GDPR Archives - Mobile Marketing Magazine
https://mobilemarketingmagazine.com/tag/gdpr/

More than two-thirds of ICO fines issued since January 2019 haven’t been paid
https://mobilemarketingmagazine.com/68-per-cent-of-ico-fines-since-the-start-of-2019-remain-unpaid/
Fri, 06 Nov 2020 15:28:40 +0000

Of 21 fines handed out between January 2019 and August 2020, just nine have been collected by the ICO

The Information Commissioner Elizabeth Denham

A year on from the revelation that the Information Commissioner’s Office (ICO) was owed 42 per cent of the fines it handed out since 2015, it’s been revealed that the non-departmental public body’s collection struggles have continued in the past year.

Since last year’s report, the ICO has only managed to collect one of the 47 unpaid fines levied between 2015 and the end of July 2019, according to data once again obtained by The SMS Works via a freedom of information request.

Of the 21 fines handed out more recently, namely between January 2019 and the end of August 2020, the ICO has only managed to collect £1.03m of the £3.2m it is owed – just 32 per cent of all fines issued. It has collected just nine of the 21 fines issued – and that’s despite new regulations making company directors individually responsible for paying the fines.

The SMS Works has found that directors have used loopholes to avoid paying fines, such as claiming voluntary insolvency or shutting down their business and opening up under a new name.

Of course, the data obtained doesn’t include the recent fines handed out to Marriott International and British Airways of £18.4m and £20m respectively. Those two major international companies will struggle to find loopholes to get out of their fines, both for data breaches under GDPR.

Marriott slapped with £18.4m ICO fine for data breach
https://mobilemarketingmagazine.com/marriott-handed-18-4m-fine-for-data-breach-by-ico/
Fri, 30 Oct 2020 18:24:48 +0000


Marriott International has been fined £18.4m by the Information Commissioner’s Office (ICO) for a breach of the General Data Protection Regulation (GDPR) in failing to protect the personal data of millions of its customers.

The hospitality giant may feel unfairly punished by the fine – because the company itself was not responsible for the breach – but has said it does not intend to appeal the decision.

A cyber-attack on Starwood Hotels and Resorts Worldwide in 2014 is estimated by Marriott to have left the records of 339m worldwide guests vulnerable. Marriott acquired Starwood two years after the breach. The attack remained undetected until September 2018 and was reported in November 2018.

The true number of guests affected is unclear because some guests may have had multiple records. 7m of the records related to people in the UK.

“Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not,” said Elizabeth Denham, Information Commissioner.

“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”

Marriott said it regrets the incident but makes no admission of liability. It also stated that it continues to be committed to the privacy and security of its guests’ information and has reassured guests that Starwood’s network is no longer in use.

The ICO has acknowledged the work that Marriott has done to mitigate the risk of damage suffered by its customers and the measures it has put in place to improve security.

The fine comes just two weeks after the ICO hit British Airways with a £20m fine for a failure to protect the personal and financial details of more than 400,000 customers.

“Within just two weeks, the ICO has now issued a fine of £20m to British Airways and £18.4m to Marriott. These are the two highest confirmed fines in the history of the ICO in response to significant data security failures by both organisations,” said Chris Combemale, CEO of the Data & Marketing Association. “Given the dramatic fall in revenue that the travel and leisure sector has experienced during the coronavirus pandemic, these fines send a very powerful message to organisations that they must invest in keeping their customers’ data secure. Otherwise they will face penalties that could prove far more costly to the business.”

The UK will be implementing a new code to keep children safe from online harm
https://mobilemarketingmagazine.com/the-uk-will-be-implementing-a-new-code-to-keep-children-safe-from-online-harm/
Thu, 23 Jan 2020 04:10:54 +0000


The UK Information Commissioner’s Office has created a new code of 15 principles that aim to make the internet a safer place for children, including the prevention of self-harm or suicidal content, sexual grooming risks, and location sharing. The ICO will allow companies a year of transition to abide by the new rules, and then will enforce the code starting in Fall of 2021.

Companies who fail to enforce the safety code will be breaking the law, and will face fines up to £17m, or 4 per cent of global turnover. Some of the 15 principles will require companies to set default privacy settings to high, set default location sharing services to off, and block “nudge” notifications that encourage children to loosen their privacy settings.

