New ICO guidance on marketing consent: a data perspective | DMA

Filter By

Show All
X

Connect to

X

New ICO guidance on marketing consent: a data perspective

The ICO has been working with Ofcom to look at ways to combat nuisance calls and texts. The Data Protection Act (DPA) and Privacy and Electronic Communications Regulations 2003 (PECR) contain overlapping provisions that regulate marketing consent. PECR says that prior marketing consent, given to the sender, is required for email and SMS, and the DPA says that consent must be informed. The ICO has contemplated the interplay between these two statutes and come up with a way to cut down the third-party supply of marketing touch-point data.

The latest ICO guidance basically says that PECR can be read in two ways: either third-party marketing consent for email and SMS doesn't work full stop, as it needs to be given directly to the sender, or it does work if you are transparent and informative enough at the point of data collection. The ICO's new guidance states that it is possible to get valid third-party marketing consent if the permission notice states the categories of organisation who will rely on that consent.

The trouble with third-party consent time limits
However, the ICO then goes on to say that organisations would struggle to rely on third-party consent if it is more than six months old. On this point a number of leading data protection commentators believe the ICO has suggested a best practice measure which is higher than the requirements of law. The six-month recency rule is nowhere to be found in either the DPA or PECR. The ICO's rule of thumb flies in the face of established industry practice that marketing consent is valid until such time as someone opts out. If it is possible to inform enough about the type of organisation to which the consent applies, then surely it must also be possible to clarify sufficiently in the permission language, if need be, that consent is provided on an ongoing basis unless someone opts out. The DMA is in the process of clarifying this with the ICO, as well as whether the new guidance applies retrospectively.

Complying with the new ICO guidance
As a processor of data with third-party consent, the MSP needs to be mindful of the new guidance so it can steer its clients who rely on bought-in lists in a compliant direction. The ICO has provided a useful check list of questions to ask the list provider in order to determine whether the list can be used. An MSP who is savvy about the marketing consent rules can help its clients to form an opinion on the validity of the list. It might also wish to offer this as a value-added service.

An MSP also needs to double check whether or not it is a data processor of the third-party lists. An older ICO document on data controllers and processors is relevant in this regard. This suggests for example that if an MSP is externally regulated (eg by the FSC) then it becomes a data controller as it is no longer acting on the instructions of its client. The ICO also says that if it had to decide which role each party plays it will take into account how the contracting parties allocate risk in the contract. So it is vital the MSP gets specialist data protection law assistance to ensure that it is indemnified against liability from its third-party list activities.

Alex Hazell, Head of Legal, Acxiom UK

Hear more from the DMA

Please login to comment.

Comments

Related Articles

This article is written by MBA Group Ltd.

priscilla-du-preez-tAnrp8P51tY-unsplash.jpg

As abandoned baskets reach the highest levels in a decade, how can you make sure your customers successfully checkout?

hero-man-thinking-about-making-a-purchase.webp
As Black Friday approaches, marketers face pressure to captivate customers. The '23 season showed how brands use real-time data, AI, and dynamic content to tailor their messaging and boost engagement. Learn from them to shape your strategy.
iStock-1661657038.jpg

Telemarketing continues to hold a significant place in the marketing strategies of many businesses, despite a relentless wave of digital transformation. Contrary to common misconceptions, telemarketing is not an obsolete tactic.

Depositphotos_103113358_S (1).jpg