The Information Commissioner's response to the Department for Culture, Media and Sport's consultation on requiring direct marketing callers to provide Calling Line Identification

The Information Commissioner has responsibility for promoting and enforcing the Data Protection Act 1998 (DPA), the Privacy and Electronic Communications Regulations 2003 (PECR), the Freedom of Information Act 2000, and the Environmental Information Regulations. He is independent from government and upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The Commissioner does this by providing guidance to individuals and organisations, solving problems where he can, and taking appropriate action where the law is broken.

The Information Commissioner welcomes the opportunity to respond to DCMS's consultation on requiring direct marketing callers to provide Calling Line Identification (CLI). The Commissioner's remit extends to the oversight and enforcement of unsolicited direct marketing contact via electronic means including live and automated telephone calls. In undertaking this role, the Commissioner investigates complaints, gathers intelligence from numerous sources and coordinates his activities with other relevant regulators.

The Commissioner supports the proposed changes, noting in particular the potential for these changes to assist him in his enforcement work. He remains committed to taking action against organisations which breach PECR when his regulatory powers allow him to do so with a view to tackling the nuisance, anxiety and distress these calls cause to the public. Ofcom has recently estimated that 1.7 billion live sales calls and 940 million recorded sales calls are made annually to UK consumers [1]. With this scale of direct marketing calls being undertaken, it is vital that individuals are able to exercise their rights in respect of those calls and that complaints can be appropriately investigated and addressed by the Commissioner and other regulators as appropriate.

[1] http://stakeholders.ofcom.org.uk/binaries/consultations/review-of-how-we-use-persistent-misusepowers/annexes/annexes_7-8.pdf
Do you agree that the Government should amend PECR to make it a requirement for direct marketing callers to provide CLI?

Yes. The Commissioner strongly supports the idea of requiring callers to provide CLI when making direct marketing calls. The Commissioner is supportive of this requirement for several reasons.

Firstly, it sends out a message to callers and call recipients alike that direct marketing should and can be carried out in a legitimate, transparent and accountable manner, with CLI acting as insurance of that. By insurance, we mean that requiring the provision of CLI should empower individuals to choose whether to answer a call at all. If they do choose to answer and the call is one they wish to complain about, having the caller's CLI should enable them to make a better informed complaint. Inclusion of CLI should also enable individuals to contact the calling organisation directly to express their dissatisfaction about being contacted, enable them to ask to be removed from any relevant call database and also potentially be a first step in exercising their rights under the DPA.

From an enforcement perspective, requiring a valid CLI should ensure that more detailed, and consequently more useful, evidence and intelligence can be obtained relating to individual breaches of PECR. It should also assist us in identifying those organisations we most need to target with enforcement activity.

However, there is a strong need to ensure that the information obtained is as useful as possible. The requirements of regulation 24 of PECR should be used as the basis for any amendment. We have identified a number of potential issues which need to be addressed to ensure that any amendment is fit for purpose. Specifically, we would want any amendment to include a requirement for a valid CLI to be provided and we would want clarity as to what constitutes valid CLI, addressing the following issues:

- the CLI needs to be dialable - meaning capable of receiving inbound calls.

- the CLI needs to be a direct contact number for the organisation that is the subject of the direct marketing or for that organisation's delegated or contracted representatives (the instigator of calls or caller). The CLI could legitimately be for a third party organisation provided that a contract with the marketed organisation governs the relationship. However, inclusion of the genuine CLI for an organisation other than the subject of the marketing or any kind of spoofing needs to be specifically excluded;

- what needs to happen when an individual who has received a call contacts the number given in the CLI. To ensure the inclusion of a valid CLI assists individuals as well as regulators, we would suggest a requirement that the dialable number be answered in some way, to avoid already frustrated or upset individuals attempting to contact dialable numbers which are never picked up.

