A reader of this blog has drawn my attention to something that looks rather odd on the website of the World Orienteering Day (WOD). Volunteers who sign up cannot opt out of being included on mailing lists that are probably marketing oriented. I asked some legal experts in this field, and they confirmed that the WOD website is on the wrong side of the law, at least in Europe.
According to the lawyers with expertise in internet and data protection, the WOD website blatantly violates the Europe-level law of the GDPR (General Data Protection Regulation on data protection and privacy for all individuals within the EU), coming into effect on 25 May. I dutifully passed this information on to the IOF’s President and CEO, since they are the ones responsible for the lawful operations of the IOF.
According to the lawyers, the website also violates current EU guidelines on internet data use, so chances are that it also violates existing Swedish law, but they did not have time to dig into that. After all, it does not really matter. The big issue is whether the website complies with the law coming into force on 25 May.
The GDPR requires that not only the current WOD website should be changed, but all data collected on the current website in a non-GDPR compliant way should be deleted before 25 May. All names, phone numbers, email addresses should go, unless explicit consent is obtained, one by one, from the volunteers signed up so far.
The current website forces consent from volunteers in a very deceptive way by showing a pre-checked tick box to accept that the user is included on mailing lists for information from the IOF and its partners. The above picture shows the deceptive check box. The little “forbidden” sign at the base of the cursor indicates that the box is frozen: it cannot be unchecked. In addition, there is nothing to clarify what “relevant information” may mean.
All this does not look like an accidental mistake. It gives the impression of a premeditated deception: it has the look of a legally compliant request for permission, while it does not give the user the legally required choice.
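The pattern described above, as an added example that is not part of the original post: a small Node.js audit that scans a sign-up form's HTML for consent checkboxes and flags the two defects the post names, a box that is checked by default (consent is not an affirmative act by the user) and a box that is disabled so it cannot be unchecked (the user has no real choice). The form markup, the field names and the list of consent keywords are constructed assumptions for the demo, not the WOD site's actual code; a compliant form is shown beside the deceptive one so the audit's output can be compared.

```javascript
// Added example (not from the original post): audit consent checkboxes in
// form HTML for two dark patterns: pre-checked boxes and disabled boxes.
// Assumptions: checkboxes are plain <input type="checkbox"> tags, and a
// checkbox counts as a consent box when its name or id contains one of
// the CONSENT_HINTS substrings. All HTML below is constructed for the demo.

const CONSENT_HINTS = ['consent', 'newsletter', 'mailing', 'marketing', 'optin', 'opt-in'];

// Parse the attribute list of one <input ...> tag into an object.
// Boolean attributes such as "checked" and "disabled" are stored as true.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    const name = m[1].toLowerCase();
    let value = true;
    if (m[2] !== undefined) value = m[2];
    else if (m[3] !== undefined) value = m[3];
    else if (m[4] !== undefined) value = m[4];
    attrs[name] = value;
  }
  return attrs;
}

// Return one finding per defect found on each consent checkbox in the HTML.
// Non-consent checkboxes (e.g. "remember me") are deliberately ignored.
function auditConsentCheckboxes(html) {
  const findings = [];
  const inputRe = /<input\b([^>]*)>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    if (String(attrs.type || 'text').toLowerCase() !== 'checkbox') continue;
    const ident = `${attrs.name || ''} ${attrs.id || ''}`.toLowerCase();
    if (!CONSENT_HINTS.some((hint) => ident.includes(hint))) continue;
    const field = attrs.name || attrs.id || '(unnamed)';
    if ('checked' in attrs) {
      findings.push({ field, issue: 'pre-checked',
        detail: 'consent must be an affirmative act; the box must start unchecked' });
    }
    if ('disabled' in attrs) {
      findings.push({ field, issue: 'disabled',
        detail: 'the user must be able to decline; the box must be editable' });
    }
  }
  return findings;
}

// Constructed sample: the pattern the post describes, a consent box that is
// both pre-checked and frozen, with a vague purpose statement.
const DECEPTIVE_FORM = `
<form>
  <input type="text" name="fullname">
  <input type="email" name="email">
  <input type="checkbox" name="remember_me" checked>
  <label><input type="checkbox" name="mailing_list" checked disabled>
    I agree to receive relevant information from the IOF and its partners</label>
</form>`;

// Constructed sample: unchecked, editable, with a specific stated purpose.
const COMPLIANT_FORM = `
<form>
  <input type="text" name="fullname">
  <input type="email" name="email">
  <label><input type="checkbox" name="mailing_list">
    Yes, send me the monthly organiser newsletter (you can unsubscribe at any time)</label>
</form>`;

console.log('deceptive form:', auditConsentCheckboxes(DECEPTIVE_FORM));
console.log('compliant form:', auditConsentCheckboxes(COMPLIANT_FORM));
```

The audit is mechanical by design: it catches the two properties a machine can verify (default state and editability), while the third defect the post mentions, a purpose statement too vague to be informed consent, still needs a human to read the label text.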
This is bad news.
Unfortunately, it is not surprising.
The IOF leadership has a rich track record of doing and tolerating practices that may raise serious questions. I shared some of these stories in earlier posts here and here. Judging by this track record, there is no assurance that meaningful action will be taken. Chances are that the IOF leadership will hope to “get away” with it.
That would be worse news.
The IOF may not be in the primary focus of a GDPR audit, but the breach of the law and its apparently intentional nature is rather obvious to people involved in this subject. Although the new GDPR regulation may have been inspired by marketing practices, it is taken very seriously even by charities and voluntary organisations across Europe in their effort to redesign communication with their volunteers. For example, the RNLI, a charity where I am involved as a volunteer crew member, has made it very clear to each and every one of its members that compliance with GDPR is taken very seriously across the organisation, in both internal and external communications. The RNLI has an almost 200-year-long history, with a reputation and social respect head and shoulders above all sports organisations. Yet they did not try to “get away” with ignoring the law. Maybe that is one of the reasons why they have a far superior reputation.
The EU has significantly increased the fines for data protection related matters. Violation of the GDPR carries serious legal, financial and reputational risk. The fines are several orders of magnitude higher than they were previously: up to €20 million if there has been an infringement of the basic principles, including the conditions of consent and data subjects’ rights, i.e. the exact situation with the WOD website. Compare this to the so far record fine of £400,000 for a data protection violation in the UK. Apparently the regulators across the EU got pissed off by various entities who tried to “get away” with violating the law.
Needless to say, even 1% of that maximum fine of €20 million could be lethal to the IOF in its current, rather shaky financial condition.
Is it worth the risk?
* * *
Below you may read more details on the nature of the WOD website’s violation of the GDPR: a more detailed description of the situation and an assessment of whether it was more likely an accidental mistake or a deliberate deception of the user.