UK’s ICO publishes draft Direct Marketing Code of Practice
On 8 January 2018, the Information Commissioner launched a public consultation on a Direct Marketing Code of Practice. Section 122 of the Data Protection Act 2018 requires her to produce such a code to give practical guidance on carrying out direct marketing in accordance with the data protection legislation and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Accordingly, like the existing ICO Direct Marketing Guidance, which it will supersede, the proposed code sets out the law and provides examples and good practice recommendations. To a significant extent, the draft code replicates the current guidance, which was updated in 2018 to reference the General Data Protection Regulation (GDPR). Once the code is finalised, the Commissioner must take it into account when considering whether those engaged in personal data processing for “direct marketing purposes” have complied with the GDPR and PECR. The key aspects of the draft code are summarised below, including new guidance on in-app advertising and direct marketing on social media platforms.
The draft code applies to those who process personal data for “direct marketing purposes”. Section 122(5) of the DPA 2018 defines “direct marketing” as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. The code reiterates that direct marketing is not just advertising goods or services, but also includes the promotion of aims and ideals. This means that it also applies to not-for-profit organisations such as charities and political parties. Also, like the current guidance, it acknowledges that contacting individuals to conduct market research will not constitute direct marketing if it is genuine and not ultimately intended to be used to send direct marketing communications to individuals.
The draft code explains that direct marketing purposes include “all processing activities that lead up to, enable or support the sending of direct marketing”. Processing of personal data with the intention that it is used for communicating direct marketing “by you or a third party” is therefore processing for direct marketing purposes.
The draft code also stresses the distinction between service messages and marketing communications. A renewal or end of contract notice, for example, is unlikely to constitute direct marketing if neutrally worded and not actively promoting or encouraging the individual to renew or take on a further contract. A message will be direct marketing, however, if it actively promotes or encourages an individual to make use of a particular service, special offer, or upgrade, for example. A “key factor is likely to be the phrasing, tone and context”.
Data protection by design
A key theme of the GDPR is accountability. This means being able to demonstrate compliance. Depending on the direct marketing activity, a data protection impact assessment (DPIA) may be required. If the direct marketing activity includes processing of a type likely to result in high risk, a DPIA must be carried out before any processing. Relevant activities in this context would include data matching for direct marketing, large-scale profiling and targeting children. The code suggests that if you use new technologies for marketing and online advertising, it is also “highly likely” that you will need to undertake a DPIA.
The draft code explains that, generally speaking, the two lawful bases under the GDPR most likely to be applicable to direct marketing purposes are consent and legitimate interests. However, if PECR requires consent, then, in practice, consent will likely be the relevant lawful basis under the GDPR. If the intention is to process special category data for direct marketing purposes, it is likely that the only Article 9 condition available under GDPR will be “explicit consent”. Since processing special category data requires a special category condition from Article 9 as well as an Article 6 lawful basis, special category data cannot be processed for direct marketing purposes without the individual’s explicit consent. The draft code helpfully confirms that simply holding a list of customer names associated with a particular ethnicity or religion will not trigger the need for an Article 9 condition unless you specifically target marketing on the basis of that association.
Where consent under PECR is not required, the draft code says that it might be possible to rely on legitimate interests as the lawful basis for processing data for direct marketing purposes, but only if you can show that the way the data is used is proportionate, has a minimal privacy impact, and would not surprise people or lead them to object, and as long as the marketing is carried out in compliance with other legal and industry standards.
The draft code underlines the importance of the accuracy principle of the GDPR for direct marketing, which requires that personal data is accurate and, where necessary, kept up to date. Reasonable steps must be taken to ensure that personal data held for direct marketing purposes is not factually incorrect or misleading. Children’s personal data requires specific protection in relation to direct marketing. Recital 58 GDPR says: “Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.”
The GDPR does not specify how long personal data can be kept for direct marketing purposes. However, the GDPR’s storage limitation principle means that it must not be kept for longer than you need it.
Generating leads and collecting contact details
Transparency is a key part of the GDPR and, as part of this, individuals have the right to be informed about the collection and use of their personal data for direct marketing purposes.
If data are collected directly from individuals, information must be provided at the time the data are collected. If collected from other sources (e.g. public sources or from third parties), fair processing information must be provided within a reasonable period of obtaining the data and no later than one month from the date of collection. Fair processing information must be drafted in clear and plain language, and be easily accessible. It should explain clearly the purposes for which the individual’s personal data are to be processed. Vague terms such as “marketing purposes”, “marketing services” or “marketing insights” are not sufficiently clear. The draft code stresses that any unusual or unexpected processing ought to be at the forefront of any layered fair processing information: “For example, as it is highly unlikely that your customers or supporters etc expect you to collect additional data on them from other sources, this should therefore clearly be brought to the individual’s attention.”
