Opt-in

[brightncheerful]

Opt-in is accelerating. I am fascinated to experience the different approaches to data protection of the numerous businesses, mostly in the commercial property world, whose mailing lists i'm on.

Many use a simple click and that's it Another, a property subsidiary of a bank, required me to fill in a half-completed form, click yes, then wait for an email and click the activation link in the email then delete the ensuing webpage that the link took to.

One organisation emailed me to opt-in or if I didn't respond within 48 hours I'd be automatically opted-out. i didn't. So a few days later, I got a reminder, I still didn't. I haven't heard since.

One firm sent me three separate emails over the course of two days requesting opt-in. I opted-in one and deleted the other two. I hope I am in.

Too many organisations tell me there's nothing i need do unless i want to opt-out in which case I should unsubscribe. My understanding of the new regulations is that that way of going about things is incorrect. Opt-in has to be a positive act.

My favourite so far is a reputable firm in Eastern England whose opt-in message after clicking was to confirm 'unsubscribed'. I contacted the firm direct to enquire and go an 'oh heck' response that presumably must've done the rounds because next day I got a reassuring, apologies, our mailing agency's mistake and is being sorted pronto.

Quite a lot of senders simply tell me they've updated their privacy policy and if interested then I should click to read. I've read a couple of the policies and guess they're template formats. I expect I'll find them useful when i get around to updating my privacy policy which I suppose i ought, even though I've been registered under the DPA for circa 18 years, don't have a mailing list, no log-in or registration on my websites, no cookies or privacy invaders, etc.

---

A non-business, I maintain a simple database for a local sports club whose members and visitors I email from time to time with the organisation's news, etc. I email everyone a few weeks ago but have little response; most people can't be bothered -m and strictly I cannot cajole because that might be construed as a breach of the voluntary opt-in. Frankly I can't see that not having heard from everyone is an issue: on the visitor registration and membership application we tell them the details will be put on a computerised database and I'm registered under the DPA. Someone on the list contacted me the other day requiring removal of their details from the database and expecting me to confirm done I deleted the details, but have not confirmed and am not going to: the tone of the request was unnecessarily nasty stemming as it does concerning another matter nothing to the sports club. I am looking forward to whether that person will contact me again after 25 May demanding i inform them what information I have about them on the database! If so then I am considering replying to say never heard of them. Frankly i think it daft to deliberately want to disconnect from a club whose activities a person participates in on occasions, not least because if for any reason the activity has to be cancelled the person could turn up only to find they've wasted their time and money getting there!

[AndyPandy]

Too many organisations tell me there's nothing i need do unless i want to opt-out in which case I should unsubscribe. My understanding of the new regulations is that that way of going about things is incorrect. Opt-in has to be a positive act.

It has to be a positive act from the 25th, but existing subscribers can be effectively 'grandfathered' as I understand it. Those organisations that are insisting on making you reconfirm are just being doubly safe, but it is probably not necessary.

I emailed my database of circa 800 Newsletter recipients (some opted in, some I soft-opted in) linking to our updated privacy Policy and pointing out that all they need to do is click the unsubscribe if they are not interested moving forwards. I had two opt out and no complaints about the approach.

I think that the new ICO will have bigger fish to deal with than all the millions of small databases / Newsletters etc like thee and me that are toeing the line as best we can.


viewtopic.php?f=64&t=11825

[Dod101]

I am amazed at the number of organisations that seem to have my name on their database and have done quite a lot of opting out in the last few days.

Dod

[Slarti]

I am amazed at the number of organisations that seem to have my name on their database and have done quite a lot of opting out in the last few days.

Dod

As a matter of policy, I never opt out, unless I know I opted in in the first place as it may not be who it claims to be and I don't want to confirm a live email address.

Slarti

[jfgw]

Too many organisations tell me there's nothing i need do unless i want to opt-out in which case I should unsubscribe. My understanding of the new regulations is that that way of going about things is incorrect. Opt-in has to be a positive act.

Does it make any difference whether you originally opted in or out? If the box you checked many years ago was to opt in, does that still count?

Julian F. G. W.

[AndyPandy]

There's a small piece in today's Times (one of the opinion columns and I've only read a hard copy, so no link) that you don't need to contact everyone and that contacting subscribers to ask them to opt in is unlawful in itself (the columnist mentioned that he was contacted by a few Law firms - the irony).

Sorry about the lack of detail, reading from a public copy, which I don't now have to hand.

[Dod101]

I am amazed at the number of organisations that seem to have my name on their database and have done quite a lot of opting out in the last few days.

Dod

As a matter of policy, I never opt out, unless I know I opted in in the first place as it may not be who it claims to be and I don't want to confirm a live email address.

