Giving your name and other personal details to an organisation doesn't automatically give that organisation the right to target you with marketing materials. By law, organisations are required to explain how they intend to use your personal details, and if they want to use your details for 'marketing purposes' they have to give you the option to prevent this. Furthermore, organisations can only sell your details to a third party if you have opted in - failing to tick an opt-out box does not give an organisation the right to trade your personal details.

Which? has found that marketeers are not always upfront about how they intend to use people's personal details, and opting out of receiving junk mail and other types of marketing is often needlessly difficult. Of the ten car insurers it investigated three did not comply with current data protection legislation, while others followed the letter, but not the spirit of current legislation.

Billion pound market

The trade in personal data is big business. In order to better 'target' prospective customers companies are willing to pay large sums of money for detailed information about for instance people's interests and spending habits. It's a market that is estimated to be worth billions of pounds. Admiral, one of the insurers Which? investigated, makes 5% of its profits by selling the details of customers who have been involved in accidents to injury claims companies.

The general public is largely unaware of this trade in personal data. A survey conducted by Which? found that the majority of its membership (55%) assumed that organisations can only use their personal details for marketing purposes if they have been given permission to do so. This is not the case; organisations only have to give people the chance to opt out. The survey also found that Which? members find opt-out boxes are often confusing; 86% would like to see standing wording for opting out of marketing materials.

Privacy notices and opting out

By law, privacy notices need to explain who is collecting personal data, what it is going to be used for, and whether of not the data will be shared with other organisations. This is the legal minimum, and the Information Commissioner's Office, which enforced both the Data Protection Act and Privacy and Electronic Communications Regulations, recommends organisations ensure privacy notices are "genuinely informative". It also recommends organisations write privacy notices in clear language, and not as a "legalistic" document aimed at "indemnifying an organisation".

Despite these recommendations Which? has found that privacy notices are often difficult to find and comprehend, and that opt-out boxes are often hidden. Of the ten car insurers it investigated only two were 'fully compliant' with current legislation (Churchill and Tesco) while three were 'not compliant' (More Than, Esure, and the Post Office). The other insurers were somewhere in the middle. The AA, for instance, does provide information about preventing unwanted marketing and allows people to opt out, but the information is "fairly easy to miss" and to opt out people have write to the company.

Deliberately deceptive

Georgina Nelson of Which? said that insurers practices are simply not acceptable: "Failing to provide adequate notice of marketing practices, and not giving consumers the opportunity to opt out of having their details sold on to potentially hundreds or thousands of other unknown companies, appears deliberately deceptive. These companies should, at minimum, be complying with the law, and we would like to see simple, truthful and transparent tick boxes for marketing options.

In response to the survey the AA, Admiral, AXA, and the Post Office said they would be reviewing the wording of their privacy policies. Only one insurer, Esure, said it would be making "significant changes" to it data protection policies.

Links

• Too many marketing messages! (conversations.which.co.uk)
• Privacy notices (ico.gov.uk)