The ICO announced in June 2019 that organisations operating in the advertising industry had six months to review their processes, systems and documentation to ensure they are compliant with data privacy laws. The transition period has now lapsed and on January 17 2020 the ICO warned AdTech companies “who have ignored the window of opportunity to engage and transform” that they “must now prepare for the ICO to utilise its wider powers”. The Direct Marketing Code of Practice (the Code), which is currently out for consultation, has made it clear that companies who fail to follow the Code will find it difficult to demonstrate compliance with the GDPR (General Data Protection Regulation) and PECR (Privacy and Electronic Communications (EC Directive) Regulations 2003). We have summarised the Code to help you understand when it applies and the best practices you should follow to ensure you meet the standards required.
Purpose of the Code
The purpose of the Code is to provide guidance to organisations on how to apply data protection principles to direct marketing. The GDPR is not prescriptive and it is the responsibility of data controllers and processors to be accountable and transparent to ensure that all their processing of personal data is fair and lawful. The Code summarises the key parts of GDPR and PECR that apply to direct marketing and provides best practices for organisations.
When does the Code apply?
The Code applies to organisations that process data for direct marketing purposes. This means any advertising or marketing material that is directed to an individual, including the promotion of aims and ideals. It covers all processing activities that lead up to, enable or support direct marketing. However, it does not cover solicited requests, blanket advertising or genuine service messages.
Who is responsible?
- The controller is responsible for ensuring that direct marketing is compliant with the GDPR and PECR and must choose a processor that has appropriate technical and organisational measures in place.
- Where there are joint controllers, it should be decided at the outset who is ultimately responsible for compliance, but this will not relieve either controller of any of its obligations.
- If you are part of a dual branding campaign, you must still comply with the controller’s obligations under the GDPR and PECR even if you have no access to any data.
Key themes
You should consider data privacy from the start of any project and build in measures to ensure you can comply with the key data protection principles. The following three themes are prominent throughout the Code:
- Greater complexity equals more responsibility: The Code makes it clear that the more complicated a technology used to collect or target individuals for direct marketing is, the greater the responsibility an organisation has to ensure that their processing is fair and understood by data subjects.
- Transparency: A general consent for direct marketing is not sufficient. Organisations should be as specific as possible about how data will be used for direct marketing and should give customers the right to consent (or object) to the specific purposes. If a data subject objects to direct marketing, their data cannot be used to assist with direct marketing to other data subjects.
- Accountability: It is important to carefully plan and carry out the necessary assessments at the start of any direct marketing campaign to ensure you know what type of data that you are collecting and have documented your reasons for processing correctly. In all communications on any channel, it is important that the data subject knows who you are and how they can find out more about your processing of their personal data.
We have summarised the key take home messages from the Code into 6 questions to be considered when planning your direct marketing projects. To find out more information please see the full Direct Marketing Code of Practice or contact a member of the Simmons & Simmons team.
Practical tips
1. What is your lawful basis for processing?
- Consent is recommended in the Code as the best practice basis for processing as it gives individuals choice and control over whether they receive marketing messages. You must meet the GDPR standard for consent and keep appropriate records of the consents you obtain.
If you are relying on consent, the key question to ask is whether it is still reasonable to treat that consent as an ongoing indication of an individual’s wishes. Consent is the only lawful basis you can rely upon if you are processing special category data or carrying out the following activities:
- “Live” phone calls to any TPS/CTPS registered numbers or to any person who has objected to your phone calls
- Automated phone calls
- Emails, texts, in-app/platform messaging to individuals where no soft opt-in has been put in place
- Legitimate Interests: The Code states that legitimate interests may be used when you are willing to take control of protecting individuals’ interests and the processing does not involve one of the activities (listed above) for which consent must be obtained.
- Contractual Relationship: If consent is not required and you have a contract with the individual, you may be able to rely on your contractual relationship as the basis for the marketing activity to the extent it is necessary for the performance of that contract. However, this basis cannot be relied upon if the marketing activity is merely necessary to maintain your business model, or because you have included the fact that you will process data for direct marketing within your terms and conditions.
2. How will you collect the contact details?
- There are a number of ways to collect information about individuals such as:
- Directly from the individual
- From third parties
- By using publicly available sources.