I think most of them in my case were my late wife's contacts. I had not thought of the point you make though.

Dod

[brightncheerful]

…that you don't need to contact everyone and that contacting subscribers to ask them to opt in is unlawful in itself (the columnist mentioned that he was contacted by a few Law firms - the irony).

At a guess, contacting subscribers to ask them to opt-in is contrary to the intention that subscribing is to be a positive 'unconditional' act of the subscriber, not a consequence of being asked to subscribe.

----

I don't think it's all "the millions of small databases / Newsletters etc like thee and me" that 'fear' the ICO enforcing the regulations to the letter, but the prospect of scores of people contacting the millions of small databases, etc - 'data controllers' - wanting to know what data/information about them is held on those micro databases. Requests have to be answered within 28 days, at no charge to the enquirer.

---

Updating privacy policies (or introducing such a policy) seems to be a way around the opt-in procedure. As I understand, there is nothing to prevent me from contacting everyone I deal with to tell them about something they're probably not the slightest bit interested in. More likely I suspect they'd wonder how I have the time to do all that when I'm supposed to be getting on with the work I'm doing for them.

[Alaric]

There's a small piece in today's Times (one of the opinion columns and I've only read a hard copy, so no link) that you don't need to contact everyone and that contacting subscribers to ask them to opt in is unlawful in itself

It has to be a particularly poor piece of legislation that even the experts don't know what it's supposed to legalise and outlaw.

In the limit, every mobile phone stores contact details. They tried to exempt personal use, but where does that end? You hold contact details for all the members of a small club, because they are your friends, but have no official role. Presumably outside the scope of the Act. Now you are asked be an officer of the club. What changes?

[brightncheerful]

"You hold contact details for all the members of a small club, because they are your friends, but have no official role."

That applies to me, involving another sports club. A gesture of goodwill, I collated - by asking the people concerned and telling them why - emails of the regulars and gave the data to someone with an official role, on the strict understanding that none of the details are to be kept in a database, including a mobile phone and under no circumstances should my contact details (included amongst the data) be in a contacts app for which any social media organisation has access. I've no idea what happened since, other than to be told the club has a Facebook page!

Which I am unable to access because I'm not on fb. I suppose I could ask a friend who is on fb to check …

[didds]

Its just a mess. Clearly its been dreamt up (albeit for all the right reasons, fair enough) with enormous multi-nationals in mind, and no consideration or at least understanding of the impact on one man businesses and small orgainsations run by amateurs for amateurs, where such a "database" on a computerised device (or whatever the wording is" could be as limited to a wordpad rtf file with names and phone numbers, or indeed as per above a mobile phone with stored numbers, used for nothing more than the occasional email saying there's a get together on Sunday week and the AGM every March.

I have a very small one man "business" - I probably make £500 a year from it at most. very low key. My computerised records such as they are consist of invoices with names and addresses on them, and an email client that automagically stores email addresses. If I had to pay any fees to register because of this there would be no point in running the business basically as they'd cut into the minimal pocket m,oney profit i make. I chatted to an online help window thing and the woman there told me full stop, no questions as i had this stuff on a computer that was it, i was caught and I had to register etc. She however didn't sound as if she was actually listening to what I was saying so i phoned the helpline the next day. the woman there said at first yes, register. So i suggested all I need do then was blank all the invoice name and address details on record, and clear all the stored email addresses and i wouldn't have to do so. she agreed. Then appeared to have a light bulb moment and THEN said - ah, this is for records and accounts then? Which it is, that's it. I don;t send multiple emails out etc. So then she said as its records and accounts only I am exempt, no need to register.

So there we are! Goodness knows if I really am exempt, other than I have a verbal assurance with no back up (I asked for that in writing but she said they didn't do that but all i had to do was say it was for records and accounts!). I just also believe that nobody is ever (ha!) going to be so desperate as to chase up a one man band with a dozen clients a year, mostly repeats. In the same way nobody ever chased me for DPA registration because I and my wife were trustees of my pension scheme, and thus I had a record of my own and my wife's address!!! (which i was assured when i asked the DPA I would need to be registered for. bugger that.)

didds

[Slarti]

Its just a mess. Clearly its been dreamt up (albeit for all the right reasons, fair enough) with enormous multi-nationals in mind, and no consideration or at least understanding of the impact on one man businesses and small orgainsations run by amateurs for amateurs, where such a "database" on a computerised device (or whatever the wording is" could be as limited to a wordpad rtf file with names and phone numbers, or indeed as per above a mobile phone with stored numbers, used for nothing more than the occasional email saying there's a get together on Sunday week and the AGM every March.

