In a nutshell, the Royal Society for the Prevention of Cruelty to Animals (RSPCA) and the British Heart Foundation have been fined GBP25,000 and GBP18,000, respectively, by the ICO for -- it would appear -- rank stupidity. The pair have admitted to being part of what the ICO calls "a massive pool of data for sale", built by pretty dubious means. Apparently the charities were carrying out wealth screening, with the help of third-party data, to work out which of their supporters were the high fliers. The tricky part is that they then appear to have been actively trading this data between themselves so each charity could target the other's rich list. The ultimate aim was to get a lump sum set aside in a wealthy person's will.
News commentators have highlighted the very obvious point that this duo is unlikely to be the only guilty party, so we can expect further action against other charities. The ICO reported that it was shocked at the scant regard for personal data, most notably the passing on of rich lists so that a charity the person had never given permission to contact them would suddenly begin bombarding them as a high-priority case. It is effectively the mirror image of the stories from a year ago, when poor pensioners were in the headlines for being deluged with begging calls and letters from charities because their previous generosity had landed them on "sucker lists".
The way they used third-party data to establish wealth, and the likelihood of a few quid being available in the will, has probably broken rules, but the very obvious, clear breach is the swapping of those refined lists without the consumer's consent. The ICO pointed out that the fines were small, and was very clear that they could have been ten times higher had the guilty parties been corporates rather than entities that can only pay a fine by redirecting donations away from worthy causes.
So well done, ICO -- let's hope some more charities start to sit up and take note. I suspect we haven't seen the last of this case.
The same goes for the new utilities register of customer emails, which the Competition and Markets Authority (CMA) is insisting energy companies cannot remove their customers' details from. The list exists so that rivals can email offers to tempt people away from, typically, an expensive standard tariff. You can see the idea. But what about the legality? Apparently the CMA will ask every energy supplier to send customers a letter or email explaining the nature of the database and how they can go online and take their details off it. Beyond that, however, the implication appears to be that you are signed up unless you take action to come off it.
Regular readers of this column will know exactly what that will mean a year later, when GDPR arrives in spring 2018 and brings massive fines for any brand marketing to someone who has not freely given full and informed consent to marketing communications.
Trust me, watch this one. It is going to be a hot potato when GDPR comes in, and it is hard to imagine whose legal advice the CMA has sought on a system that opts you in unless you opt out and is due to run for more than a year before the new regime lands. One can only imagine it will be altered to be GDPR compliant before it is put into action, or we could see complaints against energy companies with the CMA ultimately responsible for the unwanted spam -- and potentially for the massive accompanying fine.