The direct marketing landscape has undergone a period of significant change in the last decade. According to Ofcom's 2018 Communications Market Report 90% of the UK population had home access to the internet and usage of smartphones increased from 27% of all adults in 2011 to 78% in 2018.
UK consumers are producing huge volumes of data and when this data relates to an identifiable individual, or is combined with such data, it constitutes personal data. The value of personal data is significant; it enables organisations to target individuals directly with personalised advertising or marketing material.
Public consultation launched on new draft code of practice
On 8 January 2020, the ICO published a new draft code of practice on direct marketing and launched a public consultation seeking views on the draft.
This follows the introduction of a new data protection regime in 2018: the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act 2018 (DPA 2018), both of which took effect on 25 May 2018 (the DPA 2018 received Royal Assent on 23 May 2018). This regime superseded the Data Protection Act 1998 (DPA 1998). Section 122 of the DPA 2018 requires the ICO to prepare a statutory code of practice on direct marketing, which will replace the current guidance published in 2013 and subsequently updated (most recently in 2018).
The ICO has been clear that the purpose of the new guidance is not to duplicate the extensive data protection and privacy guidance already in existence. The draft Code seeks to provide practical, hands-on guidance to facilitate compliance with UK data protection and e-privacy laws for those involved in direct marketing.
With simple language, 'real world' examples, best practice recommendations, further reading suggestions and links to the relevant sections of the legislation, the result is a user-friendly compliance manual that will no doubt benefit organisations engaged in direct marketing and data protection practitioners alike.
Who does the draft Code apply to?
Direct marketing is "the communication (by whatever means) of advertising or marketing material which is directed to particular individuals". (Section 122(5) of the DPA 2018)
If you undertake direct marketing or are involved anywhere in the direct marketing supply chain, the draft Code applies to you. It is important to note that as well as commercial activities, direct marketing also includes the promotion of aims and ideals. This means that the rules about direct marketing apply to marketing or advertising to individuals for the purpose of charity fundraising and awareness raising, political campaigning and promoting public services.
What is the legal effect of the Code?
The Code will not in itself be legally binding. However, under section 127 of the DPA 2018 it will be admissible as evidence in court or tribunal proceedings, a court or tribunal must take any relevant provision of the Code into account when determining a question before it, and the ICO must take any relevant provision into consideration when exercising its functions.
The ICO has advised that compliance with the Code will be strongly indicative of compliance with data protection laws and if you cannot show that your direct marketing practices are in line with the Code, it will be "difficult" to demonstrate compliance with data protection legislation.
The Applicable Law
Direct marketing is regulated by GDPR, the DPA 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"). PECR implements the European Directive 2002/58/EC, known as the 'e-privacy Directive', and covers electronic marketing and marketing by phone, together with rules in relation to the use of cookies and other tracking technologies.
The EU is currently in the process of replacing the e-privacy Directive with a new regulation to complement the GDPR. Until this happens, PECR continues to apply.
What is new in the 2020 draft Code?
The original guidance looks at the rules contained within the DPA 1998 and PECR on direct marketing, focusing primarily on calls and texts to individuals.
When the current direct marketing guidance was updated in 2018, certain sections were signposted to indicate that they would be subject to change once GDPR had come into force. Although many of the founding data protection principles remain the same, the draft Code represents a fairly substantial re-write.
The draft explains and demonstrates how to ensure that your direct marketing practices are compliant with the new data protection legislation and the updated versions of PECR.
Although a sizeable document, the draft Code is broken down into sections providing specific guidance in relation to different direct marketing practices and the use of new technologies for marketing and online advertising. Each section outlines the applicable data protection issues and risks to be considered and provides practical guidance to facilitate compliance.
We explore some of the notable differences between this draft Code and the current guidance below.
Interaction between PECR and GDPR
Before looking at the changes in the draft Code, it is helpful to revisit the interaction between GDPR and PECR.
