Long-awaited direct marketing Code of Practice published for consultation.
What's the issue?
The Data Protection Act 2018 (DPA18) requires the UK's Information Commissioner to prepare a number of Codes of Practice to assist with specific types of data processing. An update to the direct marketing code is probably the one that's been most hotly anticipated following the changes introduced by the GDPR. The Code will have statutory force which means the ICO will have to take it into account when assessing GDPR or PECR compliance and enforcement.
What's the development?
The draft Code of Practice on direct marketing has been published for consultation. The consultation is open until 4 March 2020. Once adopted, the Code will have statutory force. It applies to processing of personal data for direct marketing purposes. Direct marketing is widely defined and "includes the promotion of aims and ideals as well as advertising goods or services. Any method of communication which is directed to particular individuals could constitute direct marketing. Direct marketing includes all processing activities that lead up to, enable or support the sending of direct marketing".
The Code looks at data protection by design, lawful basis including consent, generating leads and collecting contact details, profiling and data enrichment, sending direct marketing messages, online advertising and new technologies, sharing and selling data, data subject rights and exemptions. The ICO intends to publish accompanying tools including checklists.
What does this mean for you?
There aren't any major surprises in the draft Code. It builds on previous guidance but takes a wider approach to cover all areas of the GDPR as well as PECR, including sections on data protection by design, the use of DPIAs, accountability and lawful basis. The Code also takes a more detailed look at new technologies and sectors like online advertising, facial recognition, targeting on social media and in-game advertising, and considers specific issues relating to them.
Of course, this may not be the final story. Not only could the draft Code change as a result of the consultation, it also precedes the ePrivacy Regulation which might change rules on direct marketing. To date, the various drafts of the beleaguered legislation do not suggest major differences beyond those introduced by the GDPR (for example, around the standard of consent), but until we see a final version, uncertainty remains.
It will be very difficult (given that it will have statutory force) to be able to demonstrate GDPR and PECR compliance if you do not also comply with the Code although the "good practice recommendations" it includes are recommendations rather than obligations. This means the Code is essential reading and should be looked at now as it is unlikely to change dramatically on its road to finalisation.
Read more
The Code covers the following issues:
What is direct marketing?
The definition of direct marketing is wide and "includes the promotion of aims and ideals as well as advertising goods or services. Any method of communication which is directed to particular individuals could constitute direct marketing. Direct marketing purposes include all processing activities that lead up to, enable or support the sending of direct marketing."
Lawful basis
- The two most likely applicable lawful bases are consent and legitimate interests. If you need consent under PECR, consent will also be the lawful basis under the GDPR. If you need an Article 9 condition to process special data, the only available one will be explicit consent.
- In most cases, it is unlikely you will be able to make using personal data for direct marketing purposes a condition of buying a product or service.
Generating leads and collecting contact details
- You need to comply with transparency and information requirements at the time of collection where details are collected directly, or within a reasonable period and no later than one month from date of collection if from third parties or publicly available information.
- If you are buying or renting direct marketing lists, you must carry out due diligence.
Profiling and data enrichment
- You must complete appropriate due diligence.
- If you use non-personal data like assumptions about the type of people who live in a particular postcode, it will become personal data.
- In most cases, buying additional contact details for your existing customers or supporters is likely to be unfair unless the individual has previously agreed to your having the additional details.
- You are unlikely to be able to justify tracing (eg tracing an individual's new address in order to continue sending them direct marketing).
Sending direct marketing messages
- GDPR will always apply.
- PECR only applies to live and automated calls, email, text and fax.
- Soft opt-in under PECR only applies to products and services marketing, not promotion of aims and ideals.
- PECR may apply differently to B2B marketing and may still apply even if you ask someone else to send your electronic messages.
Online advertising and new technologies
- Carrying out online targeted advertising or direct marketing using new technologies is highly likely to require a DPIA prior to processing.
- Cookies (or similar) require consent to GDPR standard which can only be obtained after clear and comprehensive information is provided to the individual.
- It is particularly important to be clear, transparent and upfront about targeting.
Selling or sharing data
This must be fair and lawful. You must be transparent.
Rights
The right to object to marketing is absolute. Minimal contact details must be added to suppression list to ensure the right is respected once requested.
Exemptions
GDPR – certain Articles contain limited exemptions. They should be applied on a case by case basis.
DPA18 – there are no exemptions which apply specifically to processing for direct marketing.
PECR – the exemptions in Regulation 6 to the cookie consent requirement do not apply to online advertising, tracking technologies or social media plugins.
