Direct Marketing Commission - Enforcing Higher Industry Standards

ICO consultation – Direct Marketing Code of Practice

15th January, 2020

The ICO has published its long-awaited draft of the direct marketing code of practice and invited comments from professionals across the industry.

It is a critical document for the data and marketing industry because its elevated status as a code of practice, as opposed to guidance, will give it statutory status, meaning that it will effectively become the legal rulebook for the sector.

The code consolidates previous GDPR guidance, PECR and cookie advice, and focusses solely on direct marketing – defined by the ICO as essentially one-to-one marketing.

The code has really benefitted from the experience and knowledge that the ICO have gathered since May 2018, in terms of frequently asked questions (FAQs) by organisations and case studies.

The ICO have included relatable, straightforward subject matter and examples that clearly draw on their learnings from previous industry engagement and help clarify grey areas and common mistakes.

Their understanding of the data and marketing industry has expanded and been brought in line with modern technological advancements and regulatory changes.

There is plenty of useful preamble and scene setting, defining terms such as ‘direct marketing’ and ‘service messages’. It also specifically mentions the DMA Code as a point of reference for marketing best practice.

It is aimed at “anyone that processes personal data for direct marketing purposes”.

Key takeaways and chapter summaries

The code does not address each marketing channel or type of processing separately, as was the case with its predecessor.

Instead it takes a “lifecycle approach” with the main chapters including:

  • Generating and collecting data
  • Sending messages

There are also chapters on online advertising, selling and sharing data, and individual rights.

In addition, the code includes sections on marketing in mobile apps, in-game advertising, TV advertising, location-based marketing etc.

It also addresses the impact on different sectors, such as charity and B2B, where the rules are applied slightly differently.

In the planning chapter, there is a lot of focus on getting things right from the start by talking about data protection by design and the benefits of doing data protection impact assessments (DPIA) and conducting appropriate due diligence, as well as how to understand the correct legal basis to use and the data controller to processor relationship.

Well-established marketing practices are clearly explained and there are no huge issues or concerns in the interpretation of the law.

However, some of the finer details may come as a surprise to some: data appending is considered unfair processing, and hosted email campaigns breach PECR, as do ‘Refer a Friend’ promotional campaigns.

Article 14 of GDPR says that if you obtain personal data from somewhere other than directly from the data subject, you are obliged to provide privacy information to that person within a month.

For companies that collect data from such sources as Companies House, Edited Electoral Roll or third-party data providers, this could have a major impact.

There is also a section on sharing data and switching legal basis that appears to be written because the ICO have seen this in practice and want to address it.

There are outstanding compliance questions regarding digital advertising and naturally these are not resolved by this code.

The online advertising and new technologies section has a focus on the need for transparency and the benefits of conducting a DPIA. It also summarises the relevant cookie requirements.

For those that use social media, the code makes it clear that social audiences and ‘lookalike’ audiences require consent.

Also, as a joint controller, the marketer needs to undertake due diligence on the social media platform to ensure that the data being used has valid consent.

Additionally, the code states that in-app marketing will now need consent from the user, which could significantly impact the market for free apps in the future.

Next steps

The code will be circulated for consultation until 4 March 2020 and the final version is expected to be published later this year.

John Mitchison
Data & Marketing Association
Director of Policy and Compliance


The DMC sets out its position for cases where Legitimate Interest is presented as the basis for marketing activity

6th January, 2020

The Data & Marketing Commission has had complaints relating to direct mail and telephone marketing where the activity was based on a Legitimate Interest rationale. This is permissible under ICO guidance, and the DMA and others have also issued guidance. The complaints received prompted an assessment of the practices seen in terms of the DMA Code, looking in particular at the timeframes in which data might be used and what might be considered ‘fair and reasonable’, a key Code provision. The assessment did not result in any formal adjudications but we will use this set of conclusions in considering any future complaints:

  • Direct Marketing, in particular for post and telephony, will often be practised under the grounds of Legitimate Interest, as is provided for in law and supporting guidance.
  • The DMC believes the reasoning behind a wholly consistent approach to timeframes for use of data, irrespective of the basis on which it is used, is sound and unexceptional.
  • In the light of some evidence seen, the DMC believes there is a need to address parameters for the use of data for marketing purposes. It believes this will be valuable to businesses wishing to use Legitimate Interests and, therefore, required to carry out a Balancing Test.
  • Whilst the DMA guidance on the minimum standards of the lifetime of consent was levered towards the grounds for Consent, the DMC intends to use the same guidance applied to the grounds for Legitimate Interest for both third party and first party processing activity.
  • This means the DMC intends the six- and 24-month standard set out in DMA guidance for the valid use of Consent* (see below) to market to apply equally to marketing based on Legitimate Interests.
  • These time periods are for guidance and it will be up to individual users of data to consider, justify and record any applicable valid reasons for extending the time period. These could include an annualised product purchase cycle, such as in travel, insurance or utilities.
  • When considering data used under a legitimate interest purpose that is coming to the end of a valid lifetime period, the new legitimate interest assessment should treat the time since the original personal data point was captured as a key factor in the assessment.
  • Building on this move to alignment over the timeframes for marketing based on Consent or a Legitimate Interest, the DMC thinks it is right that there should be broad consistency in relation to how data subjects can exercise a right to opt out of marketing.
  • The DMC believes marketing activity based on Legitimate Interest should make clear how people can ask to stop the unwanted mailings. That explanation should be prominent and the process should be as simple to use as possible. Wherever possible the DMC would expect a request to be removed for marketing lists operated under the Legitimate Interest rationale, i.e. it should go to the entity providing this data to third parties. That is to say, the consumer should not have to make repeated opt-out requests to individual marketeers. Their wish should be actioned by the originator of the data.

DMA guidance on consent timescales *

The DMA advises its members to adhere to these minimum standards on the lifetime of consent:

  • For third-party data: telephone, email, SMS; the maximum time that consent can remain valid is six months after initial collection or any other positive contact
  • For third-party postal marketing: the maximum time consent can remain valid is 24 months after initial collection or any other positive contact
  • For all first-party data: telephone, email, SMS and post; the maximum time that consent can remain valid is 24 months after initial collection or any other positive contact

The timeframes run from either the initial collection or further positive contact with the customer.
