The UK Information Commissioner’s Office has published a draft Code of Practice on Direct Marketing, which is now out for consultation. Here we discuss the context for this and key takeaway points from its 120+ pages.
Why is the ICO publishing this document?
The ICO is required under the Data Protection Act 2018 to publish a statutory code of practice on direct marketing, so this is the ICO delivering on that requirement. It draws on the feedback from the call for views undertaken last year. As a statutory code, once finalised, it will need to be presented to government for review and sign off.
There is already an existing Direct Marketing Code which has long been one of the most well-read and useful codes of practice the ICO has produced and is regularly consulted by data protection and marketing teams alike for guidance on email, post and SMS marketing rules. The code contains key information and pointers given that fines for breaches of direct marketing rules remain the most frequent we see. However, this code is outdated and required updating in light of changes around GDPR and the Privacy and Electronic Communications Regulations 2003, as well as to adapt to new technologies and marketing techniques.
What does the new draft code cover?
The draft code covers much of the ground that was covered by the existing one but there are some new sections and a couple of surprises. Broad topics for guidance are as follows:
- The scope of direct marketing
This is all common sense stuff and there is little new here – for example the ‘useful’ nugget that a message that says “your local supermarket stocks carrots” would be considered promotional. Good to know.
- New details and practical guidance around expectations on accountability and planning of marketing campaigns
The buzzphrase ‘DP by design’ makes a frequent appearance here as you would imagine. Worth noting the reminder that data protection impact assessments are required for data matching in direct marketing, large scale profiling and targeting children (remember this is under 18s not just under 13s). This section also contains useful clarification around when legitimate interests and consent are appropriate with the ICO stating that it considers it will be hard to demonstrate the balancing test requirements for reliance on legitimate interests where the marketing involves collecting and combining large amounts of personal data from various different sources to create personality profiles.
The section on special category data is worth noting since it mentions that inferring special category data from customer lists (for example if a company sells disability aids) is not something which triggers the requirements for a lawful basis for special category data under Article 9 unless the data is specific to the individual or used to target marketing on the inference of their health status. This is confusing given the ICO’s updated guidance on special category data, issued last year, which states the converse by expressly including inferences.
- Advice on lead generation and collecting contact details
Useful details are provided in this section around the GDPR requirement to inform individuals that their personal data is being processed within one month of receiving the data from another source. This point has been overlooked by some companies to date and involves putting practical safeguards in place to ensure that data collected from public sources, social media or third parties is either deleted or the individual contacted within that time. The draft also indicates expectations around when “disproportionate effort” can be relied upon as a reason not to do so.
- Profiling and data enrichment
Profiling is a big focus for regulators so it is good to see more detail in the new code on this area. There is information on data enrichment, matching and data cleansing. None of this is surprising but will be useful for marketing teams, including a checklist of due diligence questions to consider when engaging third party suppliers in this area.
- Sending direct marketing messages
This section largely follows the existing code. However, it is a little disappointing that more detail has not been added on the thorny issue of what constitutes “negotiations for a sale of a product or service” in the context of the soft opt-in consent for direct email marketing. The code gives very obvious examples but does not cover issues such as free services, apps or competitions.
- Online advertising and new technologies
This will be the section that attracts the most attention since the code picks up on new technologies such as on-demand and OTT content services, in-game advertising and mobile apps.
The most useful, but perhaps alarming, section relates to social media marketing. The code discusses commonly used tools such as custom audience and lookalike targeting. It is surprising that the draft states that individuals are unlikely to expect custom audience targeting, that consent is therefore likely to be the most appropriate lawful basis, and that information about such processing should be drawn to the attention of individuals outside of privacy policies. It is incredibly rare to see this approach taken in practice and this is likely to raise an eyebrow or two, especially since elsewhere in the draft it is clear that this form of marketing does not fall within the Privacy and Electronic Communications Regulations.
Similarly surprising is the ICO’s advice that the use of personal data for lookalike audiences on social media platforms, another commonly used tool, is likely to make both the brand and the platform joint controllers in relation to the data (and not just the use of pixels and plugins).
We would expect push back on this advice in the consultation responses.
On the other hand, the code does not go into detail around the use of cookies and programmatic advertising. This is largely because it is such a big topic on which the ICO has issued recent guidance and, specifically in relation to the use of real time bidding, has an ongoing investigation, with the ICO announcing in December that it continues to have concerns and is deciding what action it will take.
- Selling or sharing data
Helpful information is provided here on considerations that should be made if an organisation is relying upon legitimate interests in order to disclose or sell data, which the code makes clear is only available in certain circumstances. Further detailed guidance is also given on data brokering services and how to comply with transparency and consent requirements if you operate one.
- Data subject rights
A reminder is given that data subjects should be informed, via your privacy notice, of their right to object to direct marketing, and guidance is given as to how a user may exercise that right. Additionally, when relying upon consent to process personal data for direct marketing purposes, the fact that you cannot swap from consent to another lawful basis when an individual withdraws consent is repeated – hopefully we are all aware of this by now!
The code also states that (obviously) when operating a suppression list, withdrawal of consent will not preclude an organisation from keeping that user’s details on the suppression list, as the organisation’s lawful basis for operating this list is likely to be ‘necessary for compliance with a legal obligation’ (Article 6(1)(c)).
What is the deadline?
The draft is open for consultation until 4 March 2020. You can provide feedback here.