ICO draft code for direct marketing

  • by Dan Martin
  • 04/03/2020

Today is the consultation deadline for comments on the ICO's new draft code of conduct for direct marketing. The code is being put together to bring guidance on practice up to speed with the relevant applicable legislation like GDPR, and it also has an eye on the future of PECR.

If you engage in direct marketing activity, whatever the final code looks like, it will apply to you so it's worth getting a head start on what is likely to be contained. The report can be found here: https://ico.org.uk/media/about-the-ico/consultations/2616882/direct-marketing-code-draft-guidance.pdf

It's 124 pages long, but the summary at the top is only 4 pages and gives a good steer for those wanting the essence without all the technical detail.

There are a few key highlights that you may want to look at. In my opinion these will, should they become part of the code, have a notable effect on what you are expected to do around personal data.

The code is explicit about data enrichment and how it applies to direct marketing and your data protection obligations. For instance, if you use non-personal data to infer something about someone - let's say affluence based on postcode - then connect that inference with the person's data, then it becomes personal data. This seems reasonable, but the depth and breadth of how this might apply is where things get interesting.

Under GDPR, cookie data is now classified as personal data. So what if you run a cookie-based remarketing campaign, overlaying geo-data to reach a more appropriate audience for your product or service? If the person does not know this, and would not reasonably expect you to do this, then the GDPR obligations around transparency and whether the person has consented in an informed manner may well apply.

Online advertising technologies are also pulled out into their own section. One of the notable elements is whether people you may be marketing to understand those technologies. It says "Individuals may not understand how non-traditional direct marketing technologies work..." and "Individuals are unlikely to understand how you target them with marketing on social media so you must be upfront about targeting individuals in this way."

This seems to be something of a blanket approach. Surely whether someone understands how they might be targeted is directly connected to the targeting being used and their general familiarity with the fact this kind of thing is commonplace in marketing. Regulating and guiding online advertising has long been out of step with the pace of the market, and while this part of the code may bring some extra detail in this area, there are still levels below it.

And then there is the fact that, with the practice of behavioural and programmatic advertising, sometimes the advertiser themselves may not even know how the recipient has been targeted! So, this will be one to watch.

Finally, there is the guidance that "the right to object to direct marketing is absolute." Of course, this has been part of the direct marketing business for ages, but the question of how feasible this is to manage in a digital landscape where many activities are now classified as direct marketing is tricky. Your advertising may use dozens or even hundreds of cookies. With so many catchment possibilities, how do you reliably stop one of them serving an ad to a person that has written to you to opt out of everything? And do you have the right to use the person's personal data to upload a screening list to the digital platforms you use for advertising? These are more questions that will need examining practically.

We've put in our comments of course, and so have many other industry practitioners. It will be interesting to see the next proposed version of the code.

The latest from WPNC

Stay up to date

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.