The Information Commissioner’s Office has dropped its investigation into the data practices of Which?, sparking accusations that the regulator has “bottled it” despite evidence that its sign-up software broke data protection legislation.
The issue was sparked when one consumer found himself bombarded with marketing emails even though he had not completed an online sign up form for paid-for product reviews, so the organisation did not have consent to capture and then use his data.
Which? did admit that it had flouted the law but insisted it was a one-off “technical error”, a defence that the ICO appears to have swallowed hook, line and sinker.
In a letter from ICO lead case officer Elizabeth Lealman, the regulator states: “I understand why this matter is important to you. However, our role is to help organisations to improve their information rights practices. In this case, on the basis of the information available to us, there is no firm evidence to suggest a systematic problem with the Which? website which is adversely affecting a large number of people. The information available to us at this time suggests that an error occurred in this case and Which? has taken steps in order to address it.
“We adopt a targeted, risk based approach and do not use our powers lightly or routinely. We respond proportionately to breaches with an aim of helping organisations to meet their information rights obligations more easily. This is because our powers are designed to change behaviour and promote compliance and not primarily to punish. With this in mind, we will not be taking any further action in this matter.”
However, one industry insider alleges that this incident could never have been a one-off. The source said: “A software program automatically sent out an email specifically aimed at those who had not completed the trial offer form, and were therefore clearly off limits for communication.”
He added: “The regulator says there is no evidence of systematic breaches by Which? even though Which? has admitted the breaches. Is the ICO actually aware of how online data capture software systems work? The actions in the Which? case are obvious as being systematic.
“The ICO appears not to have even asked how the breaches occurred. This seems strange. The regulator also says it has a risk-based approach when it comes to offences. This seems to be a new policy.
“The regulator says its role is to promote compliance, not punish. This is not true, and is not reflected in other cases of data and privacy breaches. It looks to me like the ICO has bottled it. Is the decision to not even give Which? even cursory punishment based on an ongoing relationship, and the fact that Which? acts as a government consultant on consumer data practice? It does not seem fair on companies that have been fined for less.”
A Which? spokesman said: “Data protection is very important to us and we immediately took the necessary steps to address the technical problem that caused the issue and to resolve this matter. The Information Commissioner’s Office has written to us and confirmed they will be taking no further action at this time.”
ICO launches investigation into Which? data practices
‘Consumer champion’ Which? admits to data breach
Privacy chief accused of sucking up to the Daily Mail
Illegal data being sold on industrial scale for just 4p
Which? goes to war with Microsoft over Windows 10
Energy customer database triggers junk mail fears