ICO publishes new draft Code on Direct Marketing

Posted on 28 January 2020

The ICO has published a draft Code of Practice on Direct Marketing. The Code is out for consultation and will replace the previous ICO guidance on Direct Marketing.

The Code is a statutory code of practice and as such must be taken into account by the ICO when assessing compliance with direct marketing obligations under the GDPR[1] and/or PECR[2]. It can also be used as evidence in court proceedings. It applies to all organisations which process personal data for direct marketing purposes and so covers charity fundraising as well as the commercial promotion of goods and services.

The Code runs to some 121 pages. Much of its contents will be familiar to those well versed in direct marketing regulation but it provides welcome clarification on a number of knotty issues, while arguably applying a fairly strict interpretation of the rules in many places. It also seeks to shed light on how direct marketing legislation applies to “new technologies” including the use of “lookalike audiences” on social media and facial recognition or detection.

This Code is essential reading for those involved in direct marketing – in this blog we provide a snapshot of some of the key issues covered.

Direct marketing purposes

The Code emphasises that processing for “direct marketing purposes” includes not only the sending of direct marketing communications such as marketing emails but all processing activities that lead up to or enable the sending of the communications. This would include trying to generate leads by sending mass messages even if these messages do not contain any sales or promotional material – so an email to contacts asking them to consent to future marketing will count as a direct marketing communication.

Service messages

The Code discusses the boundary between “service messages” (i.e. communications sent for administrative or customer service purposes) and direct marketing messages. This is relevant because a genuine service message is not a marketing message and therefore falls outside the scope of the rules on direct marketing. In determining which side of the line a communication falls, the Code states that a key factor is likely to be the “phrasing, tone and context.” If a message is actively trying to encourage a person to make use of a new service that is available to them, this is likely to be direct marketing, whereas a more factual communication which “has a more neutral tone” is more likely to fall on the right side of the line as a service message.

Public sector communications

The Code clarifies that public sector bodies are also bound by the rules on direct marketing, where they use marketing or advertising to promote their interests even where those interests may be to fulfil statutory functions. The Code uses the example of GP practices sending text messages to patients inviting them to a healthy eating event or a regulator sending an email to individuals promoting its new online complaints tool – both practices are classed as direct marketing. The ICO casts the net quite widely in this context, even categorising the following text message relating to flu vaccines as direct marketing:

“Our flu clinic is now open. If you would like a flu vaccination please call the surgery on [ ] to make an appointment.”

Such a wide interpretation could significantly impact on the ability of medical services to access those who need them by text or email – if prior consent is needed for messages of this nature.

Data protection by design

The Code looks at accountability and stresses the importance of planning direct marketing activities before you start! It contains (at page 26) a helpful checklist of questions that organisations should ask themselves before launching a direct marketing campaign.

“It is hard to retrofit GDPR and PECR into your direct marketing activities once you have started the processing”.

Unhelpfully for charities and others involved in joint fundraising promotions, the Code adopts a wide interpretation of the remit of PECR for joint marketing campaigns. It cites the example of a supermarket supporting a charity at Christmas by sending out a marketing email to its customers promoting the charity’s work. In this case the Code states that although the supermarket is not passing the contact details of its customers to the charity, it needs to have obtained consent from its customers to receive direct marketing promoting the charity. Corporates working with charities will therefore need to ensure that they have consent from their customers to receive electronic marketing in connection with their corporate social responsibility activities.

Lawful bases for direct marketing

The Code explores which lawful bases are most likely to be relevant to processing for direct marketing purposes. It recommends as good practice that organisations obtain consent for all their direct marketing regardless of whether PECR requires it or not. While this may represent a lofty ambition of the ICO’s, implementing this recommendation would have significant implications for organisations many of which are already dealing with drop offs in consent since GDPR came into effect.

In considering Legitimate Interests as a lawful basis, the Code helpfully says that the fact that the GDPR states that direct marketing “may be regarded” as a legitimate interest (in Recital 47) is likely to help organisations demonstrate the purpose test, as long as the marketing is carried out in compliance with relevant laws and standards. However in carrying out a balancing test, organisations are urged to avoid giving undue weight to presumed benefits to individuals of receiving marketing. Also it is important to remember that legitimate interests cannot be used as an alternative to consent in relation to electronic marketing messages apart from when an organisation can rely on the soft opt-in exception.

The Code emphasises that if organisations wish to process special category personal data for direct marketing purposes, in reality, the only condition available for processing is explicit consent. This would include profiling individuals for direct marketing purposes, on the basis of, for instance, their ethnicity, politics or sexual orientation.

The Code helpfully reiterates the point in the ICO’s guidance on Special Category Personal Data that simply holding a list of names (where those names are associated with a particular ethnicity or religion) is not in and of itself processing special category personal data unless you specifically target individuals on the basis of inferences you have made about them from the list.

How to tell people about using their data for direct marketing

The ICO outlines reasonably stringent requirements in relation to how organisations explain to individuals that their personal data is being processed for direct marketing purposes. For instance the Code cites the example of a charity explaining to supporters that it is carrying out profiling. When carrying out financial profiling, organisations should be explaining to supporters that they want to profile their financial standing to decide who has capacity to donate more money or who might leave a legacy. Using vaguer wording about assessing the likely donations that will be received in the future is not clear enough.

Online advertising and new technologies

The Code explores how new technologies are impacted by the rules on direct marketing and in particular examines how the rules can be applied to direct marketing activities on social media. The Code provides that:

Direct messaging on a social media platform such as Facebook will be treated as electronic mail and so will need consent under PECR.
When targeting individuals through the use of “audience” tools (i.e. tools that allow you to display direct marketing to users of the social media platform) it is likely that you will need consent of the individuals whose data is being processed. You will also need to tell them about your use of audience tools on social media in your privacy notice.
If an individual objects to you using their personal data for direct marketing purposes, you cannot then target them on social media using audience tools or otherwise.
If you are marketing to a “lookalike audience” (i.e. an audience made up of individuals that you have not previously engaged with, but who look like your list based audience, perhaps because of similar interests or characteristics ) you need to ensure that the social media platform has provided the necessary transparency information to individuals. The Code stops short of saying that consent is needed here, reflecting the practical difficulties of obtaining such consent.

This Code, once it comes into force is likely to become a heavily thumbed guide for those engaged in marketing and fundraising activities. Organisations have the opportunity to respond to the draft Code to petition for any changes to the draft. The consultation closes on 4^th March.

Bates Wells will be preparing a response to the draft Code. We will also be discussing the Code at our roundtable for charities – “Tricky Issues in Data Protection” on 13^th February.

If you would like to input into our response, have any questions on the Code or would like to attend our roundtable please contact Mairead O’Reilly at [email protected]

[1] General Data Protection Regulation 2016

[2] Privacy and Electronic Communications (EC Directive) Regulations 2003

Bates Wells Impact Report 2022

It’s been another busy year at Bates Wells and we continue to live through interesting times. Martin Bunch, our Managing …

3 things you must do to ensure your organisation complies with Data Protection rules following relaxation of Covid-19 measures

During the past two years of the Covid pandemic, a lot of extra personal data would have been collected. While …

UK International Data Transfers – What’s Changed and What Now?

The UK’s new international data transfer mechanisms: the International Data Transfer Agreement and Addendum to the EU Standard Contractual Clauses …

Bates Wells Impact Report 2022

The story so far – extraordinary times, amazing people. Visit our new microsite to learn more. As a B Corp, …

Data Protection – burden or opportunity?

Eleonor Duhs, our head of Data Privacy, takes a look at how data privacy is rapidly becoming a human rights …

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Functional

Performance

Analytics

Others