The ICO has published a draft Code of Practice on Direct Marketing. The Code is out for consultation and will replace the previous ICO guidance on Direct Marketing.
The Code is a statutory code of practice and as such must be taken into account by the ICO when assessing compliance with direct marketing obligations under the GDPR[1] and/or PECR[2]. It can also be used as evidence in court proceedings. It applies to all organisations which process personal data for direct marketing purposes and so covers charity fundraising as well as the commercial promotion of goods and services.
The Code runs to some 121 pages. Much of its contents will be familiar to those well versed in direct marketing regulation but it provides welcome clarification on a number of knotty issues, while arguably applying a fairly strict interpretation of the rules in many places. It also seeks to shed light on how direct marketing legislation applies to “new technologies” including the use of “lookalike audiences” on social media and facial recognition or detection.
This Code is essential reading for those involved in direct marketing – in this blog we provide a snapshot of some of the key issues covered.
Direct marketing purposes
The Code emphasises that processing for “direct marketing purposes” includes not only the sending of direct marketing communications such as marketing emails but all processing activities that lead up to or enable the sending of the communications. This would include trying to generate leads by sending mass messages even if these messages do not contain any sales or promotional material – so an email to contacts asking them to consent to future marketing will count as a direct marketing communication.
Service messages
The Code discusses the boundary between “service messages” (i.e. communications sent for administrative or customer service purposes) and direct marketing messages. This is relevant because a genuine service message is not a marketing message and therefore falls outside the scope of the rules on direct marketing. In determining which side of the line a communication falls, the Code states that a key factor is likely to be the “phrasing, tone and context.” If a message is actively trying to encourage a person to make use of a new service that is available to them, this is likely to be direct marketing, whereas a more factual communication which “has a more neutral tone” is more likely to fall on the right side of the line as a service message.
Public sector communications
The Code clarifies that public sector bodies are also bound by the rules on direct marketing, where they use marketing or advertising to promote their interests even where those interests may be to fulfil statutory functions. The Code uses the example of GP practices sending text messages to patients inviting them to a healthy eating event or a regulator sending an email to individuals promoting its new online complaints tool – both practices are classed as direct marketing. The ICO casts the net quite widely in this context, even categorising the following text message relating to flu vaccines as direct marketing:
“Our flu clinic is now open. If you would like a flu vaccination please call the surgery on [ ] to make an appointment.”
Such a wide interpretation could significantly impact the ability of medical services to reach those who need them by text or email, if prior consent is needed for messages of this nature.
Data protection by design
The Code looks at accountability and stresses the importance of planning direct marketing activities before you start! It contains (at page 26) a helpful checklist of questions that organisations should ask themselves before launching a direct marketing campaign.
“It is hard to retrofit GDPR and PECR into your direct marketing activities once you have started the processing”.
Unhelpfully for charities and others involved in joint fundraising promotions, the Code adopts a wide interpretation of the remit of PECR for joint marketing campaigns. It cites the example of a supermarket supporting a charity at Christmas by sending out a marketing email to its customers promoting the charity’s work. In this case the Code states that although the supermarket is not passing the contact details of its customers to the charity, it needs to have obtained consent from its customers to receive direct marketing promoting the charity. Corporates working with charities will therefore need to ensure that they have consent from their customers to receive electronic marketing in connection with their corporate social responsibility activities.
Lawful bases for direct marketing
The Code explores which lawful bases are most likely to be relevant to processing for direct marketing purposes. It recommends as good practice that organisations obtain consent for all their direct marketing regardless of whether PECR requires it or not. While this may represent a lofty ambition of the ICO’s, implementing this recommendation would have significant implications for organisations, many of which are already dealing with drop-offs in consent since GDPR came into effect.
In considering Legitimate Interests as a lawful basis, the Code helpfully says that the fact that the GDPR states that direct marketing “may be regarded” as a legitimate interest (in Recital 47) is likely to help organisations demonstrate the purpose test, as long as the marketing is carried out in compliance with relevant laws and standards. However in carrying out a balancing test, organisations are urged to avoid giving undue weight to presumed benefits to individuals of receiving marketing. Also it is important to remember that legitimate interests cannot be used as an alternative to consent in relation to electronic marketing messages apart from when an organisation can rely on the soft opt-in exception.
The Code emphasises that if organisations wish to process special category personal data for direct marketing purposes, in reality, the only condition available for processing is explicit consent. This would include profiling individuals for direct marketing purposes, on the basis of, for instance, their ethnicity, politics or sexual orientation.
The Code helpfully reiterates the point in the ICO’s guidance on Special Category Personal Data that simply holding a list of names (where those names are associated with a particular ethnicity or religion) is not in and of itself processing special category personal data unless you specifically target individuals on the basis of inferences you have made about them from the list.
How to tell people about using their data for direct marketing
The ICO outlines reasonably stringent requirements in relation to how organisations explain to individuals that their personal data is being processed for direct marketing purposes. For instance the Code cites the example of a charity explaining to supporters that it is carrying out profiling. When carrying out financial profiling, organisations should be explaining to supporters that they want to profile their financial standing to decide who has capacity to donate more money or who might leave a legacy. Using vaguer wording about assessing the likely donations that will be received in the future is not clear enough.
Online advertising and new technologies
The Code explores how new technologies are impacted by the rules on direct marketing and in particular examines how the rules can be applied to direct marketing activities on social media. The Code provides that:
- Direct messaging on a social media platform such as Facebook will be treated as electronic mail and so will need consent under PECR.
- When targeting individuals through the use of “audience” tools (i.e. tools that allow you to display direct marketing to users of the social media platform) it is likely that you will need consent of the individuals whose data is being processed. You will also need to tell them about your use of audience tools on social media in your privacy notice.
- If an individual objects to you using their personal data for direct marketing purposes, you cannot then target them on social media using audience tools or otherwise.
- If you are marketing to a “lookalike audience” (i.e. an audience made up of individuals that you have not previously engaged with, but who look like your list-based audience, perhaps because of similar interests or characteristics) you need to ensure that the social media platform has provided the necessary transparency information to individuals. The Code stops short of saying that consent is needed here, reflecting the practical difficulties of obtaining such consent.
This Code, once it comes into force, is likely to become a heavily thumbed guide for those engaged in marketing and fundraising activities. Organisations have the opportunity to respond to the draft Code to petition for any changes to the draft. The consultation closes on 4th March.
Bates Wells will be preparing a response to the draft Code. We will also be discussing the Code at our roundtable for charities – “Tricky Issues in Data Protection” on 13th February.
If you would like to input into our response, have any questions on the Code or would like to attend our roundtable, please contact Mairead O’Reilly at [email protected]
[1] General Data Protection Regulation 2016
[2] Privacy and Electronic Communications (EC Directive) Regulations 2003