One thing that I will point out, or 2
1) This does not only apply to computer based systems. Paper in a filing cabinet, for example, is also included.
2) Our wonderful government hasn't actually passed the necessary law to make this count in the UK yet, and will probably fail to do so by Friday!

Slarti

[didds]

One thing that I will point out, or 2
1) This does not only apply to computer based systems. Paper in a filing cabinet, for example, is also included.

That was my understanding too slarti - I was a bit confused by BnC's post about providing a list of emails on the proviso they weren't kept in a database... whereby as "little" as a handwritten list on the back of an old envelope is still in effect " a database" [ this isn't picking on BnC of course! ]

didds

[Alaric]

My computerised records such as they are consist of invoices with names and addresses on them, and an email client that automagically stores email addresses.

The intent seems to be that it's OK if necessary for the running of the business. Or is it?

But where does this all come from?

Is it the UK government or its Civil Service rampaging out of control?

Is it the EU?

Is it a more general international agreement?

I don't think the tabloid press have really caught on to this (yet).

[didds]

But where does this all come from?

Is it the UK government or its Civil Service rampaging out of control?

Is it the EU?

Is it a more general international agreement?

I don't think the tabloid press have really caught on to this (yet).

My understanding its an EY edict that is to be rationalised into UK law. Slarti (I think) above noted that as yet the UK govt hasn't rationalised it - yet we have this imminent arrival of its registration etc requirements.

If the tabloids and more rabid of our meejah do work it out then presumably it would merely provide more anti-EU ranting as evidence of "us" not being able to decide our own fate etc etc etc.

didds

[Alaric]

evidence of "us" not being able to decide our own fate etc etc etc.

Surely it is evidence. Would parliament have the powers to water down the legislation? For example align it with the VAT threshold which would exempt small businesses and voluntary organisations from being concerned about whether they were complying with requirements that even the supposed experts don't agree on what they are. Individuals are already exempt, if they weren't we'd be required to contact everyone on our contacts lists on phones, email and address books to ask whether they could remain.

[brightncheerful]

Chatting with a friend yesterday, who manages a business operating in private sector health care. compliance is going to be a major challenge where client records are not comprehensively computerised. In my friend's case, approximately 10,000 active records are involved, many of which are not on a computer, and estimated 100,000 archived records, none of which are on computer. By law, the business records have to be kept for at least 7 years. Under the new regulations, all data has to kept securely which include paper records and having to password-protect all computers where any data and contact details are stored. The existing mailing list will have to be split to allow for marketing only and until that is done and clients have confirmed opt-in to the marketing mailings a plan to invite existing and old clients to a free gathering hosted by the business in aid of a charity has had to be put on hold.

As for a person's right to know what information the business holds about the person. the prospect of having to search through dozens, hundreds maybe thousands of sheets of paper, including scribbled notes, to ensure nothing overlooked is daunting to say the least.

[dionaeamuscipula]

2) Our wonderful government hasn't actually passed the necessary law to make this count in the UK yet, and will probably fail to do so by Friday!

Slarti

It was passed yesterday.

It is an EU regulation but has now been passed into UK law. UK citizens should be pleased at the additional protections and other rights they now have. Ironically, the regulation has higher levels of requirements for transfers of data to non-EEA countries, as the UK will become post March 2019.

The vast majority of those required to register (cost for most: £40) were already required to be registered under the DPA anyway.

DM

[Slarti]

As for a person's right to know what information the business holds about the person. the prospect of having to search through dozens, hundreds maybe thousands of sheets of paper, including scribbled notes, to ensure nothing overlooked is daunting to say the least.

I was under the impression that, with certain strictly limited exemptions, I am already able to ask any organisation what data they hold on me.

A number of government related organisations have full time people handling that sort of request, even when they know that they don't hold data on most individuals because they get so many data subject requests.

Slarti

[brightncheerful]

As for a person's right to know what information the business holds about the person. the prospect of having to search through dozens, hundreds maybe thousands of sheets of paper, including scribbled notes, to ensure nothing overlooked is daunting to say the least.

I was under the impression that, with certain strictly limited exemptions, I am already able to ask any organisation what data they hold on me.
Slarti

That's correct. However, the organisation can charge for providing the info: a payment required and in advance can act as a deterrent. The difference going forward is that the organisation cannot charge and the info has to be provided with 30? days.

In my friend's case, a small business whose staff are often overworked, there has never been an issue where a person requesting information has been denied but the difference henceforth is the time-limit. That and the absence of payment deterrent for anyone vexatious.

---

As the ICO reminds, organisations, etc have had 2 years to prepare for today!