On January 8, 2020, the Information Commissioner's Office (“ICO”) launched a consultation on its draft direct marketing code of practice (the “Draft Code”), as required by section 122 of the Data Protection Act 2018 (“DPA 18”). The Draft Code is open for public consultation until March 4, 2020.The Draft Code aims to help those undertaking direct marketing to comply with the DPA 18, the General Data Protection Regulation (“GDPR”), and the Privacy and Electronic Communications Regulations 2003 (“PECR”). The Draft Code builds on previous ICO guidance, as well as taking into account submissions made during the ICO’s initial call for views which closed in December 2018.
The Draft Code adopts a practical lifecycle approach to direct marketing. In the first section it examines the definition of direct marketing to help organizations decide whether the Draft Code applies to them, before considering issues such as planning, lead generation and data collection, delivering marketing messages, selling or sharing data, and individuals’ rights. A brief overview of each section of the Draft Code is provided below.
Does the Code Apply to Us?
- The Draft Code applies to any organization that processes personal data for “direct marketing purposes.” If an organization’s aim is to send direct marketing communications, then all processing activities which lead up to, enable or support the sending of those communications amount to processing for direct marketing purposes, not just the communication itself.
- “Direct marketing” is defined in section 122(5) of the DPA 18 and means “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals.”
- Direct marketing includes the promotion of aims and ideals as well as advertising goods or services. Any method of communication which is directed to particular individuals could constitute direct marketing.
Planning Your Marketing
- An organization must consider data protection and privacy issues upfront when planning its marketing activities. This includes implementing data protection by design, and assessing whether a data protection impact assessment (“DPIA”) is required. The Draft Code outlines certain questions that organizations can ask themselves to assist them in meeting their data protection by design obligations, and specifies certain marketing activities that are likely to result in a high risk to individuals, and consequently likely to require a DPIA.
- The Draft Code recognizes that consent and legitimate interests are likely to be the only two lawful bases applicable to an organization’s direct marketing purposes. The Draft Code reiterates that, in the UK, the standard for consent under PECR is the same standard as required by the GDPR. Where consent is obtained in compliance with PECR, then, in practice, consent is also the appropriate lawful basis under the GDPR. The Draft Code states that trying to apply legitimate interests when an organization already has GDPR-compliant consent would be an entirely unnecessary exercise, and would cause confusion for individuals.
- The Draft Code provides guidance on the timeframe for which consent remains valid. When sending direct marketing to new customers on the basis of consent collected by a third party, the ICO recommends that organizations do not rely on consent that was given more than six months previously.
Generating Leads and Collecting Contact Details
- The Draft Code emphasizes the importance of ensuring that individuals are fully informed about what an organization intends to do with their data. Where data is collected from sources other than the individual, the Draft Code emphasizes the requirements of Article 14 of the GDPR and the need to provide privacy information within a month of obtaining the data. This is likely to be of interest to organizations that collect data from such sources as Companies House, the Electoral Roll, or third party data providers.
- The Draft Code outlines the possible application of the exceptions to Article 14 of the GDPR, and emphasizes the need for an organization to record its reasoning for relying on an exception in order to demonstrate accountability.
- If an organization is considering buying or renting direct marketing lists, it must ensure it has completed appropriate due diligence. Simply accepting a third party’s assurances that the data they are supplying is compliant will not suffice.
- An organization cannot escape its obligations by asking existing customers to provide it with contact details of friends and family to use for direct marketing purposes. The Draft Code suggests this approach is likely to breach PECR.
Profiling and Data Enrichment
- If an organization is considering enriching its data, it must check what it has previously told individuals about using third parties or public sources to gather extra data to create or expand a profile on them. This may include checking what that third party told data subjects about selling that data to other organizations.
- The Draft Code states that in most instances, buying additional contact details for existing customers or supporters is likely to be unfair, unless the individual has expressly agreed. This is likely to be true no matter how clearly an organization explains in its privacy information that it might seek out further personal data about individuals from third parties.
- An organization is unlikely to be able to justify tracing an individual in order to send direct marketing to their new address.
- The Draft Code emphasizes the need to conduct appropriate due diligence before using profiling or enrichment services, and includes example questions that an organization may consider asking of a third party service provider.
Sending Direct Marketing Messages
- The GDPR will apply to the processing of personal data irrespective of the method an organization uses for sending direct marketing messages. The Draft Code also outlines when PECR will apply.
- The direct marketing rules apply to asking individuals to send direct marketing to their family and friends (i.e., viral marketing and ‘tell a friend’ campaigns). It is likely that viral marketing and ‘tell a friend’ campaigns by electronic mail would breach PECR.
Online Advertising and New Technologies
- The ICO emphasizes the need for transparency as individuals may not understand how non-traditional direct marketing technologies work.
- If an organization uses direct messaging on a social media platform to send marketing, this will constitute direct marketing for the purposes of PECR.
- The use of social media audiences and ‘look-a-like’ audiences (e.g., Facebook Custom Audiences or LinkedIn Contact Targeting) requires consent. Also, as a joint controller with the social media platform, an organization must undertake due diligence on the social media platform to ensure valid consent has been obtained and appropriate transparency information has been provided.
- The Draft Code recognizes that a number of new and emerging technologies are being used for the purposes of direct marketing, and emphasizes the need to conduct due diligence and perform a DPIA. The Draft Code details some of these emerging technologies, including subscription TV, on-demand and ‘over the top’ services, facial recognition or detection, in-game advertising and mobile apps.
Selling or Sharing Data
- Organizations that wish to sell or share data with third-parties must ensure that individuals are informed that their data will be used for these purposes, and that any consent is valid for sharing and/or selling data for direct marketing purposes.
- Data brokering services will need to inform individuals that they are processing their data, the source of the data, and that the individuals can exercise their rights, including the right to object to direct marketing.
- The Draft Code states that where data is shared with an organization for direct marketing purposes on the basis of consent, then the appropriate lawful basis for any subsequent processing for direct marketing purposes will also be consent. It is not appropriate to switch to legitimate interests for any further processing for direct marketing purposes.
Individual Rights
- The Draft Code identifies the right to be informed, and the rights to objection, rectification, erasure and access, as the most likely to be relevant in the direct marketing context.
- The right to object covers any processing that is for direct marketing purposes and is not limited to the sending of direct marketing. Where an individual objects, an organization must stop using data for all direct marketing purposes, for example, using data to create direct marketing insights into particular geographical locations or disclosing the data to third parties for direct marketing purposes.
- The Draft Code recommends the use of suppression lists rather than simply deleting all record of an individual. This allows an organization to screen any new direct marketing lists to ensure it does not send direct marketing to anyone who has previously objected or withdrawn their consent.
Exemptions
- No DPA 18 exemptions apply specifically to processing data for direct marketing purposes. That said, the Draft Code recognizes that certain exemptions may be relevant to direct marketing, such as the exemptions to the requirement to provide notice under Article 14 of the GDPR.
- The Draft Code references two exemptions in Regulation 6 of PECR (from the requirement to provide clear and comprehensive information, and gain consent for cookies and similar technologies) but notes that these do not apply to online advertising, tracking technologies or social media plugins.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code