Illegitimate interest

Lars Janssen
Jun 13, 2020

Two years on from the introduction of GDPR, most companies here in the UK seem to have got the message. After the initial flurry of privacy policy updates, the flow of unwanted communications slowed to the point where the remaining culprits stand out like a sore thumb.

My tolerance for misuse of my personal data has likewise decreased, not helped by me falling victim to an exceptionally large payment card fraud linked to a data breach earlier this year. I’ll reserve further comment as that case is subject to legal action.

For now let’s talk about a lesser but more pernicious scam: marketing in the guise of service emails.

Translation: “WE get to decide whether we email you or not.”

You’ve almost certainly received them, and in the wake of COVID-19, they are becoming increasingly common. Deprived of the opportunity to “drive engagement” (otherwise known as “constantly trying to grab your attention like a needy and greedy child”) by these pesky new rules, marketing departments have cooked up a new plan: send as many “service emails” as possible to make sure their company and brand are “top of mind”.

These emails are also known in the business as “transactional emails”, although as you’ll see below, some companies disregard the notion of linking communications to an actual transaction.

You’ve got money.

One offender worthy of naming and shaming is PayPal, for the 52 emails they have sent reminding me “You have money in your PayPal account.” Every month they sent this drivel despite the fact that I had opted out of marketing. Where the unsubscribe links should be, the sorry excuse:

This PayPal notification has been sent to [redacted]. Your monthly account overview currently doesn’t include marketing messages. If you want to be informed about our updates and special offers, change your settings here.

This is a problem in the same way that dropping an empty Coke can on the street is a problem. Your action alone won’t ruin the neighbourhood, but littering laws exist for a simple reason that even a child can understand: when everyone does it, we end up living in trash.

How many accounts do you hold that have a balance of some kind or another? Bank, savings and credit accounts, pre-paid cards, mortgage, pensions, travel cards like Oyster, gas and electricity — the list goes on. My bank accounts alone look like an elaborate money laundering scheme as I have gradually split my money into separate pots to try and make it harder to blow it all on expensive hi-fi gear and the like.

By this reckoning, I could get around 30 emails per month along the lines of PayPal. Their actions are unfair to individuals, and also to their competitors who play by the rules.

Eventually I got fed up with this, so I tried gaming the system. In March I transferred the entire balance of my PayPal account—a grand total of 39 pence — into my bank account, leaving PayPal sitting at a big fat zero. Problem solved? Nope, they’re not falling for that trick!

The following month I received another engagement email of the same sort but with the subject changed to “Your monthly account update.” and the copy:

“It’s not a marketing email” they cry in the footer, even though it has their branding, a call to action and the first thing I saw after logging in was a full-screen advert.

Three months on they are still sending me updates about that same 39p withdrawal. Seriously?

So I have decided to assert my rights as a data subject.

I get it, most of us don’t want to bother — that’s exactly why they’ve been getting away with misusing my data for years. Sure I could just delete my PayPal account, but I doubt they’ll miss me, and then I need to figure out how else to get paid on eBay when I sell all my obsolete Sonos gear (a subject worthy of its own post).

I sent a formal complaint to their Data Protection Officer (DPO). This is better than complaining to customer services because the DPO is expected to understand the law and consider each request on its own merits. It’s easy to find the privacy policy on most websites and search for the word “contact”.

The case is pending, so I will provide an update in a future article.

Visit us in store (er, no thanks).

Yesterday I received spam of a similar kind from Argos, a company who I used to order some garden furniture for delivery last August.

I wrote to their Data Protection Officer citing Article 21 of the GDPR: Right to object, along with Regulation 22 of the PECR. It might sound like you need to be a lawyer to complain, but the handful of regulations cited in this post should be sufficient for the vast majority of spam situations and the complaint letters will have similar content.

Unfortunately, the law is open to interpretation when a company argues that an email isn’t marketing, because they can then rely on “legitimate interests”—Article 6(1)(f). I will counter this with the guidance provided by the Information Commissioner’s Office:

When can we rely on legitimate interests?

