The ICO’s Direct Marketing Code of Practice will become the practical guide for organisations seeking to stay within the law (the Data Protection Act 2018, which enacted the General Data Protection Regulation [GDPR] and the Privacy and Electronic Communications Regulations [PECR]). It takes a broader view than the current Direct Marketing Guidance.
The draft Code has been out for consultation and now the ICO is reviewing the responses it has received, including those from the DMA, which should shortly be published on the DMA website.
Some parts of the draft Code should come as no surprise, some may be things you’ve sort-of guessed but chosen to ignore and others may be news to you. The DMA Contact Centre Council's Regulation Hub has highlighted a few aspects that might be most significant for contact centres:
How does the ICO describe ‘direct marketing’?
The draft code states that the concept of direct marketing purposes is wider than just sending direct marketing communications and includes not only sending the communications themselves, but also all processing activities that lead up to, enable or support sending those communications. For example, collecting personal data to build a profile of an individual with the intention of using this to target advertising to them will be processing for direct marketing purposes.
Activities such as lead generation, list brokering, data enrichment, data cleansing, matching or screening, audience segmenting or other profiling and contacting individuals to ask them for consent to direct marketing will also constitute processing for direct marketing purposes.
Subsequently, if an individual does not give permission for the processing of their personal data for direct marketing purposes this is not limited to just to sending direct marketing messages, but can extend to all processing related to those communications (p.13-14).
Consent is King & Legitimate Interests is the Poor Relation?
Although not at all mandatory, it’s interesting that the Draft Code includes a “Good Practice Recommendation” that Consent is the ICO’s preferred / recommended legal basis for Direct Marketing (p.31).
Legitimate Interests is Not a ‘Get Out of Jail’ Card
Draft Code reiterates what we already know, that Legitimate Interest is made up of 3 elements which must be considered carefully and may not justify direct marketing processing (p.34-on).
Some Consent Incentivisation is ok
Although consent must be freely given and not incentivised, the Draft Code specifically recognises that most direct marketing intrinsically offer some advantage to those who consent to it (e.g. discounts if you join a loyalty scheme) (p. 33).
Is it just a service message?
‘Service Messages’ are those sent to an individual for customer service or admin purposes and are not considered direct marketing. It is the tone, phrasing and context of the message that is key. If it has a neutral tone and is intended only to provide information to the individual, it is likely to be a service message. However, if the message contains any active promotion or encourages an individual to do something (such as an upgrade, take advantage of a special offer or use a specific service) it is likely to direct marketing.
The draft code reiterates the ICO’s current guidance that if a service message includes elements that are direct marketing then the direct marketing rules apply to that message, even when it is not the main purpose of the message (P19-20).
Buyer (or Renter) of Marketing Data Beware!
The Draft Codes makes it very clear that the purchaser / renter of data must undertake extensive due diligence on the data and its provider (p.52-54). If, indeed, there’s much 3rd party data left to buy or rent (see below).
NB And if your contact centre is in the business of creating, selling or brokering of 3rd party data lists then prepare for some big changes down the line. This sector will be subject to potentially very disruptive challenges (p.99 onwards).
The End of Traditional ‘Member Get Member’ Schemes
Draft Code makes it clear that getting a customer to pass on a friend or relative’s personal details to a supplier is not legitimate as there’s no likelihood, let alone guarantee, that they have explained how the data will be processed. This is not a surprise but now the advice is explicit – and schemes could work in future if, say, customers could pass sign-up links or literature to friends for them to review and complete themselves (p.54, p.83).
Profiling & Data Enrichment
The draft Code says it is almost certainly not compliant to enrich customer records with additional data unless customers have agreed to it – even updating a ‘gone-away’ records with a new, correct address or landline number would be invalid (p.56).
Suppression Lists Rule!
The draft Code includes a very clear acceptance of the importance of maintaining suppression lists to ensure those who object to or opt out of Direct Marketing have their wishes respected (p.110-111).
TPS Still Doesn’t Trump All
Reassuringly, the Code confirms most people’s understanding that as long as you had a customer’s consent to call them about marketing offers then if that person subsequently registers with the TPS then you still can call them (as long as you really had proper consent, of course….) (p.67-68).
Creating an Account Doesn’t Count, says the ICO?
According to the draft Code, even a customer “…log[ging] into a company’s website…” to browse doesn’t support the ‘Soft Opt In’ basis for future contact by the brand (p.76).
Once the Code is finalised, which is expected to happen later this year, the Code will be presented to Parliament which will have 40 days to decide whether or not to approve the Code. Assuming there is no objection, the Code will come into practice 21 days after it is issued. The DMA Call Centre Council will be keeping a close eye on the development of the Code to provide up-to-date information on if and when the Code will be implemented and what this might mean to you and your contact centre.
And remember that each month the DMA Contact Centre Council produces a brief monthly summary of all the contact centre regulation news - here's March's.
#dma #contactcentres #contactcentrecouncil #compliance #dataprotection