ICO consultation – Direct Marketing Code of Practice
15th January, 2020 at 13:05pm
The ICO has published its long-awaited draft of the direct marketing code of practice and invited comments from professionals across the industry.
It is a critical document for the data and marketing industry because its elevated status as a code of practice, as opposed to guidance, will give it statutory status, meaning that it will effectively become the legal rulebook for the sector.
The code consolidates previous GDPR guidance, PECR and cookie advice, and focusses solely on direct marketing – defined by the ICO as essentially one-to-one marketing.
The code has really benefitted from the experience and knowledge that the ICO have gathered since May 2018, in terms of frequently asked questions (FAQs) by organisations and case studies.
The ICO have included relatable, straightforward subject matter and examples that clearly draw on their learnings from previous industry engagement and help clarify grey areas and common mistakes.
Their understanding of the data and marketing industry has expanded and been brought in line with modern technological advancements and regulatory changes.
There is plenty of useful preamble and scene setting, defining terms such as ‘direct marketing’ and ‘service messages’. It also specifically mentions the DMA Code as a point of reference for marketing best practice.
It is aimed at “anyone that processes personal data for direct marketing purposes”.
Key takeaways and chapter summaries
The code does not address each marketing channel or type of processing separately, as was the case with its predecessor.
Instead it takes a “lifecycle approach” with the main chapters including:
Planning
Generating and collecting data
Profiling
Sending messages
There are also chapters on online advertising, selling and sharing data, and individual rights.
In addition, the code includes sections on marketing in mobile apps, in-game advertising, TV advertising and location-based marketing, among others.
It also addresses the impact on different sectors, such as charity and B2B, where the rules are applied slightly differently.
In the planning chapter, there is a lot of focus on getting things right from the start by talking about data protection by design and the benefits of doing data protection impact assessments (DPIA) and conducting appropriate due diligence, as well as how to understand the correct legal basis to use and the data controller to processor relationship.
Well established marketing practices are clearly explained and there are no huge issues or concerns in the interpretation of the law.
However, some of the finer details may come as a surprise to some: for example, data appending is considered unfair processing, and hosted email campaigns breach PECR, as do ‘Refer a Friend’ promotional campaigns.
Article 14 of GDPR says that if you obtain personal data from somewhere other than directly from the data subject, you are obliged to provide privacy information to that person within a month.
For companies that collect data from such sources as Companies House, the Edited Electoral Roll or third-party data providers, this could have a major impact.
There is also a section on sharing data and switching legal basis that appears to have been written because the ICO have seen this in practice and want to address it.
There are outstanding compliance questions regarding digital advertising and naturally these are not resolved by this code.
The online advertising and new technologies section has a focus on the need for transparency and the benefits of conducting a DPIA. It also summarises the relevant cookie requirements.
For those that use social media, the code makes it clear that social audiences and ‘lookalike’ audiences require consent.
Also, as a joint controller, the marketer needs to undertake due diligence on the social media platform to ensure that the data being used has valid consent.
Additionally, the code states that in-app marketing will now need consent from the user, which could significantly impact the market for free apps in the future.
Next steps
The code will be circulated for consultation until 4 March 2020 and the final version is expected to be published later this year.
John Mitchison
Data & Marketing Association
Director of Policy and Compliance