‘Consumer champion’ Which? admits to data breach

Self-proclaimed consumer champion Which?, the organisation which carries huge clout within Westminster and claims to be a beacon of data protection best practice, has been forced to admit its own email sign-up process has been in breach of not one, but two data laws.
The issue was sparked when one consumer, who has since contacted Decision Marketing, visited the Which? website to gather information on buying a new printer and to find out what product reviews said.
Access to Which? product reviews is by paid subscription, but there was an offer of a trial at a discounted rate. The consumer partly filled in basic name and contact detail information, but abandoned the form before completing it, and did not tick the opt-in box to receive further communication.
However, within 24 hours, he had started to be bombarded with marketing emails from Which?, encouraging him to sign up for its services, even though he had not ticked the opt-in box, had not accepted the trial terms and conditions, and had not become a customer.
The consumer contacted the company immediately, demanding an explanation.
Which? at first grudgingly admitted there had been a mistake, but refused to say whether it considered it had broken data laws. So the consumer wrote to the company directly asking the question again.
In a letter from head of member services Matt McEnroe – published today by Decision Marketing – the organisation claimed the matter had been sparked by “a technical issue” but added: “In this instance, we were in breach of the Data Protection Act and of the Privacy and Electronic Communications Regulations.”
McEnroe went on to say the company “conducted a full investigation, identified the issue and took immediate steps to ensure that further communications were prevented from being sent in error”. He added that “your query was the only one received relating to this matter”.
However, one industry insider alleges that this incident could never have been a one-off. The source said: “The data software program was obviously not checked for compliance as it was designed to collect data it should not.
“A different software program automatically sent out an email specifically aimed at those who had not completed the trial offer form, and were therefore clearly off limits for communication.
“The software had to be programmed, but also the investment in at least two creative treatments [seen by Decision Marketing] aimed at non opt-in/non customers shows Which? had a strategy based on ignoring regulation. Either it knowingly broke two regulations, or its compliance process ignored the very basics of data protection and privacy.”
