Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[sevenlayermuddle]

Some folks may be vaguely interested in an ongoing project of mine, which is to use GDPR and other rights, to trace an apparent data leak that led to me getting a specific item of junk mail.  I suspect this will end with a tick box on a form, that was ticked by (say) a hotelier on my behalf, saying "I consent to spam", but I want to get right to the bottom of it.  I actually get very little junk mail or spam these days, and want to keep it that way.


So, a few weeks ago, I received a leaflet posted from company A, a huge UK company.  It was addressed to me, in person, "Mr Muddle" which makes it personal data.  If they'd addressed it to just the house, they'd have been OK.   So I wrote to company A, asking where they got my data.  They named Company B.

I wrote to company B, a well known International name, asking where they got my data, and who else they may have shared it with.  They named nearly 40 other companies to whom they have already sold my data, and named their source... company C.

Company C looks rather scary.  It is a name I have never heard of, appears to be a very small entity.  On their website, they boast to have over 10 million email addresses available, among other data.  Company C admits to holding various categories of personal data, from those 10 million email addresses, to phone numbers, postal addresses, and (yes really) web browsing behaviour - possibly just their own website, unclear at this stage.

I am awaiting a response from company C, to disclose what they know about me, by what authority, and who else they may have passed it to.

I'm reluctant to name companies A, B, C at this stage but will keep this thread updated if anybody shows any interest.

[burakkucat]

Hmm . . .    Junk-mail (or rats). 

[Ronski]

Interesting, do those companies need your permission to hold data about you, or is it all OK because someone somewhere ticked a tick box?

[sevenlayermuddle]

My understanding is that permission is needed at the start of a chain.

A hotel might collect the data, maybe from a guest's check in paperwork, with the "consent" option ticked.   They can then sell that data to company C, with an assurance that consent has been given.  Company C can then sell that to many company Bs, and each company B can sell it to many company As, all based on the original tick box.  And so on, and any of them can send you junk mail if the consent was for 'marketing'.

...Just my understanding but so far in this adventure, none of the companies involved have disagreed.

[Chrysalis]

I would love to know the company names, can I ask why you dont want to name them, is it concerns of legal action?

[sevenlayermuddle]

I would love to know the company names, can I ask why you dont want to name them, is it concerns of legal action?

No, it is because this is an ongoing exercise, and I don’t want them to identify me or second-guess my moves.   Call me paranoid, but I strongly suspect that data collectors like this will routinely scour social media and online forums, in pursuit of any data they can identify.    Also, they are all just representatives in what I consider a sordid industry.   And it is the industry that is sordid, more than the individual companies, so I’m not really setting out to shame them.

That said, I see no reason not to name them, after I reach my objective of identifying the tick-box, or other event, that started the ball rolling.   That won’t be soon, as they seem to drag their heels at every opportunity, even if eventually they ‘fess up to what they’ve been doing.

[sevenlayermuddle]

PS Chrysalis,

Here is one of the companies I now know has been passed my personal data with authority to use it for junk mail by their own clients, all legitimate within GDPR rules, even though I had never heard of them. 

I don't intend to contact all of the companies that have been named (life is too short) so no probs identifying this one as a random example.    Their website gives a flavour of the industry, I think.   First impression is they might be into online spam as well as junk mail, but I've not digested it all in detail.   

https://www.blueberrywave.com

[d2d4j]

Hi 7LM

I wish you well in your quest but I would be surprised if anything changed moving forward

Many thanks

John

[sevenlayermuddle]

Agreed, I don’t expect to change the world.

Even if I find a GDPR non-compliance I think I’d resist taking it to ICO, as I suspect the whole process would be energy-sapping and pointless.

Apart from shutting down one single route of junk mail, it is largely just to satisfy my own curiosity as to how the industry works, and how sordid (or not) it really is.  And let’s not mention, on these forums, the lethal effect that curiosity is supposed to have had on a certain creature in the past.   

[Chrysalis]

Thanks 7LM, what I am mostly interested in is if a company that primary business is something that is completely unrelated to digital customer marketing but sells data perhaps as a means of some extra pocket money, blueberry clearly state on their home page what they do.

If one of the companies was like that then I am interested but will wait until you ready or maybe in PM can tell me and I wont ever post it anywhere.

[sevenlayermuddle]

Well if it helps, here is one of the other companies that are listed by Company B in my post, as a data provider.

https://www.myoffers.co.uk

That company has no part at all in my own data trail, just I notice it is listed as a provider.  And in fairness to that company above, I actually do not know whether company B would treat the data supplied by them in the same way they treated my own data, passing it on to dozens of others.  They may, conceivably, treat this data differently.