“Personal data often drives the content that our children are exposed to – what they like, what they search for, when they log on and off and even how they are feeling,” said Elizabeth Denham, the information commissioner.

Additionally, the ICO warned companies that do not want to attract children to their site to make it a priority that such users can’t gain access: “If your service is the kind of service that you would not want children to use in any case, then your focus should be on how you prevent access. If your service is not aimed at children but is not inappropriate for them to use either, then your focus should be on assessing how appealing your service will be to them.”

“This transformative code will force high-risk social networks to finally take online harm seriously and they will suffer tough consequences if they fail to do so,” said Andy Burrows, the NSPCC’s head of child safety online policy.

Burrows continued, “For the first time, tech firms will be legally required to assess their sites for sexual abuse risks and can no longer serve up harmful self-harm and pro-suicide content. It is now key that these measures are enforced in a proportionate and targeted way.”

The biggest companies that will likely be affected by this new code will be social media giants such as Facebook, Twitter, Instagram, TikTok, Snapchat and YouTube. Hesitant companies should be made aware that the new code is legally backed by a requirement in the Data Protection Act 2018, citing the “age-appropriate design” of websites.

More than 40 per cent of ICO fines haven’t been paid
https://mobilemarketingmagazine.com/the-ico-is-owed-7-05m-in-unpaid-fines/
Tue, 26 Nov 2019 21:01:25 +0000

Since 2015, 42 per cent of the total fine amount handed out by the ICO hasn’t been paid

The ICO is owed £7.05m in unpaid fines
The Information Commissioner Elizabeth Denham (Information Commissioner’s Office)

The Information Commissioner’s Office (ICO) is still owed 42 per cent of the total fine amount it’s handed out for data breaches, spam, and nuisance calling since 2015, showing the difficulty the governmental office has had in enforcing the punishments levelled at companies.

152 fines have been issued since 2015, with 47 – or 30 per cent – remaining unpaid, according to data obtained by The SMS Works via a freedom of information request. The total amount fined in that period was £16.6m, of which £7.05m remains uncollected – that’s 42 per cent.

All the fines levelled at charities and public organisations have been paid, as you’d expect. However, private firms haven’t been anywhere near as accepting of fines.

The claims management industry – the worst of the bunch – has received a total of £3.2m in fines with a staggering 84 per cent remaining unpaid, only £490,000 having been collected. The home improvements sector payments are under 30 per cent, while both marketing and telecoms sit under 40 per cent. The financial services industry is the best within the private sector, paying over 70 per cent of fines.

Looking at payments based on reason behind the fine, just 23 per cent of nuisance call fines are successfully collected by the ICO. Email and SMS spam have payment rates of 64 per cent and 74 per cent respectively, while fines for data breaches are paid 85 per cent of the time.

The three largest unpaid fines are two of £350,000 and one of £400,00 from companies that are all no longer trading. This is a problem the ICO has faced in collecting fines, but a law change could pave the way for it securing all the money it’s owed.

“Some nuisance call directors liquidate their firms to avoid paying fines from the ICO,” an ICO spokesperson said in a statement. “In December 2018, the law changed to make directors themselves responsible for nuisance marketing. This should have a real deterrent effect on those who deliberately set out to disrupt people with troublesome calls, texts and emails.”

The three unpaid fines, of course, do not include the big fines currently facing British Airways and Marriott Hotels. The pair have been charged with paying £183m and £99m respectively for failing to protect customer data, although both are currently appealing their fines and thus don’t yet officially owe the money to the ICO.

Unlike most, if not all, of the £7.05m owed to the ICO, the fines levelled at British Airways and Marriott were handed out under the General Data Protection Regulation (GDPR). As is now well-documented, the regulation enables the ICO – and other data regulators across the European Union – to fine organisations up to €20m or four per cent of their global turnover.

More than half of consumers don’t believe online privacy is possible – report
https://mobilemarketingmagazine.com/more-than-half-of-consumers-dont-believe-online-privacy-is-possible-report/
Wed, 25 Sep 2019 06:06:57 +0000


In a recent survey conducted by FigLeaf, a privacy-first company, it was found that 68 per cent of consumers in the US and UK don’t believe online privacy is possible, while another 52 per cent of consumers don’t trust Facebook and Google’s recent remarks about making their platforms safer. Ironically, the survey also revealed these same doubtful consumers are still open to sharing information with brands they trust or are more familiar with.

