Spam annoys me.
More specifically, the effect of spam annoys me. It annoys me that from time to time I find emails I really need have been filtered to a spam folder. It annoys me that from time to time customers don’t receive emails from us because our email is filtered to their spam folder. It annoys me that I’ve had to jump through hoops to get email delivered to members of a community group I’m a part of ’cause of Microsoft’s email servers’ overzealous approach to spam filtering (they tell my server the email was accepted and delivered, but don’t deliver it to the member or even to the member’s spam folder – it took several hours to figure out they were doing that).
Anyway, in the UK we have laws that ban companies from sending unsolicited email. Sure, it won’t stop the non-UK spammers or those peddling dodgy things, but it’s a start at least. The rules are called The Privacy and Electronic Communications (EC Directive) Regulations 2003 – abbreviated to PECR. The sad thing is, there is essentially no enforcement of these[1]. Most of the spam I get is from small companies that have been sold my address and don’t realise that is not allowed by the regulations. Last month I got new spam email from Scottish Power. I’d expect them to know better than buy email addresses, but apparently they think it’s OK.
From the regulations:
a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.
(3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where—
(a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;
(b) the direct marketing is in respect of that person’s similar products and services only; and
(c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.
The text I put in bold, to me at least, makes it clear that if I’ve never communicated with your company I can’t possibly have given consent to your company to send me email. The Information Commissioner’s Office (ICO) appear to agree – “You must not send marketing emails or texts to individuals without specific consent. There is a limited exception for your own previous customers, often called the ‘soft opt-in’.”
Scottish Power made it clear in their replies to my emails (all below) that they think it is acceptable to buy email addresses. Even though they will stop sending to me (’cause I asked them to stop, and I believe they will), the people they bought it from will continue to sell my address to other companies. Scottish Power did not provide contact details for those companies (they named two companies) so did not provide a way for me to unsubscribe from future spam. They claim (in the emails below) they only send to corporate email addresses or opt-in addresses but on this occasion could not find proof of opt in. Maybe that’s true, maybe my address is the only one that slipped through a vetting process, however my instincts are that they’ve bought a load of addresses as ‘businesses’ and used them all.
A long time ago, I read a Mailchimp article (Mailchimp are a company that provides email services for newsletters, marketing etc.) about whether you should use bought-in email lists. The answer: http://caniuseapurchasedemaillist.com/
Scottish Power – here’s a public message to you; Please stop sending spam!
For those who like to know the detail without my summary, here are the emails:
From: ScottishPower Business
Date: 28 April 2016 at 08:13
Subject: Let’s make your business energy simpler
If you are unable to view this email, click here to view online.
We know it takes a lot to run a business – being on
top of every detail matters. That's why, when you switch
From: Steve Root
Date: 28.04.2016 07:58:31
To: genesys.routing@scottishpower.com
Cc:
Subject: Fwd: ))) scottishpower1 ((( Fwd: Let ’s make your business energy simpler
Where did you get this email address from please?
From: CONTACTUS@SCOTTISHPOWER.COM [mailto:CONTACTUS@SCOTTISHPOWER.COM]
Sent: 28 April 2016 13:37
To: Data Protection (Energy Retail)
Subject: Fwd: Fwd: ))) scottishpower1 ((( Fwd : Let ’s make your business energy simpler
Hi,
We have received an auto response and customer is querying where we got the email address from, I have no way of tracing this as per email below. Please advise or contact the customer if possible.
Regards
Kim McLaughlin
Scottish Power Business Energy Team Glasgow
29th April
Dear Mr Root
Thank you for your email of 28 April 2016.
Having contacted our business marketing team, I can advise you that your email address was purchased from a Third Party for use in marketing activity.
Following on from your email, I have arranged to have your email address removed from any marketing activity so you will no longer receive emails from ScottishPower.
Many Thanks
Andrew Healing
Iberdrola Group|Global Retail Operations
Data Protection Adviser
30th April
Thank you Andrew, can you provide contact details for this company please.
Regards
Steve
2nd May
Good Morning Mr Root
Thank you for your email.
I have received confirmation that your information was supplied to us from our Third Party provider Call Credit. They purchased your data from a Company called Blue Sheep.
Many Thanks
Andrew Healing
Iberdrola Group|Global Retail Operations
Data Protection Adviser
3 May
Thanks Andrew,
I'm really curious how your company's decision to buy addresses, like mine, correlates with the requirements of the PECR regulations. Can you help me understand your interpretation please?
Thanks
10th May
Thanks Andrew,
I'm really curious how your company's decision to buy addresses, like mine, correlates with the requirements of the PECR regulations. Can you help me understand your interpretation please?
