
DMA Comment: The ICO Direct Marketing Code of Practice - The Big Issues


We have been studying the ICO’s draft for a Direct Marketing Code of Practice since 8 January - speaking to our Members, canvassing opinion and building a DMA reaction to the work.

And fundamentally our position remains that the draft ICO Code is a good document; a useful frame for marketers and compliance professionals at all levels.

There are, however, challenges that can’t be ignored.

Challenge: Indirect data collection (ICO draft Code, pg48)

What do we need to tell people if we collect their data from other sources?

“If you collect personal data indirectly - ie. from sources other than the individual - you must still be transparent and comply with the right to be informed.

Other sources could include publicly available data or third-party suppliers such as data brokers.

Here you must provide privacy information to individuals within a reasonable period and at the latest within a month of obtaining their data.”

Consider, as well, data collected from various sources by brokers and aggregators and sold to third parties for direct mail campaigns.

If you did not present the individual with your privacy policy when the data was collected, you must provide that information within a month.

You can do this either with a dedicated privacy communication that includes that information, or provide a link to it the first time you get in contact with the individual.

Not many large direct mail campaigns are completed within a month.

So what about the people you chose not to mail, either because you decided they were not right for your offer or they were suppressed (goneaway, MPS etc.)?

Do you have to contact them to tell them you won’t be contacting them?

There are two exceptions to this requirement:

  • The individual already has the information
  • Providing the information would involve disproportionate effort

The information required is slightly different for data collected directly than that obtained indirectly, so it’s unlikely you will be able to use the first exception.

Disproportionate effort is described on page 49.

“If you want to rely on the disproportionate effort exception, you must assess and document whether there’s a proportionate balance between the effort involved for you to give privacy information and the effect of the processing on the individual.

If the processing has a minor effect on the individual then your assessment might find that it’s not proportionate to put significant resources into informing individuals.

However, the more significant the effect the processing has on the individual then, the less likely you are to be able to rely on this exception.”

For example: If a company bought data directly from a publisher or obtained a section of the edited electoral register (EER) for their own marketing, it would be more likely that they could use the disproportionate effort exception.

But for larger data brokers and data services companies who combine data and who are unknown to the data subject that would not be the case.

If they had to contact each individual as described in this section, it could be unaffordable - putting the vast majority of the third-party data market and all its associated products and services at risk.

Bad news for data brokers and bad news for the users of their data products in both the B2C world and B2B.

Challenge: Consent (ICO draft Code, pg30)

How do we decide what our lawful basis is for direct marketing?

“If PECR requires consent, then processing personal data for electronic direct marketing purposes is unlawful under the GDPR without consent.”

We all know that you need consent to send an email.

This section tells us that, while you need consent under PECR for sending an email, any other processing you do also requires consent under GDPR.

This would include profiling, segmentation, analysis etc.

And because sending an email and profiling are two different processes we must assume you would need a separate consent tick box alongside the usual consent tick box to send email marketing.

The added complexity to your data structure and CRM selections would complicate UX and thus user experience.

This section of the draft Code is copied directly from the ICO’s Legitimate Interests Guidance (page 29). The guidance was written before the ICO introduced its definition of ‘direct marketing purposes’, which includes all marketing-related processing, and would not have been interpreted in this way at the time.

Challenge: Can we offer data broking services? (ICO draft Code, pg102)

“Where data is shared with you for direct marketing purposes on the basis of consent, then the appropriate lawful basis for your subsequent processing for direct marketing purposes will also be consent.”

But why should one company’s legal basis influence another?

How could the recipient of the data do any profiling or do any suppression matching prior to sending a communication if they can’t use Legitimate Interests?

We’re interested in your thoughts if you feel this affects your business.

Challenge: How does direct marketing using social media work? (ICO draft Code, pg90)

Social media audiences and lookalikes require consent.

“Individuals are unlikely to expect that this processing takes place, therefore you should not bury information about any list-based tools you use on social media within your privacy information.

It is likely that consent is the appropriate lawful basis for this processing as it is difficult to see how it would meet the three-part test of the Legitimate Interests basis.”

There is a wide variety of services offered by social media platforms, but they seem to have all been lumped together, and all need consent.

Consent for everything social media related seems a bit heavy-handed.

If a person has a first-party relationship with a brand and a first-party relationship with Facebook, it doesn’t seem unreasonable for the brand’s marketing to appear in the individual’s feed, assuming this is clearly explained in a privacy policy.

Challenge: ICO draft Code and good practice recommendations

Simply put, the regulator’s job is to interpret the law.

It is not the job of the regulator to tell a sector what it considers good practice. The marketing industry and its trade associations should decide what is good practice.

For example, the draft includes good practice recommendations around consent:

“Get consent for all your direct marketing regardless of whether PECR requires it or not.”

We are unsure why this features in the draft.

Recital 47 of GDPR could not be clearer:

“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

The draft Code also features a good practice recommendation about the use of third party data:

“When sending direct marketing to new customers on the basis of consent collected by a third party we recommend that you do not rely on consent that was given more than six months ago.”

However, we contest this guidance.

What about data collected for insurance renewals, holidays, replacing cars? There are many reasons why a company might delay communication until the most relevant time for the consumer.

We would continue to urge the ICO to provide recommendations on how to comply with the law; how to create a truly useful DPIA; and advice on what sort of due diligence they think is appropriate.

Marketing industry specifics should be left to the marketing industry.

Challenge: ICO draft Code and the presentation of new or undefined terms

Many people have commented that the tone of the document is heavily weighted towards consent, with constant references to how hard it will be to justify Legitimate Interests.

We have had feedback that the draft positions marketing and profiling as somewhat nefarious activity.

Again, we seek clarification on these positions, and would welcome more feedback from Members. Here are some of the thoughts we have collected:


The bigger your organisation the less concerned you need to be about the Code.

As the rules tighten up on marketing practices relied on by SMEs, more business will be driven to the online giants.

Poor consumer experience

More tick boxes, more privacy information, more confusion for consumers.

Sending marketing back 20 years

No more third-party data.

Profiling and audience selection made more difficult.

Increased costs and lower ROI for marketers.

Concluding: Your next steps…

We must reiterate that it is vital you read the draft Code.

Let us know your thoughts here on how your business might be affected - get back to us by 14 February.

You can also respond directly to the ICO; the consultation is open until 4 March.