When it came to privacy, respondents said they put the most trust in banks, followed by government entities. At the bottom of the list were social media sites, including Facebook, and mobile operators. The survey then went on to point out key differences in privacy preferences, based on the consumer’s age and gender.

“The findings of this survey offer marketers and advertisers an opportunity to adjust to the changing privacy landscape and engage consumers in new and more authentic ways,” said Pankaj Srivastava, COO and CMO of FigLeaf. “Consumers have voiced the fact they are not unwilling to share personal data. They simply want greater insight into how that data is used, and they want more choice and control over when they share personal information and with whom. Brands that comply with these wishes, and demonstrate a willingness to respect and protect the individual’s personal information, will be rewarded with deeper engagement and lasting loyalty.”

In comparison, more than three-quarters of both genders revealed they have changed the way they behave online. 28 per cent of women and 29 per cent of men agreed they are confident they know every company and website that is accessing and storing their data. Only 37 per cent of men were concerned about sharing their location data, compared to 48 per cent of women.

When answering who should be responsible for an individual’s privacy, 45 per cent of US consumers said it should be a combination of the individual, the companies who collect the data, and government regulators. Separately, 28 per cent of respondents over 30 years old said most of the responsibility lands on the companies. 58 per cent of those under 30 years old said the individual consumer should take privacy into their own hands.

Across all UK and US respondents, it was found that 62 per cent of consumers believe a privacy tool is the best measure against having their data collected and stored. Other methods of improving privacy included restricting online activity (32 per cent), deleting social media (16 per cent) or demanding stricter penalties for companies that violate privacy (38 per cent).

IAB Europe releases updated GDPR-related transparency and consent guidelines
https://mobilemarketingmagazine.com/iab-europe-releases-updated-gdpr-related-transparency-and-consent-guidelines/
Wed, 21 Aug 2019 10:56:31 +0000

Interactive Advertising Bureau (IAB) Europe has worked with the IAB Tech Lab to release the second iteration of its Transparency and Consent Framework (TCF), which was introduced to support digital advertising companies in complying with GDPR. It comes just a couple of months after the framework was criticised by the Information Commissioner’s Office (ICO) for being non-compliant.

The TCF was reviewed for 12 months, during which time it was subject to feedback from all sectors of the digital advertising industry and nine meetings with Data Protection Authorities from around Europe.

The TCF 2.0 enables consumers to not only grant or withhold consent but also to exercise their ‘right to object’ to data being processed. Furthermore, consumers gain more control over whether and how vendors may use certain features of data processing, such as using precise geolocation.

Meanwhile, publishers are able to restrict the purposes for which personal data is processed by vendors on their websites on a per-vendor basis.

“The original TCF was launched to help a complex industry value chain manage their obligations under new regulations, notably the GDPR. With the number of constituents involved and disparate regulatory interpretations across multiple jurisdictions, it was essential that the evolution of the framework was handled sensitively, with the final specifications able to be adopted in a manner consistent with differing business models in a wide range of operational markets,” said Townsend Feehan, IAB Europe CEO.

“Whilst the TCF will continue to evolve to meet the needs of our dynamic industry, I am confident this update addresses all the feedback we have received from many DPAs throughout Europe, as well as the needs of each part of the digital advertising value chain.”

To create the updated framework, the TCF steering group drafted new policy documents and engaged with IAB Tech Lab, which managed the technical specifications. This steering group was made up of representation from 10 national IABs, 55 organisations, and EU-level associations, publishers, media owners, technology providers, and media agencies.

TCF 2.0 will operate alongside TCF 1.1 until the end of Q1 2020, giving publishers and consent management platforms time to adopt the improved framework and giving vendors time to implement the code needed to adhere to the protocol.

ICO slams ad tech industry for failure to comply with data protection laws
https://mobilemarketingmagazine.com/ico-slams-ad-tech-industry-for-failure-to-comply-with-data-protection-laws/
Sat, 22 Jun 2019 02:38:21 +0000

13 months on from the implementation of the General Data Protection Regulation (GDPR), the UK’s data protection authority, the Information Commissioner’s Office (ICO), has released a report to point out that the ad tech sector was still falling short when it comes to compliance.

In particular, the report addresses the use of personal data in real-time bidding (RTB) within programmatic advertising – an area which has received several complaints in the past year from privacy activists.

