Compliance Update: Reminder of Expectations for Robust method of verifying consumer consent to charging and marketing to a mobile device, as outlined in General Guidance Note on Privacy and Consent to Charge
Issued on 24 Jan 2013
FOR THE ATTENTION OF ALL THOSE INVOLVED IN PROVIDING PREMIUM RATE SERVICES FOR THE PURPOSES OF SECTION 120 OF THE COMMUNICATIONS ACT 2003, WHO INITIATE OR OTHERWISE FACILITATE CHARGING AND/OR MARKETING TO A MOBILE HANDSET
About this Notice
This Notice is a reminder for all those who provide premium rate services (PRS) for the purposes of section 120 of the Communications Act 2003, and who further initiate or otherwise facilitate charging to a mobile device, of PhonepayPlus’ expectation that providers have a robust method in place to verify consumer consent to any charges or marketing to a mobile device.
In particular PhonepayPlus would draw providers’ attention to paragraphs 2.4 – 2.12 of our General Guidance Note on Privacy and Consent to Charge. This Guidance sets out methods which can be used to evidence consent to charge to the satisfaction of PhonepayPlus.
The 12th edition of the PhonepayPlus Code of Practice (“the Code”) came into effect in September 2011. The most relevant Rules in respect of consent to charge and marketing are as follows:
Consumers must not be charged for premium rate services without their consent. Level 2 providers must be able to provide evidence which establishes that consent.
Consumers must not be contacted without their consent and whenever a consumer is contacted the consumer must be provided with an opportunity to withdraw consent. If consent is withdrawn the consumer must not be contacted thereafter. Where contact with consumers is made as a result of information collected from a premium rate service, the Level 2 provider of that service must be able to provide evidence which establishes that consent.
To further clarify our expectations in relation to these rules, PhonepayPlus issued a General Guidance Note on Privacy and Consent to Charge to assist networks and providers. Paragraphs 2.4 to 2.12 of this note set out a number of different methods for robustly verifying consumer consent to charging and/or marketing to a mobile device, but also invited providers to approach PhonepayPlus’ compliance team with other, equally robust, alternatives. The methods of verification set out in the Guidance were, for ease of reference, as follows:
- A requirement for a consumer to send a Mobile Origination (MO) message to initiate charging (providers are reminded that where there is evidence of malware which initiates an MO from a consumer’s phone without their consent, then this will not be an acceptable method of verification).
- The use of the Payforit system.
- The use of PIN based opt-in, whereby a consumer enters their number into a website, has a randomly generated PIN sent to their handset via text message, and then enters that PIN back into the website in order that it can be reconciled with their phone number. Each stage of this process must be recorded, time-stamped, and stored with an independent third party, with records available to PhonepayPlus upon request.
Next Steps and Expectations
Level 2 providers are reminded that consent for all charges, or marketing they initiate, to a mobile handset must be verifiable in a way which PhonepayPlus deems to be robust and compliant with the Code, and that records must be available to PhonepayPlus from an independent source in the event of any investigation. It is likely that a PhonepayPlus Tribunal will regard any failure to have robust verification systems in place as being serious.
Level 1 providers are reminded that where they contract with third parties in respect of the facilitation of charging or marketing to mobile handsets then they must satisfy themselves either that a Level 2 client has robust consent verification systems in place in respect of their services, or that a Level 1 client is performing such checks as to ensure Level 2 providers further down the chain are using robust consent verification systems. We expect this to form part of Level 1 providers’ Risk Assessment and Control procedures with reference to Guidance on Due Diligence, Risk Assessment and Control.
Networks are also reminded that as part of their Due Diligence and Risk Control procedures, they should be aware of the mechanism by which providers further down the value-chain verify consent to purchase, or to future marketing, from a consumer, and should be satisfied the chosen method is robust enough to protect against consumer detriment.
As per paragraph 2.11 of the Guidance Note, where providers employ a method other than those outlined, compliance advice from PhonepayPlus should be sought before commencing operations.
Compliance advice is available, free of charge and in writing, from the Executive. Please note that Executive advice is not binding on the PhonepayPlus Board, although a record of advice is maintained and taken into account should a service later be found to be in breach of the Code.
Contacting the Executive:
PhonepayPlus
Clove Building
4 Maguire Street
London
Tel: 020 7940 7474
Fax: 020 7940 7456
Website: www.phonepayplus.org.uk