Naked Security

Regulator fines COVID-19 tracker for turning contact data into sales leads

Would you like marketing material with your track-and-trace?

The Information Commissioner’s Office (ICO, the UK’s data protection regulator) has just issued a fine for “spamming without consent”.

That doesn’t sound very newsworthy on its own, but the interesting thing about this story is the circumstances under which the email addresses were collected in the first place.

The company that’s in trouble goes by the name Tested.me, and according to the ICO it was formed in the middle of 2020 to help businesses in the UK meet the government’s hurriedly imposed coronavirus track-and-trace rules.

Unfortunately for Tested.me, they also asked for consent to use contact data for purposes other than coronavirus tracking…

…but the way in which they went about it was not deemed appropriate by the ICO.

The company was fined £8000 (just over $11,000), which it must pay by 2021-06-08.

Intriguingly, the ICO is offering a £1600 “early payment discount” if the fine is paid in advance of the final deadline, although “early” in this case means anywhere up to the day before, namely 2021-06-07.

We suspect that the main reason for offering this discount is not, in fact, to collect the money more quickly, but because anyone taking advantage of “early payment” cannot then appeal against the judgement.

Modest at first sight

Right now, you might be thinking that an £8000 fine sounds pretty mild, given that the offence relates to the emergency collection of data that people would almost certainly not have given out under normal circumstances.

You’ve probably assumed, or at least hoped, when you’ve handed over data during the pandemic “for the greater good of all”, that the company collecting it would treat it with more than the usual amount of care.

So any misuse of anti-pandemic data for marketing purposes sounds like a low blow when you first hear about it.

It turns out, however, that while Tested.me may have been sloppy in the eyes of the ICO, the company didn’t blatantly abuse the email addresses that it collected.

According to the ICO, everyone who received marketing emails from the company had, in fact, chosen to check a box on the track-and-trace web form that said, “Tick here if you agree for this venue, its alliance [sic] and tested.me to send you marketing materials in the future.”

Deleted after 21 days

The ICO noted that immediately below the abovementioned consent checkbox was wording that said, “To comply with Government Guidance during the Covid-19 pandemic, we are collecting your name and contact details. We will store these for 21 days only before deleting them in line with GDPR regulations. Your details will not be shared with any other company or organisation.”

When reading this part of the Penalty Notice, we assumed that the Commissioner took issue with Tested.me for what we considered an obvious ambiguity in the wording above.

That’s because the promise that the data would be “stored for only 21 days” seems to apply to any and all uses of the data, and therefore that any marketing consent would implicitly evaporate after those 21 days.

After all, if the company no longer has your contact data, it no longer has anything to which it can connect your “I consent” check-box, so it couldn’t market to you even if it wanted to.

However, it looks as though the ICO’s concerns were more nuanced, namely that the consent itself was too broad.

Amongst other things, the ICO:

  • Took issue with Tested.me’s use of the undefined “alliance” in its consent wording, given that there was no way to figure out how broad that “alliance” might be and therefore how many “allied” companies might end up with the contact data.
  • Took issue with the fact that consent wasn’t broken out into separate categories, individually covering the venue itself, the abovementioned “alliance”, and Tested.me.
  • Took issue with the fact that consent covered generic “marketing materials”, instead of requesting permission separately for different contact methods such as phone and email.
  • Took issue with the omission of an overarching Privacy Notice or Privacy Policy setting out the company’s general practices with respect to privacy and consent.

In an amusing irony, it seems that Tested.me managed to spam a few people a second time, even after they had opted out after receiving their first email from the company.

Tested.me, it seems, actually did something right: when users opted out, the company really did delete all their data, rather than simply marking them as inactive members of a mailing list.

Most reputable marketing companies make it easy to unsubscribe from mailouts, but many of them keep you on their list thereafter, so that you have to invoke “right to be forgotten” rules separately to get off their list altogether.

Those people who were spammed a second time by Tested.me had opted in a second time when later visiting another venue using the company’s service, and the company had no way of checking whether they had, in fact, opted out before.
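The failure mode described above is worth seeing in code, because it is easy to fall into: if opting out deletes the whole record, a later opt-in at another venue looks exactly like a first-time opt-in. The following is an added illustration written for this article, not code from Tested.me or the ICO. It models a naive store that behaves as described, next to one that still deletes the contact record but keeps only a keyed hash of the address on a suppression list so that the earlier opt-out can be honoured. The key, the store design and the sample addresses are all constructed assumptions for the example.

```python
import hashlib
import hmac

# Constructed key for the example; a real deployment would load it from a secrets store.
SUPPRESSION_KEY = b"example-suppression-key-not-for-production"


def suppression_token(email: str) -> str:
    """Keyed hash of a normalised address, so an opt-out can be remembered
    after the address itself has been deleted from the contact store."""
    normalised = email.strip().lower()
    return hmac.new(SUPPRESSION_KEY, normalised.encode("utf-8"), hashlib.sha256).hexdigest()


class NaiveConsentStore:
    """Models the behaviour the article describes: opting out removes the
    whole record, leaving nothing to check against on the next visit."""

    def __init__(self):
        self.contacts = {}  # email -> {"venue": str, "marketing": bool}

    def check_in(self, email: str, venue: str, marketing_consent: bool) -> None:
        # Track-and-trace check-in, with the marketing box ticked or not.
        self.contacts[email] = {"venue": venue, "marketing": marketing_consent}

    def opt_out(self, email: str) -> None:
        # Genuine deletion, exactly as the article credits the company with doing.
        self.contacts.pop(email, None)

    def marketing_recipients(self) -> list:
        return sorted(e for e, r in self.contacts.items() if r["marketing"])


class SuppressingConsentStore(NaiveConsentStore):
    """Same deletion on opt-out, plus a suppression set of keyed hashes
    that survives the deletion and is consulted before any mailout."""

    def __init__(self):
        super().__init__()
        self.suppressed = set()

    def opt_out(self, email: str) -> None:
        self.suppressed.add(suppression_token(email))
        super().opt_out(email)

    def marketing_recipients(self) -> list:
        # A ticked box at a later check-in does not override an explicit opt-out.
        return sorted(
            e for e, r in self.contacts.items()
            if r["marketing"] and suppression_token(e) not in self.suppressed
        )

    def resubscribe(self, email: str) -> None:
        # A deliberate, separate re-subscription is the only way back on the list.
        self.suppressed.discard(suppression_token(email))


def simulate(store_cls) -> list:
    """Replay the sequence from the article against a given store design:
    opt in at one venue, opt out, then check in at a second venue in a hurry."""
    store = store_cls()
    store.check_in("alice@example.com", "Venue A", marketing_consent=True)  # constructed
    store.opt_out("alice@example.com")
    store.check_in("alice@example.com", "Venue B", marketing_consent=True)
    return store.marketing_recipients()


if __name__ == "__main__":
    print("naive store would mail:", simulate(NaiveConsentStore))
    print("suppressing store would mail:", simulate(SuppressingConsentStore))
```

The design choice worth noting is that the hardened store treats the hurried second tick as subordinate to the earlier explicit opt-out, and only a separate, deliberate `resubscribe()` clears the suppression entry. Whether a keyed hash is an acceptable thing to retain is a question for your own data-protection assessment; the point here is simply that honouring an opt-out requires remembering that it happened.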

So, for all that the ICO castigated Tested.me for non-compliance, the apparently modest fine of £8000 reflects that the ICO accepted the company did not set out to break the rules.

Additionally, the ICO notes that Tested.me had no previous history of violating GDPR rules, and stopped sending marketing emails altogether as soon as the ICO contacted it to express its concern.

What to do?

  • If you’re a user, sit down and decide how much your contact data is really worth. If the “marketing material” you are being asked to opt into doesn’t pass that threshold, stick to your guns and simply don’t opt in.
  • If you’re a marketing company, sit down and decide how much your reputation is worth. Don’t squeeze people to opt in when they’re in a hurry or when they are providing data for regulatory reasons rather than of their own free will. An unwilling “user” who feels as though they have been duped into consenting can turn into an angry and vocal enemy that will do you no good.
  • If you live in a country where GDPR or a similar regulation applies, go out of your way to understand it. Doing what you think is “just about enough” to comply is not satisfactory. You need to know and to comply with the rules as they actually are, not as you wish they were.
  • Make it as easy for people to get deleted from your database as it is for them to be marked inactive. People who feel strongly enough to click [Unsubscribe] aren’t suddenly going to change their mind and un-unsubscribe a few hours later. And if they ever do want to re-subscribe later, they can do so easily enough whether they’re already in your database or not.