primarily to benefit consumers by allowing for consistency, but also to reduce the burden on SMEs by creating a more predictable regulatory environment within the European Union.

The green paper is consulting on a number of issues including the proposed approach (either a vertical approach requiring the revision of individual directives, or a horizontal approach requiring the implementation of a framework addressing issues for all consumer contracts), the definitions of consumer and professional (recognising that there is not currently a consistent approach to this), the potential introduction of a general duty to act in good faith, and detailed questions regarding unfair terms, withdrawal, delivery, remedies and other issues.

Responses to the consultation are requested by 15 May 2007. The green paper can be found here.