Hootsuite followup: reporting them to the ICO

This is a follow-up to my post about my experience with Hootsuite, who stored my credit card details without my consent. We hit a deadlock because they repeatedly refused my requests for some contact details so I could get in touch with them. They kept asking for my contact details, but I was reluctant to engage with them on such one-sided terms, especially when my whole problem is with their misuse of the information I’ve already supplied. They told me explicitly that they would not help me if I refused to supply my email address, so we hit a deadlock.

I decided to break that deadlock by reporting them to the Information Commissioner’s Office (ICO). That’s something I’ve never done before and I thought it would be interesting to try it. 

It was a pretty simple process. You download and complete a form, then you send them an email with the completed form and any supplementary paperwork attached. (If the info you have is all in paper form, you can do it by post instead.)

My biggest difficulty with the form was Section 1, “Details of the organisation your concern is about”, because Hootsuite’s failure to supply me (or any other customer) with any contact details was a big part of the problem! If I actually had the contact name, phone number or email address that the form asks for,  I wouldn’t be reporting Hootsuite to the ICO in the first place, because I would have been able to resolve my issue with them directly.  I ended up putting “Repeatedly requested but not provided” in most of those fields and finding a London office address on their website, so at least I managed to fill in a tiny part of that section. 

But my guess is that the ICO will reject my claim. Why? Because my experience of dispute resolution services/ombudsmen/regulators/that kind of thing is that they really want you to jump through the right hoops before you bother them. They like reference numbers and proof that you’ve been through the company’s official complaints procedure and that kind of thing: basically, documentary evidence that you’ve made an effort to resolve things on the company’s own terms before escalating the issue.

So my guess is that my refusal to give Hootsuite my email address (or confirm it after they searched their database for possible addresses that could be mine) will count against me, because it counts as a refusal to follow the company’s issue resolution procedures.

(Why was I so stubborn in my insistence on reciprocity of contact details? Because I knew my credit card was expiring anyway, which meant I didn’t need to jump through their hoops to protect my financial data. I had the luxury of abandoning my attempts to resolve the issue directly with Hootsuite and moving on to the more useful task of warning others.)

So when a supervisor on Hootsuite’s social media team gave me that ultimatum, saying that either I confirmed my email address or they wouldn’t help me, I continued to refuse to confirm the email. (My words: “I’ve asked you at least eight times for some contact details; it’s very clear you’re not going to provide them, so I think we’re done here. I think the best thing for me and for others is if I blog publicly about this.”)

Then I reported them to the ICO. Not long after I did that, the same supervisor suddenly got in touch on the email address I’d refused to confirm. (So I guess they didn’t need me to confirm it after all.) His email was pretty hilarious. First of all, he quoted their policy on storing people’s data:

"When you place an order for an item from the Shop, as part of the buying and selling process, Hootsuite collects Personal Information that you give us, such as your name, address, phone number, email address, and credit card information. We use this information to process and fulfill your order, verify your credit card, complete the transaction, or return a purchase. By submitting information to Hootsuite when placing an order on the Shop, you consent to the use of your information for these purposes. We do not use this information for secondary marketing purposes without your consent."

I’m really not sure what part of that makes it clear that they will hang on to your credit card information for over a year after your most recent authorised purchase and then bug you for updated card details once your card gets close to expiry, but whatever.

Then he went on to say that the reason they can’t possibly give me an email address, a telephone number or a postal address is that

Since we are a social media company, our contact page includes a "Contact-us" form

So they can’t give me an email address because they’re a social media company. Right. But they can let me contact them through a webform, a webform that demands my email address. OK.

The email came from “Hootsuite Help Desk” with the address support@hootsuite.zendesk.com. I have no idea whether or not this works as a “real” email address but I don’t think so – I think it’s linked to their ticketing system. After they sent me a few needy automated messages asking why I hadn’t replied, I made perhaps my eleventh request for a real email address: “Give me a real email address to contact you directly and we can discuss this issue.” The answer was yet again, “No, but here are a bunch of other rubbish one-sided ways in which you can sort-of contact us.” So I ignored all the needy follow-ups and my support ticket was eventually closed.

The whole issue is now closed in my head too, although I will be interested to see what the ICO’s response is. My guess, as I said, is that they’ll refuse to look into it on the grounds that my correspondence with Hootsuite doesn’t count as “raising [my] concern with the organisation first”. But we’ll see.