Before buying or renting direct marketing lists, you should carry out appropriate due diligence. What this entails is set out in the draft code. It states that simply accepting a third party’s assurances that the data they are supplying is compliant is not enough. It also recommends having a written contract in place confirming the reliability of the personal data being purchased or rented.
Profiling and data enrichment
Profiling and enrichment activities must be done in a way that is fair, lawful and transparent. Due diligence is essential before using profiling or enrichment services. Again, simply accepting a third party’s assurances is not enough.
Article 22 GDPR applies to solely automated decision-making, including profiling, that has legal or similarly significant effects on individuals. If Article 22 is engaged, the individual’s explicit consent is required prior to profiling them for direct marketing purposes. The draft code recognises that the majority of direct marketing based on solely automated decision-making or profiling is unlikely to have a legal or “similarly significant effect”, but stresses that there could be situations where it does, for example: targeting individuals known to be in financial difficulty with marketing about high interest loans. Moreover, profiling people using their special category data requires their explicit consent.
The draft code makes a number of further points: where non-personal data such as assumptions about the type of people who live in a particular postcode is used to enrich details already held about an individual, it will become personal data; in most instances, buying additional contact details for existing customers or supporters is likely to be unfair unless the individual has previously agreed to these extra contact details; and tracing an individual in order to send direct marketing to their new address is likely to be unfair as it takes control away from the individual to be able to choose not to disclose their new details.
Sending direct marketing messages
The draft code reminds us that, no matter which method is used for sending direct marketing messages, the GDPR will apply when personal data are processed. The draft code largely replicates the current guidance on the direct marketing provisions in PECR, noting, for example, that in general, under Regulation 22 PECR, direct marketing by electronic mail (e.g. email and text messages) requires the individual subscriber’s consent and that the “soft opt-in” under Regulation 22(3) only applies to the commercial marketing of products and services, not to the promotion of aims and ideals.
While the PECR rules on marketing by electronic mail do not apply to corporate subscribers, the new code also reminds us that the GDPR still applies to B2B marketing if personal data is processed. The code says it makes good business sense to keep a “do not email or text” list of any businesses that object or opt out of direct marketing by electronic mail, and to screen any new B2B direct marketing lists against it. It acknowledges that in many cases legitimate interests will likely be the appropriate lawful basis for processing individuals’ personal data in their business capacity for direct marketing purposes, but says “there is no absolute rule”.
Because individuals may not understand how non-traditional direct marketing technologies work, the draft code states that it is “particularly important” that marketers are clear and transparent about what they intend to do with personal data.
Since Regulation 6 PECR requires consent when cookies or similar technologies are used for online advertising, the code states that consent is likely to be the most appropriate lawful basis for any processing of personal data collected by such cookies.
Social media platforms
The draft code stresses the need to be clear about what data is being used and why, when using a social media presence to target direct marketing at individuals or using the platform’s advertising services and technologies. This is because many different data sources are likely to be used for this purpose. Further, while this type of targeted advertising does not fall within the PECR definition of electronic mail, Regulation 22 PECR does cover direct messaging on a social media platform.
The draft code provides guidance on the use of “list-based” targeting tools that social media platforms offer to display direct marketing messages to users of the platform. List-based targeting is where the marketer uploads personal data to the platform (such as a list of email addresses), which then matches the data with its own user base. Users that match the uploaded list are then added into a group that can be targeted on the platform. The draft code underlines the need to clearly inform individuals about this processing so that they fully understand how their personal data will be used.
In-game and in-app advertising
The draft code recognises that not all in-game advertising is covered by the direct marketing rules. For example, the rules do not apply to in-game advertising that is built into the game (e.g. “static” in-game advertising) where all users see the same ad and that ad is not based on any characteristics of the users. However, “other types of in-game advertising that are more targeted at particular users (e.g. ‘dynamic’ in-game advertising) may be caught by the GDPR, particularly where it uses things like the user’s location and other information such as time of the day the user plays to tailor the advertising”.
As with online advertising, Regulation 6 PECR applies to cookies and similar technologies used as part of in-app marketing – whether this is for contextual or personalised advertising. Again, GDPR-standard consent is required prior to using any non-essential cookies, and clear and comprehensive information about the use of such cookies for these purposes must also be provided.
