Regulations and regulators

13. Ofcom and the Information Commissioner's Office (ICO) both have regulatory and enforcement responsibilities in the area of nuisance calls. Live marketing calls and texts fall under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR),[15] enforced by the ICO. These Regulations apply if callers are sending marketing and advertising by electronic means such as by telephone, fax, email, text message and picture (including video) message and by using an automated calling system.[16] The use of personal data is governed by the Data Protection Act 1998 (DPA), also enforced by the ICO. While both the DPA and the PECR are relevant, the latter are wider as they apply even when personal data (like a customer's name) is not processed by the caller. Ofcom noted that PECR does not "directly"[17] deal with abandoned and silent calls but Ofcom has powers to tackle persistent misuse of electronic communications networks (under the Communications Act 2003). The most serious breaches of the PECR can result in the Information Commissioner imposing Civil Monetary Penalties of up to £500,000 in cases likely to cause "substantial damage and distress."

14. Since only declared marketing calls fall within these regulations there is a loophole that sometimes allows marketing under the guise of "surveys" to go unregulated.

15. The Telephone Preference Service is a free service that allows people to register their landline and/or mobile telephone number if they no longer wish to receive unsolicited live sales and marketing calls to those numbers. Created by the Direct Marketing Association (UK) Limited in 1996 to help consumers manage the number of calls they received as telemarketing grew more popular, the TPS was given statutory force in 1999.[18] It is a legal requirement that organisations screen the list of telephone numbers they wish to call against the TPS file before making any unsolicited sales and marketing calls. The TPS has no enforcement powers: it is the Information Commissioner's Office (ICO) that has responsibility for enforcing the legal requirements relating to the TPS. The TPS collects complaint information from people still receiving unsolicited sales and marketing calls to the numbers they have registered on the TPS and passes this to the Information Commissioner's Office. The TPS will also contact errant companies to remind them of the legal requirements relating to registered telephone numbers.

16. Registering a landline or mobile telephone number with the TPS will not prevent recorded messages, spam SMS, silent calls or scams. However, unsolicited recorded marketing messages are prohibited under PECR and complaints about these are the responsibility of the Information Commissioner's Office (ICO).

17. Which? told us that over 19 million numbers are signed up to the TPS though a survey found that 57% were not satisfied with the service.[19] BT describes the TPS as a "good and useful scheme"[20] but notes that it only seeks to prevent sales and marketing calls, not service messages from businesses with whom a customer has an established relationship. This can sometimes lead to unrealistic consumer expectations. BT also told us that, although the effectiveness or otherwise of the TPS has been singled out as being an area of specific focus, "we believe that there are many other areas of the E Privacy rules which are flouted by marketers, and which can cause just as much, if not more, harm if disregarded; automated calls about PPI and debt management being an example."[21]

18. Richard Lloyd of Which? told us that the perceived ineffectiveness of the TPS was attributable to the failure of regulators to use the data it generates to initiate adequate enforcement action and to a lack of awareness among consumers about when TPS protection applies.[22] We discuss this further below.

19. In addition to Ofcom and ICO, there are sector-specific regulators with an interest in particular types of nuisance call. The Claims Management Regulator (CMR) sets out the Conduct of Authorised Persons Rules which govern the conduct of Claims Management Companies. Another regulator with an interest is the Office of Fair Trading. The OFT is responsible for consumer and competition issues and can also enforce the Consumer Protection from Unfair Trading Regulations, which prohibit certain types of unwanted calls and texts.[23]

Consent

20. Consent is a key component of direct marketing. Article 13(3) of the EU Directive on Privacy and Electronic Communications (2002/58/EC) permits Member States to choose between an opt-out system for unsolicited direct marketing calls (such as we have in the UK, under the TPS register system) or an opt-in system (whereby unsolicited calls would not be permitted without consent). David Hickson, Fair Telecoms Campaign, commented:

The UK took the view that consent would be assumed unless people registered with the Telephone Preference Service. That was some years ago. If the proposition were to be put today that consent to receipt of unsolicited direct marketing calls be assumed unless you took the trouble to opt out, it would be laughed away. [24]

21. Whichever approach is adopted, opt-in or opt-out, to be valid, consent must be knowingly given, clear and specific. The ICO's written evidence refers to "poor or unlawful"[25] practices where clear consent has not been so given. Purchasers of marketing lists invariably rely on assurances that consent has been validly obtained; in some cases consent would appear to have been fabricated. Richard Lloyd of Which? told us: "Registering with the TPS is you opting out of receiving direct marketing calls where that data is being shared. It is worse than that because in many standard terms and conditions you are giving permission. For example, with some major banks you are giving permission for your data to be shared. So this issue of for what purpose and for how long your consent is given is absolutely crucial to tackling the problem." [26]

22. The ease with which consent to receive marketing calls can inadvertently be granted, for example as part of standard terms and conditions, amounts, in our view, to unfair processing of personal data. This makes it in direct breach of section 4 of the Data Protection Act.

