Direct Marketing Commission - Enforcing Higher Industry Standards

Stephen Almond, Executive Director, Regulatory Risk, who leads the ICO’s team responsible for anticipating, understanding and shaping the impacts of emerging technology and innovation on people and society.

“Last November we wrote to 53 of the UK’s top 100 websites, warning that they faced enforcement action if they did not make changes to advertising cookies to comply with data protection law.

We’ve had an overwhelmingly positive response to our call to action. Of the 53 organisations we contacted, 38 organisations have changed their cookies banners to be compliant and four have committed to reach compliance within the next month.

Several others are working to develop alternative solutions, including contextual advertising and subscription models. We will provide further clarity on how these models can be implemented in compliance with data protection law in the next month.

We expect all websites using advertising cookies or similar technologies to give people a fair choice over whether they consent to the use of such technologies. Where organisations continue to ignore the law, they can expect to face the consequences.

We will not stop with the top 100 websites. We are already preparing to write to the next 100 – and the 100 after that.

To accelerate our efforts we are developing an AI solution to help identify websites using non-compliant cookie banners. We’ll run a ‘hackathon’ event early in 2024 to explore what this AI solution might look like in practice.

Our advice to all organisations is to take action now to become compliant. We can already see the ripple effect of our intervention with many organisations making changes to cookie banners without receiving a letter from us.

And as we’ll be steadily working our way through the list of websites offering services to UK users to give them all the same message, it makes sense to be compliant before the regulator comes knocking.”

click for more information

The Data & Marketing Commission has had complaints relating to direct mail and telephone marketing where the activity was based on a Legitimate Interest rationale.  This is permissible under ICO guidance and the DMA and others have also issued guidance. The complaints received prompted an assessment of the practices seen in terms of the DMA Code, looking in particular at the timeframes in which data might be used and what might be considered ‘fair and reasonable’; a key Code provision. The assessment did not result in any formal adjudications but we will use this set of conclusions in considering any future complaints:

• Direct Marketing, in particular for post and telephony, will often be practiced under the grounds of Legitimate Interest as is provided for in law and supporting guidance.
• The DMC believes the reasoning behind a wholly consistent approach to timeframes for use of data irrespective of the basis on which it is used, is sound and unexceptional.
• In the light of some evidence seen the DMC believes there is a need to address parameters for the use of data for marketing purposes.  It believes this will be valuable to businesses wishing to use Legitimate Interests and, therefore, required to carry out a Balancing Test.
• Whilst the DMA guidance on the minimum standards of the lifetime of consent was levered towards the grounds for Consent, the DMC intends to use the same guidance applied to the grounds for Legitimate Interest for both third party and first party processing activity.
• This means the DMC intends to use the six and 24 month standard set out in DMA guidance for the valid use of Consent* (see below) to market to apply equally to marketing based on Legitimate Interests.
• These time periods are for guidance and it will be up to individual users of data to consider, justify and record any applicable valid reasons for extending the time period. These could include an annualised product purchase cycle, such as in travel, insurance or utilities.
• When considering data used under a legitimate interest purpose that is coming to the end of a valid lifetime period, the new legitimate interest assessment should treat the time since the original personal data point was captured as a key factor in the assessment.
• Building on this move to alignment over the timeframes for marketing based on Consent or a Legitimate Interest the DMC thinks it is right that there should be broad consistency in relation to how data subjects can exercise a right to opt-out of marketing.
• The DMC believes marketing activity based on Legitimate Interest should make clear how people can ask to stop the unwanted mailings. That explanation should be prominent and the process should be as simple to use as possible. Wherever possible the DMC would expect a request to be removed for marketing lists operated under the Legitimate Interest rationale i.e. it should go to the entity providing this data to third parties. That is to say the consumer should not have to make repeated opt-out requests to individual marketeers. Their wish should be actioned by the originator of the data.

DMA guidance on consent timescales *

The DMA advises its members to adhere to these minimum standards on the lifetime of consent:

• For third-party data: telephone, email, SMS; the maximum time that consent can remain valid is six months after initial collection or any other positive contact
• For third-party postal marketing: the maximum time consent can remain valid is 24 months after initial collection or any other positive contact
• For all first-party data: telephone, email, SMS and post; the maximum time that consent can remain valid is 24 months after initial collection or any other positive contact

The timeframes run from either the initial collection or further positive contact with the customer.

click for more information