On 8 January 2020, the UK’s Information Commissioner’s Office (ICO) published a draft Direct Marketing Code of Practice (Draft Code) for public consultation. The Draft Code is intended to update existing guidance published pre-GDPR and provide clarity on certain important issues.
Summarised below are the key takeaways from the Draft Code:
Service messages: According to the Draft Code, consent is not required under the Privacy and Electronic Communications Regulation (PECR) where an organisation sends service or operational messages to individuals (e.g., a message informing a user they are approaching their monthly data limit). When determining whether a communication is a service message, key factors such as the tone, phrasing and context of the message will be taken into consideration. Importantly, an organisation will not avoid the direct marketing rules by using a neutral tone. For example, a message from a supermarket chain sent to an individual saying ‘Your local supermarket stocks carrots’ is clearly still promotional despite the use of a neutral tone. The ICO confirms that where a service message includes promotional elements the marketing rules apply, even if promotion is not the primary purpose for the message.
Dual branding promotion: Where an organisation partners with a third party to deliver electronic communications, both parties will need to comply with PECR irrespective of whether each has access to the data used. The ICO gives the example of a supermarket sending out a marketing email promoting a charity it supports. Although the supermarket is not passing customer contact details to the charity, both the supermarket and the charity need to ensure customers have provided valid consent to receive direct marketing in relation to the charity.
Data protection impact assessment (DPIA): Where an organisation wants to carry out ‘large scale profiling’, ‘wealth profiling’ or target children for marketing profiling, then a DPIA must be completed before the commencement of such activities. In addition, the ICO requires that DPIAs be carried out before commencing any major new project involving the use of personal data, and when using new technology, profiling, data matching, invisible processing, location data or the behaviour of individuals (for example, online advertising, web and cross-device tracking, tracing services), or when running loyalty schemes. In carrying out DPIAs in a marketing context, organisations must be able to: (i) describe the nature, scope, context and purposes of the processing; (ii) assess necessity, proportionality and the compliance measures in place; (iii) identify and assess risks to individuals; and (iv) identify any additional measures to mitigate those risks. The ICO suggests that it is likely that all direct marketers will need to carry out a DPIA and that this will bring financial and reputational benefits and build trust with individuals.
Lawful basis for direct marketing: The two lawful bases for direct marketing under the GDPR are consent and legitimate interests. However, the Draft Code confirms that if consent is required under PECR, it will also be the relevant legal basis under the GDPR.
- Obtaining consent: According to the ICO, it is good practice to obtain GDPR-standard consent for all direct marketing regardless of whether PECR requires consent.
- Duration of consent: The Draft Code states that organisations that obtain consent from individuals via a third party can only rely on such consent provided it was obtained from the individual within the prior six months.
- Processing special category data: According to the Draft Code, it is likely that the only Article 9 condition available under the GDPR will be the ‘explicit consent’ of the individual for special categories of data, such as race, religion or health. However, the Draft Code explains that Article 9 will not be triggered by simply holding a list of customer names, even if those names are associated with a particular ethnicity or religion, unless an organisation specifically targets marketing based on that inference. The ICO further notes that organisations are unlikely to be able to use facial recognition technology to display direct marketing to specific individuals in a manner that is compliant with the fair and lawful processing principle under the GDPR.
According to the ICO, it is unlikely that legitimate interests can be relied upon for intrusive profiling, tracing, and/or the use of ‘list-based’ targeting tools or ‘audiences’, as it would be difficult to meet the three-part test of the legitimate interest basis. These three points are (i) identifying a legitimate interest behind the processing (the ‘purpose’ test); (ii) showing that the processing is necessary to achieve that purpose (the ‘necessity’ test); and (iii) balancing the legitimate interest against the individual’s rights (the ‘balancing’ test).
Making service conditional on direct marketing: The Draft Code states that, in most cases, it is unlikely that an organisation can make the provision of a service/product conditional on an individual providing their consent for direct marketing (e.g., a train service making the provision of passenger wifi conditional on the receipt of consent for direct marketing). However, the ICO states that there are exceptions, for example, retail loyalty schemes operated for the purposes of sending members promotional offers.
Tell-a-friend scheme: According to the Draft Code, these schemes are in breach of PECR because it is impossible for the organisation to obtain valid consent from the “friend” i.e., the organisation does not have a direct relationship with the “friend”.
Personal data collected from a third party: According to the Draft Code, organisations must still provide data protection notices to individuals where they have obtained their personal data from a third party (including publicly available personal data). Where an organisation buys data from a vendor it can send out the data protection information alongside the marketing materials. The Draft Code states that, in some circumstances, organisations may rely on the exemption from providing a notice where giving a notice would involve disproportionate effort (Article 14(5)(b) of the GDPR). For example, if the processing has a minor effect on the individual then it may be disproportionate to put significant resources into informing individuals. However, the ICO further states that organisations are unlikely to be able to rely on this exemption where they are collecting personal data from various sources to build an individual’s profile of interests and characteristics for direct marketing purposes. This point was recently considered by Poland’s data protection authority when it issued a fine against a company that aggregates personal and other data from publicly available documents and registers for failing to inform more than 6 million individuals that it was processing their data, in effect breaching the GDPR’s obligation to inform. In handing down its decision, the Polish data protection authority rejected the company’s argument that fulfilling its information obligations towards certain data subjects would result in a ‘disproportionate effort’, as sending a data protection notice by post, or by telephone, was not an ‘impossible’ activity and does not require a ‘disproportionately large effort’ in a situation where the company already had a database containing such contact details.
Cookies: If pixels or similar technologies are incorporated in email marketing messages then consent will be required under Regulation 6 of PECR (i.e., the cookie consent rule). Separate consent will need to be obtained for the sending of the email marketing communication.