The process of RTB sees advertisers on an ad exchange, network, or supply side platform (SSP) receive an impression call when someone visits a website. As the site is loading for that user, ad spaces on the page are auctioned off by the publisher and the slots are filled by the advertisers that have bid to reach people that match criteria. As such, advertisers gain access to information about the user without their direct consent.

The report, which will be passed to the ad tech sector, takes issue with a single visit to a website potentially handing over a person’s personal data to ‘hundreds’ of organisations. The ICO will give the industry six months to get in line with its guidelines for GDPR – as well as the Privacy and Electronic Communications Regulations (PECR) – compliance before conducting another review.

“We are clear about the areas where we have initial concerns, and we expect to see change. But we understand this is an extremely complex market involving many organisations and many technologies,” writes information commissioner Elizabeth Denham in the report.

“With that in mind, we’ll continue engaging with the sector, further exploring the data protection implications of the real time bidding system. We’ll continue collaborating with Data Protection Authorities in other European countries too, who are also looking at complaints in this area.”

According to the ICO, the rules on the use of cookies laid out in the PECR take precedence over the GDPR rules. Under the PECR, organisations are required to provide ‘clear and comprehensive’ information about why any cookie or similar technology is being used and obtain prior consent which is up to the GDPR standard. The report highlights that most industry initiatives focus either solely or primarily on GDPR compliance rather than PECR.

It’s also now been made clear that the processing of any ‘special category data’ – which is any data relating to politics, religion, ethnic groups, mental and physical health, and other highly sensitive data – is entirely prohibited, unless there has been explicit consent. As such, the ICO points to both IAB Europe’s Transparency and Consent Framework (TCF) and Google’s Authorised Buyers as being non-compliant because their ‘consent mechanisms’ are not ‘appropriate’ for the processing of special category data.

When it comes to all other data, due to the PECR, legitimate interest cannot be used as a reason for its collection within RTB.

The ICO goes on to take issue with a lack of transparency in RTB, claiming it “often lacks clarity and does not give individuals an appropriate picture of what happens to their data”, and the data supply chain as a whole, highlighting the potential for data leakage due to the nature of data processing within RTB.

The report isn’t all doom and gloom for the ad tech industry. It makes it clear that the ICO is aware of ‘various ongoing initiatives’ that are looking to change the way the RTB ecosystem works, including changes to the criticised TCF.

However, going back to the doom and gloom, the ICO doesn’t feel any of these initiatives are yet ‘fully mature’, doesn’t feel they address its concerns, and doesn’t think the current market would adopt any of the measures voluntarily.

Looking ahead to the next six months, the ICO will conduct further analysis into the processing of special category data without explicit consent and the complexity of the data supply chain.

It will further explore the data protection implications of RTB, continue to engage with key stakeholders, and cooperate with data protection authorities across the European Union.

Depending on the state of the industry in six months’ time, the ICO will undertake a further industry review.

“In the meantime, we expect data controllers in the ad tech industry to re-evaluate their approach to privacy notices, use of personal data, and the lawful bases they apply within the RTB ecosystem,” the report reads.

“Following these initial activities, we will continue to focus on both RTB and ad tech in general, and may issue a further update report in 2020.”

Commenting on the report, Rowly Bourne, CEO of Rezonence, said: “As can sometimes be the way with government work; it’s a touch a case of stating the obvious that you need explicit consent with the latest ICO report. But nevertheless, it’s good to have clear guidelines for ad-tech.

“We shouldn’t expect much change quickly. It’s taken the ICO over a year to provide UK guidance on the GDPR, and they plan to spend the next 6 months consulting with the industry before advising again — which would still fall inside the two-year grace period so potentially another 12 months before we see anything concrete — but the findings are nevertheless the hard truths we needed to hear.

“It’s also encouraging that it addresses ad-tech and digital marketing specifically, with it being clear that much of the sector falls short of compliance, and may always do. Most of the general public have not heard of tech outside of GAFA, so are unlikely to give explicit consent to the 7040 AdTech vendors the Lumascape recognises.

“Interestingly, it has in fact been the big tech players — Apple’s Safari ITP 2 and Google Chrome following suit — who’ve begun to move the needle when it comes to privacy, and the same could be true with this report. These browser wars, along with the potential killing of cross app tracking could end much of the immature ad-tech behaviour that the ICO mentions.

