
Are you data-aware?

It’s more important than ever to know who is using your personal data, and why. Our guest from the Information Commissioner’s Office explains more.

This is a guest post by Steve Wood. All views expressed are Steve’s own and not necessarily shared by Which?.

New laws introduced a year ago changed the way businesses should be using personal data. The General Data Protection Regulation, or GDPR, strengthened consumers’ rights, putting them at the heart of data protection law.

At the ICO, we regulate this new legislation, and increasing the public’s trust and confidence in how their personal data is used is one of our main priorities.

We’ve handled more than 40,000 complaints about personal data since May 2018. We look at every complaint to make sure people’s data are being used in ways they expect.

Know your data rights

We want people to understand how they can be in control of their own personal information. People have the right to ask for a copy of all the data held about them, the right to get their personal information corrected, and the right to ask an organisation to stop using their data.

It’s your right to be informed about how organisations are using your data, even if it happens behind the scenes.

Over the last year our investigations have revealed the invisible ‘behind the scenes’ processing of personal data that happens online.

Why is my app free?

People are starting to ask ‘why is my app or online service free?’ – and realising the trade-off is their personal information.

We always advise those who use social media, online services and any websites to check their privacy and advertising settings and to review them regularly, particularly after any new settings are introduced.

This includes understanding how people use your data to target you with social media adverts. Our new ‘Be Data Aware’ campaign is designed to show people how companies might be using their data to target them online and why, and how they can control who is targeting them.

In 2018, we fined Facebook £500,000 for allowing an app to harvest the personal data of 87 million people without their consent.

We have also taken action against HMRC, ordering it to delete personal data after it collected seven million voice records without consent.

Whether people are liking or sharing a social media post, or accessing a public service, they have a right to expect the law is being followed.

Did you know you have the right to ask an organisation to stop using your data? Do you understand why you receive nuisance calls? And do you know why you receive adverts online?


What action do you think could be taken by the ICO and others to raise awareness of data rights?

Comments

The only thing GDPR has achieved is showing us how little control we really have over our personal data and how difficult it is to manage.

Since it came into being, websites have used every devious way possible to make it virtually impossible to find out what they are doing and what we can do about it. Many started off with a simple privacy statement and easy opt-outs, but that soon escalated to wading through many pages, far too much text to be bothered with and controls hidden in their murkiest depths. You are even told to visit other sites that will give you much of the same, so impossible to control.

Many sites won’t even let you continue unless you agree to their data harvesting. Many sites’ opt-outs don’t work at all.

Then if you regularly clear out temporary files and cookies, you have to start again.

Opting in or out to marketing is another pitfall. You might be happy to receive marketing emails from a company, but not all its partners and this is not always made clear. If I can’t opt out of ‘selective partners’, I don’t opt in at all.

When GDPR was introduced, every operating system should have released a user interface to give us real control over our personal data so we could build up our own databases of who was allowed to pry into our lives and online travels. Websites could ask and be told NO once and for all.

Kevin says:
31 May 2019

Taking a look at Which’s policies I’m quite surprised to find the following. I wasn’t even aware that Which were engaging with commercial retailers to foist more junk on me, since I’m paying a subscription I DON’T expect to be the product:

https://www.which.co.uk/help/our-policies-and-standards/1975/which-privacy-notice

Buried amongst the long list:
*** to develop and carry out marketing activities and competitions;
*** to serve you adverts on other websites about things which you’ve shown an interest in on our own website, or relating to campaigns you have interacted with;

And under cookie policy (by the way set to default ON), at the bottom of the page, expand the list:
https://www.which.co.uk/help/our-policies-and-standards/1979/our-cookies-policy-your-cookies-preferences

Under “Advertising & Targeting cookies”:
An example of the many third parties is Lead Intelligence:
“These are cookies used by Lead Intelligence – a lead management platform that streamlines the lead buying and management process for agencies and advertisers providing them with significantly more insight and reliability.”

Excuses that your data is anonymised are dubious since it’s notoriously difficult to effectively anonymise data, especially now in the world of big data when this stuff is cross referenced so easily. If a consumer rights organisation is adopting a rather cavalier attitude, what are the likes of Facebook/google etc up to?

Hi Kevin. Our apologies for the delay while we consulted the relevant teams to address these concerns. We now have a full response, which I’m able to share with you below. Thank you for your patience.

Like most organisations, Which? carries out a number of marketing activities via post, email and digital channels. This is always carried out to support our own products and services, and never to facilitate other companies targeting you. Beyond our base of members we want to continue to promote our products, services, tools and advice to a wider range of consumers. As a not-for-profit charitable organisation all the money we make from our commercial operations, including the revenue from our membership subscriptions, is used to support the activities of the Which? Group, not least the campaigning and lobbying work we do on behalf of consumers.