- Regardless of how the data is collected, you must provide individuals with a GDPR compliant privacy notice at the time of collection or, when you receive information from third parties, within a reasonable time after you receive the information. There are limited exceptions to this requirement, but they are unlikely to apply in a direct marketing context and it is considered good practice to provide the policy in any event.
- You should undertake a proportionate due diligence exercise and should not rely on third party assurances. The lists must be screened against your own suppression lists.
3. How can you use profiling or data enrichment for direct marketing?
- Data profiling: You can use profiling for direct marketing, but you must comply with the direct marketing rules. If you are using data profiling information to make decisions about data subjects, you must also comply with the applicable rules on automated decision making. The rules on automated profiling are likely to apply when targeting vulnerable groups, children or when using profiling to price out individuals (e.g. offering them a much higher price than other people). If these circumstances apply you can only profile with the individual’s explicit consent.
- Data enriching: If considering enriching data you need to consider what you previously told individuals about how and if you would use third party data or public sources to create a profile on them. It is unlikely that individuals would anticipate that you will seek to learn more about them. For example, buying additional contact details to combine with information you already hold on an individual (such as a phone number to match an address) is unlikely to be considered fair, as it takes away an individual’s choice as to how they are contacted.
- Data cleansing: Using data cleansing services that remove deceased records and out of date contact details will assist with complying with the GDPR principles of accuracy and data minimisation.
- Data tracing: Using a data tracing service is unlikely to be compliant (unless an individual has clearly consented to you doing so), as this removes an individual’s choice to tell you their new contact details. It may be considered reasonable to use alternative contact details an individual has provided to you to remind them how to keep their details updated with you, but careful consideration should be given to check this contact is fair, lawful and transparent.
4. How will you send the direct marketing message?
- GDPR rules apply and are the same no matter what method you choose to communicate with people. PECR obligations change depending on the type of direct marketing:
- By Post: If the post is directed to ‘the householder’ and the individual is not named, it is unlikely to constitute direct marketing. However, if you process an individual’s data to target them and then anonymise the name this will be direct marketing. When direct marketing by post ensure individuals know that you intend to use their data in this way and screen the list of people against your suppression list. You must also provide a method for people to object to the direct marketing.
- By Live Calls: When live calling you must ensure you do not call numbers registered with the Telephone Preference Service or the Corporate Telephone Preference Service or anyone who has objected to you calling, unless you have their consent. You must also say who is calling, allow your number to be displayed to the person receiving the call and must provide contact details of a Freephone number if asked. There are strict rules in relation to call management schemes and pension scheme calls.
- Automated Calls: You may only process data for automated calls if you have consent specifically for this type of processing. You must provide the same information as you would for live calls. If purchasing a consented list of individuals, you must undertake appropriate due diligence in relation to those individuals.
- Electronic Mail (including email and texts): Generally, consent is required unless the soft opt-in exception applies. In any instance a valid way to unsubscribe must be provided to individuals, for example an address or Freephone number for individuals to contact. Additional rules apply if you are using tracking pixels.
- Corporate Subscribers: GDPR still applies to corporate direct marketing to the extent that you are processing personal data. PECR applies when you are carrying out direct marketing by live or automated call, or fax. PECR does not apply to marketing by electronic mail, but you must still provide a valid email address to allow individuals to unsubscribe. Also you should note that sole traders and certain partnerships are not classified as corporate subscribers under PECR so may benefit from greater protections.
- PECR and GDPR still need to be considered when using third parties or individuals to send direct marketing messages on your behalf.
5. Will you use online advertising or new technologies?
Individuals may not understand how new technologies work so it is particularly important to be clear and transparent about what you intend to do with this data.
Cookies
- If you use cookies or similar technologies for direct marketing purposes you must inform users and obtain GDPR standard consent. As this consent must be freely given it is advised that you should be careful if considering putting up a ‘cookie wall’ that prevents users from accessing content if they do not consent.
- Consent for cookies cannot be bundled up with the agreement to use the platform unless the use of cookies is considered necessary for that service, for example cookies used to track the items a user adds to a shopping basket through to payment.
