A reader of this blog has called my attention to the fact that something looks rather odd with the website of the World Orienteering Day (WOD). The volunteers who sign up cannot opt out from being included on mailing lists that are probably marketing oriented. I asked some legal experts in this field, and they confirmed that the WOD website is on the wrong side of the law, at least in Europe.
According to the lawyers with expertise in internet and data protection, the WOD website blatantly violates the Europe-wide GDPR (General Data Protection Regulation on data protection and privacy for all individuals within the EU), coming into effect on 25 May. I dutifully passed this information on to the IOF’s President and CEO, since they are the ones responsible for the lawful operations of the IOF.
According to the lawyers, the website also violates current EU guidelines on internet data use, thus chances are that it also violates existing Swedish laws, but they did not have time to dig into that. After all, it does not really matter. The big issue is whether the website complies with the law coming into force on 25 May.
The GDPR requires that not only the current WOD website should be changed, but all data collected on the current website in a non-GDPR compliant way should be deleted before 25 May. All names, phone numbers, email addresses should go, unless explicit consent is obtained, one by one, from the volunteers signed up so far.
The current website forces consent from volunteers in a very deceptive way by showing a pre-checked tick box to accept that the user is included on mailing lists for information from the IOF and its partners. The above picture shows the deceptive check box. The little “forbidden” sign at the base of the cursor indicates that the box is frozen. It cannot be unchecked. In addition, there is nothing to clarify what “relevant information” may mean.
All this does not look like an accidental mistake, but it gives the feeling of a premeditated deception showing the look of a legally compliant request for permission, while it does not give the legally required choice to the user.
This is bad news.
Unfortunately, it is not surprising.
The IOF leadership has a rich track record of doing and tolerating practices that may raise serious questions. I shared some of these stories in earlier posts here and here. Judging by this track record there are no assurances that meaningful action will be taken. Chances are that the IOF leadership will hope to “get away” with it.
That would be worse news.
The IOF may not be the primary focus of a GDPR audit, but the breach of the law and its apparently intentional nature are rather obvious to people involved in this subject. Although the new GDPR regulation may have been inspired by marketing practices, it is taken very seriously even by charities and voluntary organisations across Europe in their effort to redesign communication with their volunteers. For example, the RNLI, a charity where I am involved as a volunteer crew member, has made it very clear to each and every one of its members that compliance with GDPR is taken very seriously across the organisation both in internal and external communications. The RNLI has an almost 200-year-long history with a reputation and social respect head and shoulders above all sports organisations. Yet, they did not try to “get away” with ignoring the law. Maybe that is one of the reasons why they have a far superior reputation.
The EU has significantly increased the fines on data protection related matters. Violation of the GDPR carries serious legal, financial and reputational risk. The fines are several magnitudes higher than they were previously: up to €20 million if there has been an infringement of the basic principles, including conditions of consent and data subjects’ rights, i.e. the exact situation with the WOD website. Compare this to the record fine so far of £400,000 for data protection violation in the UK. Apparently the regulators across the EU got pissed off by various entities who tried to “get away” with violating the law.
Needless to say, even 1% of that maximum fine of €20 million could be lethal to the IOF in its current, rather shaky financial condition.
Is it worth the risk?
* * *
Below you may read more details on the nature of the WOD website’s violation of the GDPR: a more detailed description of the situation and an assessment of whether it was more likely an accidental mistake or a deliberate deception of the user.
The issues around the WOD website mentioned by the lawyers include, but are not limited to, the following:
- The WOD website presents a false checkbox to obtain consent to be included in mailing lists. It looks as if the user (volunteer) had a choice to un-tick it, but it is frozen in the ticked position. The user’s consent is not voluntary. This explicitly breaks the very principles of the law, and also raises ethical questions. The “consent” formally obtained by this method is not lawful, and data collected by this method should be deleted by 25 May 2018.
- It is unclear what the user is forced to consent to. Factual event messages by the IOF would not require consent. Marketing messages that may be sent by IOF partners would require a voluntary “opt-in” method to be legal. Even opt-out, i.e. pre-checked communication boxes, is an illegal practice. The “relevant information from our partners” is far too vague to meet the law.
- It is unclear what type of data is collected by the website. There is no Privacy Notice that would explain what type of information is collected (including automatic information, for example by Google Analytics, cookies, etc.). This again breaches the law.
One should always try to understand if a violation happened accidentally or unintentionally. Unfortunately, looking at the WOD website, the feeling one may get is that it was a very deliberate effort.
- The presence of the check box gives the impression of a legally compliant website. The designer of the page did not simply display a note that “by registering on this website you agree to the following”. The check box and the wording “by signing this I accept that…” clearly suggest that the designer was aware of the legal requirement to obtain consent from the user.
- The presence of a working check box on the same page (for publishing phone numbers and emails on the website) suggests that the designer knew how to program check boxes. The presence of the frozen check box is unlikely to be a programming error, but rather gives the feeling of a premeditated deception.
The responsibility of the web designer is unquestionable, but the same applies to the leadership of the IOF. Obviously, the ultimate responsibility for lawful operations lies with the President and the Council. We do not know how this “mistake” of publishing the website with deceptive content happened, or how it was possible that the deceptive nature was not caught. Was there a lack of quality control? Or was there an explicit expectation to ensure a long mailing list for marketing purposes? Whichever way it happened, the direct responsibility of the IOF’s leadership is also unquestionable.
Unfortunately, there is also an indirect responsibility. Subordinates and contractors are much more likely to “skate close to the line” in legal and ethical aspects in organisations where they observe similar behaviour by the leadership group. In an organisation where financials presented for approval to the General Assembly turn out to be anything but the true and fair picture, where volunteers are sent out of the discussion if they may have a different opinion than top management, and where Council members look away when suspicion of conflict of interest arises – in those organisations questionable things will happen even without explicit intention.
For me, the issues around the World Orienteering Day, from the self-declared world record claims to the deceptive website, underline the same issue: it is high time to rethink and renew the workings of the IOF before it is too late. I hope that the member federations will wake up in time to do it on their own terms, before they are forced by external powers.