23. A key problem lies in the sale and trading of personal data, often in cases where little or no consent has been indicated. Richard Lloyd told us:

When you register your data, perhaps online with an insurance company, or you enter into any legitimate transaction, and unwittingly or otherwise in the past you have given consent for your data to be passed on to trusted third parties or to others from whom you may have an interest in hearing, that has opened the floodgates to your personal data being traded and traded and traded and passed on to firms that may be much less scrupulous about the use of your personal data than the firm or the organisation with which you originally did your business.[27]

24. The unfair trading of personal data is in clear breach of section 4 of the Data Protection Act 1998 and we expect the Information Commissioner's Office to be resolute in tackling this issue. Even if this means having sometimes to deploy sanctions short of fines, such as naming and shaming and the issue of enforcement notices, this ought to be considered given the wide contempt in which the data protection principles appear to be held.

25. Evidence from Which? notes that it is very difficult for a consumer to retract consent for their details to be used or sold on to be used for direct marketing purposes. A need for more evidence to quantify the problem of trading data is also identified.[28] Which? wants the Privacy and Electronic Communications Regulations (PECR) to be extended to include any company that collects or sells on data. In an initial response, the Government points out that selling personal data, "in certain situations", will be unfair and thus a breach of the DPA.[29] However, the scope of PECR is arguably wider in that a telephone number by itself may not constitute personal data falling within the DPA. We believe there is scope for unscrupulous businesses to circumvent, if not completely ignore, the Data Protection Act 1998 and we therefore recommend that the Government should legislate to proscribe the unfair processing not only of personal data but also of contact data, particularly telephone numbers.

26. Written evidence from Which? states: "there continues to be confusion as to whether 3rd party consent is sufficient for a company to call a consumer who is registered with the TPS."[30] Third party (i.e. indirect) consent is where a person consents to be contacted by "selected third parties" for marketing purposes. Which? has suggested legislation to make it explicit that generic consent given via a third party is not enough to override the TPS. However, as the Government pointed out in response, ICO guidance now makes clear that generic third party consent "is not enough to override the TPS and that the ICO is likely to consider enforcement action where an organisation fails to screen against the TPS."[31] We encourage the Information Commissioner's Office to act against companies that make a habit of calling people registered with the Telephone Preference Service with whom they have no clear and direct business relationship. The Government should consider whether supporting amendments should be made to the consent requirements in the Privacy and Electronic Communications (EC Directive) Regulations 2003.

27. Which? has made 11 recommendations on dealing with nuisance calls to which the Government has provided an initial response. In relation to Which?'s recommendation of an expiry date on third party consent, the Government notes that ICO guidance already advises that third parties making contact by phone, email or text for the first time "should not generally rely on consent over 6 months old."[32] However, there may be some legitimate exceptions to this. We are not convinced that formally codifying in legislation a fixed expiry date for third party consent to receive marketing calls would add significant additional protection to consumers.

28. It is more pertinent to ask whether third party consent has been granted in the first place. Which? recommends that businesses subject to a complaint should be required to show consent to direct marketing has been obtained, rather than expecting the ICO to show that it has not been.[33] We do not believe that such a measure will add significant burdens to legitimate businesses since they ought to have satisfied themselves that potential customers with whom they have no direct business relationship have already agreed to receive unsolicited marketing.

29. In September 2013, the ICO published guidance on direct marketing. This includes a section on proof of consent. We welcome recent guidance published by the Information Commissioner's Office which makes clear that organisations should be in a position to demonstrate they have an individual's consent to receive their marketing messages. We believe this is necessary to comply both with the letter and the spirit of the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

16   http://www.ico.org.uk/for_organisations/privacy_and_electronic_communications/application  Back

17   Ev 60 Back

18   Under the Telecommunications (Data Protection and Privacy) Regulations. The Telephone Preference Service Limited (TPSL), the company that runs TPS is a wholly owned subsidiary of the DMA, which has won the contract from Ofcom to run the TPS on three occasions since 1999. Back

19   Ev 39 Back

20   Ev 51 Back

21   Ev 51 Back

22   Q 18 Back

23   Ev 39 Back

24   Qq 20-21 Back

25   Ev 85 Back

26   Q 23 Back

27   Q 13 Back

28   Ev 39 Back

29   Ev 73 Back

30   Ev 39 Back

31   Ev 73 Back

32   Ev 73 Back

33   Ev 39 Back