PECR sits alongside GDPR, and regulates ePrivacy, whether or not personal data is being processed. PECR deals with electronic marketing, telephone marketing (and screening numbers against the Telephone Preference Service), and rules on the use of cookies and other tracking technologies (whether used for marketing or other purposes).
Under PECR, direct marketing by email, SMS or other electronic means ("electronic mail") to individual subscribers requires the prior consent of the individual. There are two exceptions to this:
The corporate subscriber exemption: this applies where the recipient is, for example, an incorporated body or Scottish partnership. This is generally interpreted as meaning that prior consent is not required to send an email to someone at a "work" email address. Note, however, that sole traders and non-Scottish partnerships are individual subscribers under PECR, so a "work" address is not on its own a safe indicator. Applying this exemption can therefore be difficult in practice, as marketing databases will often hold a mix of corporate and "personal" contact details.
The "soft opt-in": this applies where the contact details have been collected in the course of a sale (or negotiations for a sale) of goods or services and allows the same organisation to market its own "similar" goods and services, provided that the individual was given a simple means of refusing at the point of data collection and in each subsequent electronic marketing communication. The ongoing application of the soft opt-in and opt-outs caused particular confusion in the run up to GDPR.
It is important to remember that irrespective of whether consent is required under PECR or if you are relying on the soft opt-in, where personal data is being processed you must still have a legal basis under GDPR.
The draft Code emphasises that if consent is required under PECR, it will never be appropriate to rely on legitimate interests as your legal basis for processing because you cannot legitimise processing that is prohibited elsewhere in the law. Where consent is required under PECR, that consent must meet the requirements of GDPR in order to be valid.
Five key changes that apply to direct marketing
While many sections of the draft Code will be familiar from previous ICO guidance, there are five key areas where the draft Code addresses changes introduced under GDPR.
1. A higher standard of 'consent'
In order to process personal data, you must have a lawful basis to do so. Of the six lawful bases, the draft Code advises that in the context of direct marketing, it is likely that only consent and legitimate interests are applicable. The draft Code recommends that even if you can rely on legitimate interests as your lawful basis for processing, the best practice position would be to obtain consent from all data subjects for direct marketing purposes. While this may be the ICO's view of best practice, organisations will need to consider the pros and cons of consent versus legitimate interests.
GDPR contains more specific rules on what constitutes valid consent. Article 4(11) of GDPR defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".
Consent must be:
Unambiguous:
Individuals must take affirmative action to 'opt-in' to processing for direct marketing in order to meet GDPR standard of consent. This means that you cannot use pre-ticked boxes or rely on inaction, silence or default settings and requests for consent cannot be hidden within other terms and conditions or a privacy policy.
Specific and informed:
Individuals must have control and genuine choice about whether their personal data is processed for direct marketing. You must explain what you plan to do with the data and for what purpose, in a way that the average person can digest and understand - this is particularly important if you plan to use new technology or if you plan to use the data in a way that the individual would not expect you to.
Consent must be specific. Separate consent must be obtained for each proposed processing activity and each purpose for the processing. It is not possible to rely on vague, blanket consent. You must also let the individual know the name of any third party who wishes to rely on the consent; this is particularly relevant if you are operating as a data broker.
Freely given:
Consent must be as easy to withdraw as it was to give, and it should not be a pre-condition to receiving goods or a service unless the processing is necessary for the provision of those goods or that service. For example, where the service requested is itself a marketing communication, such as a subscription to emails about new products similar to those the individual has previously purchased, the direct marketing processing is necessary to deliver that service.
2. Greater transparency
Transparency is a fundamental feature of GDPR. Individuals have the right to know what personal data you hold about them and how you plan to use it for direct marketing purposes.
Collecting personal data directly from the individual
When you collect personal data about an individual for direct marketing from them, at the time of collection, you must provide them with a privacy notice containing the information set out in Article 13 of GDPR. This includes: (i) who you plan to share it with; (ii) what rights they have as a data subject (discussed below); (iii) how they can withdraw consent if you are relying on consent as a legal basis; (iv) how long you plan to keep the data; and (v) what you plan to do with it.