Social Media
- To meet GDPR requirements you must be very clear about what information you are using and why. This can be difficult when direct marketing on social media platforms, as personal data is frequently collected from multiple different sources. Direct marketing on social media is not covered by PECR, unless you use a social media platform’s direct messaging functions.
- If you are matching information provided to you by users against lists of individuals (an “audience”) provided by social media platforms, you must clearly state that the personal data collected will be used for this specific purpose and must not use it for this purpose if the user objects.
- If you share personal data about your users with a social media platform, to create a new audience to target with your adverts (a ‘lookalike’ audience), it is likely you will be considered to be a joint controller with the platform and must ensure all your GDPR and PECR obligations are met. You must inform users who have provided information to you that you will process their data to create lookalike audiences and ensure you have a valid basis to do this. If users have objected to their personal data being used for marketing purposes, it must not be used to create lookalike audiences.
- Where subscription TV providers offer similar audience services to social media platforms, the same rules apply.
Location based Advertising
- You must be clear to data subjects that you are using personal data for location based advertising. It is unlikely that you can rely on legitimate interests for this type of advertising, as it is unlikely to be in people’s reasonable expectations that you will track their location in order to send adverts to them.
- If you are a telecoms service provider there are also specific requirements under PECR that apply. However, these do not generally apply to GPS information collected independently of telecoms service providers or information collected at a local level (such as, businesses offering free Wi-Fi).
Facial Recognition or Facial Detection
- Facial Recognition: It is unlikely that you will be able to use facial recognition for direct marketing, as it is very difficult to meet the requirements of lawfulness, fairness and transparency. Facial recognition also uses biometric data, so if you are using this data you must also have explicit consent for processing.
- Facial detection is not automatically considered special category data, as it is not used to identify a person but to categorise them. However, the GDPR requires that you only process the minimum personal data necessary for your purpose. This means if you could achieve the same outcome using less data (i.e. if there is an alternative way of achieving your aim without using facial detection data) your processing may not be considered compliant.
In-game Advertising: Static in-game adverts where all users receive the same advert will not be considered to be direct marketing. However, if information such as location or time of day is used to tailor the advertising it may be considered direct marketing.
Mobile Apps: Consent is considered the appropriate lawful basis for carrying out any behaviour monitoring using apps. The consent for marketing cannot be bundled into your terms and conditions unless you can demonstrate that the direct marketing is necessary for the provision of your service.
Advertising IDs: Advertising IDs, whilst labelled ‘anonymous identifiers’ are considered an example of “online identifiers” for the purposes of GDPR. This is because they can still be used to track and profile a specific individual even if the name of that person is not known. If you are using advertising IDs you must ensure you know the details of how each platform uses these identifiers and the information they provide to individuals.
Connected Devices – Internet of Things Devices: If personal data is collected by any internet connected device, the GDPR applies. PECR will apply when you are storing or accessing information from a connected device.
6. Will you be selling or sharing data?
- Regardless of how you collect the data, if you intend to sell or share data you must meet the requirements of the GDPR and PECR, even if you will not make a monetary gain from doing so.
- Consent or Legitimate Interests?
- If you are seeking to rely on consent to sell or share data, then you must ensure that the consent specifically applies to the selling or sharing of data.
- You may be able to rely on legitimate interests to share data; these can be your own legitimate interests or those of a third party, provided those interests are not outweighed by the interests and rights of the data subject themselves.
- Once a lawful basis is established, this is permanently tied to that data when it is shared. For example, if data is shared for direct marketing purposes on the basis of consent, then all subsequent processing must also be carried out on the basis of consent. You cannot then rely on legitimate interests to process data that was collected on the basis of consent.
- It is good practice to include a clear and simple opt-out that enables people to object to the selling or sharing of their data. You should also maintain records of how and when you collected data, to ensure you can give assurances to buyers about the data you are selling.
What next?
The consultation closes on 4 March and following this the Code will be finalised and laid before Parliament. Parliament has 40 days to approve the Code and if there is no objection it will be issued by the ICO. The Code will come into force 21 days after it is issued.
Once in force it will be important for companies to ensure that their direct marketing practices are compliant with the Code. Carefully considering and implementing the Code now will ensure that you have the correct measures in place for when the Code comes into force.