“Only time will tell whether this leads to any action, or ends up as merely another ‘report’, with no action coming off the back of it. Nevertheless, I expect the industry to pause and think, potentially with some consolidation, and would not be surprised to see brands scurry to premium content and an increase in direct IOs in the short-term.”

Over 40 per cent of US news sites are still blocked in Europe a year after GDPR
https://mobilemarketingmagazine.com/over-40-per-cent-of-us-news-sites-are-still-blocked-in-europe-a-year-after-gdpr/
Wed, 29 May 2019 11:21:16 +0000

This past weekend marked the one-year anniversary of the implementation of GDPR and, as has been made very clear recently, more has to be done to get it right. One area where the European Union’s data protection regulation is a problem is when it comes to US news sites.

42 per cent of US news sites, including titles such as The Chicago Tribune, still block European visitors from viewing their sites, according to Top10VPN.com. A further nine per cent of US titles are offering a limited service for people in Europe.

However, the number of US sites blocking EU visitors differs greatly depending on which state the site originates from. For example, 80 per cent of news outlets from California and Nevada are accessible to EU users, while 90 per cent of Nebraska’s news sites are blocked in the EU.

“It’s understandable that many US regional news outlets have taken the view that there’s not enough upside from incurring the expense of complying with regulations imposed from across the Atlantic, and are simply avoiding the issue altogether by blocking visitors from the EU,” said Simon Migliano, head of research at Top10VPN.com.

“Whatever the benefits to EU citizens from GDPR, it surely can’t have been the intention of EU lawmakers to restrict the flow of important information like this. As a consequence, not only are US travellers and expats prevented from keeping up-to-date with their local news, but journalists and researchers are also unable to access these valuable and diverse sources of information.”

None the wiser: Why we’re still in the dark about the impact of GDPR
https://mobilemarketingmagazine.com/none-the-wiser-why-were-still-in-the-dark-about-the-impact-of-gdpr/
Fri, 24 May 2019 21:09:21 +0000

Grant Coleman, EVP of EMEA at Emarsys, looks at why GDPR still isn’t doing what it was introduced to do, despite us being one year on from its implementation

Cast your mind back to last spring. Those months leading up to the introduction of GDPR were the most frenzied for internet-based businesses since the Y2K bug loomed over the turn of the millennium. The May deadline came and went, with the industry collectively holding its breath as it shuffled up to and over the precipice of 25 May. But what happened then?

From a legal perspective, very little. According to a report from DLA Piper, from 25 May 2018 to the start of February this year, 59,000 incidents were reported to the various regional Data Commissioners. But just 91 fines have been imposed – with Google’s €50m fine by France’s CNIL accounting for almost 90 per cent of their cumulative value.

The reason for this is two-fold. Firstly, it is simply too soon for significant action to be taken and fines to be handed out. Even in simple cases, where it appears obvious that a company has breached the terms of GDPR, its national regulator is required to ask for a written response from the data commissioner, which could take up to a month to come through. A first-time response isn’t guaranteed either and regulators may have to ask again before receiving a response. Even then, the accused brand may ask for more time to present its case, which delays proceedings further. Lawyers must then collate all of the information for the case and develop a watertight argument before bringing it to court. So even in the simplest cases, any punishment for GDPR could take a minimum of six months. Even when it’s something like a subject access request (SAR), a month has to pass before the complaint can be made. This helps explain the lack of enforcement we’ve seen to date.

The second reason for this is the lack of clarity of what compliance actually looks like from a legal perspective. It strictly comes down to how the regulation has been interpreted in individual states’ legislatures. Although it was an EU regulation, the laws governing compliance and enforcement are actually determined by member countries themselves. Right now, most countries have not finalised their own interpretation of the regulation. That’s why a variety of studies since last May have shown that most organisations still aren’t sure if they are compliant or not. In the UK for example, the ICO still hasn’t come up with its own definition of what GDPR compliance looks like, meaning brands remain unclear on which systems and platforms should be implemented to help them deliver brilliant yet compliant marketing communications.

This lack of clarity has understandably hindered brands’ efforts to determine their longer-term marketing strategies. In the short term their more immediate focus has been on re-permissioning, but again, the lack of a clear framework to conform to – or precedent, in terms of how to adapt their strategy – has led many to get their strategies around consent wrong. Hundreds of brands sent needless emails to consumers requesting their sanction to remain in touch when they had already given it, meaning they ended up losing potential subscribers already within their wheelhouse. Likewise, many continued to contact consumers without them having opted in for communications, raising the risk of customers defecting from their favoured brands.

