The Data Protection Act 2018 (DPA 2018) requires the Information Commissioner to produce a code of practice that provides practical advice on how to undertake direct marketing in a manner that complies with UK data protection and privacy law and also gives recommendations for best practice. On 8 January 2020, the Information Commissioner's Office (ICO) published a draft Code on direct marketing and launched a public consultation seeking views on the draft.

When finalised, the Code will replace the existing ICO guidance that was published in 2013 and updated in 2016. The original guidance is founded on the rules contained within the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). The new draft Code is based on the most recently updated version of PECR as well as the DPA 2018 and of course, the General Data Protection Regulation (EU) 2016/679 (GDPR).

Practical advice for those involved in Direct Marketing

The purpose of the Code is to supplement existing data protection guidance with specific, practical advice for those engaged in direct marketing. The draft Code explains what direct marketing is and to whom the Code applies.

A range of direct marketing practices are then studied - covering lead generation, profiling and data enrichment, data brokering, the sending of direct marketing messages and online advertising - and the applicable law outlined and specific compliance advise provided in respect of each area.

Direct Marketing and new technologies

Although the underlying data protection law principles remain the same regardless of the technology used to process personal data, the draft Code looks at the technology currently used in connection with direct marketing, much of it newly emerged. This is helpful in that the review of the data protection and privacy issues arising in relation to each of these technologies is something of a case study on how to ensure that new and innovative technologies are deployed in a manner that complies with data protection and privacy law.

Legal Effect of the Code

The Information Commissioner is the supervisory authority for data protection in the UK and is responsible for monitoring, investigating and enforcing compliance with UK data protection and privacy laws. The Code will not be legally binding but will be admissible as evidence in court proceedings and the ICO is required to take it into consideration when exercising its functions. Ultimately, if your direct marketing practices adhere to the Code, particularly if you find it viable to follow best practice recommendations, it is highly likely that you will be compliant with the data protection and e-privacy laws on which the Code is based.

The public consultation on the draft Code shall close on 4 March 2020. You can take part by visiting the ICO website.

You can read more about the draft Code in our Legal Update, which provides a detailed overview of the proposed changes and direct marketing under GDPR.