Roll Back time to March 2016.

I had been receiving emails about dance classes for the last few months. I don’t remember signing up for them and anyone who knows me will testify to the fact that I have no sense of rhythm at all. I’m never going to be a dancer.

Anyway, somehow I had been added to this mailing list for salsa dance classes. I started receiving emails about January and on average I was getting three a week. On occasion I was getting two a day. There was no method to unsubscribe from the emails. Having got bored with receiving the emails I decided to respond to an email by asking to be removed from the mailing list. I did this on two occasions a week apart. I didn’t receive a reply. Then one day another email pinged into my email inbox and I decided I needed to take direct action so I rang the telephone number shown from my mobile. It went to an answerphone giving me details of the classes available (Was there no escape?).

I decided I would call back again later. Just after I put the phone down, a text came in – guess what – it was a text to tell me about dance classes from the number I had just called. I was furious. I rang the number again, this time it was answered. I explained that I was very angry that I was receiving these emails and to receive a text was just too much – I had not given her permission to send me marketing by text message. The response – “Well people call me all the time wanting to know the times of dance classes so I don’t answer the phone and send them a text” – really, you don’t think that sending emails and the answer phone message giving information about dance classes is enough, you decide to send spam texts as well. “Nobody else has complained” (that old chestnut).

I asked about the previous emails asking to be unsubscribed and she told me she hadn’t received them. I asked her to remove me from her mailing list, so I gave her my email address and she searched, only to tell me it wasn’t there. I said it must be, you are sending me three emails a week on average. “Oh no that isn’t possible as that would mean you were on three lists”. She rechecks and finds I am on her database and on three lists (big surprise!). She said she had been hacked about a month ago and the hacker must have put me on the lists (so a hacker breaks into her email account and adds my name to three of her mailing lists so she can send me emails about dance classes, what a helpful hacker!). She tells me she cannot delete me from her database, “it won’t let me”. I reinforce the fact I wish to be removed from the mailing lists and how she does it is not my problem, I say goodbye and hang up. A little while later another email comes in from her to tell me she has removed me from her mailing lists but she had to remove 10 other people to be able to do it.

What did I learn?
– the dance class provider is not registered with the ICO – potentially a £5k fine and criminal record from not being registered.
– the emails she is sending breach PECR (Privacy and Electronic Communication Regulations) by not having a means to easily unsubscribe.
– Failing to remove me from her mailing list on the two previous occasions is another PECR breach.
– Sending me an unsolicited marketing text is a data protection breach – The ICO has recently fined a company £200k for unsolicited marketing texts.
– the most important thing to her was using the personal information she had gathered to further the spread of her message and the need for security and professionalism that comes from having a client list was lost on her.

My advice to her is:
– Register with the ICO – a £35 annual fee
– Use a proper mailing package such as mailchimp, madmimi, constant contact etc so that she can properly manage her mailing list and those people who are desperate to unsubscribe can do so without the hassle I had. This will also ensure she has the proof of an opt in when GDPR comes into effect in May 2018, if she uses the double opt in for new dancers, provided she puts the right information into the collection notice. For those  receiving her updates now she needs to be able to prove that they have opted in to receive the information she is sending.
– Improve the security of her passwords and the processes she is using.
– Stop sending texts to people automatically, she is potentially raising the risk of the ICO investigating her. To be able to send marketing texts you have to have the specific permission of the individual.
– Think about the security of the information she is holding. Would she be happy with her personal information being dealt with in this way?

Fast forward to today and guess what, I have just received a Linkedin request from her. Is the woman mad or perhaps she needs some good data protection advice?

All small businesses face challenges with regards to mailing lists. You should be taking action now to confirm the list so that you have a good starting point come next May. You don’t want to be in the position of this dance teacher. I’d be interested to hear if you have any stories of a similar nature as I’m sure it can’t just be happening to me. 🙂