New ICO guidance on marketing consent: a data perspective
30 Oct 2013
The ICO has been working with Ofcom to look at ways to combat nuisance calls and texts. The Data Protection Act (DPA) and Privacy and Electronic Communications Regulations 2003 (PECR) contain overlapping provisions that regulate marketing consent. PECR says that prior marketing consent, given to the sender, is required for email and SMS, and the DPA says that consent must be informed. The ICO has contemplated the interplay between these two statutes and come up with a way to cut down the third-party supply of marketing touch-point data.
The latest ICO guidance basically says that PECR can be read in two ways: either third-party marketing consent for email and SMS doesn't work full stop, as it needs to be given directly to the sender, or it does work if you are transparent and informative enough at the point of data collection. The ICO's new guidance states that it is possible to get valid third-party marketing consent if the permission notice states the categories of organisation who will rely on that consent.
The trouble with third-party consent time limits
However, the ICO then goes on to say that organisations would struggle to rely on third-party consent if it is more than six months old. On this point a number of leading data protection commentators believe the ICO has suggested a best practice measure which is higher than the requirements of law. The six-month recency rule is nowhere to be found in either the DPA or PECR. The ICO's rule of thumb flies in the face of established industry practice that marketing consent is valid until such time as someone opts out. If it is possible to inform enough about the type of organisation to which the consent applies, then surely it must also be possible to clarify sufficiently in the permission language, if need be, that consent is provided on an ongoing basis unless someone opts out. The DMA is in the process of clarifying this with the ICO, as well as whether the new guidance applies retrospectively.
Complying with the new ICO guidance
As a processor of data with third-party consent, the MSP needs to be mindful of the new guidance so it can steer its clients who rely on bought-in lists in a compliant direction. The ICO has provided a useful checklist of questions to ask the list provider in order to determine whether the list can be used. An MSP who is savvy about the marketing consent rules can help its clients to form an opinion on the validity of the list. It might also wish to offer this as a value-added service.
An MSP also needs to double-check whether or not it is a data processor of the third-party lists. An older ICO document on data controllers and processors is relevant in this regard. This suggests, for example, that if an MSP is externally regulated (e.g. by the FSC) then it becomes a data controller, as it is no longer acting on the instructions of its client. The ICO also says that if it has to decide which role each party plays, it will take into account how the contracting parties allocate risk in the contract. So it is vital the MSP gets specialist data protection law assistance to ensure that it is indemnified against liability from its third-party list activities.
Alex Hazell, Head of Legal, Acxiom UK