- whether the CLI needs to be a UK number, or whether a non-UK number that is otherwise genuine can be deemed valid;

- whether a presentation number can be a valid CLI. Any wording needs to take into account that there can be legitimate circumstances when the calling number would not necessarily be the number which the organisation would display as the CLI. For example, where an organisation contacts individuals from multiple different numbers (for example, from different staff) using one overarching CLI would help the call recipient to identify that those calls are from the organisation, as opposed to the individual receiving multiple calls from different numbers. In that situation, the use of one CLI would enable the individual to build an accurate picture of the calls they are receiving;

- the level at which any charge can be levied for dialling the CLI; and

- whether geographically targeted CLI can be used. By geographically targeted, we are referring to an organisation choosing to use a local telephone code as opposed to their actual national or non-local number to encourage an individual to answer the call. We have raised potential concerns previously [2] that there may be fairness issues to the localisation of CLI from the perspective of the DPA (in that individuals may be encouraged to pick up a call that they would otherwise not have answered because they believe it to be local). There is a potential for the individual to be misled by targeted use of a local number, and it is our experience that less legitimate organisations use this as a deliberate tactic to improve call pick up rates, relying on individuals to respond to the local number where a generic or national one would be ignored.

As well as covering off the basic requirements of valid CLI, any wording included needs to be compatible with VOIP (Voice over Internet Protocol), which is increasingly being adopted. VOIP calls can terminate either at an IP address or be diverted to a landline number. Any amendment to PECR needs to enable enforcement activity and contact from individuals where VOIP calls have been made.

[2] ICO's response to Ofcom's call for inputs on Ofcom's persistent misuse of the telecommunications network powers - https://ico.org.uk/media/about-the-ico/consultation-responses/2014/1042777/ico-response-ofcomcall-for-input-persistent-misuse-of-the-telecommunications-network-20141107.pdf
Our concern is that if the requirements for including CLI are insufficiently clear, this may leave loopholes which less ethical organisations may seek to exploit. We also want to avoid situations arising where organisations unwittingly fail to comply, as a result of simply not understanding what is required of them.

We are also keen to ensure that any requirement introduced is consistent with the guidance that Ofcom has issued in relation to presentation CLI, to ensure that both the Commissioner and Ofcom can enforce their separate powers (under PECR and the Communications Act 2003 respectively) consistently and tackle the problem of nuisance calls in a cohesive and constructive way.

Are there any other costs or benefits that may be associated with this proposal that you think the Government should consider before taking a final decision?

We have considered this question both from the perspective of the public, as well as from our perspective as a regulator.

It is worth considering that there may, in the short term, be some inconvenience for certain individuals if CLI is required. For example, the requirement to provide CLI when making direct marketing calls could negate individuals' use of services which automatically reject or block calls from withheld numbers. Anecdotal evidence also suggests some individuals currently refuse calls on the basis that they come from numbers listed as withheld or unknown. It might be worth considering that the proposed requirement to provide CLI could make those individuals' choices as to which calls to refuse more difficult.

Depending on how the requirement to provide CLI is received by the public, it could either reduce or increase the information available to regulators. Where the provision of CLI genuinely enables individuals to exercise the power of choice over which calls to answer, an unintended consequence could be that it ultimately acts to reduce the evidence made available to regulators such as the ICO. Where calls go unanswered through choice, and without the call recipient being inconvenienced by the call itself, there may be a reduction in reported complaints and consequently, of the evidence available.

Conversely, individuals could choose to make more complaints, with the expectation of increased enforcement action. The side effect of this - and cost to individuals - would be an increase in the time spent by individuals completing complaint forms, whether those of the ICO, TPS or their own telephone operators. (Although we are currently taking steps to further improve our online reporting process to reduce the time it takes to complete multiple reports.)
Overall, as a regulator we strongly welcome this proposal. As has been identified in the consultation document, this proposal could result in significant regulatory benefit to the ICO. The adoption of this proposal would enable streamlining of our investigation, evidence and intelligence gathering processes and consequently could have a cost saving impact for the ICO (and consequently free up some resource for additional enforcement activity). We estimate that around 13% [3] of the complaints and concerns that we receive relate to calls received from spoofed CLIs, and as such we spend a disproportionate amount of time identifying the organisation responsible. Removal of this burden would enable us to identify and target organisations more quickly, resulting in shorter investigation times and enabling us to mitigate threats to consumers much earlier.

It is therefore our view that any potential costs are significantly outweighed by potential benefits.

February 2016

[3] It is extremely difficult to identify a definitive number of complaints where CLI is invalid. We are reliant on the data entered in our online reporting tool. For example, where a CLI is one digit short, is this because the CLI was spoofed, or because it was entered incorrectly? The 13% figure is a sample, based on analysis of complaints received in August 2015 where a CLI has not been provided or has been found to be invalid based on previous information or investigation. It is important to note that the real figure could be much higher, depending on calls which are never reported to the ICO or to the TPS.