The song was written by Bob Dylan in 1962. Dylan has stated that all of the lyrics were taken from the initial lines of songs that he thought he would never have time to write. This blog has had so many working titles (see below) that it seems to fit.
My story starts when I bought a Senior rail card. I did it online. As a fully paid up member of the grumpy old men’s club and having some knowledge of Data Protection and marketing issues I made sure I opted out of any “from time to time we may pass on” and “carefully selected third parties” sneaky data collection statements. The process was easy. The card arrived; I used it frequently.
Then the mailings arrived. It’s my normal practice as a GOM and DPA nerd to contact organisations who direct market me and ask them where they obtained my name and address. I call it a Subject Access Request in my letter. Over the autumn in surge in mailings revealed that The Association of Train Operating Companies had been the originator of many mailings through their sale of my details to Medialab.
As a side issue it’s remarkable how the marketing industry reacts when I make subject access requests. Their first reaction and often their only reaction is to instantly remove me from their database and apologise profusely. To me this isn’t how to respond to a subject access request. In fact one charity when I queried this said that their industry code of practice only required them to remove my name not provide me with the normal things that SARs provide. When I replied pointing out the relevant sections of the DPA the request was escalated to the CEO who decided that Yes they would go further than the Code of Practice and give me what I asked for. Thanks Chiefie.
On to Medialab. They acknowledge on their website (which is currently being re-designed) that they have many lists including all Rail card holders. The actual phrase is We buy data and media across various channels to generate customers with real lifetime value. The blurb says that Senior rail card holder are all over 60, all opted in and are all suitable targets for offers involving wine, charities, gardening, food etc. Leaving aside the obvious fair processing and reasonable expectations it appears that Medialab and actively pushing their list obtained by ATOC for purpose a for purposes b, c, d etc. So apart from buying the lists which ATOC says are all consenting adults they are conspiring with service companies who are looking to target their marketing. You could even make a case that Senior Rail card holders are a vulnerable group. When I bought my Rail card I definitely did not consent to receiving offers about wine, charities, gardening, food. Just because I am old doesn’t mean I have to conform to my chronological stereotype. I thought buying a railcard was about cheap train travel. If some one who targets poor obtaining and re-use statements on websites has missed the fact that he has consented to his data being sold on how do ordinary people spot it. (If in fact there was a FPN – ATOC can’t prove they had one…)
Second aside. I was once engaged by a well known cuddly well respected Society with its HQ in London to deliver a training session on Data Protection. They were nice people and the Chief Exec sat supportively in the front row. When we arrived at the point of discussing whether data acquired for purpose A by Data Controller A could not be used for an incompatible purpose B by Data Controller B the chief Exec intoned “I think you’ll find that most big organisations share data to see if there are any opportunities for cross marketing”. When told that this was probably a breach of the act his support for me ended and he left the room presumably to set up another breach of Principle 2.
Back to ATOC. I kept on at them – they weren’t very punctual but I generously put this down to Xmas holidays. Eventually after me disputing my giving of consent I asked them to provide documentary evidence that I had consented to passing my data to 3rd parties. This elicited the following email.
“I am sorry to hear that you have received emails and phone calls from third parties that you were not expecting. I have reviewed your account and can verify that your name and contact information has now been removed from our supplier database and that only Medialab has access to this. You should no longer receive any emails related to your Railcard purchase.
Unfortunately we are unable to provide material confirmation as to your original acceptance of these offers as once an online application is completed this information is fed directly into our database and this live information serves as confirmation of customer opt-ins. We are able to obtain evidence of opt-ins for paper applications and the equivalent of this for online applications is the live record and your record now reflects your request to be removed from our mailing list.”
To wrap it up. The volume of mailings has slowed down. ATOC has taken me off their list but can’t prove I consented to them selling my details. Marketing companies still hold my data and are probably selling it to anyone who thinks old people are an easy touch. The mailing and marketing industry doesn’t know what a subject access request is.
So I’ll leave you guys to ‘Choose an Alternate title’ (which in itself a 1967 song…)
When is consent not consent? – When you can’t see it
When is consent not consent? – When you can’t prove it
Marketing databases are black holes. Data is irretrievable except for marketing companies.
The invisible consent mystery.
Who do you believe? A data controller who can’t prove he has consent or a data subject who knows he never gave it.
Wanted Old person who likes travel to test an online application form.
Senior Rail Cards on the wrong track.
Pssst! Wanna buy a list of old people who’ll buy anything…
Grumpy old DP expert taken for a train ride.
Charities just don’t get it. Direct marketing organisations know they’re breaking the law but hey! it adds to turnover. Everyone makes money from Senior rail cards.
Of course the new EU General Data Protection Regulation (GDPR), when it comes into force in 2018, will require a rethink of of how companies obtain and record consent to marketing.
Give your career a boost in 2016 and prepare for GDPR by gaining a qualification.
See http://www.actnow.org.uk/dpp.
Image credit: http://www.pophistorydig.com/wp-content/uploads/2012/03/Hard-Rain-art-2-280.jpg
How about ‘Gotta get a Message to You’ by the Bee Gees from the same era which could apply to both yourself and the data controller in the situation you have described. Many years ago i.e. the late 1990’s, I subscribed to a well known national charity and opted out of allowing my details to be shared. Cue a deluge of mailings from other (mainly national) charities. It has taken me the best part of 15 years to slow that deluge down to a trickle mainly by requesting each one to delete my details. I quickly stopped supporting my original charity and now only support small local charities. Whenever I’m accosted by a chugger, my standard response is ‘I’ll consider it if you can tell me how much your Charity’s Chief Exec earned last year’ which will end the conversation.
Yours
‘Return to Sender’