The ICO’s much-anticipated draft Direct Marketing Code of Practice just came across our desks. This will replace the Regulator’s Direct Marketing Guidance and will have statutory status once final and published. Adhering to the code will be seen as the measure of your compliance with UK data protection laws. There are many Good Practice Recommendations in the document that should not be ignored unless you have a viable alternative method.

Just now it is still a draft and open for consultation until 4th March 2020.

Set out here are a few things that caught our eye from a quick scan. We suspect there will be a lot more hiding in the detail of the 120 pages.

It addresses many of the holes in existing law and more advanced marketing techniques such as online behavioural advertising, social media targeting, mobile apps and location-based marketing, as well as the ICO’s other guidance on lawful bases, profiling, cookies, Data Protection Impact Assessments (DPIAs) and so on.

Indirect Personal data collection & right to be informed

Confirmed in the draft is the requirement for an individual to be informed when you haven’t collected personal data directly from that individual (i.e. you obtained this from publicly available sources or a bought-in list). It says: You are unlikely to be able to rely on disproportionate effort in situations where you are collecting personal data from various sources to build an extensive profile of an individual’s interests and characteristics for direct marketing purposes.

This will present a challenge for some list sellers and lead generators. It goes on to say that if you do not actively tell people about your “invisible processing” you must carry out a DPIA before you start.

Online Advertising

The new draft code says “where cookies and other technologies are used Privacy and Electronic Communications Regulations (PECR) applies”. It also highlights that where you are personalising adverts (based on, for example, an individual’s browsing history) this will be direct marketing. It states: In the vast majority of cases, online advertising involves the use of cookies and similar technologies and therefore PECR applies. Additionally, if you engage in behavioural advertising – for example by personalising adverts on the basis of say an individual’s browsing history, purchase history or login information – this will constitute direct marketing. This is because the decision to target that particular user with a specific advert is based on what you know.

Data Enrichment

This is a big red flag item. The ICO says it’s unlikely people will anticipate you are doing this or understand what it is. It says: You are not able to enrich the personal data you hold if you and the third-party (where applicable) did not tell individuals about it.

Furthermore, it says purchasing additional contact details for your existing customers is ‘likely’ to be unfair, unless they’ve expressly agreed.

Refer a Friend Campaigns (Viral Marketing)

As you have no direct contact with the people you are instigating an individual to send direct marketing to, it is impossible for you to collect valid consent, and this is therefore a breach of PECR.

Social Media Targeting – List-based Audience

When using “list-based” tools (e.g. Facebook custom audiences or LinkedIn contact targeting), where you upload personal data you already have to the platform (a list of email addresses), you must be transparent and clearly inform people about this processing. If the individual has objected to you using their personal data for direct marketing purposes, you cannot use their data to target them on social media, including by using list-based tools.

Many organisations may currently rely on Legitimate Interests, especially when using hashed lists. It’s not clear why the ICO believes audience tools would not meet the three-part test.

Social Media Targeting – Lookalikes

The ICO recognises activities to find customers that are similar to yours. The code says that while the social media platform undertakes the processing activities, organisations using these are initiating the activity.

The ICO’s conclusion: the organisation and the platform are joint controllers. Organisations should be satisfied the platform has taken all necessary steps to provide appropriate transparency information to people.

With more than 120 pages to the Code, there’s a lot to take in. It remains to be seen what, if any, changes emerge following the consultation.