Collecting personal data about an individual from another source
When you collect personal data about an individual for direct marketing from another source, e.g. from a data broker, from publicly available information or from another organisation, Article 14 of GDPR applies. You must provide the individual with the privacy information within one month of obtaining the data and, if the data is used to communicate with them, at the latest at the time of the first communication. In addition to the information required under Article 13 you must inform the individual: (i) where you got the personal data from and (ii) the categories of personal data that you hold about them, e.g. gender, interests, contact details.
It is not necessary to provide this information if you can demonstrate that it would take a disproportionate effort to do so (weighted against the effect of the processing on the individual). However, the draft Code warns that if you compile a profile of information about an individual including their contact details, interests, likes and dislikes from different sources, it is unlikely that you can rely on this exemption as this processing would surpass what the individual would reasonably expect you to do.
In practice, the requirements in relation to information notices and the stricter rules on consent mean that organisations will need to carry out detailed diligence before using marketing lists provided by data brokers.
3. Accountability principle
The GDPR introduced the accountability principle as a new seventh data protection principle. The essence of this principle is that you must be able to demonstrate your compliance with GDPR.
The draft Code advises how to ensure that you comply with this obligation on a practical level when undertaking direct marketing.
In addition to the requirements that most will be familiar with now (e.g. having a privacy policy in place and written contracts with any data processor you engage that include mandatory data processing clauses) the draft Code advises that you must keep a record of who has provided consent for direct marketing, when they gave it, how they gave it, what you told them you would do with the data and for what purpose.
Another important feature of the accountability principle is the requirement to undertake Data Protection Impact Assessments. These are discussed below.
4. Data subject rights:
GDPR introduced a number of rights for data subjects, exercisable in relation to their personal data. Those of particular relevance in the context of direct marketing are the rights to object, to rectification, to erasure and of access. The right to object to processing for direct marketing purposes (Article 21(2) and (3)) is absolute: once an individual objects, you must stop processing their personal data for that purpose. Each of these rights, and what data controllers must do if data subjects exercise them in relation to direct marketing practices, is explored in the draft Code.
5. Data Protection Impact Assessments
GDPR introduces a new legal obligation (Article 35) to undertake a Data Protection Impact Assessment (DPIA) before carrying out processing that is likely to result in a high risk to individuals' rights and freedoms. If the DPIA identifies a high risk that cannot be mitigated, the ICO must be consulted before the processing begins (Article 36).
The ICO has compiled a list of processing activities that would be likely to result in a high risk to the data subjects. The draft Code notes those activities that are particularly relevant in the context of direct marketing:
large scale profiling;
data matching;
invisible processing;
tracking the geolocation or behaviour of individuals, wealth profiling, loyalty schemes; and
targeting children or other vulnerable individuals for marketing and profiling.
You will be required to carry out a DPIA before undertaking any of these activities.
The draft Code adds that if you plan to use new and emerging technology for marketing and online advertising, it is highly likely that you require a DPIA.
Use of new technology for direct marketing
New practices covered by the guide include: social media marketing, digital marketing on subscription-based streaming and catch-up TV platforms, digital marketing using facial recognition or detection, in-game advertising, mobile app advertising, geo-targeting and advertising via the Internet of Things.
While the draft Code can't forecast what new technologies will be used for direct marketing purposes in the future, the underlying principles will remain the same regardless of the application.
Ensuring that the data subject has control over their personal data and that the personal data is not used unfairly or improperly is paramount. Compliance with the Code, once published, and with the underlying data protection regime should not be perceived as a deterrent to innovation; rather, it provides an opportunity to build public trust and support for emerging technologies and their application to personal data.
The public consultation on the draft Code closes on 4 March 2020. You can provide feedback through the ICO's website.