After initially issuing a call for views in December 2018, the ICO has now published the draft of its new direct marketing code of practice and has launched a consultation requesting input from across the industry. The consultation is open until 4 March 2020.
This is a statutory code of practice prepared under the Data Protection Act 2018 and aims to provide practical, applied guidance on carrying out direct marketing. As with all codes of practice, it does not have the absolute force of law; it adds context to the legislative requirements and sets out the ICO’s view of best practice. Nevertheless, the ICO will expect companies to follow this guidance in order to evidence compliance with GDPR and the Privacy and Electronic Communications Regulations 2003 (“PECR”).
Importantly, the code of practice makes it explicit that “direct marketing” is considered extremely broadly by the ICO and includes all processing activities that lead up to, enable or support the sending of direct marketing.
The code is structured to cover planning of direct marketing and data protection by design, guidance on specific direct marketing activities and on individuals’ rights in the context of direct marketing. Although much of the guidance restates the position required by law, there are a number of areas that go further and represent the ICO’s proposed positions. Organisations should particularly note:
- where an organisation collects personal data from sources other than the applicable individual (for example, through public sources), the organisation must provide privacy information (including the details of the personal data that has been obtained and the source of that data) to the relevant individual within a reasonable period of obtaining the data, and no later than one month from the date of collection;
- when making use of data on the basis of consent collected by a third party, it is recommended that companies do not rely upon any such consent that was given more than 6 months ago – this means that processes will need to be in place to periodically refresh such consents. This period is proposed by the ICO within this guidance and not required by law – the frequency of consent refresh was removed from the final draft of the GDPR (previously having been proposed as a 2-year interval). As such, organisations may wish to question this shortened period within any consultation response given that this is likely to create a particularly onerous compliance requirement;
- further, the code explicitly reinforces that the company using the data for the applicable purposes is responsible for compliance under GDPR/PECR; where an organisation makes use of bought or rented direct marketing lists, including lists obtained from a third party data broker, relying on assurances from that third party is not sufficient (even if those assurances are given contractually) – you must be able to demonstrate your own compliance, undertake proportionate due diligence and conduct regular audits of that due diligence;
- data enrichment is specifically identified as an activity that needs to be carefully considered, with certain actions such as data matching or appending specifically noted as being unlikely to be compliant (for example, purchasing additional contact information for your customers, even where you have consent from those customers to use the details they have provided to you – the customer would need to consent separately to you holding this extra information);
- tracing an individual in order to send direct marketing to their new address is unlikely to be justified (unless you have evidence to show that the individual expected their updated contact details would be shared); and
- a specific section of the guidance is dedicated to online advertising and new technologies (including geotargeting, the use of mobile advertising IDs and facial recognition/detection) which:
  - identifies additional types of data that may be collected by companies above those specifically provided by the data subject, namely ‘observed data’ (being data obtained via observing a data subject’s interactions with or use of technology) and ‘inferred data’ (being data that is inferred or derived from data which has been provided or observed);
  - includes a more nuanced analysis of the use of social media platform tools such as custom audiences and lookalike audiences, with a particular focus on the requirement for transparency when obtaining consent from end users to use data in this way;
  - states that it is highly likely that any company making use of online advertising or new technologies will require a DPIA; and
  - gives limited examples of the types of due diligence questions that would be considered appropriate when making use of these new technologies.
So what does this mean for you?
At the moment, this remains a draft code of practice pending completion of the consultation and, as such, there is no specific action to take as a direct result. However, this draft shows the ICO’s direction of travel and it seems unlikely to change dramatically. Further, the vast majority of its contents reflect what is already considered best practice. As such, although organisations should watch this space for the final version, it may be useful to start gathering information about current practices and begin considering the changes that may be required to meet the new guidance.
Certain elements of this guidance represent positions that are more restrictive or prescriptive than those required by law. As such, we would recommend that organisations carefully review these positions in particular and comment accordingly as part of the consultation.
Off the back of the revised code, the ICO also intends to produce practical tools (such as checklists) to help support organisations in their direct marketing activities, so keep an eye out for these as well.
If you wish to be part of the consultation, you can participate here.