The ICO’s much-anticipated draft Direct Marketing Code of Practice just came across our desks. This will replace the Regulator’s Direct Marketing Guidance and will have statutory status once final and published. Adhering to the code will be seen as the measure of your compliance with UK data protection laws. There are many Good Practice Recommendations in the document that should not be ignored unless you have a viable alternative method.
For now it is still a draft, open for consultation until 4th March 2020.
Set out here are a few things that caught our eye from a quick scan. We suspect there will be a lot more hiding in the detail of the 120 pages.
It addresses many of the holes in existing law as well as more advanced marketing techniques such as online behavioural advertising, social media targeting, mobile apps and location-based marketing, as well as the ICO’s other guidance on lawful bases, profiling, cookies, Data Protection Impact Assessments (DPIAs) and so on.
Indirect Personal data collection & right to be informed
Confirmed in the draft is the requirement for an individual to be informed when you haven’t collected personal data directly from that individual (i.e. you obtained it from publicly available sources or a bought-in list). It says: You are unlikely to be able to rely on disproportionate effort in situations where you are collecting personal data from various sources to build an extensive profile of an individual’s interests and characteristics for direct marketing purposes.
This will present a challenge for some list sellers and lead generators. It goes on to say that if you do not actively tell people about your “invisible processing” you must carry out a DPIA before you start.
This is a big red flag item. The ICO says it’s unlikely people will anticipate you are doing this or understand what it is. It says: You are not able to enrich the personal data you hold if you and the third-party (where applicable) did not tell individuals about it.
Furthermore, it says purchasing additional contact details for your existing customers is ‘likely’ to be unfair, unless they’ve expressly agreed.
Refer a Friend Campaigns (Viral Marketing)
As you have no direct contact with the people you are instigating an individual to send direct marketing to, it is impossible for you to collect valid consent. This is therefore a breach of PECR.
Social Media Targeting – List-based Audience
When using “list-based” tools (e.g. Facebook custom audiences or LinkedIn contact targeting), where you upload personal data you already have to the platform (a list of email addresses), you must be transparent and clearly inform people about this processing. If the individual has objected to you using their personal data for direct marketing purposes, you cannot use their data to target them on social media, including by using list-based tools.
Many organisations may currently rely on Legitimate Interests, especially when using hashed lists. It’s not clear why the ICO believes audience tools would not meet the three-part test.
Social Media Targeting – Lookalikes
The ICO recognises activities to find customers that are similar to yours. The code says that while the social media platform undertakes the processing activities, organisations using these are initiating the activity.
The ICO’s conclusion: the organisation and the platform are joint controllers. Organisations should be satisfied the platform has taken all necessary steps to provide appropriate transparency information to people.
With more than 120 pages to the Code, there’s a lot to take in. It remains to be seen what, if any, changes emerge following the consultation.