Culture, Media and Sport CommitteeSupplementary written evidence submitted by the Department for Culture, Media and Sport

1. Placing an expiry date on third party consent, where a person consents to be contacted by ‘selected third parties’ for marketing purposes, so it can only last for a set amount of time.

Issues of notification and consent are complex, potentially spanning PECR and the Data Protection Act (DPA). The Government is considering whether there might be scope to make consent in relation to overriding the TPS, time limited such as eg, 12, 18, 24 months, but this is likely to add burdens upon business and possibly consumers. We do not believe that this should be the main focus of any regulatory solution. ICO guidance advises that generic third party consent will not be valid for calls and texts. The focus should be on trying to limit the use of generic third party consent. We could see the benefit of time limits for third party consent when it is clear and specific. ICO guidance already advises that third parties making contact by phone, e-mail or text for the first time should not generally rely on consent over 6 months old. However making this change in the legislation is different to providing the guidance, as we accept there could be some situations when beyond 6 months is justified.

2. Requiring businesses that are engaged in direct marketing to demonstrate that consent has been obtained rather than the ICO having to ‘prove a negative’ by showing that the business does not have consent

There is a risk that this adds burdens to legitimate businesses without impacting on “rogue” companies. The ICO can already ask companies to demonstrate this aspect that they have consent when considering a complaint against a company. The Government is considering strengthening the law on the use of notification of consent by third parties eg companies within a group or affiliated companies and the need to name third parties. It is therefore being carefully considered alongside work to better understand the data selling industry. However, this may be of some assistance in reinforcing the existing position.

3. Extending the PECR to include firms collecting and selling on personal data, not just those that conduct direct marketing.

The ICO can already take action using their Data Protection Act (DPA) powers and are focusing on those that collect/sell personal data (lead generators and list brokers). Also, ICO is exploring a range of options to ensure organisations fully understand the requirements of the law and how to protect consumers’ personal data. This would change the focus of scope under PECR and we believe this issue can be dealt with appropriately under the DPA. ICO guidance already says that selling personal data, in certain situations, will be unfair and will breach the DPA.

4. Lowering the threshold for the ICO to take enforcement action under PECR.

We have received a business case from ICO and are considering how this might be implemented. The case seeks to lower the legal threshold for issuing a monetary penalty to for example calls that are likely to cause “nuisance, annoyance, inconvenience or anxiety”. The issue impacts on both the PECR and the Data Protection Act (DPA) and is being carefully considered.

5. Strengthening enforcement action against companies who call people registered with the TPS, and making it clear that companies cannot call those people if they gave consent via a third party.

Protections for consumers under the PECR 2003 is already substantive, with ICO able to issue a monetary penalty of up to £500,000 to any company that willfully disregard the rules. ICO guidance now makes clear that generic third party consent is not enough to override the TPS and that the ICO is likely to consider enforcement action where an organisation fails to screen against the TPS.

6. Requiring all businesses making marketing calls to send their Caller Line ID so people can see a company’s telephone number and therefore report nuisance calls to regulators.

Being able to withhold Caller Line ID is a legal right of all callers. To curb unsolicited marketing calls the DMA’s code of practice requires all outbound marketing calls to include a calling number. Also, Ofcom requires calls made by predictive diallers (how most marketing calls are made) to include a calling number. However, this is an interesting proposal, which may make a further difference and Government will consider this further.

7. Providing spam filtering technology on mobiles to stop unwanted texts.

Whilst, this is good idea, technology is still emerging and various apps are available that can help to filter texts. However, the “7726” GSMA spam reporting service enables consumers to report spam both easily and quickly.

8. Developing a short-code on landlines that consumers can dial after receiving an unwanted call that would send information to the regulators and network operators. This would allow Ofcom and the network operators to gather increased intelligence on nuisance callers and identify those who are persistently misusing the networks.

Short code reporting already exists for SMS, but this takes advantage of more modern mobile networks, in addition functionality across mobile network operators is broadly equivalent. It would not be straightforward to translate this into fixed networks due to the wide variation in network systems and technologies. However we understand that this is an issue that Ofcom is likely to explore further in due course.

9. Improving ICO guidance regarding the collection and processing of consent. Specifically, much stronger guidance on 3rd party marketing consent: there continues to be confusion as to whether 3rd party consent is sufficient for a company to call a consumer who is registered with the TPS.

The ICO on 9 September updated its guidance, which makes issues clearer for both consumers and business. Also, ICO has stated that it will consider whether to make a business case for further legislative changes, including consideration of whether consent requirements in PECR should be amended. 

10. Amending section 393 of Communications Act to designate the ICO as a recipient of information from Ofcom.

The Government will be implementing this measure as soon as possible. This will permit Ofcom to share information with ICO. We propose to do this by adding the ICO (and the Insolvency Service) to the list of “relevant person” under s393 (3) of the Communications Act 2003, which sets out with whom Ofcom can share information.