Given that individuals have the absolute right to object to direct marketing under Article 21(2), it is more difficult to pass the balancing test if you do not give individuals a clear option to opt out of direct marketing when you initially collect their details (or in your first communication, if the data was not collected directly from the individual). The lack of any proactive opportunity to opt out in advance would arguably contribute to a loss of control over their data and act as an unnecessary barrier to exercising their data protection rights.

(My emphasis.)

In my view the lack of an unsubscribe mechanism is even worse than the example cited by the ICO. Even if the Sainsbury’s Group (owner of Argos) deny my request by claiming that it isn’t even marketing, by using my right to object I have shifted the balance of “legitimate interests” in my favour because sending emails after the data subject has specifically said they don’t want them is much harder to justify than sending them in the first place without an opt-in mechanism, marketing or not.

I am hopeful that the ICO will side with me in the ensuing complaint about emails already sent, and confident they will do so if the emails do not stop.

Time not well spent?

Complaining like this is time consuming, so I created a template on Google Docs and can usually turn one around in under half an hour. With no scientific evidence whatsoever, I am convinced that saving it as a PDF and attaching it to an email is more effective than complaining in an email body. Anyone can fire off a quick email but when you write a letter, you mean business. Even when there’s no paper, stamp and envelope involved.

Still, half an hour is one hell of an investment compared with clicking an unsubscribe link. So I have started attaching demands for compensation. Meet your new friend from the GDPR family: Article 82: “Right to compensation and liability”. Section 1 spells it out clearly:

1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

The inclusion of non-material damage means that you don’t need to suffer any financial loss in order to claim. Any form of distress or inconvenience could conceivably be covered.

How much compensation you would be entitled to is hard to guess and case law does not seem well established. I think companies prefer to settle and avoid setting a precedent, which is fine by me although I hope at some point someone will step up and see this through the courts. I will cite a couple of examples without naming names.

Last year, a financial institution was using the “service email” scam to skirt the rules and sent me “updates” that I had not opted into. They also committed the second most grievous sin besides having no unsubscribe link at all: requiring a login in order to unsubscribe.

I made a somewhat noisy complaint to their customer services with their press email copied in, making a general reference to the GDPR and threatening to take my business elsewhere. I did not make it clear what outcome I wanted, besides “I trust that you will resolve the above issues as swiftly as possible for the benefit of all your users.” In short, it was a polite but angry snotogram, and it yielded an offer of £25 in compensation, which I accepted. In hindsight, I believe I could have asked for and received at least double that.

This year a small, organic retailer phoned me a couple of days after my first delivery, and then again the following week despite me having asked the first caller to take me off the list. I had upped my game considerably by this time and the complaint machine went into action.

For an hour’s work I created a letter citing articles 6 (lawfulness of processing), 21 (right to object) and 82 (right to compensation) under the GDPR. The letter included an appendix showing a screenshot of their marketing preferences, which clearly state they will only use my phone number for processing the order. Incidentally, this is another reason why the PDF format works — it ensures images are displayed exactly as intended.

I made it clear that the calls and the loss of control over my personal data were a source of anxiety and inconvenience (the second call interrupted a meeting) and I suggested that £100 would not be an unreasonable amount of compensation. The company admitted to an error with their CRM system and a few days later, £100 was in my bank account.

While most of the letter should show how they have breached the regulations, the request for compensation should include a few words about how it affected you personally.

A tussle for control

Let’s be clear — I’m not expecting to gain much from these complaints. Any financial compensation is only going to partly recoup the lost time and effort. Yet there is an important principle at stake: our personal information belongs to us, and companies that take away our control over how it’s used should expect to meet with stiff resistance.

To this end, I will take my case against PayPal and the Sainsbury’s Group (owner of Argos) to the Information Commissioner's Office and hold these and other organisations to account. If they had to pay £100 for every customer, I rather suspect they would provide an unsubscribe link. :)