The draft code provides guidance on the use of advertising IDs for direct marketing, noting that operating systems such as Android and iOS incorporate unique identifiers which can be used for marketing purposes. It also notes that Recital 30 GDPR gives an advertising ID as an example of an “online identifier” which can make an individual “identifiable”. The draft code states that if advertising IDs are used for marketing purposes, “you need to know the specific details of how the different platforms use these identifiers, the information and controls they provide to individuals (and what you also provide), and how your use links to other advertising techniques. You also need to consider compliance with other relevant laws such as PECR.”
The use of location-based marketing techniques must be transparent. As well as clearly telling people about this type of tracking, consent is also likely to be the most appropriate legal basis for this type of data processing. The draft code also states that it will be difficult to demonstrate that the legitimate interests requirements are met since it is unlikely to be in people’s reasonable expectations that their location will be tracked in order to send them ads.
Since in most instances the marketer will not be the developer of marketing or advertising technologies but will be buying them in or using them to show adverts, the marketer may need to undertake appropriate due diligence on any third parties that supply advertising services and/or technologies. For example, the marketer should be clear about the capabilities and functionality of the technology and whether the product developer or provider conducted a DPIA.
Selling or sharing data
As well as stressing the need to exercise caution when selling or sharing data for direct marketing purposes “because you are responsible for ensuring that it is fair and lawful to do so”, the draft code provides useful guidance on the lawful bases for such activities. If relying on consent to sell or share data for direct marketing purposes, to be valid, such consent must be specific, unambiguous, informed and freely given: “You cannot infer that you have consent just because you are selling the list to organisations with similar aims or objectives to you.” Further, when determining if legitimate interests applies to sharing or selling the data, the reasonable expectations of individuals must be taken into account. This means asking, amongst other things, “Is your intended purpose and method obvious or widely understood?”
As well as the right to be informed, the key rights in the direct marketing context are the rights to object, to rectification, to erasure and of access. In particular, the code reminds us that the right to object to direct marketing is absolute and can be exercised at any time and in any way, including via a third-party opt-out service. If someone objects to their data being processed for direct marketing, all data processing for direct marketing purposes must stop and their details should be added to a suppression list.
Similarly, if consent to direct marketing is withdrawn, data processing for direct marketing purposes must stop immediately or as soon as possible. The code repeats the familiar refrain that you cannot swap from consent to another lawful basis for this processing at the point the individual withdraws consent.
Further, withdrawal of consent or an objection to direct marketing is likely to mean that the data should be erased unless a small amount is needed for another purpose, such as a suppression list. In that respect, the draft code acknowledges that, even if the right to erasure did arise, it is likely that Article 17(3)(b) applies because the processing of the suppression list to ensure that their wishes and rights are complied with is necessary for compliance with a legal obligation (i.e. not to use personal data for direct marketing purposes).
The DPA 2018 contains a number of exemptions from particular GDPR provisions, and these add to the exceptions that are already built into the GDPR. As the draft code observes, there are no exemptions that specifically apply to processing for direct marketing purposes.
PECR contains very few exemptions. The two exemptions in Regulation 6 from the requirement to provide clear and comprehensive information and gain consent prior to using cookies and similar technologies do not apply to online advertising, tracking technologies or social media plugins.
Almost every piece of guidance released by the ICO comes with the health warning: “For serious infringements of the data protection principles, we have the power to issue fines of up to €20 million or 4% of your annual worldwide turnover, whichever is higher.” Failure to follow a statutory code of practice could therefore have particularly serious consequences. The ICO says it will monitor compliance with the code through proactive audits. It also says that adherence to the code will be a key measure of compliance and that direct marketers who do not follow the code will find it difficult to demonstrate that their processing complies with the GDPR or PECR. Since the code is designed to update the previous guidance, not only in light of the GDPR and the Data Protection Act 2018, but also in light of new technologies, the sections on social media and in-app advertising are likely to be closely scrutinised by stakeholders during the consultation period which closes on 4 March 2020. Indeed, there are already calls for more detail on the use of the soft opt-in exemption in the context of a negotiation for a sale, particularly in the context of so-called “free” services. Ultimately, however, regardless of what technology you use to deliver direct marketing or collect data for direct marketing purposes, you still need to comply with the GDPR and PECR. The draft code goes some but not all of the way to telling you how.