DMA Comment: The ICO's Direct Marketing Code of Practice
13 Jan 2020
The ICO has published its long-awaited draft of the direct marketing code of practice and invited comments from professionals across the industry.
It is a critical document for the data and marketing industry because its elevated status as a code of practice, as opposed to guidance, will give it statutory status, meaning that it will effectively become the legal rulebook for the sector.
The code consolidates previous GDPR guidance, PECR and cookie advice, and focusses solely on direct marketing – defined by the ICO as essentially one-to-one marketing.
The code has really benefitted from the experience and knowledge that the ICO have gathered since May 2018, in terms of frequently asked questions (FAQs) by organisations and case studies.
The ICO have included relatable, straightforward subject matter and examples that clearly draw on their learnings from previous industry engagement and help clarify grey areas and common mistakes.
Their understanding of the data and marketing industry has expanded and been brought in line with modern technological advancements and regulatory changes.
There is plenty of useful preamble and scene setting – defining terms such as ‘direct marketing’ and ‘service messages’. It also specifically mentions the DMA Code as a point of reference for marketing best practice.
It is aimed at “anyone that processes personal data for direct marketing purposes”, but in my opinion, it should be read by all those involved in the marketing process within an organisation.
It is not a technical or legal document and is written in an accessible style that is easy to understand – don’t be put off by the document size (123 pages!).
Key takeaways and chapter summaries
The code does not address each marketing channel or type of processing separately, as was the case with its predecessor.
Instead it takes a “lifecycle approach” with the main chapters including:
- Generating and collecting data
- Sending messages
There are also chapters on online advertising, selling and sharing data, and individual rights.
In addition, the code includes sections on marketing in mobile apps, in-game advertising, TV advertising, location-based marketing and more.
It also addresses the impact on different sectors, such as charity and B2B, where the rules are applied slightly differently.
In the planning chapter, there is a lot of focus on getting things right from the start by talking about data protection by design and the benefits of doing data protection impact assessments (DPIA) and conducting appropriate due diligence, as well as how to understand the correct legal basis to use and the data controller to processor relationship.
Well established marketing practices are clearly explained and there are no huge issues or concerns in the interpretation of the law.
However, some of the finer details may come as a surprise to some: data appending is considered unfair processing, and hosted email campaigns breach PECR, as do ‘Refer a Friend’ promotional campaigns.
It could also be argued that there is a slightly unbalanced tone to the guidance – the ICO recommends getting consent for all marketing despite the perfectly GDPR-compliant option of using legitimate interests, but it is worth noting that it is written by a regulator, not a marketing agency.
There are also some points that might come as unwelcome clarification for some marketers.
Article 14 of GDPR says that if you obtain personal data from somewhere other than directly from the data subject, you are obliged to provide privacy information to that person within a month.
For companies that collect data from such sources as Companies House, Edited Electoral Roll or third-party data providers, this could have a major impact.
There is also a section on sharing data and switching legal basis that appears to be written because the ICO have seen this in practice and want to address it.
There are outstanding compliance questions regarding digital advertising and naturally these are not resolved by this code – further information can be found on the ICO website.
The online advertising and new technologies section has a focus on the need for transparency and the benefits of conducting a DPIA. It also summarises the relevant cookie requirements.
For those that use social media, the code makes it clear that social audiences and ‘lookalike’ audiences require consent.
Also, as a joint controller, the marketer needs to undertake due diligence on the social media platform to ensure that the data being used has valid consent.
Additionally, the code states that in-app marketing will now need consent from the user, which could significantly impact the market for free apps in the future.
The draft code has only been available since Wednesday and I’m sure more questions will be raised by DMA members and others in the industry; something this in-depth requires time to fully reflect upon.
Hopefully, for now, this provides readers with some useful takeaways before they have a read through – something that I strongly recommend.
The code will be circulated for consultation until 4 March 2020 and the final version is expected to be published later this year.
Further details about the ICO’s announcement can be found on our website.