We use platforms such as Google, Bing, Facebook and Amazon as primary sources to locate new people likely to be interested in what we offer, and to serve them with relevant adverts on those platforms. We also use them to serve adverts to people who may have visited our site(s) to encourage them to return. Users can of course opt out of such activity by switching off cookies in our websites or the platforms’ websites as appropriate. Cookies dropped in relation to this activity allow us to effectively track our performance and ensure that our limited marketing money is spent efficiently. On occasion we do use other 3rd parties to conduct such activities on our behalf – you mentioned Lead Intelligence as an example of such a 3rd party, but we can report that this arrangement is no longer in place and we have updated the Cookies Policy to reflect this.

The only cookies defaulted to On are those classified as “Essential & Performance” cookies. Cookies relating to Insight and Advertising & Targeting are defaulted to Off at the point of entry to the site – as per our initial Cookie message, these will only be dropped if you click OK or continue to browse or use the site. Plus, you can of course turn them off at any time via the Consent tool.

We can assure you that data collected via cookies is anonymised with nothing classified as personally identifiable.

@gmartin, George – good morning 🙂
“The only cookies defaulted to On are those classified as “Essential & Performance” cookies. Cookies relating to Insight and Advertising & Targeting are defaulted to Off ….”

I’ll take issue with this. I have never thought about cookies on the Which? site, nor thought to try and find them. So have not changed mine. However, when I just looked both “User experience and insight cookies” and “Advertising and targeting cookies” are set to “active”. Not of my doing.

I’ll also be quite unkind in response to this statement: “As a not-for-profit charitable organisation all the money we make from our commercial operations, including the revenue from our membership subscriptions, is used to support the activities of the Which? Group, not least the campaigning and lobbying work we do on behalf of consumers.” A pity, then, that those activities included a failed venture in India and a failed mortgage advice operation that wasted getting on for £40 million that would (should) have been more prudently used, let alone the trivial £2.4 million paid in bonuses to support….. four staff.

Sorry, it’s a dull morning 🙁

p.s. this comment would be more appropriately made in a Convo only available to Which? Members as it is critical of the organisation’s competence and rewarding ethos, something best kept from public view – if only there were one.

I find the ICO to be ineffective at enforcement. For example, Three (mobile network) fails to make usage history available online to prepaid customers, only to postpaid customers. If one makes a GDPR request to Three for one’s personal usage data (including charge data), then Three sends the usage history, but incorrectly populates the charge column with 0 for every item of usage, which is blatantly false data, particularly on a prepaid account with no bundles where every item of usage is individually chargeable. When I reported this to the ICO, the ICO’s response was pathetic and it made no effort to require Three to comply with the GDPR, despite this affecting a large number of customers.

I also made another complaint to the ICO about Uber on 12th February 2019, to which I have still not even received an acknowledgement from the ICO. I am consistently disappointed with the ICO.

A few questions for Steve Wood

Why are some companies allowed to ask employees to give them Power of Attorney over their own personal bank accounts as a condition of being made manager?

They can’t even withdraw money for food and water without permission from company accountants and senior managers after they agree

Why aren’t tracking pixels, which are tiny invisible pictures 1×1 pixels in size, loaded by advertising company websites, addressed properly in ICO policy? Most of you know about tracking cookies, but I never see tracking pixels mentioned, and those have been around for years

If you visit a website using a browser that has all cookies turned off, you will still be tracked because adverts also load the invisible pixel picture from the advertiser’s website

Saying no to cookies doesn’t stop the tracking picture from being sent to your computer

Castle says:
4 June 2019

Earlier this year I was sent a number of unsolicited marketing emails from the same company. Since I wasn’t a customer of the company I sent them a Subject Access Request, (SAR), to find out where they had got my details from. The company refused to reply to my SAR unless I provided them with a copy of my passport, which I naturally refused.

I asked for help from the ICO who have now replied to tell me that the company is right; if you don’t provide a copy of your passport then the company doesn’t have to reply.

Kevin says:
9 June 2019

Taking a look at Which’s policies I’m quite surprised to find the following link. I wasn’t even aware that Which were engaging with commercial retailers to foist more junk on me, since I’m paying a subscription I DON’T expect to be the product:

…/help/our-policies-and-standards/1975/which-privacy-notice

Buried amongst the long list:
*** to develop and carry out marketing activities and competitions;
*** to serve you adverts on other websites about things which you’ve shown an interest in on our own website, or relating to campaigns you have interacted with;

And under cookie policy (by the way set to default ON), at the bottom of the page, expand the list:
…/help/our-policies-and-standards/1979/our-cookies-policy-your-cookies-preferences

Under “Advertising & Targeting cookies”:
An example of the many third parties is ‘Lead Intelligence’:
“These are cookies used by Lead Intelligence – a lead management platform that streamlines the lead buying and management process for agencies and advertisers providing them with significantly more insight and reliability.”

