Websites and Internet ticketing engines need to be changed to accommodate new guidance agreed with the Information Commissioner, which applies specifically to how arts and entertainment organisations operate under the Privacy and Electronic Communications Regulations (2003), known as PECR (pronounced “pecker”). The whole process of recognising returning customers, what ‘notifications’ are given to purchasers about who is processing their data and what for, and how permissions are collected is interpreted differently for on-line sales, over-turning previous guidance.

The Audience Agency, in the form of Leo Sharrock, and I have been in discussion on this with the Information Commissioner since the end of 2014. This all started when various presenting venues objected to sharing their data with touring companies, a requirement that comes into force for Arts Council England National Portfolio Organisations in April this year (2016).

I had previously been researching this issue together with Andrew @TicketTattle Thomas on behalf of Peter Bellingham, then at Welsh National Opera. Clearly, many venues were not complying with the previous guidance agreed with the Information Commissioner in 2005, negotiated by Tim Baker and I, which actually was a fairly positive regime in terms of assumed “soft” opt-ins and “dual-key control” sharing of data. Non-compliance included problems arising from not recognising returning customers, as well as what happened when ‘notifications’ were served up and ‘permissions’ collected.  This often meant that the customer’s status and permissions were not correctly recorded on the system. The ICO officer helping us, simply said our sector had had over 12 years to comply with the 2003 PECR rules, so it was not unreasonable to expect it now!

Don’t confuse Data Protection with PECR

The fundamental issue, covered in the new guidance and information website – https://www.audiencedatasharing.org/ – is that PECR is different and on top of the 1998 Data Protection Act (DPA). That means it over-rides DPA on-line.  Looking around, it seems most ticketing system suppliers and the websites of arts and entertainment organisations have based their on-line processes and texts on the DPA, and not changed them when the 2003 PECR came in.

Recognise returning customers

From a process point of view, returning customers on-line need to be recognised early in their transaction process and their status used to determine if they need to be served up notification statements again and asked permission again. This isn’t a matter of choice: returning customers must be recognised and then advised on how to change their permissions if they wish, and subsequently given the opportunity to unsubscribe at the top of every email communication. The words meaning “at the top” are in the law. Don’t see much compliance with that.

So recognising returning customers comes first.  It is also a serious problem if the system allows duplicate records to be created or confuses the status and permissions of existing customers. What we see at present is that some systems permit purchasers to click past the notifications and permissions without answering anything, and then shows their status as “None” or even “Not asked”, in some cases meaning subscribers and members end up as “Do not contact”. That in itself could a breach of the law.

Some see that the real challenge to existing practice is that notifications are different and specific for PECR and not the same as for over-the-counter or phone sales under the DPA. So on-line terms such as “third parties” or “other arts organisations” are not acceptable. This completely changes how ‘notifications’ are worded and permissions obtained. And it completely changes the basis for permission to share data.

Data sharing under new rules

Ironically, the major objection of some venues has been that Data Sharing is not permitted under the DPA – always entertaining to wave the ICO’s large green published guidance document Data sharing code of practice in response – you wonder how hard their lawyers had worked on this? However, the ICO emphasises that on-line under PECR it is the notifications given and how the permissions are obtained that are crucial. Best practice is always to seek separate permission for the venue by name and the touring company by name, with the customers being asked to opt-in to hear from each.  Looking at venue websites, usually on system supplier pages, that needs big changes.

New notification and permissions regime

The guidance has lots of detail on this, including the long convoluted wording the ICO wants if it is thought difficult to insert the name of the touring company the customer is buying tickets for into the notification. No, don’t laugh, some people have actually said it might be difficult. I am sure system suppliers will not be laughing, since supplying software which is not ‘fit-for-purpose’ under UK law is a breach of various laws in itself. And venues won’t be laughing as they review how they approach getting permissions on-line on a company by company basis.

Leo Sharrock and I will be talking this through at the Ticketing Professionals Conference in Birmingham on Friday 26th 10.45 to 11.30 so that is a good opportunity to get your questions in: http://ticketingprofessionals.co.uk/sessions/concurrent-session-5b/.

Roger Tomlinson

February 2016