ICO consults on draft direct marketing code of practice

On 8th January 2020 the Information Commissioner’s Office (ICO) launched a consultation on their draft direct marketing code of practice.

The Code itself will replace the existing direct marketing code and guidance around the application of the Privacy and Electronic Communications Regulations (PECR) which set the rules on marketing consent and how GDPR’s new rules factor into processing marketing data. You can read the full draft here and respond to the draft to the ICO here (you’ve got until March 4th to respond). Once the ICO has considered responses to the Code the final version will be published “later this year” along with some tools, checklists, etc.

Whilst the PECR marketing rules haven’t changed since 2003, obviously in terms of processing marketing data GDPR now applies, so the main changes in the Code are around this aspect rather than changing the rules on whether or not you need consent to send email marketing. Highlights in the Code include:

  • Planning your marketing using a data protection by design approach. Specifically the Code suggests you should put policies in place, maintain documentation around your marketing activities (which include your lawful basis for processing), make sure contracts are in place with any third-parties who do your marketing for you and if necessary carry out data protection impact assessments (DPIA) if you’re using technology or new ways of using the marketing data or if you’re doing large scale profiling, tracking, etc.
  • If you use special category data for direct marketing purposes then as well as having a lawful basis for processing (probably consent or legitimate interest) you will also need to identify a special category condition which is likely to be explicit consent
  • Keeping marketing data accurate and up to date including recording the source of the data, which methods of direct marketing an individual has consented to, any objects, opt-outs, etc. and allowing individuals their right to update their data
  • Meeting GDPR requirements when you’re generating leads and collecting contact details whether from third-parties selling you a list, collection yourself (e.g. from customers) or publicly available sources (e.g. LinkedIn). Regardless of how you’ve come from the data you will need to make sure you tell individuals you have their data for marketing purposes, which means if you have collected the data from public sources or bought in a list you get one month to communicate the fact to the individual (this is the individuals’ right to be informed) although it may be possible to rely on an exemption
  • Profiling activities must be carried out fairly, lawfully and transparently which may mean you will need comply with the GDPR rules on automated decision making, carrying out a DPIA
  • Data enrichment activities (where you use other sources to find out more about data subjects for profiling purposes) requires knowledge from the individual that their data will be used in this enrichment activity via your own privacy notices and those of the sources from where the information came and that the processing isn’t unfair; similarly, if you’re matching or appending data then this is unlikely to be unfair and consent is likely to be required
  • Confirmation about the different consent rules in PECR (including that you don’t need to consent to market to “corporate subscribers” but GDPR still applies to the corporate subscriber’s personal data)
  • If you’re using audience based marketing on social media (e.g. you’re uploading a list of contacts to target on a specific social media platform), the individuals need to be aware that you are doing this as they are unlikely to expect this type of processing. Furthermore, you’re likely to need consent to do this
  • If you’re using customer lists (or other personal data) to identify “look-a-likes” on social media then you are likely to be a joint controller with the social media network (meaning you need to be clear the network applies the appropriate GDPR controls particularly around transparency). You will also need to ensure the individuals know their data is to be used in this way and be clear on your lawful basis for processing (unfortunately, the ICO have not been clear on what they think that lawful basis may be – consent or legitimate interest?)
  • Using facial recognition technologies to identify individuals and then market to them is unlikely to be lawful plus you will be processing special category data (biometric data) which will require explicit consent from the individual to use for processing
  • Before using new technologies for marketing activity you should ensure you are happy the provider of the technology is compliant (and telling you the truth), and has carried out a DPIA; you’ll also need to carry out a DPIA yourself
  • Selling or sharing data to/with third-parties has to be fair and lawful. This means you will need to consider whether you have been transparent that you will be selling the data and if you are relying on consent that specific consent for selling/sharing was collected; and if you’re relying on legitimate interest for the selling/sharing then you will need (as part of your legitimate interest assessment) consider what you’ve told the individuals at the time of collecting/having the data
  • Data brokering services will need to make sure they tell the individuals that they are processing their data, what you will be doing with it and that they can exercise their rights including to object to marketing
  • Using suppression lists (so you know who has “unsubscribed”) is lawful provided you only use them to make sure you don’t continue marketing to them; the lawful basis is likely to be compliance with a legal obligation

While the Code itself is not legally binding the ICO are likely to use your non-compliance with the Code against you given they see the Code as best practice and a way of demonstrating your compliance with both PECR and GDPR.

Leave a comment