Excuses that your data is anonymised are dubious since it’s notoriously difficult to effectively anonymise data, especially now in the world of big data when this stuff is cross referenced so easily. If a consumer rights organisation is adopting a rather cavalier attitude, what are the likes of Facebook/google etc up to?

pa says:
9 June 2019

Isn’t it surprising?

Which kept quiet about the whole thing.

Not very honest, are they?

Kevin says:
9 June 2019

I originally submitted this on 31st May, 10 days ago, with the full Which URLs, but it’s been on “Your comment is awaiting moderation – we’ll get to it as soon as we can” status. Despite contacting them a few days ago, the original is still, shall we say, ‘embargoed’.

Ironic given the topic and author.

Kevin, as you seem to have discovered, any full web links sentence posts to “moderation” but posts with incomplete stub links usually appear immediately.

I see another of my posts has been removed with no explanation.

Removed and held posts are becoming a bit of a problem. By the time they are released their dates put them way down the pecking order so nobody knows they are there.

Hi Kevin,

We had a discussion about this last year you might be interested to read.
https://conversation.which.co.uk/home-energy/the-lobby/#comment-1532445

The page has been migrated but does work eventually if you keep refreshing it.

Kevin says:
9 June 2019

Hi Alfa, thanks for the link, as you say, a couple of refreshes necessary.
The quoted policies I referred to do not seem to be in strict alignment with the policies as stated by Which’s Adam Gillet?
I don’t have a problem with functional cookies, but the Which policy doesn’t restrict the use of them, and explicitly allows marketing and targeted advertising.
The answer here has got to be to NOT collect the data in the first place unless there’s a specific, risk assessed requirement for it.

The post just dropped on my doormat, urging me to join Nextdoor for my parish – a “free online network sharing recommendations for traders, discuss safety and local issues, plan neighbourhood events, post things for sale, and much more”.

It all sounds very good. I looked at the website and find “With offices in San Francisco, London and Amsterdam, Nextdoor was founded in 2010 and is funded by Benchmark Capital, Greylock Partners, Kleiner Perkins Caufield & Byers, Tiger Global Management, and Shasta Ventures as well as other investors and Silicon Valley angels.” “As of December 2017 Nextdoor had raised $285 million in financing.[16] About $75 million in new funding announced that month put its valuation at $1.5 billion” (Wiki). My suspicious mind tells me that they will have a way of making money from this operation, presumably from knowledge of those who register. So despite the attraction I’m wary of joining in.

Does anyone – Which? – know anything about this operation?

Do you remember Streetlife? It was a really useful forum that could be based in your area for discussing local issues.

Streetlife was bought by Nextdoor and the way it worked totally changed. I don’t know if it is still the same, but it was too invasive of your privacy, you could no longer be anonymous and your address was shown to everybody else on the site.

alfa, thanks. My impression as well.

Best steered clear of methinks.

Almost like medieval religion, pioneered by the likes of Facebook et al, the population has been conditioned to accept the virtues of sharing as a Good Thing. Reluctance to share risks being a social outcast [like me]. It has infected the younger generations and is gradually embracing the entire community and at its heart is the use and manipulation of personal data.

I still think a notice on a tree or on the gate or in some other public place is as good a way as any of advertising or seeking support for something. It happens where we live with events, activities, appeals, sales, and warnings posted in almost every road. Dog walkers spread the message as well.

A ‘community’ that lives hidden within the dark bubble of a social media platform and does not transact in a personal way is not really a community, is it?

John Ward said: 10 June 2019

Almost like medieval religion, pioneered by the likes of Facebook et al, the population has been conditioned to accept the virtues of sharing as a Good Thing.

Excellent analogy, John, but I fear it goes a lot further. The parallel between medieval religion and social media rings uncomfortably true, in far more ways than one.

Perhaps the most worrying is in the ability of social media to exert a unique peer influence and use that same influence to warp truth, create ‘truth’ and intimidate those who know the actual truth. We associate medieval religion with the Inquisition and the witch hunts, so perhaps even closer to what we’re witnessing today.

Darn! Very early for this sort of thinking.

I agree, Ian, but I must admit I wasn’t expecting the Spanish Inquisition.

The controlling mind, the triumph of the will – characteristics of dictatorship that have subtly woven themselves into the popular psyche and are becoming taken as gospel. Frightening really. We are sleepwalking into a miasma of indoctrination by a handful of media manipulators.