More companies put data about their customers on sale

Shoppers' spending habits are increasingly being bought and sold by banks and businesses without their consent, reports Chiara Cavaglieri

Barclays is the latest big name to tell its millions of customers that it intends to start selling information about the transactions on their accounts.

The bank has written to customers explaining that the information will be used to compile reports on consumer-spending patterns, and sold on to third parties such as other companies and government departments.

It will also start tracking mobile phones to protect customers against fraud, ensuring that the phone is in the right country when overseas transactions are made (although customers can opt out of this).

These changes to Barclays' “Retail Customer Agreement” terms and conditions will take effect in October this year.

“Barclaycard is following in the footsteps of a host of companies who no longer see their customers as people to provide a service to but instead as a cash cow for personal data, to be monitored and sold on to advertisers with little regard for asking people's permission” says Nick Pickles, director of Big Brother Watch.

Barclays has insisted that “these are statistical reports only – very high level, aggregated and anonymised data about overall trends – not leads for sales or marketing”.

While this may well be true, it is still a concern that the bank can do so without consent from its customers.

This move also reveals a worrying and increasing trend. Tesco was the pioneer for selling data, launching its loyalty Clubcard and using it to pass on details of customers' shopping habits to its data subsidiary Dunnhumby (a customer science company which reported profits of more than £60m in 2011-2012).

Then, only a few weeks ago, Britain's mobile-phone operators Everything Everywhere, Vodafone and O2 announced a joint venture called Weve, selling bundles of data to corporate clients.

Advertisers will never know names or phone numbers, but they can use details on age groups, location and device information to place targeted ads on smart-phone apps and mobile internet sites.

The internet has made it all-too-easy for information to be collected on a vast scale, so it is no surprise that businesses are finding new ways to track people and make a fast buck, but it does sting that they do so without passing on any of this reward to the very customers who create the data.

“Perhaps this explains why Barclays is so desperate to push its customers into using contactless cards rather than cash and to integrate the Oyster card as a way of tracking their customers in even more detail,” says Mr Pickles, who argues that if Barclaycard believes in serving its customers it should start by asking people if they will provide their data and giving them something in return.

The kind of information held by organisations and companies can range from the basics such as your name and address, to details about your family, your shopping habits and even the school you went to. Legally, the good news is that you do have a right to know what information companies hold about you and there are rules governing how they handle this under the Data Protection Act 1998.

“When one hears of proposals to ”sell personal data“ that does tend to send up warning signals, but the fact is that you cannot legitimately sell-on data unless the data subject has given a proper consent, or unless it has been anonymised, in which case it is hard to see what genuine objection there is,” says David Marchese, of law firm Davenport Lyons.

You can ask an organisation not to hold or use information about you if it causes damage or distress, and crucially, you can ask them to stop unwanted direct marketing – most companies will give you the chance to opt out of direct marketing.

If you think that an organisation has breached these regulations, complain to the UK's data protection watchdog, the Information Commissioner's Office.

The problem remains, however, that there is something of a loophole in UK data protection law if companies are selling anonymised data, i.e. data where personal identifiers have been removed so that the information cannot be related back to individuals.

The Open Rights Group – another digital-rights campaign body – has called for new EU laws to force organisations to seek consent for the sharing of anonymised information stating that firms should clarify how they are aggregating and anonymising the data because there are risks that people can be reidentified.

Consumer champion Which? has been vocal too, calling for a crackdown on the way companies trade personal data, including limits on the time that firms can contact a n individual.

“Banks like Barclays that say they want to play fair with their customers should ensure they are protected from unwanted marketing and are in control of their personal data.

“Firms should be clear about what they intend to use data for, with transparent terms and conditions, and enable people to easily opt-out of this,” says Which? executive director Richard Lloyd.

The European Commission has also published long-awaited proposals for the reform of EU data protection law, and when these come into force they will increase consumers' rights.

In the UK, the new Consumer Rights Directive will be implemented in December 2013, strengthening consumer rights with various measures, including a ban on pre-ticked boxes to prevent people inadvertently consenting to junk mail.

In the meantime, it's vital that we all get to grips with our rights and find out exactly what steps we can take to keep our information as private as possible.

Comments