However, databases have by and large remained consistent, and consumers have continued to proactively engage with their preferred brands. One channel that has however been impacted is email, as predicted prior to GDPR’s introduction. In the immediate aftermath of 25 May, deliverability queries skyrocketed and many brands struggled to take the data they’d collected from their re-permissioning campaigns prior to the deadline, and apply it to their existing data sets. At a consumer level however, we’re yet to see the full impact of the regulation on behaviours, as many still aren’t clear on the data protection rights they are entitled to under the GDPR. A recent European Data Protection Board survey found that only a third of EU citizens are ‘well aware’ of what the GDPR entails – so expect longer-term changes in customer behaviour to impact the viability of this channel.

For firms looking for reassurance about the extent of their GDPR compliance, there are existing frameworks that can help to embed the type of best practice it mandates within organisational processes. The EU-U.S. Privacy Shield, for example, is an international charter designed to help businesses comply with data protection requirements when transferring personal data from the EU to the US in support of transatlantic commerce. It provides a voluntary self-certification process, which requires a public commitment to comply with its requirements. This commitment can then become enforceable under US law. In the UK, the Data & Marketing Association’s DMA Code also goes a long way towards providing an industry code of conduct which preserves adherence to GDPR, but right now there isn’t a comparable code for other countries under the GDPR’s jurisdiction.

Clearly, GDPR compliance will evolve as countries begin to interpret and enforce it more effectively. However, the preoccupation with this regulation overlooks another major regulatory change which may come in the next few years. The EU’s long-planned e-privacy regulation represents the next cliffhanger for ecommerce firms, because it is likely to fundamentally alter the laws governing B2B email marketing by clarifying what the process of securing ‘soft opt-in’ from consumers looks like. The existing regulation governing this area was last updated in 2008, and urgently needs updating to align with contemporary practices. While many aspects of data privacy and protection were integrated into the GDPR, email marketing specifically was not covered within it. Brands must therefore pay attention to the impact the new regulation will have on their business when it’s implemented, given email marketing’s continued popularity.

Clearly, what constitutes GDPR compliance is not yet clear, and will differ based on local interpretation. Businesses therefore need a steadfast industry code of conduct that is principle-based, and creates a solid framework to help them navigate both the ambiguity which exists prior to its enforcement, and how it is eventually enforced in their locality.

UK businesses are still falling way short on GDPR compliance: report https://mobilemarketingmagazine.com/uk-businesses-are-still-falling-way-short-on-gdpr-compliance-report/ Fri, 24 May 2019 11:31:03 +0000 We’re just a day short of the one-year anniversary of GDPR and still the majority of UK businesses are in breach of the rules set out in the European Union

We’re just a day short of the one-year anniversary of GDPR and still the majority of UK businesses are in breach of the rules set out in the European Union (EU) law.

According to CybSafe’s research of 250 UK business decision makers, just 57 per cent of organisations believe they are compliant with GDPR. More alarmingly, 56 per cent of respondents admitted that their business had failed to request consent to store sensitive data, while 16 per cent had knowingly ignored subject access requests.

The figures make for concerning reading and show the EU’s regulation has failed to truly put the EU population in control of their data.

The research also found that just 39 per cent of businesses view cybersecurity as a high priority within senior management. Meanwhile, only 37 per cent have amended their cybersecurity policies or processes because of the legislation, and a lowly 32 per cent said that cybersecurity training had become a priority.

“GDPR may have benefited consumers by emptying their inboxes of unwanted mail, but in terms of sparking action amongst businesses, it hasn’t been universally impactful,” said Oz Alashe, CEO and founder of CybSafe. “While things have changed for the better in some areas, a large number of organisations are still falling well short of the standards that the legislation has laid out. One whole year on from its introduction, this is disappointing to say the least.

“It’s vital that businesses do take GDPR seriously, and not just because they fear a fine. Enforcing GDPR properly helps businesses protect their reputation and their precious information. The legislation is an opportunity to clean up data, to understand what data needs to be retained, and to reduce the risk of being the victim of a data scandal caused by poor privacy practices.”