Thanks
10th May
Good Morning Mr Root
I am awaiting a response to an email that has been sent to our marketing team. This has been chased up today. As soon as I receive a response I will be back in touch.
Thanks
Andrew Healing
Iberdrola Group|Global Retail Operations
Data Protection Adviser
16th May
Hello Andrew,
I'm still curious.
Thanks
Steve
18th May
Good Afternoon Mr Root
I am sorry that I have not been able to come back to you with the information you have requested.
We are keen to understand exactly how and when your details were collected so that we can provide an accurate response.
We are awaiting a full response from our data provider. I have asked for this to be pursued again today and have expressed the urgency. Thank you for your patience, I will be in touch with you as soon as we have the required information.
Kind Regards
Andrew Healing
Iberdrola Group|Global Retail Operations
Data Protection Adviser
26th May
Hello Andrew,
I restate my question:
"I'm really curious how your company's decision to buy addresses, like mine, correlates with the requirements of the PECR regulations. Can you help me understand your interpretation please?"
Maybe it's time to escalate this?
Thanks
Steve Root
31 May
to: Andrew Healing
to: richard.taylor, marion.venman
OK, still no response as to why Scottish Power think it's OK to ignore the PECR regulations.
I'll guess a couple of email addresses and see if that helps find an answer...
31st May
Dear Mr Root
We received your email address from our data provider as “consented data”.
We have noted your wishes that we do not contact this email address any further.
We are reviewing our processes to ensure we adhere to both the PECR and Data Protection requirements.
Kind Regards
Andrew Healing
Iberdrola Group|Global Retail Operations
Data Protection Adviser
1st June
Hello Andrew,
Thank you for replying but you still ignore my question:
"I'm really curious how your company's decision to buy addresses, like mine, correlates with the requirements of the PECR regulations. Can you help me understand your interpretation please?"
The PECR regulations are very clear and having a job title of 'data protection advisor' I'm sure you know this but to spell it out;
http://www.legislation.gov.uk/uksi/2003/2426/regulation/22/made
Use of electronic mail for direct marketing purposes
22.—(1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers.
(2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.
(3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where—
(a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;
(b) the direct marketing is in respect of that person’s similar products and services only; and
(c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.
(4) A subscriber shall not permit his line to be used in contravention of paragraph (2).
And from the ICO
https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing/
In brief…
You must not send marketing emails or texts to individuals without specific consent. There is a limited exception for your own previous customers, often called the ‘soft opt-in’.
The rules on electronic mail marketing are in regulation 22. In short, you must not send electronic mail marketing to individuals, unless:
they have specifically consented to electronic mail from you; or
they are an existing customer who bought (or negotiated to buy) a similar product or service from you in the past, and you gave them a simple way to opt out both when you first collected their details and in every message you have sent
... and so on.
Is your current answer "We are reviewing our processes to ensure we adhere to both the PECR and Data Protection requirements." an admission that Scottish Power currently do not abide by the PECR regulations?
As I said, on 26th May, perhaps it is time for you to pass this up your chain of management if the company wishes to make statements like that.
Regards
7th June
Fermie, Andrew
to me, Andrew
Dear Mr Root
I am writing further to the issue you have raised about PECR and your correspondence with Andrew Healing about it. Thank you for taking the time to raise this with us.
We have been unable to obtain the assurances we would expect in relation to this case. Specifically, we would expect either that the record can be demonstrated to be a corporate record or the gathering of a valid consent can be shown. I am sorry that this has been the case in this instance. We will be taking appropriate action to safeguard against any recurrence.
As well as doing all we can to make sure our practices are compliant with both PECR and the Data Protection Act, I also understand the real annoyance and inconvenience that can arise from unwanted marketing activity. And if we do get it wrong, I am keen to ensure we have the measures in place so that we don’t get it wrong again. If someone indicates they do not wish to receive any more marketing from us, we ensure we have processes in place to that end.
We have confirmed to you that you will not receive any further unwanted marketing from ScottishPower. I can also give you my personal assurance that we take the marketing rules seriously. I have answered the question you asked and, for the avoidance of doubt, this cannot be equated to an assertion that “ScottishPower do not currently abide by the PECR Regulations”. We have contractual arrangements in place designed to help ensure that we do and I cannot go into any more detail than that.
I would appreciate it if you could let me know if there is anything else that I can do.
Regards
Andrew
Iberdrola Group|Global Retail Operations
UK Operations - Data Protection Officer
Steve Root
7 Jun
to Andrew, Andrew
Thanks Andrew,
I've no other questions.
Regards
Steve
[1] I did email the ICO, but they make it clear they won’t investigate every instance of spam and will only start taking an interest if lots of people complain about a specific company.