We’ve waited with bated breath but it’s finally here – the direct marketing industry is getting its first code of practice.
The change comes after the Information Commissioner’s Office (ICO) publication of a draft of the new direct marketing code of practice, which gives the industry a legal rulebook to follow rather than just offering guidance.
The code aims to consolidate all the ICO’s previous guidance around GDPR, the Privacy and Electronics Regulation (PECR) and cookies.
Whilst industry bodies such as the Data & Marketing Association have issued guidance, as a marketing community, we’ve never had a legal framework.
If brands and marketers don’t follow this, they will find it difficult to show they are complying with the GDPR, which means they could be on the sharp end of an eye-watering fine.
Here at Edit, we’ve spent some time digesting the code, and below are some of the key takeouts.
The scope of direct marketing
Little new to be discovered here: the scope of direct marketing continues to be defined in common sense terms.
New details and guidance on accountability and planning of marketing campaigns
Data protection by design continues to be a prominent concept here, with steadfast emphasis on the need for a data protection impact assessment for data matching.
There is useful clarification around when legitimate interests and consent are appropriate. The ICO position seems to be that it’s difficult to demonstrate legitimate interest when creating personality profiles from large amount of combined data.
Lead generation and collecting contact details
Many companies have overlooked a point made clear here: the GDPR requirement to inform individuals that their personal data is being processed within one month of receiving the data from another source. The draft indicates reliance on “disproportionate effort” to do so within the timeframe.
Profiling and data enrichment
There are no surprises when it comes to data cleansing, matching and enrichment, but there is a useful checklist of due diligence questions to consider when engaging third party suppliers.
Sending direct marketing messages
Interestingly, this section implies that the use of Direct Mail may move towards full consent rather than having to rely on legitimate interest.
Other than that, there’s no further clarification on “negotiations for a sale of a product or service” in the context of soft opt-ins for email marketing, which would have been useful.
Online advertising and new technologies
Lookalike targeting comes under unexpected scrutiny here, stating that consumers are unlikely to expect it; therefore, consent is required, along with the process being drawn to the attention of individuals outside of standard privacy policies. This is at odds with other content in the draft which makes clear that such forms of marketing are outside its remit.
Selling or sharing data
The code makes clear that a reliance on legitimate interest to disc lose or sell data is only relevant in certain circumstances. Detailed guidance is also given on how to comply transparency and consent requirements if you’re a data broker.
Data subject rights
The messaging is consistent regarding informing data subjects via privacy notice, of their right to object to direct marketing. Guidance is given as to how a user may exercise that right.
Additionally, when relying upon consent to process personal data for direct marketing purposes, it’s reiterated that when an individual withdraws consent you cannot swap from consent to another basis.
There are clearly some areas that may come as a surprise if you haven’t previously read the former iterations. Lookalike audiences in social now require consent, as does showing an ad on social networks. In app advertising is now also consent driven. There are still several outstanding issues in areas such as cookies and digital advertising that the code does not solve, although the ICO has issued some separate thoughts on these areas.
The draft is open for consultation is open until 4 March 2020.
